
ISO 27001:2022 Annex A Organisational Controls: The Section That Carries Most of the Programme

Standarity Editorial Team · ISO 27001:2022 Lead Implementers & Auditors

ISO 27001:2022 Annex A reorganised the controls into four themes: organisational (A.5), people (A.6), physical (A.7), and technological (A.8). The technological controls get most of the practitioner attention — patching, logging, monitoring, and encryption are the visible work that fills security backlogs. The organisational controls in A.5 get less attention and more audit findings. Most of the programme weight actually sits here: policies, roles and responsibilities, supplier management, classification, incident management, continuity. Treating A.5 as administrative ceremony produces a programme that looks technically strong and fails on its foundation.

A.5.1 Policies for Information Security

The information security policy and supporting policies are not just documents to satisfy auditors. They are the explicit statement of management commitment, the framework employees use to understand expectations, and the reference point for every other control in the ISMS. Policies that are out of date, written by consultants without internal review, or filed without communication are findings waiting to happen. Strong policies are reviewed periodically, communicated visibly, and referenced operationally — when a decision needs to be made, someone consults the relevant policy.

A.5.9 Inventory of Information and Associated Assets

Asset inventory is one of the most consequential controls in the standard. Without knowing what you have, you cannot protect it, classify it, dispose of it appropriately, or assess risk against it accurately. Most organisations have asset inventories that are partial, out of date, or fragmented across multiple systems. The maturity work — building a unified inventory, keeping it current as the estate changes, integrating discovery with classification — is unglamorous and consistently high-leverage. Programmes that get the inventory right find that downstream controls become easier; programmes that do not find that every other control has an inventory weakness in its foundation.
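The reconciliation work described above is easiest to see in code. The following is an added example written for this article, not code from the original, and the CMDB export, discovery export and classification register it uses are constructed sample data with hypothetical host names and RFC 1918 addresses. It merges the two fragmented sources by IP address into one unified view and flags the gaps an A.5.9 review cares about: assets discovered on the network but absent from the CMDB, CMDB entries not seen for longer than a staleness window, assets with no owner, and assets with no classification. The 90-day window and the field names are assumptions; a real programme would load the same shapes from its own CMDB and scanner exports.

```python
"""Reconcile fragmented asset inventories into one view and flag gaps.

Added illustration for ISO 27001:2022 A.5.9 (inventory of information and
associated assets); not code from the original article. All data below is
constructed sample data, not from any real estate.
"""
from datetime import date, timedelta

# Constructed CMDB export: what the organisation *believes* it has.
CMDB = [
    {"name": "web-01", "ip": "10.0.1.10", "owner": "platform", "last_seen": "2024-05-01"},
    {"name": "db-01", "ip": "10.0.2.20", "owner": "data", "last_seen": "2024-05-02"},
    {"name": "legacy-ftp", "ip": "10.0.3.30", "owner": "", "last_seen": "2023-11-15"},
]

# Constructed discovery export: what a network scan actually found today.
DISCOVERED = [
    {"ip": "10.0.1.10", "hostname": "web-01", "seen": "2024-05-03"},
    {"ip": "10.0.2.20", "hostname": "db-01", "seen": "2024-05-03"},
    {"ip": "10.0.4.44", "hostname": "jenkins-shadow", "seen": "2024-05-03"},
]

# Constructed classification register (A.5.12 output), keyed by asset name.
CLASSIFICATION = {"web-01": "internal", "db-01": "confidential"}

TODAY = date(2024, 5, 3)            # assumed review date for the sample
STALE_AFTER = timedelta(days=90)    # assumed staleness window


def _parse(iso_day):
    return date.fromisoformat(iso_day)


def reconcile(cmdb, discovered, classification, today, stale_after=STALE_AFTER):
    """Merge CMDB and discovery data by IP and return (unified, findings).

    unified:  {ip: {name, ip, owner, last_seen, classification, source}}
    findings: sorted lists of asset names, or IPs for unregistered assets
              (an unregistered asset has no trusted name yet).
    """
    seen = {d["ip"]: d for d in discovered}
    unified = {}

    # Start from the CMDB and refresh last_seen from discovery where possible.
    for asset in cmdb:
        ip = asset["ip"]
        last_seen = _parse(asset["last_seen"])
        if ip in seen:
            last_seen = max(last_seen, _parse(seen[ip]["seen"]))
        unified[ip] = {
            "name": asset["name"],
            "ip": ip,
            "owner": asset.get("owner", ""),
            "last_seen": last_seen,
            "classification": classification.get(asset["name"]),
            "source": "cmdb+discovery" if ip in seen else "cmdb",
        }

    # Anything discovered but not in the CMDB is an unregistered asset.
    for ip, d in seen.items():
        if ip not in unified:
            unified[ip] = {
                "name": d["hostname"],
                "ip": ip,
                "owner": "",
                "last_seen": _parse(d["seen"]),
                "classification": classification.get(d["hostname"]),
                "source": "discovery",
            }

    assets = unified.values()
    findings = {
        "unregistered": sorted(a["ip"] for a in assets if a["source"] == "discovery"),
        "stale": sorted(a["name"] for a in assets if today - a["last_seen"] > stale_after),
        "no_owner": sorted(a["name"] for a in assets if not a["owner"]),
        "unclassified": sorted(a["name"] for a in assets if a["classification"] is None),
    }
    return unified, findings


if __name__ == "__main__":
    unified, findings = reconcile(CMDB, DISCOVERED, CLASSIFICATION, TODAY)
    print(f"{len(unified)} assets in unified inventory")
    for kind, names in findings.items():
        print(f"{kind:>13}: {', '.join(names) or '-'}")
```

Each finding maps to a downstream control that would otherwise inherit the inventory weakness: an unregistered host cannot have been risk-assessed, a stale entry cannot be trusted for disposal decisions, and an unclassified or unowned asset has nobody accountable for its handling. Running the reconciliation on every discovery cycle, rather than once before an audit, is what turns the inventory into a current record.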

A.5.19-23 Supplier Relationships

The supplier-related controls expanded in the 2022 revision in recognition of how much organisational risk now flows through third parties. The set covers information security in supplier relationships, addressing information security within supplier agreements, managing information security in the ICT supply chain, and monitoring and review of supplier services. The work is operationally heavy — risk assessment of suppliers, contractual provisions, ongoing monitoring, exit planning — and is consistently under-resourced relative to the actual risk concentration. Programmes that genuinely operate these controls produce different outcomes than programmes that have policies referencing them without operational follow-through.

A pattern in 27001 audits: the technical controls are strong, the organisational controls have visible findings, and the audit conclusion notes that the management system layer is the weak point. The remediation is rarely technical; it is investment in the operational discipline of the organisational controls. The hardest part is that the organisational controls require sustained attention from non-security stakeholders — legal, procurement, business unit leadership — whose engagement the security team cannot mandate.

A.5.24-28 Information Security Incident Management

Incident management spans planning and preparation, assessment and decision, response, learning, and evidence collection. The 2022 revision treats it as a coherent set of controls rather than a single entry. Strong implementations operate incident management as a real capability — tested through exercises, refined through post-incident reviews, integrated with adjacent disciplines like business continuity. Weak implementations have an incident response plan filed somewhere and discover during a real incident that the plan does not match the actual environment or the actual team. The gap is operational rather than documentary.

A.5.36-37 Compliance and Documented Procedures

Compliance with legal, statutory, regulatory, and contractual requirements is one of the controls that auditors increasingly examine carefully. Organisations are expected to maintain awareness of applicable requirements, evaluate compliance, and act on findings. Programmes that have not built this systematically — relying on individual function owners to monitor their own regulatory obligations — produce gaps that surface during audits and during regulatory engagement. Strong programmes maintain a register of applicable requirements, link them to the operational processes that ensure compliance, and review compliance periodically with documented results.

Where Programme Maturity Most Often Shows

  • Policies that are reviewed periodically and visibly used in operational decisions
  • Asset inventory that is unified, current, and integrated with classification
  • Supplier programme that operates with risk-tiered due diligence and ongoing monitoring
  • Incident management capability tested through exercises, not just documented
  • Compliance register linked operationally to processes that ensure conformity
  • Information classification scheme actually used by employees, not just defined in policy
  • Roles and responsibilities documented and reflected in how decisions actually get made

Why the Organisational Layer Carries the Programme

Technical controls without organisational underpinning produce a security capability that depends on the technical team's ongoing attention. Organisational controls operating well produce a programme that survives technical team turnover, scales with the organisation, and integrates security thinking across functions. The organisational controls are not the visible part of the programme, but they are the durable part. Investing disproportionately in A.5 maturity produces ISMSes that hold up over years; investing only in A.8 produces ISMSes that look strong this audit and fade by the next.
