Annex A of ISO 27001 contains 93 controls, with 37 classified as organizational controls under section A.5. These controls address the governance, policies, roles, risk management, and compliance frameworks essential for a resilient ISMS. Unlike people, physical, or technological controls, organizational controls focus on the structural and procedural aspects of security, ensuring alignment with business objectives and regulatory requirements.
Each control in Annex A.5 includes a unique identifier, title, and brief statement, as defined in the normative ISO 27001 standard. For detailed implementation guidance, ISO/IEC 27002:2022, an informative companion, provides practical advice, examples, and best practices across 164 pages, using the same numbering for seamless reference. Both standards are available for purchase from the International Organization for Standardization (ISO) or authorized resellers.

Complete List of Annex A.5 Organizational Controls
The table below lists all 37 organizational controls of Annex A.5.
Control ID | Control Title |
---|---|
A.5.1 | Policies for Information Security |
A.5.2 | Information Security Roles and Responsibilities |
A.5.3 | Segregation of Duties |
A.5.4 | Management Responsibilities |
A.5.5 | Contact With Authorities |
A.5.6 | Contact With Special Interest Groups |
A.5.7 | Threat Intelligence |
A.5.8 | Information Security in Project Management |
A.5.9 | Inventory of Information and Other Associated Assets |
A.5.10 | Acceptable Use of Information and Other Associated Assets |
A.5.11 | Return of Assets |
A.5.12 | Classification of Information |
A.5.13 | Labelling of Information |
A.5.14 | Information Transfer |
A.5.15 | Access Control |
A.5.16 | Identity Management |
A.5.17 | Authentication Information |
A.5.18 | Access Rights |
A.5.19 | Information Security in Supplier Relationships |
A.5.20 | Addressing Information Security Within Supplier Agreements |
A.5.21 | Managing Information Security in the ICT Supply Chain |
A.5.22 | Monitoring, Review and Change Management of Supplier Services |
A.5.23 | Information Security for Use of Cloud Services |
A.5.24 | Information Security Incident Management Planning and Preparation |
A.5.25 | Assessment and Decision on Information Security Events |
A.5.26 | Response to Information Security Incidents |
A.5.27 | Learning From Information Security Incidents |
A.5.28 | Collection of Evidence |
A.5.29 | Information Security During Disruption |
A.5.30 | ICT Readiness for Business Continuity |
A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements |
A.5.32 | Intellectual Property Rights |
A.5.33 | Protection of Records |
A.5.34 | Privacy and Protection of PII |
A.5.35 | Independent Review of Information Security |
A.5.36 | Compliance With Policies, Rules and Standards for Information Security |
A.5.37 | Documented Operating Procedures |
Key Topics Covered in Annex A.5
Annex A.5 encompasses a wide range of governance and management practices critical to an effective ISMS. These controls ensure that security is embedded in organizational processes, from policy development to incident response. Below is a breakdown of the main areas covered by A.5, with examples and their relevance.
Policy Development and Organizational Structure
The following controls are related to this topic:
A.5.1 (Policies for Information Security)
A.5.2 (Information Security Roles and Responsibilities)
A.5.3 (Segregation of Duties)
A.5.4 (Management Responsibilities)
A.5.5 (Contact with Authorities)
A.5.6 (Contact with Special Interest Groups)
Purpose: Establish clear security policies and assign accountability so that no area of security is left unowned. For example, A.5.1 requires documented policies to guide security practices, while A.5.2 ensures roles such as Information Security Officer are defined.
Relevance: Clear policies and roles are foundational for consistent security governance, especially in complex organizations.
Threat Intelligence and Project Management
The following controls are related to this topic:
A.5.7 (Threat Intelligence)
A.5.8 (Information Security in Project Management)
Purpose: Enable proactive risk management by monitoring threats (A.5.7) and integrating security into project lifecycles (A.5.8). For instance, A.5.7 involves gathering threat data to anticipate cyberattacks.
Relevance: With rising cyber threats in 2025, such as AI-driven attacks, threat intelligence is critical for staying ahead.
Asset Management
The following controls are related to this topic:
A.5.9 (Inventory of Information and Other Associated Assets)
A.5.10 (Acceptable Use of Assets)
A.5.11 (Return of Assets)
A.5.12 (Classification of Information)
A.5.13 (Labelling of Information)
A.5.14 (Information Transfer)
Purpose: Ensure assets are identified, classified, and protected. For example, A.5.11 requires personnel to return assets like laptops upon termination to prevent data leaks.
Relevance: Comprehensive asset management reduces vulnerabilities in hybrid work environments with diverse devices.
Access and Identity Management
The following controls are related to this topic:
A.5.15 (Access Control)
A.5.16 (Identity Management)
A.5.17 (Authentication Information)
A.5.18 (Access Rights)
Purpose: Prevent unauthorized access through robust access control policies and authentication mechanisms. A.5.17, for instance, mandates secure management of passwords or biometrics.
Relevance: With remote work prevalent in 2025, strong identity management is essential to secure distributed systems.
Supplier Management
The following controls are related to this topic:
A.5.19 (Information Security in Supplier Relationships)
A.5.20 (Supplier Agreements)
A.5.21 (Managing Information Security in the ICT Supply Chain)
A.5.22 (Monitoring, Review and Change Management of Supplier Services)
A.5.23 (Information Security for Use of Cloud Services)
Purpose: Secure third-party relationships and supply chains. A.5.23 addresses security for cloud services like AWS or Azure.
Relevance: As third-party risks grow with increased outsourcing, these controls ensure vendor compliance.
Incident Management
The following controls are related to this topic:
A.5.24 (Incident Management Planning)
A.5.25 (Assessment of Security Events)
A.5.26 (Response to Incidents)
A.5.27 (Learning from Incidents)
A.5.28 (Collection of Evidence)
Purpose: Enable rapid response and recovery from security incidents. A.5.26 outlines steps to contain breaches, while A.5.27 promotes learning to prevent recurrence.
Relevance: With ransomware attacks surging, structured incident management minimizes damage.
Business Continuity and Compliance
The following controls are related to this topic:
A.5.29 (Security During Disruption)
A.5.30 (ICT Readiness for Business Continuity)
A.5.31 (Legal and Regulatory Requirements)
A.5.32 (Intellectual Property Rights)
A.5.33 (Protection of Records)
A.5.34 (Privacy and PII)
A.5.35 (Independent Review)
A.5.36 (Compliance with Policies)
A.5.37 (Operating Procedures)
Purpose: Ensure continuity, legal compliance, and privacy protection. A.5.34 addresses GDPR-compliant PII protection, while A.5.35 mandates independent ISMS reviews.
Relevance: Compliance with global regulations like GDPR and CCPA is critical in 2025 to avoid penalties.