Expert Advice Community

Control A.5.1.1 Policies for information security - when to select it?

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

During the ISO 27001:2013 implementation process it is of course mandatory at the first stage to define the ISMS scope, to obtain the support of the top management and to formalize a high-level Information Security Policy. But during the SoA step, is it necessary to select the ISO 27002 control related to Information Security Policy in order to write down a detailed Information Security Policy?

DejanK Jan 13, 2016

Answer:

I assume you refer to control A.5.1.1 Policies for information security - this control does not refer to high-level Information security policy, but to detailed policies like Access control policy, Acceptable use policy, Classification policy, etc.

As with other controls, you should select this control as applicable only if there are risks, some requirements, or if there is some other business reason. So if there are risks that require you to write the detailed policies, then you should select A.5.1.1 as applicable. See also this article: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

By the way, in the Statement of Applicability you choose the ISO 27001 Annex A controls, not ISO 27002 controls - although, the controls are basically the same. This article will help you: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
