
ISO 27002:2022 Clause 5 Organizational Controls Guide

The ISO/IEC 27001:2022 standard introduced a major update to its Annex A controls, consolidating the previous 14 domains into four thematic groups: Organizational, People, Physical, and Technological. ISO/IEC 27002:2022 Clause 5 includes the Organizational Controls – a set of 37 controls that address overarching security governance, policies, and processes not covered by the other themes.

Introduction to the Organizational Controls Guide

In this guide, we explain all 37 Clause 5 controls, their purpose and importance, how they contribute to a robust information security management system (ISMS), and practical tips for implementation.

Security Policy and Governance Controls (A.5.1 – A.5.4)

Effective security governance sets the foundation for an ISMS.
Clause 5 starts with controls that ensure top management provides direction and accountability for information security.

5.1 Policies for Information Security

Establish and communicate a set of information security policies, then review them regularly (and upon significant changes). These policies articulate management’s commitment and set the tone for security practices across the organization.

Implementation

Develop a clear security policy framework approved by leadership, and schedule periodic reviews (e.g. annually or after major incidents/changes) to keep policies up to date.

CyberZoni Support

Our consultants assist in creating tailored security policy documents aligned with ISO 27001 and business objectives, ensuring they are comprehensive and regularly updated. We also help conduct policy gap analyses to check existing policies against Control 5.1 requirements.

5.2 Information Security Roles and Responsibilities

Define and assign security-related roles and responsibilities within the organization. Clear designation of who is responsible for various security tasks (from the CISO or IT Security Manager to department coordinators) ensures accountability.

Implementation

Update job descriptions and organizational charts to reflect security duties (e.g. incident response lead, asset owner) and avoid ambiguity. Management must also ensure personnel are aware of and fulfill these responsibilities.

CyberZoni Support

We help organizations establish a governance structure for security – for example, by defining role charters, RACI matrices, and advising on whether new roles (like a Chief Information Security Officer or Data Protection Officer) are needed to meet Control 5.2. Our vCISO services can fill security leadership gaps for small businesses.

5.3 Segregation of Duties

Separate conflicting duties among individuals to reduce the risk of error or fraud. No single person should have end-to-end control of critical processes. For example, the person who approves new vendors should not also be able to issue payments to those vendors without secondary oversight.

Implementation

Implement dual-control or peer review for sensitive tasks (like code deployment or financial transactions) so that malicious or unintended actions require collusion or are caught in review. Document these controls in procedures.

CyberZoni Support

Through our consulting and internal audit services, we evaluate your business processes for segregation of duties risks and recommend control improvements (e.g. workflow changes or system permission configurations) to align with Control 5.3.

5.4 Management Responsibilities

Ensure that management actively supports the ISMS by making sure team members are aware of their information security obligations and perform them properly.
Essentially, leaders at all levels must reinforce security policies and verify compliance within their departments.

Implementation

Include security objectives in management performance goals and have managers conduct periodic check-ins or self-assessments on their team’s compliance with security procedures.

CyberZoni Support

We provide security awareness training for managers and templates for management-led compliance checklists, helping leadership demonstrate and document their engagement with the ISMS (fulfilling Control 5.4).

How these governance controls strengthen your ISMS

By instituting clear policies, defined roles, duty separation, and management oversight, an organization creates a strong governance framework for information security.
These controls ensure accountability and commitment from the top, aligning security efforts with business processes and reducing the likelihood of oversight failures.
CyberZoni’s expertise in policy development and organizational design helps businesses implement these foundational controls effectively, which is especially valuable for small firms building their first ISMS and for larger enterprises aligning complex organizational structures with ISO 27001 requirements.

External Coordination and Threat Awareness (A.5.5 – A.5.7)

Clause 5 next addresses the need for external communication channels and staying informed about evolving threats. These controls ensure the organization can quickly engage with outside entities and maintain awareness of the security landscape.

5.5 Contact with Authorities

Establish procedures for timely communication with relevant authorities (regulators, law enforcement, data protection authorities, etc.) when required.
For example, if you experience a data breach that triggers legal reporting requirements, you should know who to contact and how.

Implementation

Maintain an up-to-date contact list for various authorities (e.g. local cyber crime unit, privacy regulator) and create an incident escalation plan that includes notifying them under defined circumstances (such as a breach above a certain severity).
Periodically test these communication procedures (e.g. conduct a drill of reporting an incident to a regulator).

5.6 Contact with Special Interest Groups

Participate in external security communities or industry groups to stay abreast of emerging threats and best practices. Examples include Information Sharing and Analysis Centers (ISACs), cybersecurity forums, or professional associations relevant to your industry. 

Implementation

Subscribe to threat intelligence feeds, join local security meetups or online communities, and consider formal memberships to receive regular updates. Ensure someone in the organization is assigned to monitor these channels and disseminate relevant intelligence internally.

5.7 Threat Intelligence (New in 2022)

Gather and analyze information on current information security threats. This proactive control helps an organization anticipate attacks and adjust defenses accordingly.

Implementation

Develop a threat intelligence program where you collect threat data from reputable sources – such as vendor threat reports, threat intelligence services, or government cybersecurity advisories. Integrate this intel into your risk assessment process (Clause 6) and incident response plan (Control 5.24) by updating scenarios and controls based on the latest threats.

CyberZoni Support

Our team assists clients in setting up threat intelligence processes, recommending sources (e.g. CERT feeds, vendor bulletins) and tools to manage intel. We can periodically provide threat landscape reports tailored to your industry, helping you fulfill the requirements of Control 5.7 and stay one step ahead of attackers.

How these controls strengthen your ISMS

Having points of contact with authorities and peer groups ensures you’re not operating in isolation – you can get help or share information during security incidents, and you remain informed about new risks. In an era of fast-evolving cyber threats, threat intelligence is crucial for a robust ISMS. It enables risk-based adjustments to controls (for instance, if threat intel reveals a wave of phishing attacks in your sector, you might institute extra email filtering or employee alerts).
CyberZoni helps organizations build these external relationships and intelligence capabilities, which is particularly useful for small businesses that may not have dedicated threat analysts. By tapping into our network and expertise, even smaller firms can maintain an awareness program that rivals those of larger enterprises.

Security in Project Management (A.5.8)

Ensure information security is explicitly considered in all projects, regardless of their nature.
This means any project – whether IT system development, office relocation, a new business initiative, etc. – should assess and address information security risks as part of project management.

Implementation

Integrate a security review checkpoint in your project methodology.
For example, include security risk assessment in project planning and have the security team or a CISO review major projects for compliance with security policies.
Use checklists so project managers consistently consider things like data protection, access control, and vendor security before project rollout.

CyberZoni Support

We assist organizations in embedding security into their project management frameworks.
Our consultants can develop project security assessment templates and train project managers on identifying security requirements early.
We help you meet Control 5.8 without hindering project agility – security becomes a built-in aspect of project planning rather than an afterthought.

Asset Management and Information Handling (A.5.9 – A.5.14)

These controls ensure that all information assets are accounted for and handled securely throughout their lifecycle.
From maintaining inventories to defining acceptable use and protecting data in transit, asset-focused controls are critical for understanding what needs protection and how it is managed.

5.9 Inventory of Information and Other Assets

Maintain an up-to-date inventory of information assets (e.g. data, databases) and associated assets like hardware and software.
Knowing what assets you have and where they are is the first step in protecting them.

Implementation

Use an asset register (spreadsheet or asset management tool) to log all assets with details like owner, classification, location, and ensure new assets are added as they come into use.
Regularly verify the inventory via audits or automated discovery tools.
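The verification step above is easiest to keep honest when it is scripted. The following is an added example, not code from the original guide or from CyberZoni: it reconciles a register export against the host list produced by a discovery scan and reports hosts seen on the network but absent from the register, registered assets that were not found, and rows missing an owner, classification or location. The CSV content, the discovered host names, the required-field list and the function names are all constructed for illustration.

```python
import csv
import io

# Constructed asset register (what a spreadsheet export might look like);
# hostnames, owners and locations are illustrative only.
REGISTER_CSV = """\
hostname,owner,classification,location
FS01,it-ops,Confidential,HQ
web01,web-team,Internal,cloud-eu
old-printer,facilities,Internal,HQ
db01,,,HQ
"""

# Constructed output of an automated discovery scan (hostnames only).
DISCOVERED_HOSTS = ["fs01", "web01", "db01", "test-box-7"]

# Fields every register row must have under the assumed inventory policy.
REQUIRED_FIELDS = ("owner", "classification", "location")


def load_register(csv_text):
    """Parse the register export; hostnames are normalised to lower case for matching."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["hostname"] = row["hostname"].strip().lower()
        rows.append(row)
    return rows


def reconcile(register_rows, discovered_hosts):
    """Compare register and discovery results and return the gaps to follow up."""
    registered = {r["hostname"] for r in register_rows}
    seen = {h.strip().lower() for h in discovered_hosts}
    incomplete = {}
    for r in register_rows:
        missing = [f for f in REQUIRED_FIELDS if not (r.get(f) or "").strip()]
        if missing:
            incomplete[r["hostname"]] = missing
    return {
        # on the network but nobody registered it: shadow IT or a missed onboarding
        "unregistered": sorted(seen - registered),
        # in the register but not found: retired, offline, moved, or lost
        "not_found": sorted(registered - seen),
        # registered but without the details needed to decide how to protect it
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    report = reconcile(load_register(REGISTER_CSV), DISCOVERED_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each of the three lists maps to an action: investigate and register (or remove) unregistered hosts, confirm disposal or loss for assets not found, and chase the asset owner for incomplete rows. Matching on hostname alone is a simplification; a production version would also key on serial numbers or MAC addresses so renamed hosts are not reported twice.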

 

5.10 Acceptable Use of Assets

Define and document rules for acceptable use of information and assets.
An Acceptable Use Policy (AUP) outlines how employees should handle organizational information, devices, email, internet access, etc., to prevent misuse.

Implementation

Develop an AUP and have all staff read and sign it. The policy should cover topics like prohibition of installing unapproved software, handling of sensitive data, personal use of company assets, and consequences of violations.
Reinforce AUP understanding with periodic reminders or training quizzes.

5.11 Return of Assets

Have formal procedures to ensure that assets (especially laptops, USB drives, access cards, documents) are returned when no longer needed – for example, when an employee leaves or a contractor finishes their term.

Implementation

Create a checklist as part of the offboarding process that includes collecting all company equipment and disabling access to information systems. Without this control, assets might be lost or stolen, risking data leakage.

5.12 Classification of Information

Establish a classification scheme for information based on sensitivity (e.g. Public, Internal, Confidential, Highly Confidential). The classification should guide how information is handled and protected.

Implementation

Define classification levels and criteria in a policy. Educate employees on classifying documents and data correctly. While ISO 27001 does not mandate a specific scheme, choose one that fits your business and regulatory needs (for instance, many organizations use 3–4 levels of classification).

5.13 Labeling of Information

Provide guidelines for labeling information assets according to their classification. This may include markings like “Confidential” on documents or metadata tags in file properties.

Implementation

Implement automated labeling where possible (e.g. using document templates that include classification in headers/footers, or data loss prevention tools that tag files). Physical media containing sensitive info should also be labeled (e.g. USB drives marked confidential). Proper labeling ensures everyone handling the information is aware of its sensitivity.

5.14 Information Transfer

Protect information in transit, both within the organization and with external parties.
This control covers secure information exchange – for example, using encryption for emails/files, secure file transfer protocols, and procedures to verify recipients.

Implementation

Develop an information transfer policy or procedure that dictates how different sensitivity levels of data may be transmitted (e.g. “Restricted data must be encrypted and sent only via approved secure channels”).
Include guidelines for email encryption, using secure collaboration tools, and vetting the security of third-party transfer services.
Also address physical transfer (couriers, printed documents) with measures like tamper-evident packaging.

Access Control and Identity Management (A.5.15 – A.5.18)

Controlling access to information is a fundamental security principle. The following Clause 5 controls focus on ensuring only authorized individuals can access systems and data, through formal processes and secure authentication methods.

5.15 Access Control

Limit access to information and IT facilities strictly to those with a business need (principle of least privilege). 

Implementation

Establish an access control policy that defines user access rights based on roles. Implement access controls via technical measures (account permissions, network segmentation) and administrative process (manager approvals for access requests). Regularly review user accounts to remove or adjust privileges that are no longer required.

5.16 Identity Management

Ensure that identities are verified and unique, and that only authorized users can access systems and services. This involves user provisioning processes and identity verification. 

Implementation

Use unique user IDs (no shared accounts) and robust identity proofing when issuing credentials. For example, require new employees to present ID and have HR authorize account creation. Integrate identity management with HR processes so that when someone’s role changes or they leave, access changes promptly. Also consider multi-factor authentication (MFA) as part of identity verification for critical systems (though MFA itself might also relate to technological controls in Clause 8, it supports identity assurance).

5.17 Authentication Information

Protect secret authentication information (like passwords, cryptographic keys, tokens) by a formal management process. Essentially, this control mandates proper credential management – issuing, revoking, and protecting credentials. 

Implementation

Implement strong password policies (length, complexity, rotation or use of passphrases), store passwords securely (hashed and salted), and control who can generate or change credentials. Ensure initial/default passwords are changed and that processes exist for secure password resets (verifying user identity before reset). If using certificates or tokens, manage their lifecycle securely (e.g. certificate renewal and revocation procedures).

5.18 Access Rights

Establish a formal process for granting, changing, and revoking access rights for user accounts. This includes user registration (onboarding access), modification (role change transfers), and deregistration (termination or access revocation) procedures.

Implementation

Use access request forms or a ticket system requiring management approval for new access or changes. Keep records of approvals. Implement periodic access recertification – i.e. have managers review who has access to their systems every 6–12 months to confirm it’s still appropriate. Quickly remove or adjust access when personnel leave or change roles to minimize dormant or excessive privileges.
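A recertification review of the kind described for Control 5.18, fed by the HR integration called for in Control 5.16, can be reduced to a few set operations over an identity-provider export. The block below is an added example, not code from the original guide or from CyberZoni: the HR roster, the role-to-entitlement baseline, the account export, the 90-day dormancy threshold and the function name are all constructed for illustration.

```python
from datetime import date

# Constructed HR roster: employment status and role per person.
HR_ROSTER = {
    "alice": {"role": "developer", "status": "active"},
    "bob":   {"role": "finance",   "status": "active"},
    "carol": {"role": "developer", "status": "terminated"},
    "dave":  {"role": "helpdesk",  "status": "active"},
}

# Assumed role model: the entitlements each role may hold under the access policy.
ROLE_BASELINE = {
    "developer": {"git", "ci", "vpn"},
    "finance":   {"erp", "vpn"},
    "helpdesk":  {"ticketing", "vpn"},
}

# Constructed identity-provider export: current entitlements and last login.
ACCOUNTS = [
    {"user": "alice",      "entitlements": {"git", "ci", "vpn"},  "last_login": date(2024, 5, 20)},
    {"user": "bob",        "entitlements": {"erp", "vpn", "git"}, "last_login": date(2024, 5, 18)},
    {"user": "carol",      "entitlements": {"git", "ci", "vpn"},  "last_login": date(2024, 1, 9)},
    {"user": "dave",       "entitlements": {"ticketing", "vpn"},  "last_login": date(2024, 2, 1)},
    {"user": "svc_backup", "entitlements": {"backup"},            "last_login": date(2024, 5, 21)},
]

DORMANT_DAYS = 90  # assumed threshold for flagging a dormant account


def recertify(accounts, roster, baseline, today, dormant_days=DORMANT_DAYS):
    """Return the findings a manager must act on during an access review."""
    findings = {"orphaned": [], "dormant": [], "excess": {}, "no_owner": []}
    for acct in accounts:
        user = acct["user"]
        record = roster.get(user)
        if record is None:
            # Not in HR at all (typically a service account): must have a named owner
            findings["no_owner"].append(user)
            continue
        if record["status"] != "active":
            # Leaver still holds an enabled account: revoke immediately
            findings["orphaned"].append(user)
            continue
        if (today - acct["last_login"]).days > dormant_days:
            findings["dormant"].append(user)
        # Entitlements beyond the role baseline violate least privilege
        extra = acct["entitlements"] - baseline.get(record["role"], set())
        if extra:
            findings["excess"][user] = sorted(extra)
    return findings


if __name__ == "__main__":
    for key, value in recertify(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, date(2024, 5, 22)).items():
        print(f"{key}: {value}")
```

The output is the manager's worklist: orphaned accounts are disabled the same day, dormant accounts are confirmed with the owner or disabled, excess entitlements are removed unless an approved exception exists, and every account with no HR record gets a named owner recorded in the register.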

Supplier Relationship Security (A.5.19 – A.5.22)

Many organizations rely on third-party suppliers or partners for critical services, which introduces supply chain security risks. Clause 5 includes controls to ensure security is maintained when working with external parties.

5.19 Information Security in Supplier Relationships

Protect the organization’s information that is accessible to or managed by suppliers. This overarching control sets the objective of managing risks from dependencies on suppliers.

Implementation

Identify all suppliers/third parties that handle your sensitive information or could impact your security (IT providers, cloud hosts, consultants, etc.). For each, assess the risks and ensure you have appropriate agreements and oversight in place. This may involve due diligence questionnaires, reviewing the supplier’s security certifications (like ISO 27001 certification or SOC 2 reports), and requiring certain controls in contracts.

5.20 Addressing Security Within Supplier Agreements

Include applicable information security requirements in contracts or agreements with suppliers.

Implementation

When drafting or renewing supplier contracts, add clauses that mandate security controls (e.g. data protection measures, incident reporting obligations, right to audit, compliance with standards). For cloud or SaaS providers, review their terms and possibly add a Data Processing Agreement if personal data is involved. Clearly define confidentiality expectations and responsibilities for protecting any information you share.

5.21 Managing Security in the ICT Supply Chain

Manage information security risks where your suppliers subcontract to other providers or use downstream components. This control recognizes that your immediate vendor might rely on their vendors (sub-suppliers), which could introduce hidden risks.

Implementation

Ask critical suppliers to identify significant subcontractors or technology dependencies and assess how they vet those parties. Include provisions that require your supplier to impose equivalent security requirements on their subcontractors. Maintain awareness of supply chain tiers especially for ICT products (e.g. ensure hardware or software sourced via partners is from reputable, secure origins).

5.22 Monitoring and Change Management of Supplier Services

Monitor supplier performance and manage changes in the supplier’s services that might affect security.

Implementation

Assign owner(s) internally for key supplier relationships with the duty to review service reports, security deliverables, or SLAs regularly. Use automated logs or vendor portals to monitor service uptime and security events (if available). Additionally, if a supplier makes a significant change (e.g. outsources to a new sub-vendor, changes their infrastructure), evaluate the security impact and update risk assessments or contracts accordingly. Regular meetings or audits with suppliers can help keep track of changes.

Cloud Security Control (A.5.23)

Ensure information security is managed throughout the lifecycle of cloud service usage. With cloud services virtually ubiquitous, this control was added to address cloud-specific risks. It requires organizations to specify security requirements for cloud usage, implement appropriate controls, and monitor compliance in cloud environments.

Implementation

Develop a cloud security policy or guidelines. Key aspects should include: evaluating cloud providers for security capabilities (encryption, isolation, certifications), configuring cloud services securely (harden defaults, manage access keys), monitoring cloud resources for unusual activity, and planning for data backup/exit strategies.
Treat cloud assets similarly to on-premise in your asset inventory and risk assessments.
If using SaaS, ensure vendor security measures meet your needs; for IaaS/PaaS, apply secure architecture and cloud configuration standards (consider following benchmarks like CIS Benchmarks for cloud).

Information Security Incident Management (A.5.24 – A.5.28)

Despite preventive measures, security incidents may occur, so Clause 5 includes a suite of controls to ensure preparedness and learning from incidents. These controls align closely with having a strong incident response capability.

5.24 Information Security Incident Management Planning and Preparation

Have a consistent and effective approach to manage information security incidents, including defined incident response plans and communication processes.

Implementation

Develop an Incident Response Plan (IRP) that outlines roles (e.g. incident response team members), incident severity classification, escalation procedures, internal and external communication steps, and post-incident analysis. Ensure this plan covers detecting and reporting security events (e.g. an employee finds malware), and that it is tested via drills or tabletop exercises.

5.25 Assessment and Decision on Information Security Events

Establish criteria to assess security events and decide if they should be classified as incidents. Not every alert or anomaly is a full-blown incident; this control ensures you have a process to triage events.

Implementation

Define what constitutes an incident vs. a minor event. For example, a single failed login might be an event, but multiple failed logins with signs of compromise elevate to an incident. Train your IT/security team on these criteria so they can consistently flag incidents. Document this decision-making process in the IRP or a separate procedure (often called an event triage or incident declaration procedure).
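The failed-login example above is a triage rule, and writing it down as code makes the criteria testable and consistent across the team. The following is an added example, not code from the original guide or from CyberZoni: it parses a handful of constructed SSH-style authentication log lines and classifies each source address as an "event" (isolated failures) or an "incident" (a burst of failures within a short window that ends in a successful login, taken here as a sign of compromise). The log lines, the five-failure threshold, the ten-minute window and the function names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (syslog-like; not from a real host).
SAMPLE_LOG = """\
2024-05-22T08:00:01Z sshd: Failed password for alice from 198.51.100.7
2024-05-22T08:00:03Z sshd: Accepted password for alice from 198.51.100.7
2024-05-22T09:10:00Z sshd: Failed password for bob from 203.0.113.5
2024-05-22T09:10:02Z sshd: Failed password for bob from 203.0.113.5
2024-05-22T09:10:04Z sshd: Failed password for bob from 203.0.113.5
2024-05-22T09:10:06Z sshd: Failed password for bob from 203.0.113.5
2024-05-22T09:10:08Z sshd: Failed password for bob from 203.0.113.5
2024-05-22T09:10:11Z sshd: Accepted password for bob from 203.0.113.5
2024-05-22T11:00:00Z sshd: Failed password for carol from 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# Assumed triage criteria for this example; a real procedure sets its own thresholds.
FAIL_THRESHOLD = 5            # failures from one source within the window
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn raw lines into event records; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ok": outcome == "Accepted", "user": user, "src": src})
    return events


def triage(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Classify each source address as 'event' or 'incident'.

    A single failed login is only an event. A run of at least `threshold`
    failures from one source inside the sliding window, followed by a
    successful login, is declared an incident for the response team.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, seq in by_src.items():
        verdict = "event"
        recent_failures = []
        for e in seq:
            if not e["ok"]:
                # keep only failures that are still inside the window
                recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
                recent_failures.append(e["ts"])
            elif len(recent_failures) >= threshold:
                verdict = "incident"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(parse(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

Keeping the thresholds as named constants mirrors the documented triage procedure: when the procedure changes, the constant changes, and the sample log doubles as a regression test that the new criteria still declare the right incidents.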

5.26 Response to Information Security Incidents

When an incident is confirmed, respond according to defined procedures, including containment, eradication, recovery, and communication. Also, collect and preserve evidence as appropriate.

Implementation

Follow a structured incident response workflow. For example: identify and isolate affected systems, analyze the root cause or malware involved, apply fixes or restore from backup, and recover operations. Ensure that during response you gather key evidence (system logs, forensic images if needed) especially if there might be legal action or investigation. This control also implies fulfilling any mandatory reporting – e.g. notifying regulators or customers if a data breach occurs (which ties back to contact with authorities in control 5.5).

5.27 Learning from Information Security Incidents

After resolving an incident, perform a post-incident review to identify lessons and prevent recurrence.

Implementation

Conduct a post-mortem meeting for major incidents to evaluate what went wrong, how effective the response was, and what improvements can be made. Document these findings and track the implementation of recommended improvements (for example, if an incident happened because a vulnerability wasn’t patched, improve your patch management process; if response was slow due to unclear roles, update the IR plan and training).

5.28 Collection of Evidence

Have procedures to collect, preserve, and analyze evidence of information security incidents. This is crucial if incidents may lead to legal proceedings or forensic investigations.

Implementation

Train your IT staff on basic digital evidence handling – e.g. preserving log files, not altering affected systems before they’re analyzed, and maintaining chain-of-custody records for any collected evidence. If an incident is serious (fraud, intrusion) consider involving digital forensics professionals to properly collect and store evidence. Additionally, establish that all employees must report observed security events or weaknesses promptly. This often ties into security awareness training: staff should know how to recognize and report potential security issues (phishing attempts, lost devices, etc.).

Business Continuity and Information Security (A.5.29 – A.5.30)

Clause 5 also integrates information security with business continuity planning, recognizing that disruptions (like natural disasters or IT outages) should not compromise information security.

5.29 Information Security During Disruption

Ensure information security is maintained during adverse events or business disruptions. In other words, even when the organization is in disaster recovery mode, security controls shouldn’t be completely relaxed.

Implementation

Incorporate security into your Business Continuity Plans (BCP) and disaster recovery procedures. For example, if you have to switch to manual processes or backup systems during a disruption, verify that data is still handled securely (no unauthorized copying of data, secure storage of paper records, etc.). If employees must work offsite due to an emergency, ensure remote work security measures (VPNs, secure communication) are available. Include security checkpoints in continuity test scenarios – e.g. test that backup data can be restored without integrity issues and that access control is maintained in alternate sites.

5.30 ICT Readiness for Business Continuity (New in 2022)

Ensure the organization’s information and communication technology (ICT) is prepared to support business continuity plans. This control expands on the older continuity controls, emphasizing having IT infrastructure and services resilient and ready for disruptive events.

Implementation

Develop an ICT continuity plan as part of your BCP. Key elements include: data backups and offsite storage, redundant systems or failover capabilities for critical applications, arrangements for emergency IT support, and regular testing of backup restoration and failover procedures. Document recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems and make sure security measures (e.g. encryption of backups, secure configurations of secondary systems) are in place so that when continuity plans activate, data and systems remain protected.

Compliance and Audit (A.5.31 – A.5.36)

The final set of organizational controls relates to identifying and meeting compliance obligations, protecting records and privacy, and verifying that the ISMS remains effective through independent review and internal compliance checks.

5.31 Legal, Statutory, Regulatory, and Contractual Requirements

Identify and comply with all information security-related legal, regulatory, and contractual obligations. This includes laws (e.g. data protection laws, cybersecurity regulations), industry standards, and specific client contract clauses regarding security.

Implementation

Maintain a compliance register that lists applicable laws and regulations (for example, GDPR, HIPAA, PCI DSS, national cybersecurity laws) and key requirements from each. Assign owners to each compliance item and periodically review compliance status. Violations of laws can be costly, so integrate legal compliance checks into your ISMS monitoring (Clause 9). Document how each obligation is met (policies, technical controls, etc.) so you can demonstrate compliance during audits.

5.32 Intellectual Property Rights (IPR)

Implement controls to ensure compliance with intellectual property rights and avoid infringing others’ IP. For example, use only properly licensed software and respect copyright for information you use.

Implementation

Establish an Acceptable Software Use guideline: prohibit use of unlicensed software, torrenting copyrighted material on company networks, etc. Train employees on respecting software licenses and content copyrights. Regularly audit software installations to ensure licensing compliance. Many organizations tie this control with their AUP (acceptable use policy) which should explicitly ban unauthorized software or IP misuse.

5.33 Protection of Records

Safeguard and securely maintain important records to prevent loss, destruction, or falsification. Records can be physical or digital (e.g. audit logs, contracts, system logs, personnel files).

Implementation

Implement a records management policy that defines retention periods and protection measures for various record types. Use access controls to restrict who can view or modify critical records. Ensure backups exist for vital records and that records are stored in tamper-resistant formats when needed (e.g. write-once media for audit logs). Align this with ISO 27001 Clause 7.5 (documented information) which requires control of documents and records.

5.34 Privacy and Protection of Personally Identifiable Information (PII)

Ensure that personal data is handled in accordance with applicable privacy laws and is protected against unauthorized access.

Implementation

If your organization processes personal data, implement a privacy program in line with frameworks like GDPR or CCPA. This includes data minimization, obtaining consent or other legal basis for processing, providing data subject rights, and securing PII via encryption, access restrictions, and pseudonymization where appropriate. Conduct privacy impact assessments for new personal data processing activities. Many ISO 27001-certified organizations integrate a privacy policy and maybe even certify to ISO 27701 (Privacy Information Management) to address this control comprehensively.

5.35 Independent Review of Information Security

Have independent reviews (audits) of the ISMS conducted at planned intervals. These reviews ensure the ISMS is effectively implemented and meeting the organization’s needs.

Implementation

Schedule internal ISMS audits at least annually, covering all key areas over a cycle. “Independent” doesn’t necessarily mean external – it can be an internal auditor or team that is independent of the area being audited. For small firms, it might be beneficial to hire external consultants to perform a mock audit or compliance review. Document the audit findings and management’s actions on those findings. Additionally, management reviews (Clause 9.3) and external certification audits fulfill this control’s intent of independent scrutiny.

5.36 Compliance with Security Policies and Standards

Managers must regularly review and ensure that their teams comply with internal security policies, rules, and standards. This is about ongoing internal compliance checks outside of formal audits.

Implementation

Department managers can perform routine spot-checks – for example, check quarterly that their staff are following clean desk policy, or verify that team laptops have up-to-date patches as per policy. Some organizations use automated tools (like compliance monitoring software or endpoint management systems) to assist with this. The key is to document these managerial reviews and corrective actions taken when non-compliance is found, demonstrating continuous enforcement of the ISMS at the operational level.

Operational Security Procedures (A.5.37)

Ensure that important operational activities are carried out securely and consistently by documenting procedures. This control, carried over and expanded from the 2013 standard’s operations domain, requires organizations to have standard operating procedures (SOPs) that support secure system operations. Examples include procedures for backup, system maintenance, user account management, change management, and audit log review.

Implementation

Identify key IT and security processes and create written procedures or runbooks for each. These should detail the steps to perform the task and the security considerations (e.g. a backup procedure should include verifying backup integrity and storing backups securely offsite). Keep procedures updated as systems change. Also, ensure that following these procedures minimizes the risk of errors and that any audits or checks (like system audits) are done in a way that doesn’t compromise business operations. Train relevant staff on these SOPs so they are followed consistently.

Building a Robust ISMS with Organizational Controls

ISO/IEC 27002:2022 Clause 5’s 37 organizational controls provide a comprehensive foundation for information security governance.

They ensure that an organization addresses not only technical defenses but also the people and process aspects – policies, organizational structure, third-party management, incident readiness, and compliance – which collectively “weave security into every layer of operations”.

Implementing these controls helps organizations of all sizes create a holistic and resilient ISMS that can adapt to changing threats and business needs.
