Navigating ISO 27001

Organisational Controls in ISO 27001

The Essential Measures for Information Security

Get your free guide


Get your free guide

Information security is essential for businesses in today’s rapidly evolving digital landscape. Cybercrime is on the rise, and UK businesses suffered an estimated 2.39 million cybercrime incidents and 49,000 fraud incidents in the past year. This has resulted in enormous financial losses and reputational damage.

ISO 27001 controls are the essential guide to information security. They provide a framework for organisations to develop, implement, monitor and improve their information security management system (ISMS). ISO 27001 controls are categorized into 14 domains, covering all aspects of information security, from physical and environmental security to access control and incident management.

The ISO 27001 controls were recategorised in 2022 to reflect the current information security needs of organisations. The new categorisation also includes organisational measures.

Understanding four control categories of ISO 27001:2022 Annex A

ISO 27001:2022 Annex A defines 93 controls organisations can implement to improve their information security. These controls are divided into four categories:

  • Organisational controls: These controls relate to the overall structure, culture, and policies of the organisation, as well as its risk management and information security management system (ISMS).

  • People controls: These controls focus on the people who have access to the organisation's information assets, including their training, awareness, and responsibilities.

  • Physical controls: These controls protect the physical assets of the organisation, such as its buildings, equipment, and data storage facilities.

  • Technological controls: These controls protect the organisation's information systems and networks, including its software, hardware, and data encryption.

The four categories facilitate the planning and implementation of reference measures and the selection of the right controls for the organisation's context. In 2022, the categories have been restructured to reflect current security requirements. The core processes of ISMS management remain the same, but the controls in Annex A have been updated to reflect more modern risks and associated measures.

In this article, we focus on the organisational controls from Annex A of ISO 27001:2022. 


What are organisational controls?

Organisational controls are measures that help organisations protect their information assets by establishing a culture of security and defining clear roles and responsibilities. They are not targeted at specific personnel, or physical or technological threats, but rather at the organisation as a whole.

Organisational controls include:

  • Information security policy: This policy defines the principles and objectives of information security management.

  • Responsibilities and authorities: Clear roles and responsibilities for information security are defined.

  • Management ownership: Management understands and fulfils its role in implementing an information security strategy.

  • Information classification: Information assets are classified according to their information security needs, and appropriate measures are developed.

Organisational controls provide a framework for the basic handling of information assets in an organization. They can be used to:

  • Categorise information assets according to their context

  • Determine and prioritise information security risks

  • Define responsibilities and form management teams

  • Integrate information security into all project processes

  • Establish clear guidelines for project management, supplier relationships and government interactions.

Get ready for the ISO 27001 audit with up to 75% less workload

100% first-try pass rate in external audits on ISO 27001 

Book a demo
DG Seal ISO 27001

ISO 27001: New organisational controls

ISO 27001:2022, the latest version of the ISMS, includes several new organisational controls that respond to today's increasingly complex information security challenges. These include:

  • Threat intelligence: Organisations should conduct threat analysis to better understand how they can be attacked and to develop appropriate defences.

  • Information security for the use of cloud services: Organisations should assess the information security risks of using cloud services and develop a plan to mitigate them.

  • Information and communications technology (ICT) -readiness for business continuity: Organisations should ensure that their ICT systems are capable of ensuring business continuity in the event of an outage.


What are the organisational controls?

A comprehensive list of organisational controls from Annex A of ISO 27001

Organisational controls are an essential part of a comprehensive information security strategy. To build a functioning information security management system, organisations need to know what controls are existing. We have therefore compiled a list with a comprehensive overview of all organisational controls from Annex A of ISO 27001:

