
ISO 27001 Control 5.1: Policies for Information Security
ISO/IEC 27001:2022 Control 5.1 requires organisations to establish, approve, communicate, and maintain information security policies that set clear direction for protecting information. These policies are a fundamental requirement for establishing security governance, supporting compliance, and guiding employee behaviour. Annex A of ISO 27001 lists the control and is the reference point auditors use at certification, and the 2022 revision of the standard restructured 5.1 to reflect current practice and compliance expectations. In plain terms: you need a top-level information security policy, it needs to be backed up by more detailed policies on specific topics, and the whole lot needs to be reviewed and kept in step with the business.
This version is written to help you implement the control, show an auditor you meet it, and avoid the common gaps I see in small and growing organisations.
Introduction to Control 5.1
Control 5.1 is a foundational element of ISO 27001, setting the stage for how your organization approaches managing information security. This control requires you to establish and maintain policies for information security that protect your information assets and support your business strategy. By implementing Control 5.1, you create a clear framework for information security management, ensuring your organization can demonstrate compliance and satisfy applicable requirements related to information security. Ultimately, Control 5.1 helps you align your information security efforts with your business goals, making sure that protecting information is an integral part of your management approach.
Purpose and Objective
The main purpose of Control 5.1 is to ensure your organization has a robust policy framework for information security management. This framework provides clear direction so that all relevant personnel and interested parties know exactly what is expected of them when it comes to protecting information assets. The objective is to embed information security into your organization’s culture and daily operations, supporting the effectiveness of your information security management system (ISMS). By having well-defined and communicated policies, you can demonstrate the suitability, adequacy, and effectiveness of your ISMS, making sure your approach to information security meets the requirements of ISO 27001 and supports your business needs.
1. What the control actually wants
Control 5.1 (Policies for information security): information security policies shall be defined, approved by management, published, communicated to relevant personnel and interested parties, and reviewed at planned intervals or when significant changes occur. Policy statements should be formal documents, approved by top management, and tailored to the organization’s context.
So auditors will look for four things:
- Defined – there is a documented information security policy (and, ideally, supporting topic-specific policies).
- Approved – top management has signed it off (name, role, date, version).
- Communicated – people who need to follow it, as well as relevant interested parties, have actually seen it.
- Reviewed – policies are reviewed regularly, and you can show the review cycle has happened.
If you cover those four, you are most of the way there. It is also essential to ensure that employees understand their responsibilities under these policies for effective implementation and ongoing compliance.
2. Policy hierarchy (what you actually need)
A simple, workable structure for SMEs is:
- Information Security Policy (top-level, strategic)
- Topic-specific / supporting policies (operational detail)
Supporting policies are the documented rules that underpin the information security management system; they help you demonstrate compliance with the standard and reflect your legal, statutory, and contractual requirements.
You do not need 30 separate policies on day one, but you do need to show that you can create them, keep them consistent, and update them. Typical supporting policies include an access control policy, incident management policy, and acceptable use policy.
3. The foundation: Information Security Policy
This is the highest-level statement of how your organisation manages information security. The policy articulates the organisation’s approach to information security, providing a strategic framework for all related activities.
Purpose
- Set direction and expectations
- Link security to business objectives
- Show leadership commitment
- Point to the other policies
- Provide management direction for information security
What to include
- Scope – what parts of the business or ISMS this policy applies to
- Objectives / principles – confidentiality, integrity, availability; “support business operations”; “protect customer data”
- Commitment – to meet legal, regulatory and contractual requirements
- Commitment to continual improvement – required by ISO 27001
- Roles and responsibilities – who owns information security, who approves policies
- Requirement to create topic-specific policies – access control, acceptable use, incident management, etc.
- Detailed requirements – where the policy sets specific requirements for compliance or for implementing security controls, state them clearly (or point to the supporting policy that does)
- Review – how often it will be reviewed (normally annually or on major change)
- Approval – name, role, date
A small example paragraph you can drop in:
“Top management is committed to protecting the confidentiality, integrity and availability of information. We will define, implement and maintain information security policies and supporting procedures, comply with applicable legal, regulatory and contractual requirements, and continually improve the effectiveness of our information security controls.”
That hits the ISO 27001:2022 intent.
4. Supporting framework: topic-specific policies
These “operationalise” the top policy. They tell people what to do.
Typical policies for a small tech / services organisation:
- Access control / user account management
- Acceptable use of assets
- Information classification and handling
- Asset management
- Secure development / change management (if you build software)
- Backup and recovery
- Incident management / reporting security events
- Supplier / third-party security
- Mobile / remote working
- Cryptography (if relevant)
- Information transfer / data sharing
- Physical and environmental security (can be brief if mostly cloud)
You don’t have to publish all of these externally. Some can stay internal if they contain sensitive detail (e.g. configuration standards).
Good practice for these policies
- State the purpose (why this exists)
- State who it applies to (employees, contractors, partners)
- State controls / rules (e.g. “admin accounts must be named and assigned to individuals”)
- State responsibilities (IT, HR, line managers, users)
- State references (to the main information security policy)
- Add review period (usually 12 or 24 months)
- Provide implementation guidance so that teams can develop, communicate, and maintain the policy in line with ISO 27001 and ISO 27002
Regular policy review is essential to ensure topic-specific policies remain current, effective, and aligned with organizational and regulatory changes.
