Expert Advice Community

A.5.1.1 Policies for Information Security

Guest user | Created: Jul 19, 2022 | Last commented: Jul 19, 2022

We have a customer requirement that we would like to include in the Information Security Policy. I will map these onto area ‘Setting top-level information security objectives and intentions’, but would also expect control A.5.1.1 Policies for Information Security to be triggered. From the mapping document this does not seem to be the case. Actually, A.5.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should A.5.* not be mapped as a result of the area I mentioned? Or any other area?
Expert
Rhand Leal Jul 19, 2022

Please note that ‘Setting top-level information security objectives and intentions’ is related to the Information Security Policy, which is a mandatory document for ISO 27001, so it needs to be implemented regardless of whether the controls from sections A.5 and A.7 are applicable or not, so then they are not linked to these controls.
