Annex A Controls

Annex A Controls

A.5.15 through A.5.18 — Access Control Done Properly

Control A.5.15: Access Control Policy That Actually Works Control A.5.15 requires establishing and implementing rules for controlling physical and logical access to information and other associated assets based on business and information security requirements. The key word here is "implementing" — I've seen

Annex A Controls

A.5.11 through A.5.14 — Asset Returns Classification Labeling and Transfer

A.5.11 — Return of Assets: The Termination Control That Reveals Everything Control A.5.11 requires that "personnel and other interested parties should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement." Simple on paper, catastrophic

Annex A Controls

A.5.9 and A.5.10 — Asset Inventory and Acceptable Use

The Foundation That Makes or Breaks Your ISMS Every organization I audit claims they have an asset inventory. About 20% actually have something useful. The rest have either a dusty spreadsheet last updated when someone remembered it existed, an automatically generated list from a scanning tool that nobody reviews, or

Annex A Controls

A.5.8 Information Security in Project Management

Here's what I learned from fifteen years of auditing project security implementations: the organizations that succeed at Control 5.8 don't treat it as a security control at all. They treat it as project hygiene. The ones that fail? They bolt security onto their existing project

Annex A Controls

A.5.7 Threat Intelligence — What Auditors Actually Expect

The Three Layers That Matter Control 5.7 requires organizations to collect and analyze information relating to information security threats to produce threat intelligence. The standard deliberately defines three distinct layers of threat intelligence that must be considered, and understanding these layers is crucial to meeting audit expectations: * Strategic threat

Annex A Controls

A.5.5 and A.5.6 — Contact with Authorities and Special Interest Groups

Understanding the Real Purpose These two controls — A.5.5 Contact with Authorities and A.5.6 Contact with Special Interest Groups — consistently rank among the most superficially implemented requirements I encounter during audits. Organizations mark them as "implemented" while maintaining nothing more than a bookmark folder labeled

Annex A Controls

Annex A.5.1 through A.5.4 — Information Security Policies and Roles

The Policy Framework That Actually Works: A.5.1 Through A.5.4 Decoded Three weeks before their certification audit, a mid-sized financial services firm proudly presented their information security policy—a 47-page document that looked impressive until I asked the CISO a simple question: "When was the last