UnixTime

Domain guide

What this domain covers

Control-by-control implementation meaning across organizational, people, and physical control families.

157 resources

Guide + resources

Grouped resources

Guide notes

Implementation context, reference notes, and explanatory material.

3 items
Framework note 01 min read

ISO 27002 Control Attributes Evidence Map

This note explains how ISO/IEC 27002 control attributes should be used in this KB.

ISO27002 iso27002 control-attributes evidence
Framework note 01 min read

ISO 27002 Knowledge Base

ISO/IEC 27002 provides guidance for information security controls. In this KB, it supports interpretation of ISO/IEC 27001 Annex A controls, evidence expectations, implementatio...

ISO27002 iso27002 knowledge-base moc

Controls

Control-level notes and control-domain references.

154 items
Framework note 04 mins read

A.5 Organizational Controls MOC

Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.

ISO27001 ISO27002 iso27001 annex-a
Framework note 02 mins read

A.6 People Controls MOC

A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line managem...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

A.7 Physical Controls MOC

A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The...

ISO27001 ISO27002 iso27001 iso27002
Framework note 06 mins read

ISO 27001 A.5.1 - Policies for Information Security

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.11 - Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.13 - Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.14 - Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.15 - Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.16 - Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.17 - Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.18 - Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.28 - Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.29 - Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 iso27002
Framework note 06 mins read

ISO 27001 A.5.3 - Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.30 - ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.32 - Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.33 - Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.34 - Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.5.35 - Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.37 - Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.4 - Management Responsibilities

Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.5 - Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.5.6 - Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.5.7 - Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.1 - Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.2 - Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.4 - Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and mana...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.7 - Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.6.8 - Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.1 - Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.10 - Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.11 - Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.12 - Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...

ISO27001 ISO27002 iso27001 iso27002
Framework note 03 mins read

ISO 27001 A.7.13 - Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.2 - Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.4 - Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.6 - Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...

ISO27001 ISO27002 iso27001 iso27002
Framework note 04 mins read

ISO 27001 A.7.7 - Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.8 - Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 iso27002
Framework note 05 mins read

ISO 27001 A.7.9 - Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 iso27002
Framework note 01 min read

ISO27001-A.7.12 Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they can cause outages, interference, safety issues, interception, or tampering.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.13 Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no longer recoverable.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.1 User End Point Devices

Query-first control card for A.8.1 User End Point Devices. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.10 Information Deletion

Query-first control card for A.8.10 Information Deletion. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.11 Data Masking

Query-first control card for A.8.11 Data Masking. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.12 Data Leakage Prevention

Query-first control card for A.8.12 Data Leakage Prevention. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.13 Information Backup

Query-first control card for A.8.13 Information Backup. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.15 Logging

Query-first control card for A.8.15 Logging. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.16 Monitoring Activities

Query-first control card for A.8.16 Monitoring Activities. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.2 Privileged Access Rights

Query-first control card for A.8.2 Privileged Access Rights. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.20 Networks Security

Query-first control card for A.8.20 Networks Security. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.21 Security of Network Services

Query-first control card for A.8.21 Security of Network Services. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.22 Segregation of Networks

Query-first control card for A.8.22 Segregation of Networks. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.23 Web Filtering

Query-first control card for A.8.23 Web Filtering. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.24 Use of Cryptography

Query-first control card for A.8.24 Use of Cryptography. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.25 Secure Development Life Cycle

Query-first control card for A.8.25 Secure Development Life Cycle. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.26 Application Security Requirements

Query-first control card for A.8.26 Application Security Requirements. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.28 Secure Coding

Query-first control card for A.8.28 Secure Coding. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.3 Information Access Restriction

Query-first control card for A.8.3 Information Access Restriction. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.30 Outsourced Development

Query-first control card for A.8.30 Outsourced Development. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.32 Change Management

Query-first control card for A.8.32 Change Management. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.33 Test Information

Query-first control card for A.8.33 Test Information. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.4 Access to Source Code

Query-first control card for A.8.4 Access to Source Code. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.5 Secure Authentication

Query-first control card for A.8.5 Secure Authentication. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.6 Capacity Management

Query-first control card for A.8.6 Capacity Management. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.7 Protection Against Malware

Query-first control card for A.8.7 Protection Against Malware. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.8 Management of Technical Vulnerabilities

Query-first control card for A.8.8 Management of Technical Vulnerabilities. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.8.9 Configuration Management

Query-first control card for A.8.9 Configuration Management. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.10 Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.11 Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.9 Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.8 Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.1 Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or receive access.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.2 Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.3 Information Security Awareness, Education and Training

People need to know how to behave securely in their actual role. Everyone needs baseline awareness, but people with specific responsibilities need deeper training that matches their work, systems, information access, and security duties.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.4 Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and managers should know how to trigger the process fairly and consistently.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.5 Responsibilities After Termination or Change of Employment

When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duties, such as confidentiality, may continue after the relationship ends.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally usable, review them regularly, and make sure the right parties sign them before receiving confidential information.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.7 Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices, shared workspaces, and other remote locations.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.6.8 Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people do not hide mistakes.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.1 Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.2 Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.3 Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.4 Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of both.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.5 Protecting Against Physical and Environmental Threats

The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.6 Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.7.7 Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.33 Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.34 Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.35 Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.37 Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.23 Information Security for Use of Cloud Services

Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services in line with its security requirements.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.28 Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.29 Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.30 ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.32 Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trademarks, patents, subscription content, and AI-generated or AI-assisted material.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.11 Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.13 Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.14 Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.15 Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.16 Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.17 Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.18 Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.3 Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.5 Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.6 Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated training.

ISO27001 ISO27002 iso27001 annex_a
Framework note 01 min read

ISO27001-A.5.7 Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 annex_a

Deep links

Link to this domain with /research/iso27002/control-interpretation/ . Link directly to exact notes from any resource card above.