UnixTime

Research Note

A.5 Organizational Controls MOC

Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.

On this page

Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.

Coverage status

This MOC now covers ISO/IEC 27001 Annex A.5 organizational controls A.5.1 through A.5.37.

Covered controls

Control Note Core idea
A.5.1 A.5.1 Policies for Information Security Policies must be defined, approved, published, communicated, acknowledged, and reviewed
A.5.2 A.5.2 Information Security Roles and Responsibilities Security roles and responsibilities must be defined and allocated
A.5.3 A.5.3 Segregation of Duties Conflicting duties and responsibilities must be separated
A.5.4 A.5.4 Management Responsibilities Managers must require personnel to apply security policies and procedures
A.5.5 A.5.5 Contact with Authorities Relevant authorities must be identified, contactable, and linked to compliance, incident, and continuity needs
A.5.6 A.5.6 Contact with Special Interest Groups Specialist groups and professional forums help maintain external security awareness
A.5.7 A.5.7 Threat Intelligence Threat information must be collected, analyzed, contextualized, and used for ISMS decisions
A.5.8 A.5.8 Information Security in Project Management Information security must be built into project governance, requirements, changes, testing, and transition
A.5.9 A.5.9 Inventory of Information and Other Associated Assets Information and associated assets must be inventoried, owned, classified, maintained, and disposed of properly
A.5.10 A.5.10 Acceptable Use of Information and Other Associated Assets Rules for acceptable use and handling must be documented, communicated, acknowledged, and enforced
A.5.11 A.5.11 Return of Assets Assets and organizational information must be returned or securely removed when roles, contracts, or employment end or change
A.5.12 A.5.12 Classification of Information Information must be classified by protection need using clear, usable levels
A.5.13 A.5.13 Labelling of Information Labelling procedures must make classification visible or actionable across formats
A.5.14 A.5.14 Information Transfer Information transfer rules, procedures, and agreements must cover internal, external, digital, physical, and third-party transfers
A.5.15 A.5.15 Access Control Physical and logical access rules must enforce business need, least privilege, and owner-approved access
A.5.16 A.5.16 Identity Management Identities must be managed through their full lifecycle with unique accountability where possible
A.5.17 A.5.17 Authentication Information Secret authentication information must be issued, handled, reset, and protected through a controlled process
A.5.18 A.5.18 Access Rights Access rights must be provisioned, reviewed, modified, and removed according to access control rules
A.5.19 A.5.19 Information Security in Supplier Relationships Supplier security risks must be identified, assessed, controlled, contractually addressed, and reviewed
A.5.20 A.5.20 Addressing Information Security Within Supplier Agreements Supplier security requirements must be agreed based on relationship type and risk
A.5.21 A.5.21 Managing Information Security in the ICT Supply Chain ICT supply-chain dependencies and inherited supplier risks must be identified and managed
A.5.22 A.5.22 Monitoring, Review and Change Management of Supplier Services Supplier services and security practices must be monitored, reviewed, evaluated, and changed under control
A.5.23 A.5.23 Information Security for Use of Cloud Services Cloud services must be governed from acquisition through use, management, monitoring, and exit
A.5.24 A.5.24 Information Security Incident Management Planning and Preparation Incident management processes, roles, responsibilities, and reporting routes must be prepared before incidents occur
A.5.25 A.5.25 Assessment and Decision on Information Security Events Reported security events must be triaged and clearly categorized as incidents or non-incidents
A.5.26 A.5.26 Response to Information Security Incidents Incidents must be handled according to documented response procedures
A.5.27 A.5.27 Learning from Information Security Incidents Incident knowledge must improve controls, procedures, awareness, and the ISMS
A.5.28 A.5.28 Collection of Evidence Evidence related to security events must be identified, collected, acquired, and preserved under control
A.5.29 A.5.29 Information Security During Disruption Information security must be maintained at an appropriate level during disruption
A.5.30 A.5.30 ICT Readiness for Business Continuity ICT readiness must be planned, implemented, maintained, and tested against continuity objectives
A.5.31 A.5.31 Legal, Statutory, Regulatory and Contractual Requirements Relevant legal, regulatory, statutory, and contractual security requirements must be identified, documented, and kept current
A.5.32 A.5.32 Intellectual Property Rights Procedures must protect intellectual property rights for software, content, source code, licences, and AI-generated material
A.5.33 A.5.33 Protection of Records Records must be protected from loss, destruction, falsification, unauthorized access, and unauthorized release
A.5.34 A.5.34 Privacy and Protection of PII Privacy and PII requirements from laws, regulations, and contracts must be identified and met
A.5.35 A.5.35 Independent Review of Information Security Information security management and implementation must be independently reviewed at planned intervals or after significant change
A.5.36 A.5.36 Compliance with Policies, Rules and Standards for Information Security Compliance with security policies, rules, standards, and technical baselines must be regularly reviewed
A.5.37 A.5.37 Documented Operating Procedures Operating procedures for information processing facilities must be documented and available to required personnel

Key pattern

A.5 controls are governance-heavy. Auditors typically look for:

  • clear ownership;
  • approved documents;
  • role clarity;
  • communication and acknowledgement;
  • evidence that the process is active;
  • evidence that controls are reviewed and improved.
  • Iso27001
  • ISO27002
  • Annex a
  • Organizational controls
  • Moc

Note Metadata

Aliases: Annex A.5 MOC

Source: 02 Annex A Organizational Controls/A.5 Organizational Controls MOC.md