From 890e0d8c4f9ce88451f364f202f63b8dbd53489b Mon Sep 17 00:00:00 2001 From: Richard Kranendonk Date: Fri, 1 May 2026 16:37:33 +0200 Subject: [PATCH] Restore files to match origin/27002-metadata Both a-5.1-Policies-for-information-security.md and a-5.2-Information-security-roles-and-responsibilities.md had extraneous content (duplicate headers, extra frontmatter, text changes) compared to their expected state. Restored from origin/27002-metadata branch. --- ...a-5.1-Policies-for-information-security.md | 36 +++++++++++++++---- ...ion-security-roles-and-responsibilities.md | 1 - 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md index c16d528..aa4086c 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.1-Policies-for-information-security.md @@ -1,4 +1,27 @@ -#iso27002/2022/EN +--- +notetype: sourcetext +standard: ISO 27002 +version: 2022 +language: EN +type: control +id: "A.5.1" +title: "Policies for information security" +theme: Organizational +control_type: [Preventive] +information_security_properties: + - Confidentiality + - Integrity + - Availability +cybersecurity_concepts: [Identify] +operational_capabilities: [Governance] +security_domains: + - Governance_and_Ecosystem + - Resilience +tags: + - iso27002/2022/EN +status: active +--- + ## 5.1 Policies for information security #### Control 
@@ -8,7 +31,7 @@ Information security policy and topic-specific policies should be defined, appro To ensure continuing suitability, adequacy, effectiveness of management direction and support for information security in accordance with business, legal, statutory, regulatory and contractual requirements. #### Guidance -At the highest level, the organization should define an “information security policy” which is approved by top management and which sets out the organization’s approach to managing its information security. +At the highest level, the organization should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security. The information security policy should take into consideration requirements derived from: 
@@ -45,10 +68,10 @@ j) information classification and handling; k) management of technical vulnerabilities; l) secure development. -The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organization’s information security policy and topic-specific policies and managing information security in response to changes to: +The responsibility for the development, review and approval of the topic-specific policies should be allocated to relevant personnel based on their appropriate level of authority and technical competency. The review should include assessing opportunities for improvement of the organization's information security policy and topic-specific policies and managing information security in response to changes to: -a) the organization’s business strategy; -b) the organization’s technical environment; +a) the organization's business strategy; +b) the organization's technical environment; c) regulations, statutes, legislation and contracts; d) information security risks; e) the current and projected information security threat environment; 
@@ -56,7 +79,7 @@ f) lessons learned from information security events and incidents. The review of information security policy and topic-specific policies should take the results of management reviews and audits into account. Review and update of other related policies should be considered when one policy is changed to maintain consistency. -The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organization’s needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others. +The information security policy and topic-specific policies should be communicated to relevant personnel and interested parties in a form that is relevant, accessible and understandable to the intended reader. Recipients of the policies should be required to acknowledge they understand and agree to comply with the policies where applicable. The organization can determine the formats and names of these policy documents that meet the organization's needs. In some organizations, the information security policy and topic-specific policies can be in a single document. The organization can name these topic-specific policies as standards, directives, policies or others. If the information security policy or any topic-specific policy is distributed outside the organization, care should be taken not to improperly disclose confidential information. 
@@ -74,4 +97,3 @@ Topic-specific policies can vary across organizations. # Related - [[ISO_27002_PE 5.1 Policies for information security]] - diff --git a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md index d525666..7b88880 100644 --- a/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md +++ b/Corpus/Standards/ISO27x/OST/27002/EN/a-5.2-Information-security-roles-and-responsibilities.md @@ -1,4 +1,3 @@ -#iso27002/2022/EN ## 5.2 Information security roles and responsibilities ### Control
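Review bot: in the first hunk of a-5.1-Policies-for-information-security.md (`@@ -1,4 +1,27 @@`) the direction of the change contradicts the commit message: the message says the file had "extra frontmatter" that was cleaned away, but the hunk removes only the single `#iso27002/2022/EN` tag line and adds a 23-line YAML frontmatter block (`---`, `notetype: sourcetext` through `status: active`, `---`). Please reword the message to say the frontmatter was reinstated from origin/27002-metadata, or drop the hunk if the message is right. One smaller point in the added block: the YAML list style is mixed (`control_type: [Preventive]` and `cybersecurity_concepts: [Identify]` in flow style, `information_security_properties:` and `security_domains:` as block lists); pick one so downstream tooling that reads these fields sees a consistent shape.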
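Review bot: hunk `@@ -8,7 +31,7 @@` of the 5.1 file is a pure punctuation change, replacing the typographic quotes “ ” and ’ with ASCII " and ', and the same normalization is the only difference in hunks `@@ -45,10 +68,10 @@` and `@@ -56,7 +79,7 @@`. The commit message does not mention it (it lists "duplicate headers, extra frontmatter, text changes" only). Because the file is tagged `notetype: sourcetext`, silently rewriting the punctuation of quoted standard text should at least be called out in the message, and ideally land as its own commit, so that later diffs against the standard's wording are not polluted by quote-character noise.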
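Review bot: hunk `@@ -74,4 +97,3 @@` only drops the trailing blank line after the `- [[ISO_27002_PE 5.1 Policies for information security]]` link, which is fine, but the surrounding context shows `# Related` as a level-1 heading underneath the file's level-2 title `## 5.1 Policies for information security`, so the document outline is inverted. If origin/27002-metadata is treated as canonical, fix the heading level there (`### Related` would sit under `## 5.1`) and re-run the restore, rather than carrying the inverted outline forward.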
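Review bot: the hunk in a-5.2-Information-security-roles-and-responsibilities.md (`@@ -1,4 +1,3 @@`) removes the `#iso27002/2022/EN` tag line but, unlike the 5.1 file, adds no frontmatter in its place, so after this patch the 5.2 note carries no tag or metadata at all while 5.1 gets a full `id:`/`tags:`/`status:` block. Either add the equivalent frontmatter for A.5.2 here or state in the commit message that 5.2 is intentionally left without metadata. The two files also disagree on heading levels: `#### Control` under `## 5.1` versus `### Control` under `## 5.2`; choose one so the control sections parse at the same depth.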