ISO 27001 controls: What is Annex A:5?

Discover how ISO/IEC 27001 certification can enhance your organisation's information security. Our ISO experts dissect the key controls and strategies of Annex A, highlighting how to effectively implement them to boost cybersecurity and ensure compliance.

ISO/IEC 27001 is an international standard on how to manage information security. It outlines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), aimed at helping organisations make the information they hold more secure. This inspires customer confidence and demonstrates to regulators that your organisation adheres to the best practices of cybersecurity and data integrity.

An ISMS maintains the confidentiality, integrity, and availability of information. The ISO 27000 series lists the controls and their objectives in Annex A of ISO 27001 to provide a managed security programme.

This article begins our series explaining the ISO 27001 controls in Annex A.


A5. Information Security Policies

A.5.1: Directions for Information Security – Objective

Annex A.5.1 focuses on management direction for information security. The objective of this Annex is to provide direction and support for information security. These controls must be followed in consideration of an organisation’s legal governance and include two controls as explained below.

A.5.1.1: Policies for Information Security

Any organisation seeking the ISO 27001 series of certifications must clearly articulate its policies to the management, employees, and its relevant stakeholders. The policies must be driven by business requirements and comply with legal and regulatory frameworks.

These policies are communicated through the education, training, and awareness programme (see A.7.2.2). They establish the principles that members of the organisation and key parties such as suppliers must follow.

A.5.1.2: Review of the Policies for Information Security

While implementing the ISO 27000 standard of information security management, the organisation must regularly review the policies.

Annex A.5.1.2 requires that management review the information security policies at planned intervals or whenever:

  • There is a large-scale change in the management;
  • Corporate law or regulation is renewed;
  • A significant change occurs; and
  • There is a violation of information security.

Maintaining the information security policies must be an integral part of any organisation. Management must provide direction and support for information security to reduce threats to the organisation's data.

The organisation shall identify any external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management system.

Implementing an ISO Management System?

If you are implementing an ISO management system in your organisation and you’re preparing for an external audit, an ISO Gap Analysis Checklist will provide you with the list of items you need to prepare. Contact Citation Certification today to learn how our services can support your ISO 27001 certification efforts.
