Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.
Coverage status
This MOC now covers ISO/IEC 27001 Annex A.5 organizational controls A.5.1 through A.5.37.
Covered controls
| Control | Note | Core idea |
|---|---|---|
| A.5.1 | A.5.1 Policies for Information Security | Policies must be defined, approved, published, communicated, acknowledged, and reviewed |
| A.5.2 | A.5.2 Information Security Roles and Responsibilities | Security roles and responsibilities must be defined and allocated |
| A.5.3 | A.5.3 Segregation of Duties | Conflicting duties and responsibilities must be separated |
| A.5.4 | A.5.4 Management Responsibilities | Managers must require personnel to apply security policies and procedures |
| A.5.5 | A.5.5 Contact with Authorities | Relevant authorities must be identified, contactable, and linked to compliance, incident, and continuity needs |
| A.5.6 | A.5.6 Contact with Special Interest Groups | Specialist groups and professional forums help maintain external security awareness |
| A.5.7 | A.5.7 Threat Intelligence | Threat information must be collected, analyzed, contextualized, and used for ISMS decisions |
| A.5.8 | A.5.8 Information Security in Project Management | Information security must be built into project governance, requirements, changes, testing, and transition |
| A.5.9 | A.5.9 Inventory of Information and Other Associated Assets | Information and associated assets must be inventoried, owned, classified, maintained, and disposed of properly |
| A.5.10 | A.5.10 Acceptable Use of Information and Other Associated Assets | Rules for acceptable use and handling must be documented, communicated, acknowledged, and enforced |
| A.5.11 | A.5.11 Return of Assets | Assets and organizational information must be returned or securely removed when roles, contracts, or employment end or change |
| A.5.12 | A.5.12 Classification of Information | Information must be classified by protection need using clear, usable levels |
| A.5.13 | A.5.13 Labelling of Information | Labelling procedures must make classification visible or actionable across formats |
| A.5.14 | A.5.14 Information Transfer | Information transfer rules, procedures, and agreements must cover internal, external, digital, physical, and third-party transfers |
| A.5.15 | A.5.15 Access Control | Physical and logical access rules must enforce business need, least privilege, and owner-approved access |
| A.5.16 | A.5.16 Identity Management | Identities must be managed through their full lifecycle with unique accountability where possible |
| A.5.17 | A.5.17 Authentication Information | Secret authentication information must be issued, handled, reset, and protected through a controlled process |
| A.5.18 | A.5.18 Access Rights | Access rights must be provisioned, reviewed, modified, and removed according to access control rules |
| A.5.19 | A.5.19 Information Security in Supplier Relationships | Supplier security risks must be identified, assessed, controlled, contractually addressed, and reviewed |
| A.5.20 | A.5.20 Addressing Information Security Within Supplier Agreements | Supplier security requirements must be agreed based on relationship type and risk |
| A.5.21 | A.5.21 Managing Information Security in the ICT Supply Chain | ICT supply-chain dependencies and inherited supplier risks must be identified and managed |
| A.5.22 | A.5.22 Monitoring, Review and Change Management of Supplier Services | Supplier services and security practices must be monitored, reviewed, evaluated, and changed under control |
| A.5.23 | A.5.23 Information Security for Use of Cloud Services | Cloud services must be governed from acquisition through use, management, monitoring, and exit |
| A.5.24 | A.5.24 Information Security Incident Management Planning and Preparation | Incident management processes, roles, responsibilities, and reporting routes must be prepared before incidents occur |
| A.5.25 | A.5.25 Assessment and Decision on Information Security Events | Reported security events must be triaged and clearly categorized as incidents or non-incidents |
| A.5.26 | A.5.26 Response to Information Security Incidents | Incidents must be handled according to documented response procedures |
| A.5.27 | A.5.27 Learning from Information Security Incidents | Incident knowledge must improve controls, procedures, awareness, and the ISMS |
