In-Depth Guide to Annex A 5.37
What Is Annex A 5.37 and Why Does It Matter?
Information security is delivered through day-to-day operations.
Many incidents occur because:
- Tasks are performed differently by different people
- Infrequent activities are forgotten or improvised
- Knowledge exists only with individuals
- Responsibility changes without proper handover
Annex A 5.37 ensures that critical and sensitive activities are:
- Repeatable
- Understandable
- Transferable
- Less dependent on individual experience
This control applies to operational activities, not just technical ones.
When Documented Operating Procedures Are Appropriate
Documented procedures are particularly valuable when:
- An activity is performed by multiple people in the same way
- An activity is performed infrequently
- There is a risk of steps being forgotten
- New or unfamiliar activities are introduced
- Responsibility is transferred between individuals or teams
- Errors could have security, operational, or compliance impact
The intent is to reduce variability where variability introduces risk.
In-Depth Guide to Annex A 5.1
What is Annex A 5.1 and Why Does It Matter?
Annex A 5.1 is a foundational governance control. It sets the tone for the entire Information Security Management System (ISMS).
Policies define:
- What the organisation values
- How security decisions are approached
- Where accountability sits
Without clear policies, security becomes inconsistent. Teams improvise. Decisions vary depending on who’s involved. Risk acceptance becomes informal and undocumented.
From a security perspective, that inconsistency is often where incidents start.
From a business perspective, unclear policies lead to friction — security teams blocking work, delivery teams bypassing controls, and leadership stepping in only when something breaks.
A well-designed policy framework:
- Aligns security with business objectives
- Supports proportionate, risk-based decisions
- Provides a reference point during incidents and disputes
- Creates consistency without bureaucracy
A common real-world scenario we see is organisations with technically strong controls but weak policy direction. When an exception arises — a supplier request, a new platform, a rushed delivery — there’s no agreed framework to guide the decision. That’s when risk is introduced quietly and unintentionally.
How to Implement Annex A 5.1 Effectively
A practical, security-first approach usually includes the following steps.
1. Define a Comprehensive Information Security Policy
Policies exist to set direction, not to document every control.Start by being clear about what your policies are there to achieve:
- Scope: What the policy applies to (systems, data, people).
- Objectives: Why security is important for the business.
- Roles & Responsibilities: Who is accountable for security.
- Key Principles: Risk management, access control, and data protection.
2. Secure Senior Management Approval
Leadership support is critical. Without it, policies remain words on paper without real enforcement. Senior executives should:
- Review and approve policies.
- Ensure resources are allocated for implementation.
- Lead by example in enforcing security policies.
3. Communicate and Train Employees
A policy is useless if no one reads or understands it.
- Include security policies in onboarding and ongoing training.
- Ensure policies are easily accessible to all employees.
- Encourage acknowledgment and acceptance of security responsibilities.
4. Regular Review & Continuous Improvement
Information security threats evolve, and so should your policies.
- Set a schedule for periodic policy reviews (at least annually).
- Update policies based on business changes, new threats, or regulatory updates.
- Conduct audits to ensure compliance and effectiveness.
5. Integrate Policies into the ISMS
Your information security policy should be the backbone of your ISMS (Information Security Management System).
- Use it to develop more detailed security procedures.
- Ensure policies align with other Annex A controls and broader risk management practices.
Key Differences: ISO 27001:2013 vs ISO 27001:2022
|
| Control Structure | Two separate controls: 5.1.1 & 5.1.2 | Merged into one control (5.1) |
| Implementation Guidance | Less prescriptive | More detailed guidance for policy creation and alignment |
| Awareness & Training | Not explicitly mentioned | Explicitly requires policies to be part of training programmes |
| Attributes Table | Not included | ew attributes table for mapping policies to industry terms |
The new approach in ISO 27001:2022 ensures that policies are not just created but actively integrated into business operations, improving security culture across organisations.
Common Challenges & How to Overcome Them
- Challenge: Employees don’t follow security policies.
- Solution: Make policies practical and relevant to daily work. Use real-world examples in training.
- Challenge: Policies are outdated or too generic.
- Solution: Schedule annual reviews and update policies based on real threats and business changes.
- Challenge: Policies are written in technical jargon.
- Solution: Use plain language that all employees can understand.
- Challenge: Lack of leadership buy-in.
- Solution: Show how weak security affects business objectives—costs of breaches, loss of client trust, and legal penalties.
Final Recommendations
- Make security policies living documents—review, refine, and update regularly.
- Use policy training and awareness to create a security-conscious workforce.
- Ensure policies are accessible, relevant, and easy to understand.
- Keep policies aligned with business strategy and regulatory requirements.
- Engage leadership in driving security culture from the top down.
By embedding strong security policies into your business operations, you don’t just tick a compliance box—you build a robust security posture that protects your organisation from real-world threats.
