Iso Controls Evidence

The document outlines the requirements and controls for information security as per ISO 27001:2022, including the establishment of security policies, allocation of roles and responsibilities, segregation of duties, and management responsibilities. It emphasizes the importance of maintaining contact with authorities and special interest groups, as well as the integration of threat intelligence and information security in project management. Additionally, it details the processes for acceptable use of information assets and the return of assets upon employee exit, along with the necessary evidence to support compliance with these controls.

Uploaded by

Harish Mahajan

Organizational controls

5.1) Policies for information security

Definition: ISO 27001 Annex A 5.1 requires organizations to establish and maintain policies to ensure the suitability, adequacy, and effectiveness of their information security management practices. These policies must align with business objectives and regulatory requirements while being periodically reviewed and updated.

Evidence to Request:
Policy Documents: A formal, approved information security policy.
Management Approval: Evidence that leadership has endorsed the policies.
Communication Records: Proof that policies have been communicated (e.g., training logs).
Review Logs: Documentation showing periodic reviews and updates.
Implementation Evidence: Reports or examples of the policy in action (e.g., incident handling).
Audit Records: Results from compliance monitoring or internal audits.

5.2) Information security roles and responsibilities

Definition: ISO 27001:2022 Annex A 5.2 focuses on defining and allocating roles and responsibilities for information security. This ensures that tasks are assigned appropriately, supporting the effective implementation, operation, and management of the organization's information security policies and objectives.

Evidence to Request:
Organizational Chart: Clearly defined roles and reporting lines related to information security.
Role Descriptions: Job descriptions specifying information security responsibilities for relevant positions.
Assignment of Responsibilities: Documents or emails showing allocation of specific tasks (e.g., incident response, access control management).
Training Records: Proof of training for employees in their security responsibilities.
Policies and Procedures: Documentation outlining how roles are defined, allocated, and reviewed.
Performance Monitoring Records: Evidence of regular audits or reviews to confirm roles are fulfilled as intended.

5.3) Segregation of duties

Definition: ISO 27001:2022 Annex A 5.3 addresses segregation of duties, a practice aimed at dividing responsibilities and privileges among different individuals or teams. This ensures no single person has complete control over critical tasks, reducing risks such as fraud, errors, and bypassing of security controls.

Evidence to Request:
Role Definitions: Policies and documentation detailing segregated roles and responsibilities.
Access Control Records: Logs showing restricted permissions based on roles.
Approval Processes: Evidence of multi-person approval for critical activities like financial transactions or system changes.
Audit Logs: Records of activity reviews showing tasks were performed by separate individuals or teams.
Training Records: Evidence of training for staff to understand their specific responsibilities under the segregation of duties principle.
Incident Records: Documentation of past incidents and how segregation of duties mitigated or resolved them.

5.4) Management responsibilities

Definition: ISO 27001:2022 Annex A 5.4 focuses on management responsibilities in ensuring compliance with the organization's information security policies and procedures. This control emphasizes that management must actively support, communicate, and enforce the organization's information security measures. They must also ensure employees and contractors understand their roles and comply with security policies.

Evidence to Request:
Policy Documents: Records showing management-approved policies and procedures for information security.
Communication Evidence: Emails, memos, or meeting records indicating management's communication of security policies to staff.
Training Logs: Documentation that demonstrates all employees and contractors have been trained in information security policies.
Compliance Monitoring: Reports or audits verifying that employees adhere to the policies.
Incident Reports: Documentation of how management handled previous security incidents and applied corrective measures.
Performance Reviews: Records showing how management evaluates compliance with security responsibilities during appraisals.

5.5) Contact with authorities

Definition: ISO 27001 Annex A 5.5 requires organizations to create a process for contacting relevant authorities, such as law enforcement or regulatory bodies, in case of incidents or emergencies. This helps meet legal, regulatory, and contractual requirements.

Evidence to Request:
Documented Procedures: Policies outlining when and how the organization should contact authorities.
Contact List: Up-to-date details of relevant authorities, including law enforcement, regulatory bodies, and emergency contacts.
Incident Records: Logs showing previous instances where authorities were contacted, detailing the process and outcome.
Training Records: Evidence that staff have been trained on these procedures, ensuring they know when and how to reach out to authorities.
Periodic Reviews: Documentation proving that the contact details and communication procedures are reviewed and updated regularly.

(These measures ensure that the organization is prepared to respond appropriately in scenarios requiring external communication and support.)

5.6) Contact with special interest groups

Definition: Control 5.6 of ISO 27001 requires organizations to establish and maintain contact with special interest groups (SIGs) or other professional associations related to information security. SIGs are groups formed by people or organizations that share an interest in a particular area of expertise or industry, such as cybersecurity, data privacy, or cloud computing. The purpose is to stay informed about security threats, best practices, and industry developments that could impact the organization's security policies.

