Annex A of ISO 27001 outlines 93 information security reference controls, categorized into four main themes: Organizational Controls (A.5), People Controls (A.6), Physical Controls (A.7), and Technological Controls (A.8). These controls help organizations mitigate risks based on their unique risk assessments.
This guide focuses on Annex A.5, whose 37 controls (A.5.1 to A.5.37) cover organizational topics such as organizational structure, access control rules, incident management, supplier management and much more.

What Are Annex A.5 Organizational Controls in ISO 27001:2022?
The controls of Annex A.5 provide fundamental measures for managing information security risks at the organizational level. They cover regulations, measures, policies, rules, processes, procedures, and structures that shape your approach to information security.
With 37 controls, Annex A.5 ensures security is integrated into everyday operations. Detailed implementation guidance is available in ISO 27002:2022, allowing customization based on your business size, industry, and emerging risks like ransomware attacks. Implementing these controls not only aids ISO 27001 certification but also improves resilience against data breaches and regulatory fines.
Complete List of ISO 27001 Annex A.5 Controls
Below is the full list of Annex A.5 organizational controls from ISO 27001:2022. We've structured it in a table for easy reference, including control numbers and names. For each, consider how it applies to your ISMS—use ISO 27002 for in-depth guidance on implementation.
| Control ID | Control Title |
|---|---|
| A.5.1 | Policies for Information Security |
| A.5.2 | Information Security Roles and Responsibilities |
| A.5.3 | Segregation of Duties |
| A.5.4 | Management Responsibilities |
| A.5.5 | Contact With Authorities |
| A.5.6 | Contact With Special Interest Groups |
| A.5.7 | Threat Intelligence |
| A.5.8 | Information Security in Project Management |
| A.5.9 | Inventory of Information and Other Associated Assets |
| A.5.10 | Acceptable Use of Information and Other Associated Assets |
| A.5.11 | Return of Assets |
| A.5.12 | Classification of Information |
| A.5.13 | Labelling of Information |
| A.5.14 | Information Transfer |
| A.5.15 | Access Control |
| A.5.16 | Identity Management |
| A.5.17 | Authentication Information |
| A.5.18 | Access Rights |
| A.5.19 | Information Security in Supplier Relationships |
| A.5.20 | Addressing Information Security Within Supplier Agreements |
| A.5.21 | Managing Information Security in the ICT Supply Chain |
| A.5.22 | Monitoring, Review and Change Management of Supplier Services |
| A.5.23 | Information Security for Use of Cloud Services |
| A.5.24 | Information Security Incident Management Planning and Preparation |
| A.5.25 | Assessment and Decision on Information Security Events |
| A.5.26 | Response to Information Security Incidents |
| A.5.27 | Learning From Information Security Incidents |
| A.5.28 | Collection of Evidence |
| A.5.29 | Information Security During Disruption |
| A.5.30 | ICT Readiness for Business Continuity |
| A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements |
| A.5.32 | Intellectual Property Rights |
| A.5.33 | Protection of Records |
| A.5.34 | Privacy and Protection of PII |
| A.5.35 | Independent Review of Information Security |
| A.5.36 | Compliance With Policies, Rules and Standards for Information Security |
| A.5.37 | Documented Operating Procedures |
Key Topics Covered in Annex A.5 Controls
Annex A.5 addresses a broad spectrum of organizational security topics, ensuring comprehensive governance. Here's a breakdown of the main areas:
Policy Development and Roles: Controls like A.5.1 (Policies for Information Security) and A.5.2 (Information Security Roles and Responsibilities) focus on creating security policies and assigning accountability so that no security responsibility is left unowned.
Threat Intelligence and Project Management: A.5.7 (Threat Intelligence) and A.5.8 (Information Security in Project Management) help organizations stay ahead of risks by integrating security into projects and monitoring threats.
Asset Management: From A.5.9 (Inventory of Information and Other Associated Assets) to A.5.13 (Labelling of Information), these controls ensure assets are identified, classified, and protected.
Access and Identity Management: Controls A.5.15 to A.5.18 cover access control, identity management, authentication, and rights, crucial for preventing unauthorized access in modern hybrid work environments.
Supplier Management: A.5.19 to A.5.23 address supplier relationships, agreements, supply chain security, monitoring, and cloud services—vital as third-party risks rise in 2025.
Incident Management: A.5.24 to A.5.28 outline planning, assessment, response, learning, and evidence collection for security incidents, enabling quick recovery.
Business Continuity and Compliance: Controls A.5.29 to A.5.37 include disruption security, business continuity, legal requirements, intellectual property, records protection, privacy (PII), independent reviews, compliance, and operating procedures.