Information Security Management

ISO 27001 Organisational Controls Explored

Read on for a complete list of the organisational controls and explanations by an ISO 27001 consultant.


All 37 Organisational Controls List

Below is a complete list of the Organisational controls, each linking to its own detailed explanation and examples.

I’ve grouped them into themes to help organise them, but these are not ISO 27001 formal groupings.


5.1 Policies for information security – The set of approved, documented, and communicated policies that direct how your organisation manages information security.

5.2 Information security roles and responsibilities – Clear definitions of who is accountable for what across the ISMS, from top management down to individual contributors.

5.3 Segregation of duties – Splitting conflicting tasks between different people so that no single person can both perform and authorise sensitive activities.

5.4 Management responsibilities – The expectation that management actively requires staff to follow security policies and procedures, not just assume they will.

5.5 Contact with authorities – Established relationships with regulators, law enforcement, and other authorities you may need to engage with, before you need to engage with them.

5.6 Contact with special interest groups – Active participation in security forums, industry bodies, and professional networks to stay informed about emerging threats and good practice.

5.7 Threat intelligence – The collection and analysis of information about current and emerging threats relevant to your organisation, used to inform security decisions.

5.8 Information security in project management – Building security considerations into how projects are planned, run, and delivered, rather than bolting them on at the end.

5.9 Inventory of information and other associated assets – A maintained register of the information, systems, and equipment that matter to your business, with named owners.

5.10 Acceptable use of information and other associated assets – Documented rules covering how staff and other users are permitted to handle the organisation’s information and equipment.

5.11 Return of assets – The process for recovering laptops, access cards, documents, and other assets when staff leave or change roles.

5.12 Classification of information – A scheme for categorising information based on its sensitivity, value, and the protection it requires.

5.13 Labelling of information – Marking information consistently with its classification so that the people handling it know how to treat it.

5.14 Information transfer – Rules and protections for moving information between people, systems, or organisations in a secure way.

5.15 Access control – The overall framework that defines who can access what, on what basis, and how that access is governed.

5.16 Identity management – The lifecycle of user identities across your systems, from creation through changes to deletion.

5.17 Authentication information – The management of passwords, tokens, keys, and other secrets that prove a user is who they say they are.

5.18 Access rights – The day-to-day provisioning, review, and removal of user access to systems and information.

5.19 Information security in supplier relationships – The approach to identifying, assessing, and managing information security risks from your suppliers and third parties.

5.20 Addressing information security within supplier agreements – Ensuring contracts with suppliers include appropriate security clauses, responsibilities, and expectations.

5.21 Managing information security in the ICT supply chain – Extending supplier security thinking to the wider chain of providers behind your direct suppliers.

5.22 Monitoring, review and change management of supplier services – The ongoing process of checking that suppliers continue to deliver to the agreed security standard.

5.23 Information security for use of cloud services – The processes for assessing, adopting, managing, and exiting cloud services securely.

5.24 Information security incident management planning and preparation – Having a documented incident response capability in place before you need it.

5.25 Assessment and decision on information security events – The process for deciding whether a reported event is actually a security incident that needs a response.

5.26 Response to information security incidents – The structured handling of confirmed incidents, including containment, communication, and resolution.

5.27 Learning from information security incidents – Capturing lessons from incidents and feeding them back into improvements to the ISMS.

5.28 Collection of evidence – Preserving evidence during and after incidents in a way that supports investigation, legal action, or regulatory reporting.

5.29 Information security during disruption – Maintaining appropriate information security even when normal operations are disrupted by an incident or crisis.

5.30 ICT readiness for business continuity – Ensuring your IT services can be recovered to required levels within required timeframes when disruption occurs.

5.31 Legal, statutory, regulatory and contractual requirements – A maintained understanding of the external requirements your organisation must comply with, and how you’re meeting them.

5.32 Intellectual property rights – Protecting your own IP and ensuring you don’t infringe on the IP of others through your operations.

5.33 Protection of records – Safeguarding records from loss, destruction, falsification, unauthorised access, and unauthorised release in line with retention requirements.

5.34 Privacy and protection of PII – Handling personally identifiable information in line with applicable privacy laws and the expectations of the people whose data you hold.

5.35 Independent review of information security – Periodic reviews of the ISMS by someone independent from those who run it day-to-day.

5.36 Compliance with policies, rules and standards for information security – Verifying that your own policies and standards are actually being followed in practice.

5.37 Documented operating procedures – Written procedures for the operational tasks that support information security, so they happen consistently regardless of who’s doing them.



ISO 27001 Annex A: Organisational Controls

There’s little additional value in my repeating a description of the overall purpose of Annex A and how to approach it. If you are looking for that guide, then do review my guidance below.

Annex A Overview

The organisational control family comprises 37 controls that support the governance framework and align closely with the clauses in the main body of the standard (policies, roles, risk, etc.). So, for organisational controls, think ‘policies and procedures’.



