UnixTime

Domain guide

What this domain covers

A.5 controls for governance, policies, suppliers, incidents, business continuity, legal requirements, and information handling.

188 resources

Guide + resources

Grouped resources

Guide notes

Implementation context, reference notes, and explanatory material.

37 items
Research note 01 min read

AQ-ISO27001-A.5.33 Protection of Records

Audit question set for ISO27001-A.5.33. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.34 Privacy and Protection of PII

Audit question set for ISO27001-A.5.34. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.37 Documented Operating Procedures

Audit question set for ISO27001-A.5.37. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.28 Collection of Evidence

Audit question set for ISO27001-A.5.28. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.29 Information Security During Disruption

Audit question set for ISO27001-A.5.29. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.30 ICT Readiness for Business Continuity

Audit question set for ISO27001-A.5.30. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.32 Intellectual Property Rights

Audit question set for ISO27001-A.5.32. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.1 Policies for Information Security

Audit question set for ISO27001-A.5.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.11 Return of Assets

Audit question set for ISO27001-A.5.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.12 Classification of Information

Audit question set for ISO27001-A.5.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.13 Labelling of Information

Audit question set for ISO27001-A.5.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.14 Information Transfer

Audit question set for ISO27001-A.5.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.15 Access Control

Audit question set for ISO27001-A.5.15. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.16 Identity Management

Audit question set for ISO27001-A.5.16. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.17 Authentication Information

Audit question set for ISO27001-A.5.17. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.18 Access Rights

Audit question set for ISO27001-A.5.18. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.3 Segregation of Duties

Audit question set for ISO27001-A.5.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.4 Management Responsibilities

Audit question set for ISO27001-A.5.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.5 Contact with Authorities

Audit question set for ISO27001-A.5.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.6 Contact with Special Interest Groups

Audit question set for ISO27001-A.5.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question
Research note 01 min read

AQ-ISO27001-A.5.7 Threat Intelligence

Audit question set for ISO27001-A.5.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question

Controls

Control-level notes and control-domain references.

76 items
Framework note 04 mins read

A.5 Organizational Controls MOC

Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.

ISO27001 ISO27002 iso27001 annex-a
Framework note 06 mins read

ISO 27001 A.5.1 - Policies for Information Security

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.11 - Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.13 - Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.14 - Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.15 - Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.16 - Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.17 - Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.18 - Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.28 - Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.29 - Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 iso27002
Framework note 06 mins read

ISO 27001 A.5.3 - Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.30 - ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.32 - Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.33 - Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.34 - Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.35 - Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.37 - Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.4 - Management Responsibilities

Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.5 - Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.6 - Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.7 - Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 iso27002
Framework note 01 min read

ISO27001-A.5.33 Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.34 Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.35 Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.37 Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.23 Information Security for Use of Cloud Services

Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services in line with its security requirements.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.28 Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.29 Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.30 ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.32 Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trademarks, patents, subscription content, and AI-generated or AI-assisted material.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.11 Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.13 Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.14 Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.15 Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.16 Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.17 Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.18 Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.3 Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.5 Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.6 Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated training.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.7 Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 annex_a

Evidence packs

Audit evidence packs, registers, proof records, and evidence examples.

37 items
Template note 02 mins read

A.5.1 Audit Evidence Pack

The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.10 Audit Evidence Pack

The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.11 Audit Evidence Pack

The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.12 Audit Evidence Pack

The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.13 Audit Evidence Pack

The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.14 Audit Evidence Pack

The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.15 Audit Evidence Pack

The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.16 Audit Evidence Pack

The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.17 Audit Evidence Pack

The auditor wants to confirm that secret authentication information is issued, managed, changed, reset, stored, and handled through a controlled process, and that users understa...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.18 Audit Evidence Pack

The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.19 Audit Evidence Pack

The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.2 Audit Evidence Pack

The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.20 Audit Evidence Pack

The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.21 Audit Evidence Pack

The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.22 Audit Evidence Pack

The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.23 Audit Evidence Pack

The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.24 Audit Evidence Pack

The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.25 Audit Evidence Pack

The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.26 Audit Evidence Pack

The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibili...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.27 Audit Evidence Pack

The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.28 Audit Evidence Pack

The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.29 Audit Evidence Pack

The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.3 Audit Evidence Pack

The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not pract...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.30 Audit Evidence Pack