Evidence to Request:
Membership Documentation: Proof of membership or participation in relevant SIGs or associations.
Meeting Records: Evidence of attendance at SIG-related events, such as conferences or forums.
Communication Records: Emails, newsletters, or other documents showing regular interaction with these groups.
Adopted Guidelines: Demonstration that the organization has integrated insights or security recommendations from SIGs into its policies or security practices.
Reports and Updates: Any reports or summaries detailing updates from these groups and how they influence security measures in the organization.

(These documents show that the organization actively engages with the right SIGs to stay updated on critical information security topics.)

5.7) Threat intelligence

Definition: Threat intelligence refers to the collection and analysis of information about potential and existing cyber threats that may affect an organization's security. This includes data on malicious actors and the tactics, techniques, and procedures (TTPs) they use to exploit vulnerabilities in systems. Threat intelligence aims to help organizations proactively identify and defend against these threats before they cause damage. It is a key element of a robust cybersecurity strategy, enabling businesses to anticipate and mitigate risks.

Evidence to Request:
Threat Intelligence Sources: Documentation of the sources used to gather threat intelligence (e.g., commercial threat feeds, open-source data, government alerts).
Reports or Dashboards: Evidence of regular threat intelligence reports or dashboards that monitor and analyze potential threats.
Threat Intelligence Sharing: Records showing collaboration with external entities, such as sharing threat intelligence with industry groups or government bodies.
Incident Response Actions: Evidence showing how threat intelligence has informed responses to security incidents or mitigations.
Tools and Software: Information about the tools used to collect and analyze threat data, such as threat intelligence platforms or SIEM systems.

(These pieces of evidence confirm that the organization has a structured approach to understanding and acting on threat intelligence.)

5.8) Information security in project management

Definition: Information security in project management ensures that all aspects of a project, including data, resources, and deliverables, are protected against unauthorized access, breaches, or other security risks throughout the project lifecycle. This integration of information security measures is essential to safeguard both the organization's and clients' sensitive data. It involves identifying and managing information security risks from the initiation of the project until its completion and ensuring that proper controls are in place at all stages of the project management process.

Evidence to Request:
Risk Assessments: Documentation of risk assessments specifically related to project deliverables and information security.
Security Controls in Project Plans: Evidence showing that information security measures are incorporated into project planning and execution (e.g., data encryption, access controls).
Security Reviews and Audits: Records of regular security reviews or audits conducted during the project lifecycle.
Communication with Security Teams: Evidence of collaboration with security teams to ensure potential risks are addressed.
Training and Awareness: Proof of any training or awareness programs provided to project teams about handling sensitive data and security practices.

(These pieces of evidence demonstrate that the project management process includes proper handling and protection of information security risks.)

5.9) Inventory of information and other associated assets

Definition: An inventory of information and other associated assets is a comprehensive list of all the assets an organization stores, processes, or transmits, which are critical for maintaining information security. This includes not only physical assets like servers or devices but also intangible assets such as data, software, and intellectual property. It is essential for determining the location, handling, security measures, and ownership responsibilities for each asset. This inventory helps to ensure that the organization can properly protect these assets from threats and manage risks effectively.

5.10) Acceptable use of information and other associated assets

Definition: The acceptable use of information and other associated assets refers to the rules and guidelines that govern how an organization's information and assets should be used. These rules are set to ensure that assets, such as data, software, hardware, and intellectual property, are used in a way that does not jeopardize their availability, confidentiality, integrity, or security. The policy outlines acceptable behaviors, processes, and actions while using these assets to protect the organization from misuse, cyber threats, and operational risks.

Evidence to Request:
Acceptable Use Policy (AUP): A documented policy specifying the acceptable use of information assets.
Employee Awareness Programs: Evidence that employees and external users are trained or informed about acceptable use practices.
Access Control Logs: Records showing enforcement of the policy, such as restricted access to sensitive assets or monitoring of usage.
Incident Reports: Documentation of any policy violations or breaches and corrective actions taken.
Review and Update Records: Evidence that the acceptable use policy is periodically reviewed and updated as necessary.

(These ensure the organization maintains control over how its information and assets are used securely and in compliance with internal policies.)

5.11) Return of assets

Definition: The return of assets refers to the requirement that when individuals leave an organization (whether through termination, resignation, or reassignment), they must return all assets belonging to the organization. These assets may include physical items such as computers, mobile devices, and security tokens, and intellectual property like software licenses, documents, and data. The policy ensures that all assets are recovered to prevent unauthorized access, loss of information, or misuse.

Evidence to Request:
Asset Return Policy: A documented policy outlining the process for returning assets, including timelines and responsibilities.
Exit Procedures: Evidence that employees are instructed to return assets during their exit process, such as a checklist or form signed by both the employee and the responsible manager.
Asset Tracking Records: Logs or records showing the assets issued and returned by employees, especially for sensitive items.
Incident Reports: Documentation of any instances where assets were not returned or were returned late, along with corrective actions.
Audits or Inspections: Evidence of periodic audits ensuring that all assets are tracked and returned as needed.

(This process helps protect the organization's resources and data security after personnel leave.)