Organizational Controls (A.5)

Organizational controls form the management foundation of your ISMS. These 37 controls in Annex A.5 establish governance, policies, roles, and strategic security management across your organization.

Overview of Annex A.5

ISO 27001:2022 restructured controls into four themes. Annex A.5 covers organizational controls—those that establish management frameworks, policies, and governance structures.

The 37 Organizational Controls:

A.5.1 to A.5.37 cover topics from policies to threat intelligence to asset management
Many were previously scattered across different sections in the 2013 version
These controls establish the management layer that other controls depend upon

A.5.1 - Policies for Information Security

Purpose: Establish management direction and support for information security.

Control Statement: "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur."

Implementation:

1. Information Security Policy (Master Policy) Your top-level policy that:

States management commitment
Defines security objectives
Establishes governance framework
References topic-specific policies
Applies to entire organization

Example Structure:

1. Purpose and Scope
2. Management Commitment
3. Information Security Objectives
4. Policy Framework Overview
5. Roles and Responsibilities
6. Compliance Requirements
7. Policy Review Process
8. Related Policies
9. Approval and Effective Date

2. Topic-Specific Policies Detailed policies for specific areas:

Acceptable Use Policy
Access Control Policy
Information Classification Policy
Cryptography Policy
Backup Policy
Incident Response Policy
Business Continuity Policy
Third-Party Security Policy
Mobile Device Policy
Remote Working Policy

Policy Lifecycle:

Draft by policy owner
Review by stakeholders
Approve by management
Publish and communicate
Train affected personnel
Review annually or when significant change
Update and re-approve as needed

A.5.2 - Information Security Roles and Responsibilities

Purpose: Ensure clear accountability for information security activities.

Control Statement: "Information security roles and responsibilities shall be defined and allocated according to the organization needs."

Key Roles to Define:

1. Top Management

Ultimate accountability for ISMS
Approve policies and resources
Review ISMS performance
Champion security culture

2. Information Security Manager / CISO

Overall responsibility for ISMS
Policy development and maintenance
Risk management oversight
Security strategy and planning
Reporting to management

3. Asset Owners

Responsible for specific information assets
Define classification and handling
Approve access requests
Ensure appropriate controls

4. Process Owners

Responsible for specific processes
Ensure processes operate correctly
Maintain process documentation
Report process performance

5. System Owners

Responsible for IT systems
Ensure secure configuration
Manage system access
Coordinate patching and updates

6. All Personnel

Follow security policies
Report incidents
Complete security training
Protect information assets

Document in:

Job descriptions
Responsibility matrix (RACI)
Policy documents
Training materials

A.5.3 - Segregation of Duties

Purpose: Reduce risk of unauthorized or unintentional modification or misuse of assets.

Control Statement: "Conflicting duties and conflicting areas of responsibility shall be segregated."

Key Segregation Principles:

1. No Single Person Control from End-to-End Example conflicts to prevent:

Request and approve own access
Develop and deploy to production
Initiate and approve payments
Create and approve policies
Commit code and deploy without review

2. Common Segregation Examples:

Finance:

Separate: Request payment / Approve payment / Process payment

IT Development:

Separate: Write code / Review code / Deploy to production

Access Management:

Separate: Request access / Approve access / Grant access

Security:

Separate: Define controls / Implement controls / Audit controls

3. Implementation Methods:

Organizational:

Different people perform different roles
Reporting lines prevent conflicts
Approval hierarchies enforced

Technical:

Role-based access control (RBAC)
Dual authorization requirements
Automated approval workflows
Audit logging of actions

4. When Segregation Isn't Possible:

For small organizations or specialized roles:

Implement compensating controls
Increase monitoring and logging
Require management review
Use independent audits
Document risk acceptance

A.5.4 - Management Responsibilities

Purpose: Require management to support information security aligned with business requirements.

Control Statement: "Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization."