Organisational Controls

Annex A 5.1

Policies for Information Security

Organisational Controls

Annex A 5.2

Information Security Roles and Responsibilities

Organisational Controls

Annex A 5.3

Segregation of Duties

Organisational Controls

Annex A 5.4

Management Responsibilities

Organisational Controls

Annex A 5.5

Contact with Authorities

Organisational Controls

Annex A 5.6

Contact with Special Interest Groups

Organisational Controls

Annex A 5.7

Threat Intelligence

Organisational Controls

Annex A 5.8

Information Security in Project Management

Organisational Controls

Annex A 5.9

Inventory of Information and Other Associated Assets

Organisational Controls

Annex A 5.10

Acceptable Use of Information and Other Associated Assets

Organisational Controls

Annex A 5.11

Return of Assets

Organisational Controls

Annex A 5.12

Classification of Information

Organisational Controls

Annex A 5.13

Labelling of Information

Organisational Controls

Annex A 5.14

Information Transfer

Organisational Controls

Annex A 5.15

Access Control

Organisational Controls

Annex A 5.16

Identity Management

Organisational Controls

Annex A 5.17

Authentication Information

Organisational Controls

Annex A 5.18

Access Rights

Organisational Controls

Annex A 5.19

Information Security in Supplier Relationships

Organisational Controls

Annex A 5.20

Addressing Information Security within Supplier Agreements

Organisational Controls

Annex A 5.21

Managing Information Security in the ICT Supply Chain

Organisational Controls

Annex A 5.22

Monitoring, Review and Change Management of Supplier Services

Organisational Controls

Annex A 5.23

Information Security for Use of Cloud Services

Organisational Controls

Annex A 5.24

Information Security Incident Management Planning and Preparation

Organisational Controls

Annex A 5.25

Assessment and Decision on Information Security Events

Organisational Controls

Annex A 5.26

Response to Information Security Incidents

Organisational Controls

Annex A 5.27

Learning From Information Security Incidents

Organisational Controls

Annex A 5.28

Collection of Evidence

Organisational Controls

Annex A 5.29

Information Security During Disruption

Organisational Controls

Annex A 5.30

ICT Readiness for Business Continuity

Organisational Controls

Annex A 5.31

Legal, Statutory, Regulatory and Contractual Requirements

Organisational Controls

Annex A 5.32

Intellectual Property Rights

Organisational Controls

Annex A 5.33

Protection of Records

Organisational Controls

Annex A 5.34

Privacy and Protection of PII

Organisational Controls

Annex A 5.35

Independent Review of Information Security

Organisational Controls

Annex A 5.36

Compliance With Policies, Rules and

Organisational Controls

Annex A 5.37

Documented Operating Procedures Standards for Information Security

How to implement organisational controls for information security 

You've got an overview of controls - now you need to select the right controls and implement them in your organisation. How do you do this? Implementing organisational controls is a process that can be broken down into several steps:

  1. Assess the status quo:

    The first step is to assess the current state of your organisation's information security. This includes identifying the relevant risks and assessing the effectiveness of existing controls.

    You can use a variety of methods to conduct this assessment, such as:

    • Internal audits: An internal audit is a systematic examination of your organisation's information security policies and procedures, conducted by your own staff.

    • External audits: An external audit is conducted by an independent third party.

  2. Selection of the right controls:

    Once you’ve assessed the status quo, you can select the right controls to implement. It is important to consider the risks and requirements of your organisation.

    The selection of controls can be carried out using a risk management process. This process includes the following steps:

    • Identify the risks: The risks to the organisation's information security are identified.

    • Assessing the risks: The risks are assessed in terms of their likelihood of occurrence and their potential for damage.

    • Risk mitigation measures: Measures are selected to minimise the risks.

  3. Implement the controls:

    Once you have selected the appropriate controls, you need to implement them effectively. This step can vary depending on the control.

    For example, the implementation of an information security policy may include the following steps:

    • Policy development: the policy is drafted by a team of experts.

    • Policy approval: the policy is approved by senior management.

    • Communicating the policy: The policy is communicated to all employees.

  4. Monitoring and improvement:

    Once you’ve implemented the controls, you need to monitor their effectiveness on a regular basis. This step will help identify any areas where the controls need to be improved.

    You can monitor the effectiveness of the controls using a variety of methods, such as:

    • Audits: Conducting regular audits to verify compliance with the controls.

    • Reporting: Reporting on the results of monitoring activities.

    • Corrective actions: Taking corrective action when the effectiveness of controls is not assured.


Tips for implementing organizational controls:

  • Start with the most critical controls. Not all controls are created equal. Some controls are more important than others. Start with the most important controls and work your way forward step by step.

  • Involve all stakeholders. Implementing organisational controls is a team effort. Involve all stakeholders to make sure that the controls are implemented successfully.

  • Communicate the controls. Make sure that everyone knows and understands the controls.

  • Measure effectiveness. Measure the effectiveness of the controls on a regular basis to ensure they are achieving their objectives.


Organisational controls to strengthen your information security posture

Organisational controls play a vital role in ISMS by safeguarding information. They help organisations to fundamentally improve their information security and protect themselves against cyber-attacks.

The new organisational controls in ISO 27001:2022 take into account today's information security challenges and provide additional opportunities for organisations to improve their information security.

A comprehensive overview of organisational controls facilitates and structures the selection of the right measures and helps to take into account the context of your organisation.

Find the right controls for your organisation and use our ISO 27001 checklist to find out what you need to do to comply with ISO 27001.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants


up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate


First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Book a demo




External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts



Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit



Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.