A.5 Security Policies
A.5.1 Information Security Policy
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Information Security Policy Document
A set of policies must be defined, approved by management, published and communicated to employees and relevant external parties. The policies must be led by business needs, alongside the applicable regulations and legislation affecting the organisation too. These policies need to be reviewed regularly and updated when necessary. An information security policy document shall be approved by management, and published and communicated to all the employees and relevant external parties.
A.5.1.2 Review of the Information Security Policies
The policies for information security need to be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness. Whenever changes are made to the business, its risks & issues, technology or legislation & regulation or if security weaknesses, events or incidents indicate a need for policy change. Policies must be also reviewed and updated on a regular basis. ISO considers ‘regular’ to be at least annually, which can be hard work if you are manually managing that many reviews and also dovetailing it with the independent review.