UnixTime

Research Note

A.5 Controls Implementation Audit Risk Mapping

This table maps each covered A.5 organizational control to implementation output, audit evidence, and ISO/IEC 27005-style risk logic.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This table maps each covered A.5 organizational control to implementation output, audit evidence, and ISO/IEC 27005-style risk logic.

Mapping table

Control Implementer output Auditor verifies Risk-management link
A.5.1 Policies for Information Security Policy framework and review process Approval, communication, acknowledgement, review Governance treatment for inconsistent security behavior
A.5.2 Information Security Roles and Responsibilities Defined roles and RACI Responsibility allocation and awareness Risk ownership and accountability
A.5.3 Segregation of Duties Conflict matrix and compensating controls Conflicts identified and controlled Reduces fraud, error, and abuse likelihood
A.5.4 Management Responsibilities Manager accountability process Managers enforce security requirements Controls human/management non-compliance risk
A.5.5 Contact with Authorities Authority contact register and triggers Relevant contacts and escalation paths Supports incident, legal, and continuity risk response
A.5.6 Contact with Special Interest Groups Specialist group participation process Relevant participation and internal sharing Improves threat/context awareness
A.5.7 Threat Intelligence Threat collection, analysis, action workflow Intelligence is contextualized and acted on Improves risk identification and review
A.5.8 Information Security in Project Management Project security requirements and gates Security embedded into project lifecycle Treats change/project introduction risk
A.5.9 Inventory of Information and Other Associated Assets Asset inventory with owners/classification Inventory current and used Supports risk identification and impact analysis
A.5.10 Acceptable Use of Information and Other Associated Assets Use and handling rules Users know and follow rules Treats misuse and mishandling risk
A.5.11 Return of Assets Return/removal process Leavers/movers/contractors sampled Treats asset loss and lingering access risk
A.5.12 Classification of Information Classification scheme Classification applied by need Supports impact analysis and proportional treatment
A.5.13 Labelling of Information Labelling procedure Labels persist and guide handling Reduces handling errors
A.5.14 Information Transfer Transfer rules and agreements Transfers use approved controls Treats leakage/interception/misdirection risk
A.5.15 Access Control Access control policy/rules Access based on business need Treats unauthorized access risk
A.5.16 Identity Management Identity lifecycle process Unique/current identities and exceptions Treats orphan and unaccountable identity risk
A.5.17 Authentication Information Credential handling process Secrets issued, reset, protected Treats credential compromise risk
A.5.18 Access Rights Access request/review/removal process Actual access matches authorized need Treats excessive and stale access risk
A.5.19 Information Security in Supplier Relationships Supplier security process and register Supplier risks identified and controlled Treats third-party exposure risk
A.5.20 Addressing Information Security Within Supplier Agreements Risk-based security clauses Requirements agreed before access Treats contractual control gap risk
A.5.21 Managing Information Security in the ICT Supply Chain ICT dependency/supply-chain register Indirect suppliers and changes considered Treats inherited supply-chain risk
A.5.22 Monitoring, Review and Change Management of Supplier Services Supplier review and change process Reports, changes, incidents, actions reviewed Supports monitoring, review, and reassessment
A.5.23 Information Security for Use of Cloud Services Cloud service register, shared responsibility, and exit process Cloud risk, provider terms, configuration, monitoring, and exit evidence Treats cloud dependency, jurisdiction, configuration, and exit risk
A.5.24 Information Security Incident Management Planning and Preparation Incident process, roles, reporting, and exercise readiness Incident plan, reporting route, role clarity, exercises, and lessons learned Reduces incident impact and supports risk monitoring/improvement
A.5.25 Assessment and Decision on Information Security Events Event triage and incident classification process Recorded event assessments, categories, decision justification, and timelines Reduces missed incidents and supports timely escalation
A.5.26 Response to Information Security Incidents Incident response procedures and action records Response actions, roles, containment, recovery, communications, and follow-up Reduces incident impact and preserves response accountability
A.5.27 Learning from Information Security Incidents Post-incident review and improvement workflow Lessons learned, root cause, corrective actions, training/control updates Improves control effectiveness and reduces recurrence
A.5.28 Collection of Evidence Evidence collection and chain-of-custody process Evidence procedures, custody logs, storage controls, forensic copies Preserves evidence integrity for investigation and legal defensibility
A.5.29 Information Security During Disruption Security continuity requirements and crisis security roles BIA security requirements, continuity plans, supplier security continuity, tests Treats security degradation risk during disruption
A.5.30 ICT Readiness for Business Continuity ICT continuity requirements, recovery playbooks, and tests RTO/RPO, restore tests, recovery sequence, supplier ICT continuity evidence Treats availability and restoration risk
A.5.31 Legal, Statutory, Regulatory and Contractual Requirements Requirements register and compliance mapping Applicable requirements, owners, legal advice, control mapping, change tracking Treats legal, regulatory, statutory, contractual, and jurisdictional risk
A.5.32 Intellectual Property Rights IP handling process and licence inventory Software/content licence records, endpoint samples, library review, AI-content review Treats copyright, licence, source-code, open-source, and AI-output risk
A.5.33 Protection of Records Records retention and protection register Record inventory, retention schedule, access control, backup/archive, readability, disposal evidence Treats record loss, falsification, unauthorized release, and retention compliance risk
A.5.34 Privacy and Protection of PII PII inventory and privacy requirements matrix PII location, purpose, access, transfers, legal/contractual mapping, training, breach readiness Treats privacy, PII misuse, excessive access, transfer, and breach notification risk
A.5.35 Independent Review of Information Security Independent review plan and report Review independence, schedule, triggers, findings, corrective actions, management reporting Treats assurance, blind-spot, and significant-change review risk
A.5.36 Compliance with Policies, Rules and Standards for Information Security Policy and technical compliance review process Management checks, technical checks, authorization, competence, findings, retest evidence Treats policy drift, technical nonconformity, and repeat issue risk
A.5.37 Documented Operating Procedures Controlled operating procedure register Procedure availability, version control, approval, operator awareness, supplier documentation Treats operational error, unauthorized changes, and tribal-knowledge risk
  • Iso27001
  • ISO27002
  • Iso27005
  • Annex a
  • Mapping

Note Metadata

Aliases: A.5 Implementation Audit Risk Mapping

Source: 08 Crosswalks/A.5 Controls Implementation Audit Risk Mapping.md