Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.
Audit grouping
| Audit area | Controls | Auditor focus |
|---|---|---|
| Governance | A.5.1-A.5.4 | Approval, accountability, segregation, management enforcement |
| External context | A.5.5-A.5.7 | Authority contact, specialist knowledge, threat intelligence use |
| Project and asset governance | A.5.8-A.5.14 | Security in projects, asset ownership, classification, labelling, transfer |
| Access and identity | A.5.15-A.5.18 | Business need, identity lifecycle, credentials, access reviews/removal |
| Supplier and cloud lifecycle | A.5.19-A.5.23 | Supplier risk, agreements, ICT supply chain, monitoring, cloud shared responsibility, and exit |
| Incident management lifecycle | A.5.24-A.5.28 | Incident planning, event assessment, response, lessons learned, and evidence preservation |
| Continuity and ICT readiness | A.5.29-A.5.30 | Security during disruption, ICT recovery objectives, RTO/RPO, supplier continuity, and testing |
| Legal and IP compliance | A.5.31-A.5.32 | Requirements identification, control mapping, licence compliance, IP handling, source-code/library/AI review |
| Records and privacy | A.5.33-A.5.34 | Records retention/protection, PII inventory, privacy requirements, access, transfer, retention, and breach readiness |
| Assurance and operations governance | A.5.35-A.5.37 | Independent review, policy/technical compliance checks, controlled and available operating procedures |
Audit test matrix
| Control range | Test design | Test operation | Common audit failure |
|---|---|---|---|
| A.5.1-A.5.4 | Policies, roles, responsibility model | Awareness, approvals, reviews, manager behavior | Governance exists on paper only |
| A.5.5-A.5.7 | Defined external contact/intelligence processes | Contact registers used, intelligence converted to action | Lists and feeds exist but no use |
| A.5.8-A.5.14 | Requirements, owners, asset/process rules | Sample projects/assets/transfers | Process not embedded in real work |
| A.5.15-A.5.18 | Access rules and lifecycle | Sample users, movers, leavers, privileged access | Actual access exceeds approved need |
| A.5.19-A.5.23 | Supplier and cloud process controls | Sample suppliers, cloud services, reports, changes, incidents, exit plans | Supplier/cloud review stops after onboarding |
| A.5.24-A.5.28 | Incident management lifecycle | Sample incident plan, triage decisions, response records, lessons learned, and evidence custody logs | Incidents are handled informally or without learning/evidence control |
| A.5.29-A.5.30 | Continuity and ICT readiness | Sample continuity requirements, BIA, RTO/RPO, recovery playbooks, continuity tests, and supplier reviews | Continuity restores operations while security or recovery evidence is weak |
| A.5.31-A.5.32 | Legal and IP compliance | Sample requirements register, contract obligations, crypto assessment, licence inventory, endpoint checks, AI/IP reviews | Compliance lists exist but are not mapped, owned, sampled, or kept current |
| A.5.33-A.5.34 | Records and privacy | Sample records inventory, retention evidence, PII inventory, privacy requirement mapping, access reviews, breach readiness | Records/PII exist outside inventories, retention, access, or privacy controls |
| A.5.35-A.5.37 | Assurance and operations governance | Sample independent review reports, compliance checks, technical check authorization, procedure registers, procedure version control | Reviews lack independence, findings lack closure, or procedures are stale/uncontrolled |
