Annex A · Organisational Control

A.5.1 — Policies for Information Security and Privacy

4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.1 · ISO 27001 · ISO 27002 · BSI ISMS.1

An organisation has 15 policies stored in SharePoint. Three have not been updated since 2019, two contradict each other, and half the workforce has never read a single one. A.5.1 demands the opposite: a current, approved and communicated policy framework.

Policies are the foundation of the entire ISMS. They document what the organisation expects in terms of information security — from the CEO to the newest intern. Without this foundation, all subsequent controls lack legitimacy.

What does the standard require?

  • Create and approve policies. The organisation needs an overarching information security policy plus topic-specific policies for relevant areas. Both must be approved by the appropriate management level.
  • Align with context. Policies must reflect the organisation’s business, legal, regulatory and contractual requirements — no boilerplate templates that miss the actual business reality.
  • Communicate to relevant audiences. Everyone affected by a policy must know and understand it. This includes external parties whose actions affect information security.
  • Review regularly. Policies are reviewed at planned intervals and upon significant changes. The review is documented.
  • Maintain consistency. Policies must not contradict each other. The overarching policy sets the framework; topic-specific policies provide detail.

In practice

Create a policy register. Maintain a central list of all policies with version, approval date, responsible person and next review date. This register serves as your steering instrument and audit evidence at the same time.

Define an approval process. Every policy follows a defined workflow: draft, expert review, approval, communication, archiving of the previous version. Record who approved what and when.

Communicate actively. Placing a policy on the intranet is insufficient. New and changed policies require active communication — via email, in training sessions or through the onboarding programme. Particularly effective: employees confirm they have read and understood the policy.

Maintain the review cycle. Set fixed dates for the annual review. Check: is the content still accurate? Have laws or contracts changed? Are there new business areas? Document the outcome — even if no changes were needed.

Typical audit evidence

Auditors typically expect the following evidence for A.5.1:

  • Information security policy — the overarching policy signed by top management
  • Policy register — central overview of all policies with version control and review status
  • Approval records — evidence of who approved which policy and when
  • Communication records — evidence that policies were distributed to target audiences (email distribution, training logs, acknowledgement confirmations)
  • Review records — documentation of periodic reviews, including “no change required”

KPI

% of information security and privacy policies reviewed and approved within the last 12 months

This KPI measures the currency of your policy framework. Target: 100%. Every policy that has exceeded its review date reduces the score. In practice, many organisations start at 60-70% and reach 100% after the first complete review cycle.

Supplementary KPIs:

  • Percentage of employees who have confirmed awareness of current policies
  • Average time between policy approval and communication (target: under 5 working days)
  • Number of policies with identified contradictions or gaps
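A minimal policy register and the KPI calculations described above, as an added example that is not code from the original page or from Cenedril. The register entries, their dates, the reading of "within the last 12 months" as 365 calendar days and the working-day count (weekdays only, no public holidays) are all constructed assumptions; a real register would be fed from the organisation's document system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "within the last 12 months" is read as 365 calendar days.
REVIEW_WINDOW_DAYS = 365
# Supplementary KPI target from the text: communication in under 5 working days.
COMMUNICATION_TARGET_WORKING_DAYS = 5


@dataclass
class Policy:
    """One row of the policy register: version, owner, approval and review data."""
    name: str
    version: str
    owner: str
    approved_on: date                     # last approval or documented "no change" review
    next_review: date                     # planned review date
    communicated_on: Optional[date] = None  # None = never actively communicated


def working_days_between(start: date, end: date) -> int:
    """Count weekdays after `start` up to and including `end` (holidays ignored)."""
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def is_current(policy: Policy, as_of: date) -> bool:
    """Reviewed and approved within the 12-month window."""
    return (as_of - policy.approved_on).days <= REVIEW_WINDOW_DAYS


def currency_kpi(register: list[Policy], as_of: date) -> float:
    """Main KPI: % of policies reviewed and approved within the last 12 months."""
    if not register:
        return 0.0
    current = sum(1 for p in register if is_current(p, as_of))
    return round(100.0 * current / len(register), 1)


def overdue_policies(register: list[Policy], as_of: date) -> list[str]:
    """Policies whose planned review date has passed; each one lowers the score."""
    return sorted(p.name for p in register if p.next_review < as_of)


def avg_working_days_to_communication(register: list[Policy]) -> float:
    """Supplementary KPI: average working days between approval and communication."""
    gaps = [working_days_between(p.approved_on, p.communicated_on)
            for p in register if p.communicated_on is not None]
    return round(sum(gaps) / len(gaps), 1) if gaps else 0.0


def communication_target_breaches(register: list[Policy]) -> list[str]:
    """Policies communicated too slowly (>= target) or never communicated at all."""
    breaches = []
    for p in register:
        if p.communicated_on is None:
            breaches.append(p.name)
        elif working_days_between(p.approved_on, p.communicated_on) >= COMMUNICATION_TARGET_WORKING_DAYS:
            breaches.append(p.name)
    return sorted(breaches)


def register_report(register: list[Policy], as_of: date) -> dict:
    """Steering view of the register: KPI plus the items that need action."""
    return {
        "as_of": as_of.isoformat(),
        "policies": len(register),
        "currency_kpi_percent": currency_kpi(register, as_of),
        "overdue": overdue_policies(register, as_of),
        "avg_working_days_to_communication": avg_working_days_to_communication(register),
        "communication_breaches": communication_target_breaches(register),
    }


# Constructed sample register (hypothetical policies and dates).
SAMPLE_REGISTER = [
    Policy("Information Security Policy", "3.0", "CISO",
           date(2025, 1, 15), date(2026, 1, 15), date(2025, 1, 17)),
    Policy("Access Control Policy", "2.1", "IAM Lead",
           date(2024, 3, 1), date(2025, 3, 1), date(2024, 3, 5)),
    Policy("Cryptography Policy", "1.4", "Security Architecture",
           date(2024, 9, 10), date(2025, 9, 10), date(2024, 9, 24)),
    Policy("Supplier Security Policy", "1.0", "Procurement",
           date(2023, 11, 20), date(2024, 11, 20), None),
]
SAMPLE_AS_OF = date(2025, 6, 30)

if __name__ == "__main__":
    for key, value in register_report(SAMPLE_REGISTER, SAMPLE_AS_OF).items():
        print(f"{key}: {value}")
```

With the constructed register the currency KPI is 50%: two of four policies were approved within the window, the two overdue ones are exactly the policies that pull the score down, and the Cryptography Policy shows up as a communication breach because ten working days passed between approval and distribution. The report output itself is the kind of dated snapshot that serves as audit evidence for the review cycle.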

BSI IT-Grundschutz

A.5.1 maps directly to the BSI core requirements for policy creation:

  • ISMS.1.A3 (Creating an information security policy) — explicitly requires a policy approved by top management with defined scope, security objectives and organisational structure.
  • ISMS.1.A1 (Assumption of overall responsibility) — top management must acknowledge information security as a strategic topic and provide resources.
  • ISMS.1.A16 (Creating audience-appropriate policies) — policies must be understandable and tailored to each target audience.
  • ORP.1.A1 (Defining responsibilities) — organisational rules documenting who is responsible for what.
  • ORP.3.A3 (Personnel briefing) — all employees must be briefed on the policies relevant to them.

A.5.1 is the umbrella control that holds the entire policy framework together.

Frequently asked questions

How many policies does an ISMS need at minimum?

ISO 27001 requires an overarching information security policy plus topic-specific policies for each relevant area (e.g. access control, cryptography, supplier security). Most organisations end up with 10-20 policies. Quality and currency matter more than sheer volume.

Who must approve the information security policy?

Top management (CEO, board of directors). This is an explicit requirement from ISO 27001 Clause 5.2. The approval documents the leadership commitment to information security and is one of the first items auditors verify.

How often must policies be reviewed?

ISO 27001 does not prescribe a fixed frequency. Common practice is an annual review plus event-driven reviews when significant changes occur (reorganisation, new business area, security incident). The review must be documented, even if nothing changes.