ISO 27001 Information Security - Annex A 5 Organizational Controls

A5 Organizational controls
A5 Organizational controls

4th April 2023 - ISO 27001 Information Security in plain English - Post #18 in the series.

ISO 27001 - Annex A 5 Organizational Controls

Today, we continue our series 'ISO 27001 Information Security in plain English' with our first foray into the new Annex A controls.

Something that sets ISO 27001 apart from all the other ISO management system standards is its Annex A. This is a table of controls that are derived from the detailed guidelines published in ISO 27002 (which provides a reference and guidance on information security).

What is a control? A control is defined by ISO as a measure that modifies or maintains risk. Those measures might include policies, processes, practices, devices or other conditions or actions.

There are 93 controls specified in Annex A, and they are spread over 4 categories - each of which deals with a different facet of information security. Annex A is actually longer than the regular clauses.

In this article, we'll look at the first category - which is Annex A 5 Organizational Controls. This first section is numbered 5 to maintain numbering compatibility with the guidance standard ISO 27002.  It is quite a large category with 37 controls. For the convenience of those looking to update their ISMS from the previous version of ISO 27001, we have included the relevant control numbers from that standard in brackets. Here goes...

Find out about Qudos 3 IMS software

This article on Annex A 5 Organizational Controls is based on an extract from the Guide Book in the Qudos ISO 27001 InfoSec Toolkit - exclusively available as an integrated component of Qudos 3 software.

This article is based on an extract from the Guide Book in the Qudos ISO 27001 InfoSec Toolkit. The toolkit is exclusively available as an integrated component of Qudos 3 software.

Annex A 5.1 Policies for information security (5.1.1 / 5.1.2)

Policies provide direction for a management system and underpin top management commitment. There are two elements to this control:

  1. A set of policies is established and communicated.
  2. Those policies are reviewed periodically - and also where significant changes occur.

Annex A 5.2 Information security roles and responsibilities (6.1.1)

Roles and responsibilities need to be defined for implementing and operating information security within the organization. To some degree, this may be achieved by assigning responsibilities to existing roles throughout the organization. There may also be new job positions created, such as CISO (Chief Information Security Officer) and DPO (Data Protection Officer).

Annex A 5.3 Segregation of duties (6.1.2)

Segregation of duties refers to ensuring that the ability (the knowledge and / or privileges) needed to complete certain processes are divided amongst two or more users. The purpose is to minimise the risk of unintended or unauthorised actions and deliberate misdemeanours occurring and going undetected.

Annex A 5.4 Management responsibilities (7.2.1)

Management has a responsibility to ensure that people are aware of and fulfil their roles in the information security management system.

Annex A 5.5 Contact with relevant authorities (6.1.3)

Procedures must be in place to make contact with the relevant authorities when something goes wrong and needs to be reported.

Annex A 5.6 Contact with special interest groups (6.1.4)

The organization needs to keep up to date with what is changing in the security threat landscape and its business context. Contact with special interest groups can provide the information required.

Annex A 5.7 Threat intelligence

This is a new control in ISO 27001:2022. It requires the organization to obtain intelligence about potential threats. Useful sources of such intelligence might include security software providers such as Microsoft Defender or  crowdstrike, or government bodies such as Scamwatch and ACSC.

Annex A 5.8 Information security in project management (6.1.5 / 14.1.1)

Information security needs to be considered in project management - regardless of the nature of the project.

5.9 Inventory of information and other associated assets (8.1.1 / 8.1.2)

The organization is required to identify and record the information and data assets that it holds.


Qudos 3 software clients should use the dedicated Assets module for creating and managing their inventory of hardware, software, and information  assets.


Annex A 5.10 Acceptable use of information and other associated assets (8.1.3 / 8.2.3)

ThIs control requires documented rules on the acceptable use of information and how people should handle information and relevant assets.

Annex A 5.11 Return of assets (8.1.4)

Arrangements must be in place for the assured return of assets when no longer required for business purposes.

Annex A 5.12 Classification of information (8.2.1)

The organization must establish a system or scheme of data classification. Please note that ISO 27001 does not prescribe any particular classification scheme.

Annex A 5.13 Labelling of information (8.2.2)

The organization must provide guidance on the labelling of assets with regard to their security classification.


A classification scheme is included in Qudos 3 software for labelling all relevant documents and records.


Annex A 5.14 Information transfer (13.2.1 to 13.2.3)

Information Transfer or Transmission controls should include practical steps to ensure information security during transmission within your organization and also with external parties.

Annex A 5.15 Access control (9.1.1 / 9.1.2)

In this control, the organization is required to restrict access to information and associated processing facilities to only those with a business 'need to know' or 'need to use'.

Annex A 5.16 Identity management (9.2.1)

Only authorised users should be able to gain an appropriate level of access to systems and services - and in addition, measures should be in place to actively prevent any unauthorised access. To that end, procedures should be established to verify the identity of a user prior to them being granted access to systems and services.

Annex A 5.17 Authentication information (9.2.4 / 9.3.1 / 9.4.3)

Secret authentication is the term used by ISO to describe secret or encoded information that provides assurance that a claimed characteristic of a person or entity is correct. This control requires a formal management process for the allocation of that secret authentication information.

Annex A 5.18 Access rights (9.2.2 / 9.2.5 / 9.2.6)

There should be a formal process in to request access being granted or changed to the organization's network and systems.

Annex A 5.19 Information security in supplier relationships (15.1.1)

All organizations are dependent to some degree on external providers or suppliers of products, systems, and services to carry out their business functions. This dependence presents potential risks that need to be managed. This control section is intended to ensure the protection of information assets that may be accessible by any external suppliers.