Evidence packs
- A.5.1 Audit Evidence Pack
- A.5.2 Audit Evidence Pack
- A.5.3 Audit Evidence Pack
- A.5.4 Audit Evidence Pack
- A.5.5 Audit Evidence Pack
- A.5.6 Audit Evidence Pack
- A.5.7 Audit Evidence Pack
- A.5.8 Audit Evidence Pack
- A.5.9 Audit Evidence Pack
- A.5.10 Audit Evidence Pack
- A.5.11 Audit Evidence Pack
- A.5.12 Audit Evidence Pack
- A.5.13 Audit Evidence Pack
- A.5.14 Audit Evidence Pack
- A.5.15 Audit Evidence Pack
- A.5.16 Audit Evidence Pack
- A.5.17 Audit Evidence Pack
- A.5.18 Audit Evidence Pack
- A.5.19 Audit Evidence Pack
- A.5.20 Audit Evidence Pack
- A.5.21 Audit Evidence Pack
- A.5.22 Audit Evidence Pack
- A.5.23 Audit Evidence Pack
- A.5.24 Audit Evidence Pack
- A.5.25 Audit Evidence Pack
- A.5.26 Audit Evidence Pack
- A.5.27 Audit Evidence Pack
- A.5.28 Audit Evidence Pack
- A.5.29 Audit Evidence Pack
- A.5.30 Audit Evidence Pack
- A.5.31 Audit Evidence Pack
- A.5.32 Audit Evidence Pack
- A.5.33 Audit Evidence Pack
- A.5.34 Audit Evidence Pack
- A.5.35 Audit Evidence Pack
- A.5.36 Audit Evidence Pack
- A.5.37 Audit Evidence Pack
Related notes
- Iso27001
- ISO27002
- Auditor guide
- Annex a
- Organizational controls
Note Metadata
Aliases: A.5 Audit Guide
Source: 06 Auditor Guide/A.5 Organizational Controls Audit Guide.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.5.1 Audit Evidence Pack
- A.5.2 Audit Evidence Pack
- A.5.3 Audit Evidence Pack
- A.5.4 Audit Evidence Pack
- A.5.5 Audit Evidence Pack
- A.5.6 Audit Evidence Pack
- A.5.7 Audit Evidence Pack
- A.5.8 Audit Evidence Pack
- A.5.9 Audit Evidence Pack
- A.5.10 Audit Evidence Pack
- A.5.11 Audit Evidence Pack
- A.5.12 Audit Evidence Pack
- A.5.13 Audit Evidence Pack
- A.5.14 Audit Evidence Pack
- A.5.15 Audit Evidence Pack
- A.5.16 Audit Evidence Pack
- A.5.17 Audit Evidence Pack
- A.5.18 Audit Evidence Pack
- A.5.19 Audit Evidence Pack
- A.5.20 Audit Evidence Pack
- A.5.21 Audit Evidence Pack
- A.5.22 Audit Evidence Pack
- A.5.23 Audit Evidence Pack
- A.5.24 Audit Evidence Pack
- A.5.25 Audit Evidence Pack
- A.5.26 Audit Evidence Pack
- A.5.27 Audit Evidence Pack
- A.5.28 Audit Evidence Pack
- A.5.29 Audit Evidence Pack
- A.5.30 Audit Evidence Pack
- A.5.31 Audit Evidence Pack
- A.5.32 Audit Evidence Pack
- A.5.33 Audit Evidence Pack
- A.5.34 Audit Evidence Pack
- A.5.35 Audit Evidence Pack
- A.5.36 Audit Evidence Pack
- A.5.37 Audit Evidence Pack
Related Notes
- ISO27001 ISMS KB - Start Here
- A.5 Organizational Controls MOC
- A.5.1 Audit Evidence Pack
- A.5.10 Audit Evidence Pack
- A.5.11 Audit Evidence Pack
- A.5.12 Audit Evidence Pack
- A.5.13 Audit Evidence Pack
- A.5.14 Audit Evidence Pack
- A.5.15 Audit Evidence Pack
- A.5.16 Audit Evidence Pack
- A.5.17 Audit Evidence Pack
- A.5.18 Audit Evidence Pack
- A.5.19 Audit Evidence Pack
- A.5.2 Audit Evidence Pack
- A.5.20 Audit Evidence Pack
- A.5.21 Audit Evidence Pack
- A.5.22 Audit Evidence Pack
- A.5.23 Audit Evidence Pack
- A.5.24 Audit Evidence Pack
- A.5.25 Audit Evidence Pack
- A.5.26 Audit Evidence Pack
- A.5.27 Audit Evidence Pack
- A.5.28 Audit Evidence Pack
- A.5.29 Audit Evidence Pack
- A.5.3 Audit Evidence Pack
- A.5.30 Audit Evidence Pack
- A.5.31 Audit Evidence Pack
- A.5.32 Audit Evidence Pack
- A.5.33 Audit Evidence Pack
- A.5.34 Audit Evidence Pack
- A.5.35 Audit Evidence Pack
- A.5.36 Audit Evidence Pack
- A.5.37 Audit Evidence Pack
- A.5.4 Audit Evidence Pack
- A.5.5 Audit Evidence Pack
- A.5.6 Audit Evidence Pack
- A.5.7 Audit Evidence Pack
- A.5.8 Audit Evidence Pack
