July 14, 2025

ISO 27001 policy requirements: Complete list and how to write them

Megha Thakkar, Technical Content Writer at Scrut Automation

When it comes to implementing ISO 27001, most teams get tripped up not by the controls, but by the paperwork. And at the heart of that paperwork? Policies. Lots of them.

Think of these policies as your Information Security Management System’s (ISMS) instruction manual. They tell your team what’s expected, show auditors you mean business, and help leadership steer the ship in the right direction. Without them, compliance becomes a game of broken telephone—confusing, inconsistent, and risky.

But here’s the good news: you don’t have to start from scratch. Whether you’re building a single policy or setting up an entire policy stack, there is a method to the madness. In this blog, we’ll walk you through:

  • What ISO 27001 actually expects when it comes to policies
  • A complete list of essential ones so you don’t miss anything critical
  • How to write policies that are actually useful, not just shelfware
  • Where to find vetted templates and downloads

Let’s break it down and take the mystery out of ISO 27001 documentation, one policy at a time.

What are ISO 27001 policies?

ISO 27001 policies are formal, documented rules that shape how your organization protects its information assets. These policies define what needs to be done to meet security requirements, while procedures and controls describe how it’s done.

They’re not just for show. ISO 27001 treats policies as the foundation of a good ISMS. They create structure, ensure consistency, and show that leadership is actively steering the ship, not just watching from the sidelines.

Pro tip: Start short & grow.
Begin with essential policies that reflect your current risks and tech environment. As your ISMS matures, layer on additional policies that support new controls and teams.

What policies does ISO 27001 require?

ISO 27001 doesn’t hand you a ready-made list of policy titles. Instead, it sets expectations through two main parts of the standard: Clause 5.2 and Annex A.

Each policy should be:

  • Approved by leadership
  • Communicated to everyone who needs to follow it
  • Reviewed and updated regularly

Let’s unpack what that actually means for your documentation.

1. The high-level Information Security Policy (Clause 5.2)

This high-level policy sets the strategic direction for your entire information security program. It communicates management’s intent, outlines the organization’s approach to managing information risks, and sets objectives for continual improvement. It must:

  • Reflect your organization’s purpose and direction
  • Define security objectives
  • Commit to meeting applicable requirements
  • Support continual improvement
  • Be approved by top management and communicated clearly

Think of it as your information security mission statement. Everyone from the CEO to the newest hire should be able to understand what it says and why it matters.

2. Topic-specific policies (Annex A)

Control A.5.1 in Annex A requires organizations to define, approve, communicate, and review policies that govern specific control areas. These are sometimes called “supporting policies,” and they’re where most of your policy work lives.

They cover everything from access control to incident management and provide clear guidance to employees, vendors, and auditors on how the organization handles different areas of risk.

Here’s a list of common ISO 27001-aligned policies, based on control domains from Annex A:

Core governance policies

1. Risk management policy

Defines how the organization identifies, evaluates, and treats information security risks. It establishes risk appetite and criteria, sets out processes for risk assessment, and ensures consistent tracking, mitigation, and reporting of security threats.

2. Document and record control policy

Specifies how policies, procedures, and records related to information security are created, reviewed, approved, stored, and retired. This policy helps maintain version control and ensures accessibility and traceability during audits.

People-centric policies

3. Human resource security policy

Covers employee-related security measures across hiring, onboarding, employment, and exit processes. It includes background checks, confidentiality agreements, and role-based training to reduce insider risks.

4. Security awareness and training policy

Outlines how employees are educated on security practices, including onboarding training, annual refreshers, and targeted awareness campaigns. It ensures staff understand their role in maintaining security.

5. Acceptable use policy

Defines acceptable behaviors for using company-provided devices, email, internet, and other systems. It outlines what is allowed and what is considered misuse, reducing the risk of human error or abuse.

6. Clear desk and clear screen policy

Encourages employees to lock computers when unattended, secure printed documents, and maintain clean workspaces. This minimizes the risk of accidental exposure of sensitive data in physical environments.

Technical control policies

7. Access control policy

Details how access rights are granted, reviewed, modified, and revoked. It enforces principles like least privilege and separation of duties to prevent unauthorized access to systems and data.

8. Cryptography and key management policy

Defines when and how encryption is used to protect data in transit and at rest. It also covers the secure handling of cryptographic keys throughout their lifecycle: generation, distribution, storage, and disposal.

9. Logging & monitoring policy

Explains how system and user activities are logged, monitored, and reviewed to detect and respond to anomalies, unauthorized access, or policy violations.

10. Vulnerability management policy

Covers the process for identifying, assessing, and remediating security vulnerabilities in systems, software, and infrastructure. It ensures timely patching and reduces exposure to known threats.

