ISO 27002:2022, Control 5.1 – Policies for Information Security


Control 5.1 of ISO 27002:2022 covers the need for organisations to have an information security policy document in place to protect against information security issues.

What Is Control 5.1?

An information security policy provides employees, management and external parties (e.g., customers and suppliers) with a framework for the management of electronic information, including computer networks.

The purpose of an information security policy is to reduce the risk of data loss or theft from internal and external threats. An information security policy also ensures that all employees are aware of their responsibilities for protecting the data held by their organisations.

An information security policy can also be used to demonstrate compliance with laws and regulations, and helps to meet standards such as ISO 27001.

Cyber Security and Information Security Threats Explained

Cyber security threats are any possible malicious attack that seeks to unlawfully access data, disrupt digital operations or damage information. Cyber threats can originate from various actors, including corporate spies and hacktivists, terrorist groups, hostile nation-states and criminal organisations.

Some of the more popular cyber security and information security threats are:

  • Malware: viruses, spyware and other malicious programs.
  • Phishing emails: messages that appear to be from trustworthy sources but contain links and attachments that install malware.
  • Ransomware: malware that prevents users from accessing their own data until they pay a ransom.
  • Social engineering: attackers manipulating people into giving sensitive information, usually by appearing to be trustworthy.
  • Whaling attacks: phishing emails designed to appear as if they come from high-profile individuals within an organisation.

What Is the Purpose of Control 5.1?

The purpose of the information security policy is to ensure management support for the protection of your company’s sensitive information from theft and unauthorised access.

Control 5.1 covers the control, purpose and implementation guidance for establishing an information security policy in an organisation according to the framework as defined by ISO 27001.

Control 5.1 states that organisations need to have high- and low-level policies on how they manage their information security. The organisation’s senior management needs to approve the policies, which should be reviewed regularly and also if changes in the information security environment occur.

The best approach is to meet regularly at least once a month, with additional meetings scheduled as needed. If changes are made to the policies, management must approve them before they’re implemented. The policies should also be shared with internal and external stakeholders.

Attributes Table

Attributes are a means of categorising controls. They allow you to quickly align your control selection with common industry language and standards. For control 5.1 these are:

Control Type: #Preventive
Information Security Properties: #Confidentiality, #Integrity, #Availability
Cybersecurity Concepts: #Identify
Operational Capabilities: #Governance
Security Domains: #Governance and Ecosystem, #Resilience

What Is Involved and How to Meet the Requirements

The information security policy should provide the basis for, and be supported by, detailed operating procedures which describe how information security will be managed in practice.

The policy should be approved by top management, who should ensure that it is communicated to staff and made available to interested parties.

The policy gives direction on the organisation’s approach to managing information security, and can be used as a framework for developing more detailed operating procedures.

The policy is an essential element in establishing and maintaining an information security management system (ISMS), as required by the ISO/IEC 27000 family of standards. Even if the organisation does not intend to pursue formal certification to ISO 27001 or any other standard, a well-defined policy is still important.


Changes and Differences from ISO 27002:2013

In ISO 27002:2022, control 5.1 Policies for Information Security is not a new control; rather, it is the result of merging controls 5.1.1 Policies for Information Security and 5.1.2 Review of Policies for Information Security from the 2013 revision of ISO 27002.

In ISO 27002:2022, control 5.1 has been updated to include a description of its purpose and expanded implementation guidance. It also came with an attributes table that allows users to reconcile controls with industry terminologies.

In ISO 27002:2022, control 5.1 states that information security and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties.

The information security policy of an organisation should reflect the organisation’s size, type, and sensitivity of information assets. It should also be consistent with industry standards and applicable government regulations.

While the essence of the control itself is similar to 5.1.1 of ISO 27002:2013, the 2022 version specifically states that these information security policies should be reviewed regularly and also when changes in the information security environment occur. In ISO 27002:2013 this requirement was covered separately in control 5.1.2.

Both ISO 27002:2013 and ISO 27002:2022 state that the highest level of the organisation should define a security policy that top management approves and that sets out how they will oversee the protection of their information. However, the requirements that the policies must cover differ between the two versions.

Control 5.1 2013 – 2022 Implementation Guidelines Compared

In ISO 27002:2013, information security policies should address requirements created by:

  • Business strategy.
  • Regulations, legislation and contracts.
  • The current and projected information security threat environment.

The information security policy should contain statements concerning:

  • Definition of information security, objectives and principles to guide all activities relating to information security.
  • Assignment of general and specific responsibilities for information security management to defined roles.
  • Processes for handling deviations and exceptions.

The requirements in ISO 27002:2022 are more comprehensive.

The information security policy should take into consideration requirements derived from:

  • Business strategy and requirements.
  • Regulations, legislation and contracts.
  • The current and projected information security risks and threats.

The information security policy should contain statements concerning:

  • Definition of information security.
  • Information security objectives or the framework for setting information security objectives.
  • Principles to guide all activities relating to information security.
  • Commitment to satisfy applicable requirements related to information security.
  • Commitment to continual improvement of the information security management system.
  • Assignment of responsibilities for information security management to defined roles.
  • Procedures for handling exemptions and exceptions.