Annex A 5.1
Annex A 5.1 of ISO 27001 offers practical guidance for implementing Control 5.1. It highlights the need for a clear, concise information security policy that is formally approved by top management and communicated to all relevant personnel and interested parties. Annex A 5.1 also stresses keeping your policies up to date: review them regularly so they remain effective and relevant as your business, technology, or legal and contractual obligations change. Your information security policies should be aligned with all applicable information security requirements, including those arising from laws, regulations, and contracts, so that your organization's approach to managing information security is both comprehensive and compliant.
5. Managing the policy lifecycle
Control 5.1 isn’t just “write a policy”. It’s “write it, approve it, communicate it, review it”.
a. Creation & approval
- Draft the policy (security lead, IT manager, consultant, etc.)
- Check it aligns with business objectives and risks, using risk assessments to identify and address vulnerabilities
- Get senior management to approve it (CEO/MD/Director)
b. Communication
Auditors will ask: “How do staff know about this policy?”
Options:
- Publish on intranet / SharePoint / Google Drive with controlled access
- Include in onboarding / induction
- Ask staff to acknowledge key policies annually
- Add to LMS / e-learning
- Include in contracts for contractors / third parties (high-level version)
c. Review
Show this in your document:
- “This policy will be reviewed at least annually or sooner if there is a significant change in business, technology, legislation or risk.”
- Incorporate lessons learned from audits, security incidents, and ongoing improvement efforts into policy updates.
- Keep a document control table: version, date, change, author, approver.
d. Version control and consistency
When you update one policy (e.g. classification), check related ones (e.g. data transfer, backup) so they don’t contradict each other.
Information Security Incident Management
A key part of Control 5.1 is having strong policies and procedures for information security incident management. This means setting out how your organization will respond to, report, and learn from information security incidents. Your incident management policy should clearly define the roles and responsibilities of relevant personnel, including employees, contractors, and any external parties involved. It should outline the steps for incident response (containment, eradication, and recovery of information assets) and ensure that incidents are reported and handled efficiently. Regular review and updates of your incident management policy are essential to keep it effective and aligned with your overall approach to managing information security. Doing this helps minimize the impact of incidents and supports the continuity of your business operations, while meeting the requirements of Control 5.1.
6. What auditors will want to see
Have these ready and you will have a smooth audit on 5.1:
- Current Information Security Policy – with version, date, approver, and coverage of relevant laws and regulations
- List of topic-specific policies – even a simple register in Excel/Sheets
- Communication evidence – induction pack, email announcement, LMS record, signed employee handbook
- Review records – meeting minutes, management review, change log
- Link to objectives and risks – policy references the ISMS / risk assessment and specifies detailed requirements for compliance
- External sharing rules – how you share policies with customers / auditors without exposing confidential content
7. Common gaps (fix these first)
- Policy has no approval by top management
- Policy is out of date (3+ years old, old company name, old scope)
- No evidence it was communicated to staff
- Too many policies, all different formats, no owner
- Policies written for ISO 27001:2013 and not updated for 2022 structure
- Sensitive configuration detail inside the policy instead of in procedures/standards
8. Table: Information Security Policy vs Topic-Specific Policies
| Feature | Information Security Policy | Topic-Specific Policies |
|---|---|---|
| Level of detail | High-level, strategic | Detailed, operational |
| Audience | Whole organisation, external interested parties | Specific teams / roles |
| Approval authority | Top management | Process / functional owner |
| Purpose | Set direction, show commitment | Tell people exactly what to do |
| Review | At least annually / on major change | On change in technology/process, or annually |
| Examples | Information Security Policy | Access Control, Information Classification, Incident Management, Backup, Secure Development |
9. Making it scalable for small teams
If you work with small businesses that “need ISO 27001 fast”, it’s fine to:
- Start with one combined policy pack (main policy + 5–7 core policies)
- Keep them in one place (e.g. /InfoSec/Policies/)
- Use templates with the same header / footer / versioning
- Add policies later as services or risks change
The key is to show the auditor you have a method to add, approve and review policies – not just a one-off document.
10. FAQs
What is the goal of ISO 27001 Control 5.1?
To make sure the organisation has clear, approved, communicated and regularly reviewed information security policies that guide behaviour and controls.
Who should approve the Information Security Policy?
A member of top management – ideally the MD/CEO or someone with overall responsibility for the ISMS. This demonstrates leadership and fulfils Clause 5 requirements.
How often should we review the policy?
At least annually, and after significant change (new service, new regulation, major incident, restructure). Document the review even if “no change”.
Do we have to give customers all our policies?
No. You can provide a high-level policy, or a policy statement, and keep detailed/internal operational policies confidential. Just make sure the document itself says some policies are internal.
Can policies be in one document?
Yes. ISO 27001 does not mandate separate documents. Many SMEs use a single “Information Security Policy Handbook” with sections. Just make sure roles, approval and review are clear.
11. Conclusion
Control 5.1 is one of the simplest to satisfy, but it underpins the rest of ISO 27001. Get a single, business-aligned information security policy approved by management, back it up with topic-specific policies for the main risk areas, publish them to staff, and review them on a schedule. If you can also show evidence of communication and version control, your auditor will have very little to challenge.