So, why have this group of controls? The benefits include:

  • They establish governance and accountability, ensuring decisions are traceable.
  • They drive risk-based planning and continuous improvement.
  • They help demonstrate compliance with legal and contractual obligations.
  • They ensure the ISMS stays aligned with business goals.

Often, when we think of security we think of technological controls, and perhaps a little about training, but here ISO 27001 is trying to get you to think about governance, and the ‘wrap around’ to the technological controls: how do you manage policies, risk, data types, assets, access control, suppliers, incidents and legal / regulatory compliance?

These are really important aspects of security that need serious consideration and review.




FAQ: Organisational Controls

Are all 37 controls mandatory?

You must consider all of them and justify inclusion/exclusion in your statement of applicability (SoA).

Where can I find implementation guidance?

You can refer to ISO 27002, which explains each control’s purpose and actions, but I’ve added guides to each control above.

Where do I start with 37 organisational controls?

Start with the foundation controls and work outwards. Controls A.5.1 to A.5.4 (policies, roles and responsibilities, segregation of duties, management responsibilities) are the framework that everything else hangs from, so it’s worth getting these right first. After that, supplier and cloud controls (A.5.19 to A.5.23) usually need the most external coordination, so they benefit from an early start. Incident management (A.5.24 to A.5.30) and the legal and compliance group (A.5.31 to A.5.37) are best tackled together once the foundation is in place. You don’t need to tackle all 37 at once; working through them in thematic clusters keeps the work manageable.

How often should I review organisational controls?

The standard doesn’t prescribe a specific frequency, but most controls benefit from at least annual review, with shorter cycles for higher-risk controls. Policies (A.5.1) typically get reviewed annually or after significant changes. Supplier controls (A.5.19 to A.5.22) need ongoing management as suppliers change, plus an annual sweep of the supplier list. Access rights (A.5.18) usually get reviewed quarterly. The principle is to match review frequency to how quickly the underlying risk changes – access rights change weekly, your master information security policy doesn’t.

Which organisational controls are most commonly weak in SMEs?

In my experience, the controls SMEs most often fall short on are A.5.19 to A.5.23 (supplier and cloud security), A.5.24 to A.5.27 (incident management), and A.5.7 (threat intelligence). Supplier security is weak because SMEs don’t always treat their SaaS providers as suppliers in the formal sense. Incident management is weak because most SMEs have a plan but haven’t tested it. Threat intelligence is weak because it’s vague, and businesses don’t always know what good looks like. None of these are hard to fix once they’re recognised.

What’s the difference between A.5 organisational controls and Clause 5 Leadership?

They’re related but distinct. Clause 5 is a management system requirement – it specifies what top management must do to lead the ISMS, including demonstrating commitment, establishing a policy, and assigning roles and responsibilities at a leadership level. A.5 organisational controls are the specific operational measures that implement the governance framework leadership has established. Put simply: Clause 5 says leadership must own this; A.5 says these are the things leadership owns. They work together, and your audit will look at both.

Can I outsource organisational controls to my MSP or consultant?

You can outsource the activity but not the accountability. An MSP can run your incident response, manage supplier reviews, or even draft your policies, but the ISMS still belongs to your organisation, and top management remains accountable for the controls being effective. This is actually a common SME approach and it’s perfectly compliant – just make sure the responsibilities are documented (often in A.5.20 supplier agreements), the MSP gives you visibility into what they’re doing, and you retain the authority to direct or override their decisions. Auditors are comfortable with outsourced delivery; they’re not comfortable with outsourced ownership.

Do I need a separate policy for every organisational control?

No – and you shouldn’t try. Most SMEs end up with one master Information Security Policy supported by a small number of topic-specific policies (Access Control, Acceptable Use, Supplier Security, Incident Response, and a few others). Controls like A.5.10 (Acceptable Use), A.5.15 (Access Control), A.5.19 (Supplier Security) are then covered by a single dedicated policy each. Controls like A.5.2 (Roles and Responsibilities) or A.5.3 (Segregation of Duties) sit within the master policy. Aim for a small number of well-maintained policies rather than 37 thin ones; the latter is harder to keep current and signals over-engineering to auditors.

How do organisational controls connect to the rest of Annex A?

Organisational controls set the framework within which the other three families operate. Your Access Control policy (A.5.15) governs how A.8.5 Secure Authentication is implemented technically. Your Supplier Security approach (A.5.19) determines how cloud and SaaS controls are managed. Your Incident Management process (A.5.24 to A.5.27) coordinates the response when a Technological control fails. If the organisational controls are weak, the controls in the other families lose their structure. Most well-implemented ISMSs are organisational-controls-led, with the other three families implementing what the organisational layer specifies.


Author Background

This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.

With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.

Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.

Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.