11. Malware protection policy

Outlines controls for detecting, preventing, and responding to malicious software, including antivirus deployment, real-time scanning, and user behavior monitoring.

12. Cloud security policy

Defines controls for configuring, securing, and monitoring cloud services and infrastructure. It addresses shared responsibility models, access controls, encryption, and compliance requirements for cloud environments.

13. API security policy

Outlines guidelines for securing Application Programming Interfaces (APIs) across their lifecycle, including authentication, authorization, input validation, rate limiting, and secure coding standards.

System & development policies

14. Secure development policy

Establishes requirements for secure software development practices, including secure coding standards, peer reviews, and testing for vulnerabilities during the Software Development Lifecycle (SDLC).

15. Change management policy

Defines how technical changes are proposed, reviewed, tested, approved, and documented before implementation to ensure they do not introduce security risks or disrupt operations.

16. AI and automation policy

Establishes controls around the use of artificial intelligence and automation tools. It addresses ethical use, data handling, model testing, accountability, and human oversight in decision-making systems.

Data and asset protection policies

17. Asset management policy

Ensures all information assets, including hardware, software, and data, are inventoried, classified, assigned owners, and handled appropriately throughout their lifecycle.

18. Information classification and handling policy

Outlines how information is classified by sensitivity and handled accordingly. It includes rules for storage, access, sharing, and secure disposal.

19. Data retention and disposal policy

Specifies how long various data types should be retained for legal, regulatory, or business purposes and the secure methods for deleting or destroying data when no longer needed.

20. Data privacy policy

Defines how personal and sensitive data is collected, processed, shared, and protected in compliance with privacy regulations like GDPR or CCPA. It includes data subject rights, consent handling, and cross-border transfers.

Network, physical, and operational policies

21. Physical and environmental security policy

Covers protections for buildings, server rooms, and physical assets, including access control, surveillance, fire protection, and climate controls to prevent damage or unauthorized access.

22. Mobile device and remote work policy

Defines security requirements for employees using laptops, smartphones, or accessing systems remotely. It addresses secure configurations, encryption, VPN usage, and acceptable behaviors.

23. Information transfer policy

Describes how sensitive or business-critical information should be transferred within and outside the organization, including encryption, secure channels, and approval workflows.

24. SaaS usage and shadow IT policy

Establishes guidelines for using third-party SaaS applications, preventing unauthorized software use, and maintaining visibility into all cloud-based tools in the environment.

Third-party & continuity policies

25. Supplier and third-party security policy

Specifies how third-party vendors are evaluated, onboarded, and monitored to ensure they meet your security requirements. It also defines how data shared with suppliers is protected.

26. Incident management policy

Explains how to detect, report, assess, and respond to information security incidents. It defines roles, escalation procedures, post-incident analysis, and communication protocols.

27. Business continuity and backup policy

Outlines measures for ensuring operations can continue during and after a disruption. It includes backup frequency, recovery objectives, testing, and roles in disaster recovery planning.

28. Threat intelligence policy

Defines how external threat intelligence is collected, validated, and integrated into the organization's risk management process. It includes sharing indicators of compromise (IOCs) and proactive defense strategies.

You may not need every one of these out of the gate. But if a control is marked as applicable in your Statement of Applicability (SoA), your policies should reflect how it is being addressed.

Each policy should have:

  • A clear scope
  • A responsible owner
  • Definitions of who must follow it and how
  • A review schedule

Together, these policies make your ISMS operational; they bring your security principles to life in daily decisions.

Pro tip: Owners & roles matter.

Each policy should name a clear owner — someone who ensures it’s maintained, updated, and actually followed. Accountability isn’t optional when it comes to audits.

How to write your ISO 27001 policies

Figure: Step-by-step process to write ISO 27001 policies

Writing ISO 27001 policies isn’t about filling in templates with jargon. It’s about translating your security intent into language your teams can follow and your auditors can trust.

Here’s how to do it right:

1. Start with the standard

Begin by reviewing Clause 5.2 (for your master policy) and Annex A controls (for topic-specific ones). This helps you understand what each policy needs to support.

2. Set a clear structure

Each policy should answer these questions:

  • What is the purpose of this policy?
  • Who does it apply to?
  • What are the key rules or expectations?
  • Who owns and maintains it?
  • How often will it be reviewed?

Use plain language, not legalese, so it’s accessible to everyone, from your developers to your HR team.

3. Customize for your context

Don’t copy policies from the internet or competitors. Your risk environment, tech stack, team structure, and legal exposure are unique. Your policies should reflect that.

