We have a customer requirement that we would like to include in the Information Security Policy. I will map these onto the area ‘Setting top-level information security objectives and intentions’, but would also expect control A.5.1.1 Policies for Information Security to be triggered. From the mapping document this does not seem to be the case. Actually, A.5.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls.
Should A.5.* not be mapped as a result of the area I mentioned? Or any other area?
Please note that ‘Setting top-level information security objectives and intentions’ is related to the Information Security Policy, which is a mandatory document for ISO 27001, so it needs to be implemented regardless of whether the controls from sections A.5 and A.7 are applicable or not; that is why they are not linked to these controls.