Management Obligations:

1. Set Direction

Establish security objectives
Allocate adequate resources
Approve policies and standards
Champion security initiatives

2. Lead by Example

Follow security policies
Demonstrate commitment
Participate in training
Address security in decisions

3. Enable and Support

Provide necessary tools
Allocate time for security activities
Remove obstacles
Recognize good security behavior

4. Monitor and Enforce

Review security metrics
Address non-compliance
Support investigations
Take corrective action

A.5.5 - Contact with Authorities

Purpose: Maintain appropriate contacts with relevant authorities.

Control Statement: "The organization shall establish and maintain contact with relevant authorities."

Relevant Authorities:

Regulatory Bodies:

Data protection authorities (GDPR, etc.)
Industry regulators (financial, healthcare)
Standards organizations
Telecommunications regulators

Law Enforcement:

Local police cybercrime units
National cybersecurity centers
FBI, Secret Service (US)
National Cyber Security Centre (UK)
Interpol for international incidents

Emergency Services:

Fire department
Emergency management
Physical security services

Utility Providers:

Electricity suppliers
Internet service providers
Telecommunications carriers

Implementation:

Maintain contact list with names, roles, contact details
Establish communication protocols
Know when to contact each authority
Practice notification procedures
Document all interactions

A.5.6 - Contact with Special Interest Groups

Purpose: Maintain contact with specialized forums and professional associations.

Control Statement: "The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations."

Valuable Contacts:

Information Sharing Communities:

Industry-specific ISACs (Information Sharing and Analysis Centers)
Threat intelligence sharing platforms
Vulnerability disclosure programs

Professional Organizations:

(ISC)² - Information Systems Security Certification Consortium
ISACA - Information Systems Audit and Control Association
ISSA - Information Systems Security Association
IAPP - International Association of Privacy Professionals

Technical Communities:

OWASP - Open Web Application Security Project
FIRST - Forum of Incident Response and Security Teams
Cloud Security Alliance
SANS Institute

Benefits:

Early warning of threats
Best practice sharing
Professional development
Networking opportunities
Industry benchmarking

A.5.7 - Threat Intelligence

Purpose: Collect and analyze information about security threats.

Control Statement: "Information relating to information security threats shall be collected and analyzed to produce threat intelligence."

Threat Intelligence Sources:

Commercial Feeds:

Threat intelligence platforms (TIP)
Vendor threat reports
SIEM correlation feeds
Dark web monitoring

Open Source Intelligence (OSINT):

MITRE ATT&CK framework
CVE databases
Security mailing lists
Security blogs and researchers
Government advisories (CISA, NCSC)

Industry Sharing:

ISAC feeds
Peer organizations
Vendor security bulletins
Incident response communities

Internal Sources:

Security log analysis
Incident patterns
Vulnerability scan results
Threat hunting activities

Threat Intelligence Process:

1. Collection

Gather data from multiple sources
Filter for relevance to your environment
Normalize data formats

2. Processing

Correlate indicators
Identify patterns
Enrich with context
Remove false positives

3. Analysis

Assess threat relevance
Determine potential impact
Identify affected assets
Evaluate current defenses

4. Dissemination

Share with relevant teams
Update defensive controls
Inform risk assessments
Brief management

5. Action

Implement protective measures
Update detection rules
Patch vulnerabilities
Enhance monitoring

A.5.8 - Information Security in Project Management

Purpose: Integrate information security into project management.

Control Statement: "Information security shall be integrated into project management."

Security in Project Lifecycle:

Initiation Phase:

Identify security requirements
Assess security risks
Include security in scope
Allocate security resources

Planning Phase:

Define security deliverables
Plan security activities
Schedule security reviews
Budget for security controls

Execution Phase:

Implement security controls
Conduct security testing
Review security documentation
Validate compliance

Closure Phase:

Security acceptance criteria met
Documentation complete
Training delivered
Ongoing security responsibilities assigned

Security Checkpoints:

Security requirements review
Threat modeling session
Security design review
Code security review
Penetration testing
Security acceptance testing

A.5.9 - Inventory of Information and Other Associated Assets

Purpose: Identify organizational assets and define protection responsibilities.

Control Statement: "An inventory of information and other associated assets, including owners, shall be developed and maintained."