For example, if your developers use GitHub and AWS, your access control policy should reflect those tools, not generic references to “source code repositories.”

4. Link policies to controls

Each policy should map back to one or more ISO 27001 controls. This makes your Statement of Applicability stronger and helps during internal audits.

5. Get leadership approval

Policies carry weight only when management signs off. Formal approval shows auditors that the organization takes security seriously at the top level.

What is the difference between controls and policies?

Policies are high-level rules or guidelines that define what your organization intends to do (for example, “We will restrict access to systems based on role”).

Controls are specific actions or technical measures that define how those policies are implemented (for example, “Enable multi-factor authentication for admin accounts”).

In short, policies guide behavior, and controls enforce it.

“If you’ve got good controls in place, security is invisible … you’re not having to worry about whoever is clicking on a bad link because you’ve already got the measures in place to detect, respond, and recover.”
Goher Ritter, CISO at Worldpay, speaking in Information Security Is Like an F1 Pit Crew

Ways to implement ISO 27001 policies

Figure: Step-by-step process to implement ISO 27001 policies

Once your policies are written and approved, the next step is to implement them. Implementation isn’t just about uploading documents to a shared drive—it’s about making sure they’re actually followed.

Here are a few proven ways to embed policies into daily operations:

1. Make them accessible

Store your policies in a central, easy-to-find location like an internal knowledge base or compliance platform. Everyone should know where to find the latest version.

2. Train your teams

Use onboarding sessions, workshops, or quick video briefings to explain the “why” behind each policy. Make it relevant to their roles so the guidance sticks.

3. Collect acknowledgments

Have employees formally acknowledge they’ve read and understood the policies. This not only boosts accountability but also creates a paper trail for ISO 27001 audits.

4. Embed policies into tools and workflows

Tie policies to actual behavior. For instance, link your access control policy to how requests are approved in Jira or how encryption settings are enforced in AWS.

5. Monitor and reinforce

Check for policy violations using logging and monitoring tools. Reinforce the rules through regular reminders, internal audits, or spot checks.

6. Review and refine

Policies aren’t static. Review them at least once a year or whenever there’s a change in risk, tools, structure, or regulations. Feedback from users can help make them more practical.

How Scrut helps you write and manage ISO 27001 policies

Drafting policies is hard enough. Keeping them aligned, updated, and audit-ready? That’s a whole different challenge. Scrut takes the pain out of both.

Here’s how Scrut supports you at every step:

  • Start with expert templates by tapping into Scrut’s 75+ policy blueprints approved by experts so you can hit the ground running.
  • Customize with confidence thanks to built-in guidance prompts and sample text that help you tailor policies to your team’s workflows.
  • Assign owners and track progress so every policy moves smoothly from draft through review to approval.
  • Automate reviews and version control by setting reminders and logging every change to keep your documentation audit-ready.
  • Centralize access and acknowledgment by hosting all policies in one platform, sharing them with teams, and seeing who’s signed off.
  • Link policies to controls and evidence so each document connects directly to ISO 27001 requirements and proof of implementation.

Make ISO 27001 compliance effortless

Scrut gives you everything you need to draft, manage, and track ISO 27001 policies - without the busywork.


FAQs

What are the 3 key elements of information security in ISO 27001?

The three core elements of information security, as emphasized by ISO 27001, are:

  1. Confidentiality – Ensuring that sensitive information is only accessible to those who are authorized to view it.
  2. Integrity – Making sure that data is accurate, complete, and protected from unauthorized changes.
  3. Availability – Ensuring that information and systems are accessible when needed by authorized users.

Together, these form the foundation of a strong Information Security Management System (ISMS) under ISO 27001.

Which are the ISO 27001 mandatory policies?

ISO 27001 requires just one mandatory policy - the Information Security Policy. This policy, outlined in Clause 5.2 of the standard, describes your organization's overall approach to information security and must be approved by senior management, communicated, and reviewed regularly.

While this is the only explicitly mandatory policy, ISO 27001 also expects organizations to create supporting policies for applicable Annex A controls (such as access control, incident management, and asset handling). These aren’t named as mandatory in the clause, but if you implement the associated controls, having a supporting policy becomes essential for audit readiness.

How many new policies were added to the new version of ISO 27001:2022?

ISO 27001:2022 introduced 11 new controls in Annex A compared to the previous version, ISO 27001:2013. These updates reflect modern risks like cloud security, threat intelligence, and data masking.

How many controls does each Annex A category have?

The 2022 update groups a total of 93 controls into the following four themes:

  • Organisational controls - 37 controls
  • People controls - 8 controls
  • Physical controls - 14 controls
  • Technological controls - 34 controls
