Policies for information security
Have clear, approved security policies that everyone knows about and follows.
Plain language
This control is about having clear rules for protecting information in your organisation. If these rules, known as information security policies, aren't in place, your organisation could be at risk of data breaches, which can lead to financial loss, legal trouble, and damage to your reputation.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
Why it matters
If security policies are not defined, approved, communicated and acknowledged, staff lack clear direction, leading to unmanaged risk, inconsistent controls and higher breach likelihood.
Operational notes
Maintain an ISMS policy set: get management approval, publish and brief relevant personnel/parties, record acknowledgement, and review on a schedule and after major changes.
Implementation tips
- The board or top management should define an overall information security policy that fits the organisation's goals and priorities. They should consider laws like the Privacy Act 1988 and industry guidelines like the ASD Essential Eight when crafting these policies.
- Senior management should approve these information security policies to show their commitment. This involves reviewing the policies to ensure they cover necessary areas like data protection, access controls, and employee responsibilities.
- The IT manager should communicate these policies to all employees and relevant parties. This can be done through training sessions, emails, or an internal website, ensuring everyone acknowledges and understands their responsibilities.
- Department heads should develop topic-specific policies that address the unique needs of their areas, such as network security or data handling procedures. These specific guidelines ensure daily practices align with the overall security policy.
- Human Resources should regularly review these policies, especially when there's a significant change in business operations or technology. They should also organise regular policy review meetings to adjust and improve these policies as needed.
Audit / evidence tips
- Ask for: the information security policy document. Good: the document will have signatures or notes from management showing their approval.
- Ask for: records of policy communication to staff and stakeholders.
- Ask for: the latest policy review date and notes. Good: includes a regular review schedule and evidence of adjustments made after incidents or changes.
- Ask for: examples of topic-specific policies (e.g., data access policies). Good: a match shows particular policies supporting and conforming to the main policy's principles.
- Ask for: change approval records for these policies. Good: the process includes a documented set of updates authorised by the responsible management.
Cross-framework mappings
How Annex A 5.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (7) | |
| ISM-0588 | ISM-0588 requires a specific topic policy for the use of multifunction devices to be developed, implemented and maintained |
| ISM-1078 | ISM-1078 requires a specific topic policy for telephone system usage to be developed, implemented, and maintained |
| ISM-1359 | ISM-1359 requires an organisation to develop, implement and maintain a topic-specific policy covering removable media usage |
| ISM-1549 | ISM-1549 requires an organisation to develop, implement, and maintain a media management policy for how media is handled and controlled |
| ISM-1551 | ISM-1551 requires an organisation to develop, implement and maintain a specific topic policy for IT equipment management |
| ISM-1829 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), representing a specific mandatory security configurati... |
| ISM-1864 | ISM-1864 requires a specific topic-level policy for system usage to be developed, implemented, and maintained |
| Partially overlaps (10) | |
| ISM-0039 | Annex A 5.1 requires the definition and management of information security policies |
| ISM-0043 | Annex A 5.1 requires topic-specific policies to be defined, approved, communicated and reviewed, including for areas like incident manage... |
| ISM-0047 | Annex A 5.1 requires defining, approving by management, publishing, communicating, acknowledging, and reviewing information security and ... |
| ISM-0264 | Annex A 5.1 requires topic-specific policies to be defined, approved, communicated and reviewed to govern secure behaviour |
| ISM-0888 | Annex A 5.1 mandates regular review of policies and their acknowledgment alongside management approval |
| ISM-1478 | ISM-1478 requires the CISO to oversee the cyber security program and ensure compliance with cyber security policy, standards, regulations... |
| ISM-1587 | ISM-1587 requires system owners to provide an annual security status report for each system to the authorising officer |
| ISM-1602 | ISM-1602 requires cyber security documentation (and subsequent changes) to be communicated to all stakeholders |
| ISM-1617 | ISM-1617 calls for the CISO to regularly review and update the cyber security program to ensure its relevance |
| ISM-1999 | ISM-1999 requires the board or executive committee to ensure the organisation's cyber security strategy aligns with the overarching strat... |
| Supports (15) | |
| ISM-0009 | ISM-0009 requires identifying additional controls for specific systems based on their unique risks, environments and the organisation's r... |
| ISM-0041 | Annex A 5.1 sets the requirement for organisational and topic-specific information security policies to be established and maintained thr... |
| ISM-0407 | ISM-0407 requires keeping user access records including a signed agreement to abide by system usage policies and details of who authorise... |
| ISM-0499 | ISM-0499 requires compliance with ASD communications security doctrine and policy for the management and operation of HACE |
| ISM-0718 | ISM-0718 requires CISO board reporting on cyber security |
| ISM-0725 | ISM-0725 requires the CISO to align cyber security and business strategies through a regular, formal executive steering committee/advisor... |
| ISM-0726 | ISM-0726 requires the CISO to coordinate security risk management activities between cyber security and business teams |
| ISM-0732 | ISM-0732 requires that the CISO receives and manages a dedicated cyber security budget for the organisation |
| ISM-1626 | ISM-1626 requires seeking legal advice specifically for insider threat mitigation program development and implementation |
| ISM-1865 | ISM-1865 requires personnel to agree to abide by system usage policies before being granted access to systems and resources |
| ISM-1997 | ISM-1997 requires leadership to define cyber security roles and responsibilities within the board/executive and across the organisation |
| ISM-1998 | ISM-1998 requires the board or executive committee to ensure cyber security is integrated throughout all business functions |
| ISM-2001 | ISM-2001 requires executive-level championing of cyber security culture, including demonstrating commitment and setting expectations |
| ISM-2002 | ISM-2002 requires the board or executive committee to maintain sufficient cyber security literacy to meet fiduciary and regulatory obliga... |
| ISM-2008 | ISM-2008 sets a topic-specific rule for SECRET/TOP SECRET environments: only authorised medical devices meeting defined provenance and co... |
| Depends on (2) | |
| ISM-1195 | ISM-1195 requires a defined mobile device management policy and mandates that it is enforced using an evaluated MDM solution |
| ISM-1868 | ISM-1868 mandates an operational restriction on SECRET and TOP SECRET mobile devices, requiring ASD pre-approval before any removable med... |
| Related (2) | |
| ISM-1510 | Annex A 5.1 requires an organisation to establish and manage various security policies |
| ISM-2074 | Annex A 5.1 requires organisations to establish and maintain information security policy and topic-specific policies, including communica... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.