The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.31 Audit Evidence Pack

The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.32 Audit Evidence Pack

The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.33 Audit Evidence Pack

The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.34 Audit Evidence Pack

The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.35 Audit Evidence Pack

The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.36 Audit Evidence Pack

The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.37 Audit Evidence Pack

The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.4 Audit Evidence Pack

The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.5 Audit Evidence Pack

The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.6 Audit Evidence Pack

The auditor wants to confirm that the organization maintains proportionate contact with relevant specialist security groups, forums, or professional associations and that useful...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.7 Audit Evidence Pack

The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.8 Audit Evidence Pack

The auditor wants to confirm that information security is integrated into the project management method and applied in real projects from initiation through transition to operat...

ISO27001 ISO27002 audit evidence
Template note 02 mins read

A.5.9 Audit Evidence Pack

The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...

ISO27001 ISO27002 audit evidence

Templates

Reusable implementation, audit, and operational templates.

37 items
Template note 01 min read

A.5.10 Audit Checklist

Use this during internal audits to verify that acceptable use and handling rules are defined, acknowledged, implemented, and enforced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.11 Audit Checklist

Use this during internal audits to verify that assets are returned during termination, contract end, agreement end, or role change.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.12 Audit Checklist

Use this during internal audits to verify that information classification is defined, implemented, understood, and maintained.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.13 Audit Checklist

Use this during internal audits to verify that information labelling procedures are defined and implemented in line with the classification scheme.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.14 Audit Checklist

Use this during internal audits to verify that information transfer rules, procedures, and agreements are defined and implemented across actual transfer channels.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.15 Audit Checklist

Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.16 Audit Checklist

Use this during internal audits to verify that identities are managed across the full lifecycle.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.17 Audit Checklist

Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.18 Audit Checklist

Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.19 Audit Checklist

Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.20 Audit Checklist

Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.21 Audit Checklist

Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.22 Audit Checklist

Use this during internal audits to verify that supplier services and security practices are monitored, reviewed, evaluated, and changed through a controlled process.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.23 Audit Checklist

Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.24 Audit Checklist

Use this during internal audits to verify that incident management planning and preparation are defined, communicated, and ready to operate.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.25 Audit Checklist

Use this during internal audits to test whether A.5.25 Assessment and Decision on Information Security Events is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.26 Audit Checklist

Use this during internal audits to test whether A.5.26 Response to Information Security Incidents is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.27 Audit Checklist

Use this during internal audits to test whether A.5.27 Learning from Information Security Incidents is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.28 Audit Checklist

Use this during internal audits to test whether A.5.28 Collection of Evidence is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.29 Audit Checklist

Use this during internal audits to test whether A.5.29 Information Security During Disruption is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.30 Audit Checklist

Use this during internal audits to test whether A.5.30 ICT Readiness for Business Continuity is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.31 Audit Checklist

Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.32 Audit Checklist

Use this during internal audits to test whether A.5.32 Intellectual Property Rights is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.33 Audit Checklist

Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.34 Audit Checklist

Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.35 Audit Checklist

Use this during internal audits to test whether A.5.35 Independent Review of Information Security is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.36 Audit Checklist

Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.37 Audit Checklist

Use this during internal audits to test whether A.5.37 Documented Operating Procedures is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.5 Audit Checklist

Use this during internal audits to test whether relevant authority contacts are identified, maintained, authorized, and usable.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.6 Audit Checklist

Use this during internal audits to verify that the organization maintains relevant external security knowledge contacts and uses received information appropriately.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.7 Audit Checklist

Use this during internal audits to verify that threat information is collected, analyzed, contextualized, and used to support ISMS decisions.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.8 Audit Checklist

Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.

ISO27001 ISO27002 template audit
Template note 01 min read

A.5.9 Audit Checklist

Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.

ISO27001 ISO27002 template audit

Crosswalks

Mappings across controls, risks, standards, and assurance views.

1 item
Framework note 04 mins read

A.5 Controls Implementation Audit Risk Mapping

This table maps each covered A.5 organizational control to implementation output, audit evidence, and ISO/IEC 27005-style risk logic.

ISO27001 ISO27002 iso27001 iso27005

Deep links

Link to this domain with /research/iso27001/annex-a-organizational-controls/ . Link directly to exact notes from any resource card above.