This article on Annex A 5 Organizational Controls is based on an extract from the Guide Book in the Qudos ISO 27001 InfoSec Toolkit - exclusively available as an integrated component of Qudos 3 software.

ISO 27001 InfoSec Toolkit

Annex A 5.20 Addressing information security within supplier agreements (15.1.2)

All organizations are dependent to some degree on external providers or suppliers of products, systems, and services to carry out their business functions. The relationships with those suppliers can be established in a variety of ways e.g. commercial contracts, licencing agreements, joint ventures, business partnerships etc. This dependence presents potential risks that need to be managed.

Annex A 5.21 Managing information security in the ICT supply chain (15.1.3)

This control relates to situations where suppliers subcontract part of their service to others,
or obtain components for their products from others.

Annex A 5.22 Monitoring, review and change management of supplier services (15.2.1 / 15.2.2)

There is a requirement to monitor and check supplier service delivery. Where practicable, this could be done by automated logs. Any changes to the supply chain involved in the provision of those services that may impact security also needs to be managed.

Annex A 5.23 Information security for use of cloud services

This is a new control in ISO 27001:2022.

There are many advantages to the use of cloud services and as a result, their use is becoming almost universal. So, it's no surprise that the latest edition of ISO 27001 now includes a dedicated control for information security over the life-cycle of the use of cloud services.

Annex A 5.24 Information security incident management planning and preparation (16.1.1)

The objective of this annex control is to ensure a consistent and effective approach is taken to the management of information security incidents. That includes appropriate communications regarding security events and weaknesses

Annex A 5.25 Assessment and decision on information security events (16.1.4)

There is requirement for information security events to be assessed and a decision made on whether they are to be classified as an information security incident.

Annex A 5.26 Response to information security incidents (16.1.5)

Any information security incidents should be responded to as per the procedures. Appropriate evidence about the incident should be collected and retained. It may be necessary to report certain events to external parties e.g in the event of fraud or privacy breach. In which, the responsibility for, and method of communication with external parties should be established in your Communication Plan. A template Communications Plan is included in the Qudos ISO 27001 InfoSec Toolkit.

Annex A 5.27 Learning from information security incidents (16.1.6)

In addition to responding to incidents, it is important to learn from them. They should be evaluated to identify if a similar incident could occur elsewhere, or where underlying issues or trends exist that could lead to a recurring problem.

Annex A 5.28 Collection of evidence (16.1.7)

The availability of appropriate data is a key element in detecting, assessing and investigating information security incidents.

All Workers should be required to note and report any observed or suspected information security events and weaknesses. This requirement may be addressed for all workers by inclusion in standard contracts and communicating at induction or during security awareness sessions.
It may also be addressed for employees by inclusion in documented job descriptions.

Annex A 5.29 Information security during disruption (17.1.1 to 17.1.3)

The objective of this control is to ensure that information security continuity is embedded
into the organization's wider business continuity management systems. There are many potential threats that may cause an event that disrupts normal business operations. If such an event occurs and is not addressed effectively, it can cause operational disruption or even complete business failure. BCP (Business continuity planning is a process that organizations undertake to prepare for such an event, and build in organizational resilience -v to ensure an effective response, minimised impact and a faster recovery.

Annex A 5.30 ICT readiness for business continuity

Technically, this is a new control in ISO 27001:2022. However, there was some relevance in ISO 27001:2013 control A17 'Information security aspects of business continuity management'. Any existing arrangements to address that requirement may also be useful to incorporate here.

Information technology is a key element of all modern organizations. Therefore, an effective BCP must include consideration of information technology issues and ensure the continued security of that information.

Annex A 5.31 Legal, statutory, regulatory and contractual requirements (18.1.1 / 18.1.5)

This control section can be a very significant one. For, it seeks to ensure that the organization avoids breaches of legal or other compliance obligations related to information security.

Annex A 5.32 Intellectual property rights (18.1.2)

Controls must be implemented to meet obligations relating to the Intellectual property rights of others. A typical example of those rights are those belonging to the proprietors of software products in use by the organization. An acceptable use policy will typically prohibit the downloading, installation, sharing or use of any unlicenced software or other intellectual property. A template acceptable use policy is included in the Qudos ISO 27001 InfoSec Toolkit.

Annex A 5.33 Protection of records (18.1.3)

This control requires the organization to provide suitable protection of records.
It may be implemented alongside arrangements to comply with clause 7.5 Documented information.

Annex A 5.34 Privacy and protection of PII (18.1.4)

The organization is required to ensure the privacy and protection of PII (Personally Identifiable Information) in line with relevant legislation and regulation.

Annex A 5.35 Independent review of information security (18.2.1)

There must be independent reviews of the ISMS to observe that it continues to be fit for purpose. The reviewers could be internal people - providing they are independent of the business area being reviewed. Reviews can also be performed by external specialists.

Annex A 5.36 Compliance with policies, rules and standards for information security (18.2.2 / 18.2.3)

Managers must regularly review compliance within their area of responsibility with relevant policies, rules and standards for information security. The most appropriate methods for performing and recording those reviews must be determined.

Annex A 5.37 Documented operating procedures (12.1.1)

The objective of this control is to ensure correct and secure operations of information processing facilities. In this somewhat expansive area of the standard, the organization is required to ensure that a number of controls are considered for continued secure operations to be sustained,

There is also mention of the requirement to minimise the impact of any audit and checking activities upon business operations.


That concludes the article on Annex A 5 Organizational Controls. The next article in this series will look at Annex A category 6 People Controls.


About the series 'ISO 27001 Information Security in plain English'

This article on Annex A Organizational Controls is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Now updated for the latest version of the standard - ISO 27001:2022.

Click the LinkedIn Follow button below to receive notifications.


There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!