UnixTime

Research Note

A.5 Organizational Controls Audit Guide

This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.

Audit grouping

Audit area Controls Auditor focus
Governance A.5.1-A.5.4 Approval, accountability, segregation, management enforcement
External context A.5.5-A.5.7 Authority contact, specialist knowledge, threat intelligence use
Project and asset governance A.5.8-A.5.14 Security in projects, asset ownership, classification, labelling, transfer
Access and identity A.5.15-A.5.18 Business need, identity lifecycle, credentials, access reviews/removal
Supplier and cloud lifecycle A.5.19-A.5.23 Supplier risk, agreements, ICT supply chain, monitoring, cloud shared responsibility, and exit
Incident management lifecycle A.5.24-A.5.28 Incident planning, event assessment, response, lessons learned, and evidence preservation
Continuity and ICT readiness A.5.29-A.5.30 Security during disruption, ICT recovery objectives, RTO/RPO, supplier continuity, and testing
Legal and IP compliance A.5.31-A.5.32 Requirements identification, control mapping, licence compliance, IP handling, source-code/library/AI review
Records and privacy A.5.33-A.5.34 Records retention/protection, PII inventory, privacy requirements, access, transfer, retention, and breach readiness
Assurance and operations governance A.5.35-A.5.37 Independent review, policy/technical compliance checks, controlled and available operating procedures

Audit test matrix

Control range Test design Test operation Common audit failure
A.5.1-A.5.4 Policies, roles, responsibility model Awareness, approvals, reviews, manager behavior Governance exists on paper only
A.5.5-A.5.7 Defined external contact/intelligence processes Contact registers used, intelligence converted to action Lists and feeds exist but no use
A.5.8-A.5.14 Requirements, owners, asset/process rules Sample projects/assets/transfers Process not embedded in real work
A.5.15-A.5.18 Access rules and lifecycle Sample users, movers, leavers, privileged access Actual access exceeds approved need
A.5.19-A.5.23 Supplier and cloud process controls Sample suppliers, cloud services, reports, changes, incidents, exit plans Supplier/cloud review stops after onboarding
A.5.24-A.5.28 Incident management lifecycle Sample incident plan, triage decisions, response records, lessons learned, and evidence custody logs Incidents are handled informally or without learning/evidence control
A.5.29-A.5.30 Continuity and ICT readiness Sample continuity requirements, BIA, RTO/RPO, recovery playbooks, continuity tests, and supplier reviews Continuity restores operations while security or recovery evidence is weak
A.5.31-A.5.32 Legal and IP compliance Sample requirements register, contract obligations, crypto assessment, licence inventory, endpoint checks, AI/IP reviews Compliance lists exist but are not mapped, owned, sampled, or kept current
A.5.33-A.5.34 Records and privacy Sample records inventory, retention evidence, PII inventory, privacy requirement mapping, access reviews, breach readiness Records/PII exist outside inventories, retention, access, or privacy controls
A.5.35-A.5.37 Assurance and operations governance Sample independent review reports, compliance checks, technical check authorization, procedure registers, procedure version control Reviews lack independence, findings lack closure, or procedures are stale/uncontrolled

Evidence packs

  • Iso27001
  • ISO27002
  • Auditor guide
  • Annex a
  • Organizational controls

Note Metadata

Aliases: A.5 Audit Guide

Source: 06 Auditor Guide/A.5 Organizational Controls Audit Guide.md

Graph-sourced resources

Templates and evidence