The control 5.1 of ISO 27002:2022 covers the need of organisations to have an information security policy document in place to protect against information security issues.
An information security policy provides employees, management and external parties (e.g., customers and suppliers) with a framework for the management of electronic information, including computer networks.
The purpose of an information security policy is to reduce the risk of data loss or theft from internal and external threats. An information security policy also ensures that all employees are aware of their responsibilities for protecting the data held by their organisations.
An information security policy can also be used to demonstrate compliance with laws and regulations, and helps to meet standards such as ISO 27001.
Cyber security threats are any possible malicious attack that seeks to unlawfully access data, disrupt digital operations or damage information. Cyber threats can originate from various actors, including corporate spies and hacktivists, terrorist groups, hostile nation-states and criminal organisations.
Some of the more popular cyber security and information security threats are:
The purpose of the information security policy is to ensure management support for the protection of your company’s sensitive information from theft and unauthorised access.
Control 5.1 covers the control, purpose and implementation guidance for establishing an information security policy in an organisation according to the framework as defined by ISO 27001.
Control 5.1 states that organisations need to have high- and low-level policies on how they manage their information security. The organisation’s senior management needs to approve the policies, which should be reviewed regularly and also if changes in the information security environment occur.
The best approach is to meet regularly at least once a month, with additional meetings scheduled as needed. If changes are made to the policies, management must approve them before they’re implemented. The policies should also be shared with internal and external stakeholders.
Attributes are a means of categorising controls. These allow you to quickly align your control selection with common industry language and standards. In control 5.1 these are.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Governance | #Governance and Ecosystem #Resilience |
The information security policy should provide the basis for, and be supported by, detailed operating procedures which describe how information security will be managed in practice.
The policy should be approved by top management, who should ensure that it is communicated to staff and made available to interested parties.
The policy gives direction on the organisation’s approach to managing information security, and can be used as a framework for developing more detailed operating procedures.
The policy is an essential element in establishing and maintaining an information security management system (ISMS), as required by the ISO/IEC 27000 family of standards, but even if the organisation does not intend to implement formal certification to ISO 27001 or any other standard, a well-defined policy is still important.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
In ISO 27002: 2022, control 5.1 Information Security Policies is not a new control, rather it is the result of the merging of controls 5.1.1 Policies for Information Security and 5.1.2 Review of Policies for Information Security from ISO 27002 revision 2013.
In ISO 27002:2022, control 5.1 has been updated to include a description of its purpose and expanded implementation guidance. It also came with an attributes table that allows users to reconcile controls with industry terminologies.
In ISO 27002:2022, control 5.1 states that information security and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties.
The information security policy of an organisation should reflect the organisation’s size, type, and sensitivity of information assets. It should also be consistent with industry standards and applicable government regulations.
While the essence of the control itself is similar to 5.1.1 of ISO 27002: 2013, version 2022 specifically states that these information security policies should be reviewed regularly and also if changes in the information security environment occur. This rider is covered in clause 5.1.2 of ISO 27002:2013.
ISO 27002: 2013 and ISO 27002: 2022 states that the highest level of the organisation should define a security policy that top management approves and that states how they will oversee the protection of their information. However, the requirements covered by the policies for both versions are different.
In ISO 27002:2013, Information security policies should address requirements created by:
The information security policy should contain statements concerning:
But the requirements for ISO 27002:2022 are a bit more comprehensive.
The information security policy should take into consideration requirements derived from:
The information security policy should contain statements concerning:
At the same time, topic-specific policies were reworked in ISO 27002:2022 to include; information security incident management, asset management, networking security, information security incident management, and secure development. Some of the ones in ISO 27002:2013 were either removed or merged to form a more holistic framework.
At ISMS.online, our easy-to-use, yet powerful, cloud system will provide you with a complete set of tools and resources to help you manage your own ISO 27001/27002 Information Security Management System (ISMS), whether you are new to ISO 27001/27002 or already certified.
Our intuitive step-by-step workflow, tools, frameworks, policies & controls, actionable documentation and guidance walks you through the process of implementing ISO 27002, making it simple for you to define the scope of the ISMS, identify risks and implement controls using our algorithms – either from scratch or from best practice templates.
Get in touch today to book a demo.
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
