Organisational Controls in ISO 27001
The Essential Measures for Information Security
Information security is essential for businesses in today's rapidly evolving digital landscape. Cybercrime is on the rise, and UK businesses suffered an estimated 2.39 million cybercrime incidents and 49,000 fraud incidents in the past year. This has resulted in enormous financial losses and reputational damage.
ISO 27001 controls are the essential guide to information security. They provide a framework for organizations to develop, implement, monitor and improve their information security management system (ISMS). ISO 27001 controls are categorized into 14 domains, covering all aspects of information security, from physical and environmental security to access control and incident management.
The ISO 27001 controls were recategorized in 2022 to reflect the current information security landscape. The new categorization also includes organizational measures.
What are ISO 27001:2022 Annex A's four control categories?
ISO 27001:2022 Annex A defines 93 controls organizations can implement to improve their information security. These controls are divided into four categories:
- Organizational controls: These controls relate to the overall structure, culture, and policies of the organization, as well as its risk management and information security management system (ISMS).
- People controls: These controls focus on the people who have access to information assets, including their training, awareness, and responsibilities.
- Physical controls: These controls protect physical assets, such as buildings, equipment, and data storage facilities.
- Technological controls: These controls protect the organization's information systems and networks, including its software, hardware, and data encryption.
The four categories facilitate the planning and implementation of reference measures and the selection of the right controls. In 2022, the categories were restructured to reflect current security requirements. The core processes of ISMS management remain the same, but the controls in Annex A have been updated to reflect more modern risks and associated measures.
What are organizational controls?
Organizational controls are measures that help organizations protect their information assets by establishing a culture of security and defining clear roles and responsibilities. They are not targeted at specific personnel, or physical or technological threats, but rather at the organization as a whole.
Organizational controls include:
- Information security policy: This policy defines the principles and objectives of information security management.
- Responsibilities and authorities: Clear roles and responsibilities for information security are defined.
- Management ownership: Management understands and fulfills its role in implementing an information security strategy.
- Information classification: Information assets are classified according to their information security needs, and appropriate measures are developed.
Organizational controls provide a framework for the basic handling of information assets. They can be used to:
- Categorize information assets according to their context
- Determine and prioritize information security risks
- Define responsibilities and form management teams
- Integrate information security into all project processes
- Establish clear guidelines for project management, supplier relationships and government interactions
Get ISO 27001 certified in as little as 3 months.
Reduce manual work by up to 75%
What are ISO 27001's new organizational controls?
ISO 27001:2022 includes several new organizational controls that respond to today's increasingly complex information security challenges. These include:
- Threat intelligence: Organizations should conduct threat analysis to better understand how they can be attacked and to develop appropriate defences.
- Information security for the use of cloud services: Organizations should assess the information security risks of using cloud services and develop a plan to mitigate them.
- Information and communications technology (ICT) -readiness for business continuity: Organizations should ensure that their ICT systems are capable of ensuring business continuity in the event of an outage.
What are the organizational controls?
A comprehensive list of organizational controls from Annex A of ISO 27001
To build a functioning information security management system, organizations need to know what controls best apply to them. Here is a comprehensive overview of all organizational controls from Annex A of ISO 27001:
|
Organizational Controls |
Annex A 5.1 |
Policies for Information Security |
|
Organizational Controls |
Annex A 5.2 |
Information Security Roles and Responsibilities |
|
Organizational Controls |
Annex A 5.3 |
Segregation of Duties |
|
Organizational Controls |
Annex A 5.4 |
Management Responsibilities |
|
Organizational Controls |
Annex A 5.5 |
Contact with Authorities |
|
Organizational Controls |
Annex A 5.6 |
Contact with Special Interest Groups |
|
Organizational Controls |
Annex A 5.7 |
Threat Intelligence |
|
Organizational Controls |
Annex A 5.8 |
Information Security in Project Management |
|
Organizational Controls |
Annex A 5.9 |
Inventory of Information and Other Associated Assets |
|
Organizational Controls |
Annex A 5.10 |
Acceptable Use of Information and Other Associated Assets |
|
Organizational Controls |
Annex A 5.11 |
Return of Assets |
|
Organizational Controls |
Annex A 5.12 |
Classification of Information |
|
Organizational Controls |
Annex A 5.13 |
Labelling of Information |
|
Organizational Controls |
Annex A 5.14 |
Information Transfer |
|
Organizational Controls |
Annex A 5.15 |
Access Control |
|
Organizational Controls |
Annex A 5.16 |
Identity Management |
|
Organizational Controls |
Annex A 5.17 |
Authentication Information |
|
Organizational Controls |
Annex A 5.18 |
Access Rights |
|
Organizational Controls |
Annex A 5.19 |
Information Security in Supplier Relationships |
|
Organizational Controls |
Annex A 5.20 |
Addressing Information Security within Supplier Agreements |
|
Organizational Controls |
Annex A 5.21 |
Managing Information Security in the ICT Supply Chain |
|
Organizational Controls |
Annex A 5.22 |
Monitoring, Review and Change Management of Supplier Services |
|
Organizational Controls |
Annex A 5.23 |
Information Security for Use of Cloud Services |
|
Organizational Controls |
Annex A 5.24 |
Information Security Incident Management Planning and Preparation |
