Control A.5.1 in ISO 27001:2022 Annex A is the foundation of your entire Information Security Management System. It requires that your organisation defines, approves, publishes, and communicates a set of information security policies — and reviews them at planned intervals or when significant changes occur.
If you get A.5.1 right, every other Annex A control becomes easier to implement. Get it wrong, and auditors will flag gaps across your entire ISMS.
What Does Control A.5.1 Require?
The formal requirement from ISO 27001:2022 Annex A states:
A.5.1 — Policies for information security: A set of policies for information security shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals or if significant changes occur.
In practical terms, this means you need:
Why A.5.1 Matters
A.5.1 is often the first control auditors examine because it sets the tone for your entire ISMS. Here's why it's critical:
Step-by-Step Implementation
Step 1: Define your policy hierarchy
Start with a layered approach:
Most organisations need between 8 and 15 topic-specific policies. Don't create policies for the sake of it — each one should map to risks identified in your risk assessment.
Step 2: Draft policies aligned to your risk register
For each topic-specific policy, reference the risks it addresses. A good policy includes:
Step 3: Get management approval
ISO 27001 explicitly requires management approval. This means:
Step 4: Communicate and get acknowledgement
Writing policies is not enough. You must prove that relevant people have received and understood them:
Step 5: Schedule and perform reviews
Set a review cadence — annually at minimum, or triggered by:
Document every review, even if no changes were made. Auditors want to see that you actively considered whether updates were needed.
Evidence Needed for Auditors
When the certification auditor examines A.5.1, they'll look for:
| Evidence | What it proves |
|---|---|
| Top-level information security policy (signed, dated) | Management commitment and strategic direction |
| Set of topic-specific policies | Coverage of relevant Annex A domains |
| Policy approval records (signatures, meeting minutes) | Formal management approval |
| Communication log / distribution records | Policies were shared with relevant personnel |
| Acknowledgement records (signed forms, digital confirmations) | Personnel received and accepted the policies |
| Review records with dates and outcomes | Policies are maintained and current |
| Version history / change log | Controlled document management |
Common Pitfalls
How ISMS Copilot Helps
ISMS Copilot accelerates A.5.1 implementation by:
Instead of spending weeks drafting policies from scratch, teams using ISMS Copilot typically complete their full policy set in days.
Related Controls
A.5.1 connects directly to several other Annex A controls:
Frequently Asked Questions
How many information security policies do I need for ISO 27001?
There is no fixed number. ISO 27001 requires one top-level information security policy plus topic-specific policies relevant to your organisation. Most companies implement between 8 and 15 topic-specific policies. The key is that your policies cover the risks identified in your risk assessment and the Annex A controls in your Statement of Applicability. A 20-person startup will need fewer policies than a 5,000-person enterprise.
How often should information security policies be reviewed?
ISO 27001 requires reviews at "planned intervals" — most organisations set an annual review cycle. However, you should also review policies when significant changes occur: a major security incident, organisational restructuring, new regulations, or changes to your technology stack. Document every review, even when no changes are made, to demonstrate ongoing compliance.
Can I use policy templates for ISO 27001 A.5.1?
Templates are a useful starting point, but they must be customised to reflect your organisation's actual operations, risk profile, and context. Auditors look for policies that are specific and actionable — not generic documents that could apply to any company. Tools like ISMS Copilot generate tailored drafts based on your specific inputs, which saves time while ensuring relevance.