| A.5.28 | A.5.28 Collection of Evidence | Evidence related to security events must be identified, collected, acquired, and preserved under control |
| A.5.29 | A.5.29 Information Security During Disruption | Information security must be maintained at an appropriate level during disruption |
| A.5.30 | A.5.30 ICT Readiness for Business Continuity | ICT readiness must be planned, implemented, maintained, and tested against continuity objectives |
| A.5.31 | A.5.31 Legal, Statutory, Regulatory and Contractual Requirements | Relevant legal, regulatory, statutory, and contractual security requirements must be identified, documented, and kept current |
| A.5.32 | A.5.32 Intellectual Property Rights | Procedures must protect intellectual property rights for software, content, source code, licences, and AI-generated material |
| A.5.33 | A.5.33 Protection of Records | Records must be protected from loss, destruction, falsification, unauthorized access, and unauthorized release |
| A.5.34 | A.5.34 Privacy and Protection of PII | Privacy and PII requirements from laws, regulations, and contracts must be identified and met |
| A.5.35 | A.5.35 Independent Review of Information Security | Information security management and implementation must be independently reviewed at planned intervals or after significant change |
| A.5.36 | A.5.36 Compliance with Policies, Rules and Standards for Information Security | Compliance with security policies, rules, standards, and technical baselines must be regularly reviewed |
| A.5.37 | A.5.37 Documented Operating Procedures | Operating procedures for information processing facilities must be documented and available to required personnel |
Related concepts
- ISO 27001 Clauses 4-10 vs Annex A
- Annex A and the Statement of Applicability
- ISO27002 Control Attributes
- Control Attributes and Risk Treatment Effects
- Internal Audit
- Management Review
- Risk Assessment
- Statement of Applicability
- A.5.5 Contact with Authorities
- A.5.6 Contact with Special Interest Groups
- A.5.7 Threat Intelligence
- A.5.8 Information Security in Project Management
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.11 Return of Assets
- A.5.12 Classification of Information
- A.5.13 Labelling of Information
- A.5.14 Information Transfer
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
- A.5.19 Information Security in Supplier Relationships
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.5.21 Managing Information Security in the ICT Supply Chain
- A.5.22 Monitoring, Review and Change Management of Supplier Services
- A.5.23 Information Security for Use of Cloud Services
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.25 Assessment and Decision on Information Security Events
- A.5.26 Response to Information Security Incidents
- A.5.27 Learning from Information Security Incidents
- A.5.28 Collection of Evidence
- A.5.29 Information Security During Disruption
- A.5.30 ICT Readiness for Business Continuity
- A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- A.5.32 Intellectual Property Rights
- A.5.33 Protection of Records
- A.5.34 Privacy and Protection of PII
- A.5.35 Independent Review of Information Security
- A.5.36 Compliance with Policies, Rules and Standards for Information Security
- A.5.37 Documented Operating Procedures
Key pattern
A.5 controls are governance-heavy. Auditors typically look for:
- clear ownership;
- approved documents;
- role clarity;
- communication and acknowledgement;
- evidence that the process is active;
- evidence that controls are reviewed and improved.
- Iso27001
- ISO27002
- Annex a
- Organizational controls
- Moc
Note Metadata
Aliases: Annex A.5 MOC
Source: 02 Annex A Organizational Controls/A.5 Organizational Controls MOC.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Annex A and the Statement of Applicability
- Control Attributes and Risk Treatment Effects
- Internal Audit
- ISO 27001 Clauses 4-10 vs Annex A
- ISO27002 Control Attributes
- Management Review
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.35 - Independent Review of Information Security
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.37 - Documented Operating Procedures
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls Implementation Guide
- ISO 27001 Implementer Guide
- A.5 Organizational Controls Audit Guide
- ISO 27005 Risk Process Notes
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27001 Knowledge Base
- ISO 27002 Knowledge Base
- Annex A Controls MOC
- ISO 27001 Overview