Information Security Management

ISO 27001 Organisational Controls Explored

Organisational controls form the backbone of Annex A and any information security management system (ISMS).

They cover the policies, responsibilities, and governance processes that keep information security effective across your business.

ISO 27001 requires you to review them as part of your risk assessment and then respond to each control in a document called “The Statement of Applicability.

Every control is explained in more detail below.

Explore The Toolkit

Ready-to-use templates

Learn About My Course

Step-by-step implementation

Consultancy Options

Fast-track with expert support

Verified toolkit reviews:

Start with the free toolkit

(Includes: Information Security Scope Template)

ISO 27001 Annex A Organisational Controls Explained in 3 minutes

Select a control family to explore it in more detail

Organisational
Controls People
Controls Phyiscal
Controls Technological
Controls

See a list of all the controls of Annex A

What Are Organisational Controls in ISO 27001?

Organisational controls are the policy and process-based safeguards that guide how your organisation manages information security.
They define who does what, how decisions are made, and how security integrates with everyday operations.

They’re often the first controls an auditor will review because they demonstrate that security is managed systematically — not left to chance.

< Back to my Annex A Overview

How ISO 27001 Organisational Controls Fit into Annex A

ISO 27001:2022 includes 37 organisational controls (A.5.1 to A.5.37).
They sit within the wider Annex A structure of four control themes:

Organisational – management and governance processes (this page)
People – human factors and awareness
Physical – premises and equipment
Technological – systems and infrastructure

Together, these controls ensure your ISMS runs consistently and aligns with business objectives.

The specific controls you apply — and how — are documented in your Statement of Applicability.

How the ISO 27001 organisational controls relate to the other control families in Annex A

Control List (5.1 – 5.37)

Below is a complete list of the Organisational controls, each linking to its own detailed explanation and examples.

I’ve grouped them into themes to help organise them, but these are not ISO 27001 formal groupings.

Governance & Policy Management (5.1-5.4)

Defines how information security is directed, owned, and reviewed.

5.1 Policies for information security

5.2 Information security roles & responsibilities

5.3 Segregation of duties

5.4 Management responsibilities

External Engagement & Risk Awareness (5.5-5.8)

Ensures the organisation stays informed and connected to its threat and regulatory landscape.

5.5 Contact with authorities

5.6 Contact with special interest groups

5.7 Threat intelligence

5.8 Information security in project management

Asset & Data Handling Controls (5.9-5.14)

Governs the lifecycle of information and related assets.

5.9 Inventory of information and other associated assets

5.10 Acceptable use of information and other associated assets

5.11 Return of assets

5.12 Classification of information

5.13 Labelling of information

5.14 Information transfer

Access & Identity Management (5.15-5.18)

Ensures only authorised people have appropriate access.

5.15 Access control

5.16 Identity management

5.17 Authentication information

5.18 Access rights

Supplier & Service Management (5.19-5.23)

Manages risks linked to suppliers, cloud, and ICT services.

5.19 Information security in supplier relationships

5.20 Addressing information security within supplier agreements

5.21 Managing information security in the ICT supply chain

5.22 Monitoring, review and change management of supplier services

5.23 Information security for use of cloud services

Incident & Continuity Management (5.24-5.30)

Enables detection, response, and recovery when incidents occur.

5.24 Information security incident management planning and preparation

5.25 Assessment and decision on information security events

5.26 Response to information security incidents

5.27 Learning from information security incidents

5.28 Collection of evidence

5.29 Information security during disruption

5.30 ICT readiness for business continuity

Legal & Compliance Controls (5.31-5.37)

Keeps the ISMS aligned with external requirements.

5.31 Legal, statutory, regulatory and contractual requirements

5.32 Intellectual property rights

5.33 Protection of records

5.34 Privacy and protection of PII

5.35 Independent review of information security

5.36 Compliance with policies, rules and standards for information security

5.37 Documented operating procedures

Get every ISO 27001 document today.

Complete templates pack: policies, procedures, Statement of Applicability, risk register, and records. Updated for ISO 27001:2022

130 Word/Excel templates, ready to edit
Auditor notes: what evidence to show
Instant download, licence for your organisation

Buy the Toolkit – £85

See reviews & details

Instant download · 30-day upgrade credit to the Course

a picture of the lite information security toolkit

The Importance of Organisational Controls in 27001

So, why have this group of controls? Well, the benefits include;

They establish governance and accountability, ensuring decisions are traceable.
They drive risk-based planning and continuous improvement.
They help demonstrate compliance with legal and contractual obligations.
They ensure the ISMS stays aligned with business goals.

Often, when we think of security we think of technological controls, and maybe a little bit about training, but here ISO 27001 is trying to get you to think about governance, and the ‘wrap around’ to the technological controls. How do you manage policies, risk, data types, assets, access control, suppliers, incidents and legal / regulatory compliance.

These are really important aspects of security that need serious consideration and review.

Check out some of the other control families here;

FAQ: Organisational Controls

Are all 37 controls mandatory?

You must consider all of them and justify inclusion/exclusion in your statement of applicability (SoA).

Do these controls replace the old Annex A domains?

Yes — in 2022 the 14 domains were replaced by the four themes (Organisational, People, Physical, Technological).

Where can I find implementation guidance?

You can refer to ISO 27002, which explains each control’s purpose and actions, but I’ve added guides to each control above.