- A.5.9 Audit Evidence Pack
- Audit Evidence MOC
- AQ-ISO27001-A.5.7 Threat Intelligence
- AQ-ISO27001-A.5.1 Policies for Information Security
- AQ-ISO27001-A.5.10 Acceptable Use of Information and Other Associated Assets
- AQ-ISO27001-A.5.11 Return of Assets
- AQ-ISO27001-A.5.12 Classification of Information
- AQ-ISO27001-A.5.13 Labelling of Information
- AQ-ISO27001-A.5.14 Information Transfer
- AQ-ISO27001-A.5.15 Access Control
- AQ-ISO27001-A.5.16 Identity Management
- AQ-ISO27001-A.5.17 Authentication Information
- AQ-ISO27001-A.5.18 Access Rights
- AQ-ISO27001-A.5.19 Information Security in Supplier Relationships
- AQ-ISO27001-A.5.2 Information Security Roles and Responsibilities
- AQ-ISO27001-A.5.20 Addressing Information Security Within Supplier Agreements
- AQ-ISO27001-A.5.21 Managing Information Security in the ICT Supply Chain
- AQ-ISO27001-A.5.22 Monitoring, Review and Change Management of Supplier Services
- AQ-ISO27001-A.5.23 Information Security for Use of Cloud Services
- AQ-ISO27001-A.5.24 Information Security Incident Management Planning and Preparation
- AQ-ISO27001-A.5.25 Assessment and Decision on Information Security Events
- AQ-ISO27001-A.5.26 Response to Information Security Incidents
- AQ-ISO27001-A.5.27 Learning from Information Security Incidents
- AQ-ISO27001-A.5.28 Collection of Evidence
- AQ-ISO27001-A.5.29 Information Security During Disruption
- AQ-ISO27001-A.5.3 Segregation of Duties
- AQ-ISO27001-A.5.30 ICT Readiness for Business Continuity
- AQ-ISO27001-A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
- AQ-ISO27001-A.5.32 Intellectual Property Rights
- AQ-ISO27001-A.5.33 Protection of Records
- AQ-ISO27001-A.5.34 Privacy and Protection of PII
- AQ-ISO27001-A.5.35 Independent Review of Information Security
- AQ-ISO27001-A.5.36 Compliance with Policies, Rules and Standards for Information Security
- AQ-ISO27001-A.5.37 Documented Operating Procedures
- AQ-ISO27001-A.5.4 Management Responsibilities
- AQ-ISO27001-A.5.5 Contact with Authorities
- AQ-ISO27001-A.5.6 Contact with Special Interest Groups
- AQ-ISO27001-A.5.8 Information Security in Project Management
- AQ-ISO27001-A.5.9 Inventory of Information and Other Associated Assets
- A.5 Organizational Controls Implementation Guide
- Internal Audit Execution Guide
- ISO 27001 Auditor Guide
- ISO27001-A.5.1 Policies for Information Security
- ISO27001-A.5.10 Acceptable Use of Information and Other Associated Assets
- ISO27001-A.5.11 Return of Assets
- ISO27001-A.5.12 Classification of Information
- ISO27001-A.5.13 Labelling of Information
- ISO27001-A.5.14 Information Transfer
- ISO27001-A.5.15 Access Control
- ISO27001-A.5.16 Identity Management
- ISO27001-A.5.17 Authentication Information
- ISO27001-A.5.18 Access Rights
- ISO27001-A.5.19 Information Security in Supplier Relationships
- ISO27001-A.5.2 Information Security Roles and Responsibilities
- ISO27001-A.5.20 Addressing Information Security Within Supplier Agreements
- ISO27001-A.5.21 Managing Information Security in the ICT Supply Chain
- ISO27001-A.5.22 Monitoring, Review and Change Management of Supplier Services
- ISO27001-A.5.3 Segregation of Duties
- ISO27001-A.5.4 Management Responsibilities
- ISO27001-A.5.5 Contact with Authorities
- ISO27001-A.5.6 Contact with Special Interest Groups
- ISO27001-A.5.8 Information Security in Project Management
- ISO27001-A.5.9 Inventory of Information and Other Associated Assets
- A.5 Controls Implementation Audit Risk Mapping
- Annex A Controls MOC
- Audit Evidence Index
- ISO 27001 Overview