Pro audit program · v1.0.0

ISO 27001 A.5 — Organisational Controls

How well your governance, supplier and incident controls map to ISO 27001:2022 Annex A.5.

  • Target area: ISO 27001 A.5 — Organisational Controls
  • Framework: ISO 27001
  • 10 controls in this program
  • Author: Cyentrix (Trusted Author)

About this program

Annex A.5 covers 37 organisational controls — policies, roles, classification, supplier security, threat intelligence, incident management. This 10-question quick check picks the highest-leverage controls auditors actually focus on. After each answer, expand the “Auditor’s view” for testing, evidence and the ideal response.

Controls (10)

  1. A.5.1 — Are information security policies defined, approved by management, published and reviewed at planned intervals?

    Medium

    How to test + evidence

    Risk: Annual review with documented sign-off shows the policy is alive — auditors discount unreviewed policies as nominal.

    Testing procedure: Inspect the policy document for version, approval signature, effective date and last review date. Verify it was distributed to all staff.

    Evidence to collect:
      • IS policy with version history + approval signatures
      • Annual review log with reviewer + outcome
      • Communication record showing policy distributed
      • Acknowledgement records from staff, if collected

  2. A.5.2 / A.5.3 — Are IS roles, responsibilities and segregation of duties defined and assigned?

    Medium

    How to test + evidence

    Risk: Without a documented RACI, gaps and conflicts hide in the everyday process. Auditors use the matrix to trace specific activities to people.

    Testing procedure: Request the IS RACI matrix and the org chart. Test 5–10 control activities against the matrix to confirm a named accountable owner exists and that conflicting duties are split (e.g. requestor ≠ approver).

    Evidence to collect:
      • IS RACI matrix with named individuals
      • Org chart showing reporting lines
      • Examples of split-duty workflows in tooling
      • Records of role review when the org structure changed

  3. A.5.7 — Is threat intelligence collected, analysed and used to inform controls? (NEW in 2022)

    Medium

    How to test + evidence

    Risk: A.5.7 is new in 2022 — auditors look for evidence intel actually changes behaviour, not just that feeds are subscribed to.

    Testing procedure: Inspect threat-intel feeds + the process by which intel is converted to detection content / patch priority / staff awareness. Sample 3 specific intel items in the period and trace through to action.

    Evidence to collect:
      • List of threat-intel sources (free + commercial)
      • Sample of detection rules sourced from intel
      • Vulnerability prioritisation linked to KEV / threat actor TTPs
      • Briefings to leadership when intel materially changes risk

  4. A.5.9 / A.5.12 — Is there an inventory of information and assets, classified by sensitivity?

    Medium

    How to test + evidence

    Risk: You can't protect what you don't know you have. Auditors specifically look for unmanaged shadow IT — automated discovery catches it; manual inventories miss it.

    Testing procedure: Request the asset inventory (hardware, software, data, services). Verify completeness by sampling 10 assets you observe in walkthroughs and confirming each is in the inventory with a classification.

    Evidence to collect:
      • Asset inventory export (CSV / CMDB)
      • Classification scheme (Confidential / Internal / Public, etc.)
      • Last review date + reviewer
      • Process for adding new assets
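    The completeness test above (sample observed assets, confirm each is in the inventory with a classification) can be run over a whole discovery export rather than a hand-picked sample. The script below is an added example, not part of this audit program: it diffs an inventory export against an independently discovered asset list to surface shadow IT, then checks each inventory row for a valid classification, a named owner and a recent review. The CMDB field names, the classification scheme and all asset records are constructed sample data, not a real CMDB format.

```python
from datetime import date, timedelta

# Assumed classification scheme; take the real one from the org's policy.
SCHEME = {"Confidential", "Internal", "Public"}

# Constructed CMDB export rows (field names are an assumption for this example).
INVENTORY = [
    {"name": "hr-db-01", "owner": "hr-ops", "classification": "Confidential", "last_reviewed": date(2024, 2, 10)},
    {"name": "web-01", "owner": "platform", "classification": "Public", "last_reviewed": date(2024, 6, 1)},
    {"name": "build-07", "owner": "", "classification": "internal", "last_reviewed": date(2022, 11, 3)},
    {"name": "fileshare-02", "owner": "it", "classification": "", "last_reviewed": date(2024, 5, 20)},
    {"name": "legacy-app-03", "owner": "finance", "classification": "Internal", "last_reviewed": date(2024, 1, 15)},
]

# Constructed hostnames from an independent source (network scan, cloud API export).
DISCOVERED = {"hr-db-01", "web-01", "build-07", "fileshare-02", "dev-box-42", "nas-backup"}


def assess(inventory, discovered, scheme=SCHEME, today=date(2024, 7, 1),
           max_age=timedelta(days=365)):
    """Return audit exceptions for an asset inventory against a discovery source."""
    names = {a["name"] for a in inventory}
    report = {
        "unmanaged": sorted(discovered - names),     # seen on the network, not in the inventory
        "not_seen": sorted(names - discovered),      # in the inventory, not observed (stale entries?)
        "unclassified": [],
        "bad_classification": [],
        "no_owner": [],
        "stale_review": [],
    }
    for a in inventory:
        if not a["classification"]:
            report["unclassified"].append(a["name"])
        elif a["classification"] not in scheme:      # exact match: "internal" is not a scheme value
            report["bad_classification"].append(a["name"])
        if not a["owner"]:
            report["no_owner"].append(a["name"])
        if today - a["last_reviewed"] > max_age:
            report["stale_review"].append(a["name"])
    return report


def coverage_ratio(inventory, discovered):
    """Fraction of discovered assets that the inventory already knows about."""
    names = {a["name"] for a in inventory}
    return len(discovered & names) / len(discovered) if discovered else 1.0


if __name__ == "__main__":
    for key, items in assess(INVENTORY, DISCOVERED).items():
        print(f"{key}: {items}")
    print(f"inventory coverage of discovered assets: {coverage_ratio(INVENTORY, DISCOVERED):.0%}")
```

    Each list in the report maps to a finding the auditor would write up: `unmanaged` is the shadow-IT evidence the risk statement refers to, while `bad_classification` catches free-text drift (lower-case or misspelt labels) that a quick visual sample usually misses.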

  5. A.5.15 / A.5.16 / A.5.17 / A.5.18 — Are access rights granted on a need-to-know basis, periodically reviewed and revoked when staff leave?

    Medium

    How to test + evidence

    Risk: Automation linked to HR is the only practical way to keep access aligned with role at scale — manual processes consistently miss movers.

    Testing procedure: Sample 25 joiners, 25 movers, 25 leavers. For each, verify the access change matched the role change and was completed within SLA. Inspect the most recent quarterly access review for in-scope systems.

    Evidence to collect:
      • JML procedure document
      • Sample of provisioning + deprovisioning tickets
      • Quarterly access review reports with reviewer sign-off
      • Remediation records for flagged accounts
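    The joiner/mover/leaver test above is a reconciliation: each HR event should have a matching IAM change, completed within SLA, and movers must lose their old role as well as gain the new one. The script below is an added example, not part of this audit program, showing that reconciliation over constructed HR and IAM records. The record shapes, the SLA values and all users are assumptions; a real test would use the 25/25/25 sample from the HRIS and the IAM ticketing export.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HrEvent:
    user: str
    kind: str                  # "joiner", "mover" or "leaver"
    effective: datetime        # date the change took effect in HR
    role: str = ""             # new role for joiner/mover; unused for leaver
    prior_role: str = ""       # role being left (mover only)


@dataclass(frozen=True)
class IamChange:
    user: str
    action: str                # "grant" or "revoke"
    role: str
    completed: datetime


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    issue: str


# Assumed SLAs for this example; take the real values from the JML procedure.
SLA = {"joiner": timedelta(days=5), "mover": timedelta(days=5), "leaver": timedelta(hours=24)}


def _latest(changes, action, role):
    """Most recent IAM change with the given action and role, or None."""
    matches = [c for c in changes if c.action == action and c.role == role]
    return max(matches, key=lambda c: c.completed) if matches else None


def reconcile(events, changes, sla=SLA):
    """Trace every HR event to its IAM change and return the exceptions."""
    by_user = {}
    for c in changes:
        by_user.setdefault(c.user, []).append(c)
    findings = []
    for ev in events:
        mine = by_user.get(ev.user, [])
        limit = ev.effective + sla[ev.kind]
        if ev.kind in ("joiner", "mover"):
            grant = _latest(mine, "grant", ev.role)
            if grant is None:
                findings.append(Finding(ev.user, ev.kind, f"no provisioning record for role {ev.role}"))
            elif grant.completed > limit:
                late = grant.completed - limit
                findings.append(Finding(ev.user, ev.kind, f"role {ev.role} granted {late.days} days past SLA"))
            if ev.kind == "mover":
                # Movers are the case manual processes miss: the old role must actually go away.
                revoke = _latest(mine, "revoke", ev.prior_role)
                if revoke is None or revoke.completed < ev.effective:
                    findings.append(Finding(ev.user, ev.kind, f"prior role {ev.prior_role} not revoked"))
        else:
            # Leaver: every granted role must have a matching revoke, and the revoke must be prompt.
            held = Counter(c.role for c in mine if c.action == "grant")
            held.subtract(c.role for c in mine if c.action == "revoke")
            active = sorted(r for r, n in held.items() if n > 0)
            if active:
                findings.append(Finding(ev.user, ev.kind, f"still holds {', '.join(active)} after leaving"))
            revokes = [c for c in mine if c.action == "revoke" and c.completed >= ev.effective]
            if revokes and max(c.completed for c in revokes) > limit:
                findings.append(Finding(ev.user, ev.kind, "revocation completed past SLA"))
    return findings


def run_sample():
    """Constructed HR events and IAM tickets standing in for the audit sample."""
    events = [
        HrEvent("alice", "joiner", datetime(2024, 3, 1), role="analyst"),
        HrEvent("bob", "joiner", datetime(2024, 3, 1), role="engineer"),
        HrEvent("frank", "joiner", datetime(2024, 3, 4), role="support"),
        HrEvent("carol", "mover", datetime(2024, 4, 1), role="payroll", prior_role="finance"),
        HrEvent("dave", "leaver", datetime(2024, 5, 1)),
        HrEvent("erin", "leaver", datetime(2024, 5, 15)),
    ]
    changes = [
        IamChange("alice", "grant", "analyst", datetime(2024, 3, 2)),
        IamChange("bob", "grant", "engineer", datetime(2024, 3, 12)),       # 6 days past SLA
        IamChange("carol", "grant", "payroll", datetime(2024, 4, 2)),       # old role never revoked
        IamChange("dave", "grant", "admin", datetime(2023, 1, 10)),
        IamChange("dave", "revoke", "admin", datetime(2024, 5, 1, 12)),
        IamChange("erin", "grant", "sales", datetime(2023, 6, 1)),          # still active after leaving
    ]
    return reconcile(events, changes)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:6} {f.user:6} {f.issue}")
```

    The output is the exception list the auditor then chases into remediation tickets; a clean run for the full sample, plus the signed quarterly review, is the evidence the control asks for.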

  6. A.5.19 / A.5.20 — Are IS requirements addressed in supplier relationships and agreements?

    Medium

    How to test + evidence

    Risk: Supply-chain risk is now an explicit audit focus area. Onboarding-only assessments don't catch suppliers that degrade over time — continuous monitoring does.

    Testing procedure: Sample 25 suppliers (weighted to critical). For each: security questionnaire on file, contractual IS clauses executed, ongoing monitoring (rating, periodic re-assessment).

    Evidence to collect:
      • Supplier register with criticality + scope
      • Onboarding security questionnaires
      • Standard IS contractual clauses + executed examples
      • Continuous monitoring tooling output

  7. A.5.23 — Is there a process for the secure use of cloud services? (NEW in 2022)

    Medium

    How to test + evidence

    Risk: A.5.23 is new in 2022. Auditors specifically test that cloud is treated as a first-class control area — not absorbed into "general IT".

    Testing procedure: Inspect the cloud security policy + the cloud asset inventory. Verify CSPM coverage of major providers and the tenant security baselines (MFA, conditional access, audit logging).

    Evidence to collect:
      • Cloud security policy
      • Cloud asset inventory (AWS / Azure / GCP / SaaS)
      • CSPM dashboard export
      • Tenant baseline documentation per provider

  8. A.5.24 / A.5.25 / A.5.26 / A.5.27 — Is incident management planned, with assessment, response and lessons-learned processes?

    Medium

    How to test + evidence

    Risk: Lessons learned that are closed out and reflected in updated playbooks are what separate a learning organisation from a reactive one. Auditors specifically look for action closure.

    Testing procedure: Inspect IR plan + scenario playbooks. Sample 3 real incidents from the period and trace through detection → triage → containment → recovery → lessons learned. Check actions are tracked to closure.

    Evidence to collect:
      • IR plan with version + approval
      • Scenario playbooks (ransomware, BEC, data exfil, etc.)
      • Incident records with timeline + decisions
      • Post-incident review template + completed examples
      • Action tracker with completion status

  9. A.5.29 / A.5.30 — Is information security maintained during disruption and is ICT readiness for business continuity tested? (A.5.30 NEW)

    Medium

    How to test + evidence

    Risk: A.5.30 is new in 2022 — explicit ICT readiness is now required, not just a generic BCP. Annual testing is the bar; longer gaps are findings.

    Testing procedure: Inspect BCP + ICT-DR plans for RTO/RPO definitions. Verify the most recent test (full or partial) with results, lessons learned, and any plan updates.

    Evidence to collect:
      • BCP with RTO/RPO per critical process
      • ICT-DR plan with technical recovery steps
      • Most recent DR test report
      • Updated plans reflecting lessons learned

  10. A.5.31 / A.5.34 / A.5.35 — Are legal/regulatory/privacy obligations identified and IS subject to independent review?

    Medium

    How to test + evidence

    Risk: Independent review (A.5.35) is the explicit requirement — self-assessment alone doesn't satisfy. Audit functions in larger orgs typically own this.

    Testing procedure: Inspect the legal/regulatory register. Verify it covers GDPR/PII, sectoral regulations and contractual obligations. Confirm an independent audit (internal or external) of IS in the audit period.

    Evidence to collect:
      • Legal/regulatory register with applicable laws
      • Privacy impact assessments / records of processing
      • Internal audit reports for IS
      • External audit reports, if applicable