RBC ISO 27001 · Q1 2026 / ISO 27001:2022 / 5. Organizational controls / A.5.1 Policies for information security
A.5.1 · ISO 27001:2022 · Organizational · Priority: high

Policies for information security

Not reviewed · Last AI run 2h ago · 3 mappings pending
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Topic-specific policies should typically address:
a) access control
b) physical and environmental security
c) asset management
d) information transfer
e) secure configuration and handling of user endpoint devices
f) network security
g) information security incident management
Verdict
3/5
AI 3.0 · Override
Final = AI score (no human override)
AI rationale

Information security policy is documented and approved (firewall config screenshot + asset list confirm policy is in force). However, no evidence yet of scheduled review intervals or topic-specific policies for incident management or information transfer. Score reflects partial coverage of the control's requirements.

Gaps (3)
  • No evidence of scheduled policy review intervals
  • Topic-specific policies for incident management not documented
  • Information transfer policy not provided
Recommendations (2)
  • Request annual review log from IT governance
  • Request topic-specific policy index (covers items b, d, g)

Mapped evidence · 5 cited · 1 pending review

Information_Security_Policy_v3.2.pdf · document · 3/5 · approved

AI rationale: Document is the formal information security policy, approved by CISO 2025-09-12. Covers items (a) access control and (e) endpoint security. Score 3 reflects partial topic coverage…

Captured 2026-04-12 · Also maps to A.5.10, A.5.32
Firewall config — Palo Alto admin panel.png · screenshot · 3/5 · approved

AI rationale: Demonstrates that policy is technically enforced via firewall ACLs. Supports item (f) network security…

Captured 2026-04-15 · Also maps to A.8.20
asset_inventory_2026Q1.csv · configuration · 2/5 · pending · low confidence

AI rationale: Asset inventory is tangentially relevant — confirms scope of policy enforcement but doesn't directly evidence the policy itself. Suggest unmapping.

Suggested action: unmap
Observation: CISO confirmed annual review cycle in call · observation · human-authored

Spoke with David Chen (CISO) on 2026-04-22. Confirmed policy is reviewed annually each Q3 by the IT governance committee. Next review scheduled for 2026-09. Evidence to be requested.

By G. Wang · 2026-04-22

Discussion · 2 comments · 1 unresolved

Anouar M. 2026-04-20 · Reviewer

Score feels low. The asset list shouldn't really count against this control — it's a different kind of evidence. Suggest unmapping the CSV and bumping to 3.

George W. 2026-04-22 · Consultant

Agreed. Will add observation from CISO call and unmap the CSV. Need to request the annual review log from David's team.

Activity · 12 events · last 7 days
George W. added observation · 2h ago
AI suggested 1 mapping (asset_inventory) · 4h ago
Anouar M. commented · yesterday
George W. uploaded firewall screenshot · 4d ago
AI generated initial mappings (3) · 4d ago
A.5.1 · pending review · shortcuts: A approve · R remap · V revisit

Design notes (where this maps to OOUX)

Six slots (per 09 — Slot Components)
  • 1. Identity — control ID, title, status chip, breadcrumb
  • 2. Verdict — score with AI/Override distinction, gaps, recommendations
  • 3. Relationships — Mapped evidence, with peek-able rows
  • 4. Discussion — anchored thread on this control
  • 5. Activity — chronological audit trail
  • 6. Actions — sticky bottom bar (the three CTAs)
Audience filter (per 02 — Audiences)
  • Toggle top-right: Consultant / Reviewer / Client
  • Reviewer: hides Re-run AI, Override score, Add evidence
  • Client: hides AI rationale text, Action bar; verdict shows final only
  • Same blob, slot visibility differs
Annotations honored
  • 1:61 — Project hierarchy distinct in left nav
  • 1:62 — Right rail with framework index
  • 1:55 — ⌘E evidence peek shortcut hint top-right
  • 1:56–58 — Control text preserves PDF newlines
  • 1:59 — Status uses word + color + icon, not just dots
  • 1:60 — "Map evidence" inline with the section header

What's not in this mockup yet