|
Organizational Controls |
Annex A 5.25 |
Assessment and Decision on Information Security Events |
|
Organizational Controls |
Annex A 5.26 |
Response to Information Security Incidents |
|
Organizational Controls |
Annex A 5.27 |
Learning From Information Security Incidents |
|
Organizational Controls |
Annex A 5.28 |
Collection of Evidence |
|
Organizational Controls |
Annex A 5.29 |
Information Security During Disruption |
|
Organizational Controls |
Annex A 5.30 |
ICT Readiness for Business Continuity |
|
Organizational Controls |
Annex A 5.31 |
Legal, Statutory, Regulatory and Contractual Requirements |
|
Organizational Controls |
Annex A 5.32 |
Intellectual Property Rights |
|
Organizational Controls |
Annex A 5.33 |
Protection of Records |
|
Organizational Controls |
Annex A 5.34 |
Privacy and Protection of PII |
|
Organizational Controls |
Annex A 5.35 |
Independent Review of Information Security |
|
Organizational Controls |
Annex A 5.36 |
Compliance With Policies, Rules and Standards for Information Security |
|
Organizational Controls |
Annex A 5.37 |
Documented Operating Procedures |
How to implement organizational controls for information security
You've got an overview of controls—now you need to select the right controls and implement them. This is a process that can be broken down into several steps:
- Assess the status quo:
The first step is to assess the current state of your organization's information security. This includes identifying the relevant risks and assessing the effectiveness of existing controls.
You can use a variety of methods to conduct this assessment, such as:
- Internal audits: An internal audit is a systematic examination of your organization's information security policies and procedures, conducted by your own staff.
- External audits: An external audit is conducted by an independent third party.
- Selection of the right controls:
Once you've assessed the status quo, you can select the right controls to implement. It is important to consider the risks and requirements of your organization.
The selection of controls can be carried out using a risk management process. This process includes the following steps:
- Identify the risks: The risks to the organization's information security are identified.
- Assessing the risks: The risks are assessed in terms of their likelihood of occurrence and their potential for damage.
- Risk mitigation measures: Measures are selected to minimize the risks.
- Implement the controls:
Once you have selected the appropriate controls, you need to implement them effectively. This step can vary depending on the control.
For example, the implementation of an information security policy may include the following steps:
- Policy development: the policy is drafted by a team of experts.
- Policy approval: the policy is approved by senior management.
- Communicating the policy: The policy is communicated to all employees.
-
- Monitoring and improvement:
Once you've implemented the controls, you need to monitor their effectiveness on a regular basis. This step will help identify any areas where the controls need to be improved.
You can monitor the effectiveness of the controls using a variety of methods, such as:
- Audits: Conducting regular audits to verify compliance with the controls.
- Reporting: Reporting on the results of monitoring activities.
- Corrective actions: Taking corrective action when the effectiveness of controls is not assured.
- Monitoring and improvement:
Tips for implementing organizational controls:
- Start with the most critical controls. Not all controls are created equal. Some are more important than others. Start with the most important controls and work your way forward step by step.
- Involve all stakeholders. Implementing organizational controls is a team effort. Involve all stakeholders to make sure that the controls are implemented successfully.
- Communicate the controls. Make sure that everyone knows and understands the controls.
- Measure effectiveness. Measure the effectiveness of the controls on a regular basis to ensure they are achieving their objectives.
Organizational controls to strengthen your information security posture
Organizational controls play a vital role in building an ISMS by safeguarding information. They help organizations fundamentally improve their information security and protect themselves against cyber-attacks.
The new organizational controls in ISO 27001:2022 take into account today's information security challenges and provide additional opportunities for organizations to improve their information security.
A comprehensive overview of organizational controls facilitates and structures the selection of the right measures and helps to take into account the context of your organization.
Find the right controls and use our ISO 27001 checklist to find out what you need to do to comply with ISO 27001.
Frequently asked questions
What are organizational controls in ISO 27001 Annex A?
Organizational controls define how information security is governed and managed at an organizational level. They cover areas such as policies, roles and responsibilities, risk management, supplier relationships, and incident handling. These controls ensure that information security is embedded into business processes rather than treated as a purely technical issue.
Are all Annex A organizational controls mandatory for ISO 27001 certification?
No. ISO 27001 follows a risk-based approach, meaning organizations only need to implement controls that are relevant to their risks, legal obligations, and business context. Any controls that are excluded must be justified in the Statement of Applicability (SoA).
What kind of evidence is required to demonstrate compliance with organizational controls?
Auditors typically expect documented policies, defined roles and responsibilities, risk assessment records, supplier agreements, incident response procedures, and evidence of management oversight. The focus is on showing that controls are not only documented but also implemented and reviewed regularly.
How often should organizational controls be reviewed or updated?
Organizational controls should be reviewed regularly—typically at least once a year—or whenever significant changes occur, such as new legal requirements, business restructuring, or changes in risk exposure. Regular reviews help ensure controls remain effective and aligned with the organisation’s objectives.
_EasiestSetup_EaseOfSetup.svg)