Control A.5.1.1 Policies for information security - when to select it?
Answer:
I assume you refer to control A.5.1.1 Policies for information security - this control does not refer to high-level Information security policy, but to detailed policies like Access control policy, Acceptable use policy, Classification policy, etc.
As with other controls, you should select this control as applicable only if there are risks, some requirements, or if there is some other business reason. So if there are risks that require you to write the detailed policies, then you should select A.5.1.1 as applicable. See also this article: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
By the way, in the Statement of Applicability you choose the ISO 27001 Annex A controls, not ISO 27002 controls, although the controls are basically the same. This article will help you: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Jan 13, 2016