At the same time, topic-specific policies were reworked in ISO 27002:2022 to include information security incident management, asset management, network security and secure development. Some of the topic-specific policies in ISO 27002:2013 were either removed or merged to form a more holistic framework.

How ISMS.Online Helps

At ISMS.online, our easy-to-use, yet powerful, cloud system will provide you with a complete set of tools and resources to help you manage your own ISO 27001/27002 Information Security Management System (ISMS), whether you are new to ISO 27001/27002 or already certified.

Our intuitive step-by-step workflow, tools, frameworks, policies & controls, actionable documentation and guidance walk you through the process of implementing ISO 27002, making it simple for you to define the scope of the ISMS, identify risks and implement controls using our algorithms – either from scratch or from best practice templates.

Get in touch today to book a demo.


New Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.7 | New | Threat intelligence
5.23 | New | Information security for use of cloud services
5.30 | New | ICT readiness for business continuity
7.4 | New | Physical security monitoring
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.16 | New | Monitoring activities
8.23 | New | Web filtering
8.28 | New | Secure coding

Organisational Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
5.4 | 07.2.1 | Management responsibilities
5.5 | 06.1.3 | Contact with authorities
5.6 | 06.1.4 | Contact with special interest groups
5.7 | New | Threat intelligence
5.8 | 06.1.5, 14.1.1 | Information security in project management
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets
5.11 | 08.1.4 | Return of assets
5.12 | 08.2.1 | Classification of information
5.13 | 08.2.2 | Labelling of information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer
5.15 | 09.1.1, 09.1.2 | Access control
5.16 | 09.2.1 | Identity management
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights
5.19 | 15.1.1 | Information security in supplier relationships
5.20 | 15.1.2 | Addressing information security within supplier agreements
5.21 | 15.1.3 | Managing information security in the ICT supply chain
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services
5.23 | New | Information security for use of cloud services
5.24 | 16.1.1 | Information security incident management planning and preparation
5.25 | 16.1.4 | Assessment and decision on information security events
5.26 | 16.1.5 | Response to information security incidents
5.27 | 16.1.6 | Learning from information security incidents
5.28 | 16.1.7 | Collection of evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption
5.30 | New | ICT readiness for business continuity
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements
5.32 | 18.1.2 | Intellectual property rights
5.33 | 18.1.3 | Protection of records
5.34 | 18.1.4 | Privacy and protection of PII
5.35 | 18.2.1 | Independent review of information security
5.36 | 18.2.2, 18.2.3 | Compliance with policies, rules and standards for information security
5.37 | 12.1.1 | Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
6.1 | 07.1.1 | Screening
6.2 | 07.1.2 | Terms and conditions of employment
6.3 | 07.2.2 | Information security awareness, education and training
6.4 | 07.2.3 | Disciplinary process
6.5 | 07.3.1 | Responsibilities after termination or change of employment
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements
6.7 | 06.2.2 | Remote working
6.8 | 16.1.2, 16.1.3 | Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
7.1 | 11.1.1 | Physical security perimeters
7.2 | 11.1.2, 11.1.6 | Physical entry
7.3 | 11.1.3 | Securing offices, rooms and facilities
7.4 | New | Physical security monitoring
7.5 | 11.1.4 | Protecting against physical and environmental threats
7.6 | 11.1.5 | Working in secure areas
7.7 | 11.2.9 | Clear desk and clear screen
7.8 | 11.2.1 | Equipment siting and protection
7.9 | 11.2.6 | Security of assets off-premises
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media
7.11 | 11.2.2 | Supporting utilities
7.12 | 11.2.3 | Cabling security
7.13 | 11.2.4 | Equipment maintenance
7.14 | 11.2.7 | Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
8.1 | 06.2.1, 11.2.8 | User endpoint devices
8.2 | 09.2.3 | Privileged access rights
8.3 | 09.4.1 | Information access restriction
8.4 | 09.4.5 | Access to source code
8.5 | 09.4.2 | Secure authentication
8.6 | 12.1.3 | Capacity management
8.7 | 12.2.1 | Protection against malware
8.8 | 12.6.1, 18.2.3 | Management of technical vulnerabilities
8.9 | New | Configuration management
8.10 | New | Information deletion
8.11 | New | Data masking
8.12 | New | Data leakage prevention
8.13 | 12.3.1 | Information backup
8.14 | 17.2.1 | Redundancy of information processing facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | New | Monitoring activities
8.17 | 12.4.4 | Clock synchronization
8.18 | 09.4.4 | Use of privileged utility programs
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems
8.20 | 13.1.1 | Networks security
8.21 | 13.1.2 | Security of network services
8.22 | 13.1.3 | Segregation of networks
8.23 | New | Web filtering
8.24 | 10.1.1, 10.1.2 | Use of cryptography
8.25 | 14.2.1 | Secure development life cycle
8.26 | 14.1.2, 14.1.3 | Application security requirements
8.27 | 14.2.5 | Secure system architecture and engineering principles
8.28 | New | Secure coding
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance
8.30 | 14.2.7 | Outsourced development
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management
8.33 | 14.3.1 | Test information
8.34 | 12.7.1 | Protection of information systems during audit testing