Asset Categories:

1. Information Assets

Customer data
Employee records
Intellectual property
Business plans
Source code

2. Hardware Assets

Servers and workstations
Network equipment
Mobile devices
Storage devices
IoT devices

3. Software Assets

Operating systems
Applications
Development tools
Databases

4. Services

Cloud services
Managed services
Outsourced functions
Network services

5. People

Key personnel with specialized knowledge
Subject matter experts

6. Intangible Assets

Reputation
Organizational knowledge
Relationships

Asset Register Contents:

Unique asset identifier
Asset description
Asset type and classification
Asset owner
Asset custodian
Location (physical or logical)
Value or importance
Dependencies
Applicable controls

A.5.10 - Acceptable Use of Information and Assets

Purpose: Define and implement rules for acceptable use of information and assets.

Control Statement: "Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented."

Acceptable Use Policy (AUP) Topics:

1. Permitted Uses

Business purposes
Limited personal use (if allowed)
Educational and training
Approved communications

2. Prohibited Uses

Illegal activities
Personal business ventures
Excessive personal use
Accessing inappropriate content
Sharing confidential information
Unauthorized software installation
Cryptocurrency mining
Storing personal sensitive data

3. Internet and Email Use

Appropriate websites
Email standards
Attachment handling
Personal email usage
Social media guidelines
Downloading restrictions

4. Device Usage

Corporate devices vs. BYOD
Remote access requirements
Physical security
Lost/stolen reporting
Software installation rules

5. Data Handling

Classification guidelines
Storage requirements
Transmission rules
Retention and disposal
Encryption requirements

6. Monitoring and Privacy

Explain monitoring occurs
No expectation of privacy
Legal compliance
Audit rights

7. Consequences

Violation procedures
Disciplinary actions
Legal consequences
Termination grounds

Implementation:

Document comprehensive AUP
Obtain management approval
Communicate to all personnel
Require acknowledgment
Include in onboarding
Review annually
Enforce consistently

A.5.11 - Return of Assets

Purpose: Ensure personnel return all organizational assets upon termination or change.

Control Statement: "Personnel and other interested parties as appropriate shall return all of the organization's assets in their possession upon change or termination of their employment, contract or agreement."

Asset Return Process:

Triggering Events:

Employment termination
Contract expiration
Role change
Extended leave
Project completion

Assets to Return:

Computing devices (laptops, tablets, phones)
Access cards and keys
Documents and media
Company credit cards
Tools and equipment
Confidential information
Intellectual property

Return Checklist:

□ Laptop and charger
□ Mobile phone and accessories
□ Tablet devices
□ Security access cards
□ Office keys
□ Parking passes
□ Company credit cards
□ Physical documents
□ USB drives and external storage
□ Software licenses (if transferable)
□ Customer information
□ Project documentation

Process Steps:

HR notifies IT and Security of termination
Manager ensures all assets identified
Return checklist provided to employee
Assets physically returned and verified
IT performs device data wipe
Access permissions revoked
Return documented and signed
Final paycheck contingent on full return (if legal)

A.5.12 - Classification of Information

Purpose: Ensure appropriate protection based on information sensitivity.

Control Statement: "Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements."

Classification Scheme:

Level 1: Public

Approved for public disclosure
No harm if disclosed
Examples: Marketing materials, published reports

Level 2: Internal

For internal use only
Minor harm if disclosed
Examples: Internal procedures, policies, org charts

Level 3: Confidential

Sensitive business information
Significant harm if disclosed
Examples: Financial data, contracts, employee records

Level 4: Restricted

Highly sensitive
Severe harm if disclosed
Examples: Trade secrets, strategic plans, regulated data

Handling Requirements by Level:

Aspect	Public	Internal	Confidential	Restricted
Storage	Any	Company systems	Encrypted storage	Encrypted + access control
Transmission	Any method	Internal email	Encrypted email	Encrypted + approval
Access	Anyone	Employees	Need-to-know	Authorized personnel only
Disposal	Normal trash	Shred	Secure shred	Witnessed shred
Printing	Any printer	Internal printers	Secure printers	Authorized printers only
Labeling	None	None	Mark Confidential	Mark Restricted

A.5.13 - Labelling of Information

Purpose: Develop and implement appropriate procedures for information labelling.

