Welcome to Asphalia Analytics

Discover your Cybersecurity Weaknesses before Hackers do.

Security · 1 min read · January 29, 2026

Cyber Security Act 2

Seven years after the original Cybersecurity Act, the EU is ready for version 2.0. CSA2 brings mandatory supply chain security measures, stronger ENISA capabilities, and the ability to force the removal of high-risk components from critical infrastructure — even retroactively.

CSA2 is here, and it's not just an update — it's a reset. The European Commission's January 2026 proposal tackles supply chain risks head-on, with new powers to ban high-risk vendors from 5G networks and critical sectors, a reinforced ENISA, and a certification framework that finally moves beyond voluntary adoption.

Security · 1 min read · January 29, 2026

NIS2 2026 Amendments

If you've just finished mapping your NIS2 obligations, you might not want to hear this — but the directive was explicitly designed to evolve, and the first major review cycle is already approaching in 2026.

Understanding what the European Commission will be evaluating, from sector coverage to cross-border coordination mechanisms, can help you build a compliance programme that won't need a complete overhaul when the amendments arrive. Here's a breakdown of what to watch for.

Security · 1 min read · January 29, 2026

NIS2 2026 Updates

The European Commission just announced targeted amendments to NIS2 that promise to simplify compliance for 28,700 companies - but does 'simplification' really mean easier, or just different hoops to jump through?

Security · 1 min read · December 6, 2025

Use Case 1

NIS2 Compliance: Know Your Attack Surface

The Challenge

Since October 2024, NIS2 requires essential and important entities to "take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems" (Article 21). This explicitly includes vulnerability management and knowledge of your exposed assets.

For many SMEs, this represents a significant challenge: how do you identify what attackers can see of your infrastructure without an in-house security team or expensive enterprise tools?

Our Solution

Asphalia Analytics provides a complete inventory of your external attack surface with risk prioritization aligned to NIS2 requirements:

  • Asset Discovery: Identification of all your exposed assets (domains, subdomains, IPs, services)
  • Shadow IT Detection: Uncovering forgotten or unknown assets that could be exploited
  • Vulnerability Assessment: Detection of exploitable vulnerabilities on exposed services
  • Compliance-Ready Reporting: Report directly usable for your compliance audits
  • Prioritized Remediation: Actionable recommendations ranked by risk level

Expected Outcome

Documentation ready to demonstrate your compliance with Article 21.2 (vulnerability management) during regulatory inspections or audits.

Security · 1 min read · December 6, 2025

Use Case 2

Cyber Resilience Act: Assess Your Risks Before Market Launch

The Challenge

The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to perform a cybersecurity risk assessment before placing products on the market. This assessment must cover potential vulnerabilities and exploitation risks throughout the product lifecycle.

For connected device manufacturers, this means not only securing the device itself but also the entire supporting infrastructure: update servers, management portals, APIs, and cloud backends.

Our Solution

Before launching a connected product, we analyze your external exposure:

  • Support Infrastructure Assessment: Security posture of your portals, APIs, and update servers
  • Credential Leak Detection: Discovery of potentially leaked credentials or secrets in public repositories
  • Cloud Configuration Review: Analysis of cloud services associated with your product
  • Certificate Chain Validation: Verification of certificates and their trust chain
  • Third-Party Dependency Analysis: Identification of external services your product relies on

Expected Outcome

An external assessment report documenting your due diligence, a key element of your CRA technical file demonstrating proactive security measures.

Security · 1 min read · December 6, 2025

Use Case 3

M&A Due Diligence: Evaluate the Cyber Risk of Your Target

The Challenge

During an acquisition, the target's cyber risk becomes your risk. Undiscovered vulnerabilities, shadow IT assets, and poor security practices can represent significant hidden costs post-acquisition. Traditional due diligence often overlooks cyber exposure, leaving acquirers with unexpected remediation costs and potential liability.

The challenge is compounded by the need to assess security posture without alerting the target or requiring access to their internal systems during early-stage negotiations.

Our Solution

Without any access to the target's systems (100% external and non-invasive assessment), we provide:

  • Complete Attack Surface Inventory: Full mapping of the target's external footprint
  • Critical Risk Identification: Exposed services, known vulnerabilities, misconfigurations
  • Data Leak Detection: Discovery of existing credential leaks, exposed documents, or sensitive data
  • Comparative Security Score: Benchmarking against industry standards and peers
  • Historical Analysis: Changes in security posture over time where data is available

Expected Outcome

A cyber due diligence report enabling informed negotiation and post-acquisition remediation planning. Identify potential deal-breakers or negotiate price adjustments based on discovered security debt.

Security · 1 min read · December 6, 2025

Use Case 4

Supply Chain Security: Vendor Risk Assessment

The Challenge

NIS2 and DORA mandate the assessment of your critical suppliers' security posture. Self-declaration questionnaires are no longer sufficient—regulators expect objective, verifiable evidence of supply chain risk management.

With supply chain attacks increasing dramatically, organizations need continuous visibility into their vendors' external security posture, not just point-in-time assessments based on questionnaires that may not reflect reality.

Our Solution

Objective and verifiable assessment of your suppliers' attack surface:

  • Independent Analysis: No reliance on vendor self-declaration
  • Sector Benchmarking: Comparison against industry security standards
  • Supply Chain Risk Mapping: Identification of shared dependencies and concentration risks
  • Continuous Monitoring Option: Periodic reassessment to track security posture changes
  • Evidence-Based Reporting: Documentation suitable for regulatory compliance

Expected Outcome

Documentation compliant with NIS2 Article 21.2(d) requirements on supply chain security. Defensible evidence of your vendor risk management program for auditors and regulators.

ISO 27001 · 1 min read · November 4, 2025

5.01 - Policies for Information Security - OnePager

Tags: security-policy

ISO 27001 · 1 min read · November 4, 2025

5.02 - Information security roles and responsibilities - OnePager

ISO 27001 · 1 min read · November 4, 2025

5.03 - Segregation of duties - OnePager
