Last time I mentioned that the new edition of ISO 27001 no longer distinguishes between "Information security policies" and "ISMS policies" in its policy requirements, and keeps only "Information security policies"; I also covered the requirements in the main body of the standard. Below I describe the requirements and implementation guidance for the control measure itself.
A.5.1.1 Policies for information security
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
At the highest level, organizations should define an "information security policy" which is approved by management (thus demonstrating its commitment to the policy) and which sets out the organization’s approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) definition of information security, objectives and principles to guide all activities relating to information security;
b) assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security control objectives and are typically structured to address the needs of certain target groups within an organization or to cover certain topics.
Examples of such detailed policy topics include:
a) access control (see clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see clause 11);
d) end-user-oriented topics such as: