
ISO 27001 - Annex A.5 - Information Security Policies

Data privacy threats and breach risks continue to rise on a daily basis, making information security a vital part of business continuity today. Whether or not your organisation chooses to continue along the ISO 27001 certification path, it is essential that information security policies are put into practice to protect all types of information held by an organisation.

This article explains what Annex A.5 is, what information security policies are, their objective, the controls under A.5, and why they are important for your organisation's information security management.

What are information security policies?

Information security policies are a set of rules that control how information is accessed and used. Information security policies are often referred to as security policies, but they can also be called security procedures or standards.

Information security policies follow a common structure and format. They include:

  • A scope statement describing the types of activities covered by the policy
  • A statement of management commitment, which provides evidence management has assigned sufficient resources to support ongoing compliance with the policy
  • A number of specific responsibilities for employees regarding their use and protection of organisational data

What is Annex A.5?

This Annex describes the concepts, requirements and recommendations related to information security policies. It covers policy definition, implementation and review.

In addition to providing guidance on the implementation of information security policies, Annex A.5 also addresses how to report on information security policies and how they relate to other corporate policies.

The implementation of information security policies is a continuous process. As new technologies emerge, threats evolve and business operations change, it is crucial to update your information security policies on a regular basis.

It is also advised to review your information security policies regularly. When you conduct these reviews, pay close attention to areas such as:

  • Communication - Are all employees receiving the same training? Are they aware of the latest changes made to the policy?
  • Consistency - Are all employees applying the same procedures when it comes time to enforce an action? For example, if using a personal cell phone at work is treated as a violation in one department but tolerated in another, even though it is against organisational policy in both, that is inconsistent enforcement.

What is the objective of Annex A.5?

The purpose of information security policies is to help protect an organisation’s assets and operations from risks associated with cybersecurity. They are meant to be flexible enough to cover different types of systems and their vulnerabilities, as well as multiple modes of operation such as traditional and cloud-based operations.

Information security policies are the documents that define the standards for information security within an organisation. They can be formal or informal. This Annex describes how to develop an information security policy and how to implement it in your organisation.

What are the Annex A.5 information security policy controls?

A.5.1.1 Policies for information security

According to ISO 27001, all organisations must conduct themselves in a transparent manner with their stakeholders. To protect their data, all stakeholders must be informed of the policies in place within the organisation. 

Policies play a critical role throughout the whole information security process. Therefore, any policies created by the business must first be examined and authorised, and then communicated to employees and third parties. They must also be included in the A.7 human resource security control, and they must be adhered to by all employees.

A.5.1.2 Review of the policies for information security

To keep updated with any changes, whether internal or external, the organisation's ISMS policies must be updated on a regular basis. Management changes, governing laws, industry standards, and technology are examples of these developments. 

The documentation should always represent standards and procedures to preserve the confidentiality, integrity, and availability of files, and an information security breach may result in policy change and improvement.

Why is information security policy important for your organisation's information security management?

An information security policy helps your organisation classify its sensitive data. This depends in part on applicable regulations, but it should also take into account any external factors that could affect risk perception, such as industry competition or the geopolitical climate.

Information classifications can range from low (confidential) through medium (secret) and high (top secret), up to levels such as top secret plus or beyond top secret. The exact terms used may vary slightly depending on which agency or company is creating the policy.

However, all organisations should understand ISO 27001 well so that those tasked with implementing it can understand what each control means.

Information security policies are the foundation of an ISMS (information security management system). They provide guidance to develop the necessary actions and controls to achieve the organisation's information security objectives over time.

Even though not all Annex A controls are mandatory, adopting Annex A.5 is highly recommended by the data privacy experts at DataGuard.

This Annex is critical for your organisation as it protects organisational data and IT resources and also helps businesses stay competitive and keep their clients' or consumers' trust.

Interested in upscaling your organisation's Information Security policy? Our experts will be happy to answer any question. Feel free to reach out for a free consultation!