Control Statement: "An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization."

Labeling Methods:

Electronic Documents:

Headers and footers
Watermarks
Metadata tags
Email subject prefixes
File naming conventions

Physical Documents:

Cover sheets
Header/footer stamps
Color-coded paper
Security banners
Confidentiality notices

Example Formats:

Email: [CONFIDENTIAL] Project Phoenix Budget
File name: RESTRICTED_Strategic_Plan_2024.pdf
Header: INTERNAL USE ONLY
Watermark: CONFIDENTIAL - DO NOT DISTRIBUTE

Implementation Considerations:

Automate labeling where possible
Train personnel on proper labeling
Include in document templates
Make labeling easy
Audit for compliance

Additional Key Organizational Controls

A.5.14 - Information Transfer Control transfer of information within and outside the organization.

A.5.15 - Access Control Establish rules for access control based on business and security requirements.

A.5.16 - Identity Management Manage full lifecycle of identities with access to information systems.

A.5.17 - Authentication Information Allocate and manage authentication information properly.

A.5.18 - Access Rights Provision, review, modify, and remove access rights per policy.

A.5.19 - Information Security in Supplier Relationships Define and agree security requirements with suppliers.

A.5.20 - Addressing Security in Supplier Agreements Establish relevant security requirements in agreements with suppliers.

A.5.21 - Managing Security in ICT Supply Chain Define and implement processes to manage security risks in ICT supply chain.

A.5.22 - Monitoring, Review and Change Management of Supplier Services Monitor, review, evaluate and manage supplier service changes.

A.5.23 - Information Security for Use of Cloud Services Define processes for acquisition, use, management and exit from cloud services.

A.5.24 - Information Security Incident Management Planning and Preparation Plan and prepare for managing information security incidents.

A.5.25 - Assessment and Decision on Information Security Events Assess events and decide if they are security incidents.

A.5.26 - Response to Information Security Incidents Respond to incidents according to documented procedures.

A.5.27 - Learning from Information Security Incidents Analyze incidents and use knowledge gained to strengthen security.

A.5.28 - Collection of Evidence Establish procedures for identifying, collecting, acquiring and preserving evidence.

A.5.29 - Information Security During Disruption Plan to maintain information security during disruptions.

A.5.30 - ICT Readiness for Business Continuity Ensure ICT readiness to meet business continuity objectives.

A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements Identify, document and meet security requirements from these sources.

A.5.32 - Intellectual Property Rights Implement procedures to protect intellectual property rights.

A.5.33 - Protection of Records Protect records from loss, destruction, falsification, unauthorized access and release.

A.5.34 - Privacy and Protection of PII Identify and meet requirements for privacy and protection of PII.

A.5.35 - Independent Review of Information Security Review information security approach independently at planned intervals.

A.5.36 - Compliance with Policies, Rules and Standards Regularly review compliance of processes and procedures with policies.

A.5.37 - Documented Operating Procedures Document procedures for information processing facilities and make them available.

Implementation Strategy for Organizational Controls

Phase 1: Governance Foundation (Weeks 1-4)

Develop information security policy
Define roles and responsibilities
Establish management support
Create policy framework

Phase 2: Core Management Controls (Weeks 5-8) 5. Implement acceptable use policy 6. Create asset inventory 7. Develop classification scheme 8. Establish access control policy

Phase 3: Extended Controls (Weeks 9-12) 9. Supplier security requirements 10. Incident management framework 11. Business continuity planning 12. Compliance monitoring

Phase 4: Advanced Controls (Weeks 13-16) 13. Threat intelligence program 14. Independent review process 15. Evidence collection procedures 16. Continuous improvement

Next Lesson: Policy Bundle Template - Learn how to create a comprehensive set of information security policies that satisfy ISO 27001 requirements and provide practical guidance for your organization.