ISO/IEC 27001:2022 offers a structured approach to managing the wide range of information security risks faced by organisations, and Annex A of the Standard provides a catalogue of 93 controls grouped into four categories: organisational, people, physical, and technological.

Eight of the organisational controls describe how your management team can create a tailored strategy for managing and improving your information security posture. These controls consist of:
- A.5.1 – Policies for information security
- A.5.2 – Information security roles and responsibilities
- A.5.3 – Segregation of duties
- A.5.4 – Management responsibilities
- A.5.5 – Contact with authorities
- A.5.6 – Contact with special interest groups
- A.5.7 – Threat intelligence
- A.5.8 – Information security in project management
In this blog, we will explore the importance of these controls and offer practical tips on how to best demonstrate conformance with their requirements.

Why are the ISO 27001 information security management controls important?
Many organisations fail to approach data security as an ongoing strategic business priority. Instead, it is often mistakenly treated as a one-off initiative. However, experience shows that this approach is insufficient, as information security threats are constantly evolving. To effectively address the challenges of the dynamic threat landscape, your organisation needs to adopt a clear, proactive and accountable business approach to managing its information security practices. Such a strategy is essential, both for the security of your organisation’s data and for the continuity of the organisation itself. As such, an information security management strategy needs to be adopted not only by the IT department or senior management team, but also by your organisation as a whole. It should provide appropriate business oversight over the measures that you take to secure your information assets.
In practice, your strategy for managing information security should consist, at a minimum, of the following measures:
- Establishing and communicating clear security policies: This helps set consistent expectations with your users by defining a clear, understandable security baseline that can be easily followed and enforced
- Defining Roles and Responsibilities: Clearly assigning ownership of security measures ensures accountability and helps identify who is responsible for overseeing specific controls
- Engaging with Stakeholders: By actively engaging with stakeholders, both internal and external, you can stay informed about emerging risks and trends in the security landscape and ensure that users are following best practices when working with company data in their respective roles
- Managing security risks in your day-to-day activities and projects: This ensures that risks to your organisation’s information are continuously identified, assessed and treated, while also safeguarding the confidentiality, integrity, and availability (CIA) of your data as business-as-usual activities evolve.
What are the different types of information security management controls?
According to ISO 27002:2022, the supplementary standard to ISO 27001, the controls we will discuss in this article are categorised as preventive and corrective controls. One of those controls, A.5.7 (Threat intelligence), is also categorised as a detective control.
- Preventive controls are intended to stop an information security incident from occurring, or at least reduce the likelihood of an incident.
- Corrective controls are intended to close off or resolve a security incident or issue that has already occurred.
- Detective controls are intended to identify security threats, weaknesses or concerns when they arise, thus enabling organisations to learn about these threats in real-time.
Hints and tips on demonstrating conformance to A.5 information security management controls
A.5.1 – Policies for information security
For this control, you will need to have a series of documented information security policies in place. This includes, first and foremost, an overarching information security policy, but should also include supporting policies that provide more granular detail about specific security aspects, referred to by the Standard as topic-specific policies. Typically, these will include policies relating to the acceptable use of company assets, as well as access control, human resources, business continuity, incident management, change management, risk management, and supplier management. These can either be contained within the same document as your information security policy, or they can be held separately. Topic-specific policies should be approved by a member of your management team (e.g., the CEO/Managing Director, the CISO, or the COO), although this can be delegated to mid-level management if appropriate. Your information security policy is the only exception to this, as ISO 27001 requires this policy to be approved by senior management. You will also need to ensure that the manager(s) approving the policies have suitable competence or knowledge of the subject matters at hand.
It is important to ensure that your policies are shared with and accepted by your employees and other relevant parties (e.g., suppliers, contractors, child-company staff). In order to provide evidence of this, it would be beneficial to maintain records of which parties have read your policies and which have not. This could be documented within an Excel spreadsheet or generated on an HR/training platform.
To learn more about ISO 27001 requirements for your information security policy and how to produce one that is fully conformant to the Standard, read our blog on Developing an ISO 27001 Information Security Policy.
A.5.2 – Information security roles and responsibilities
This control is aimed at ensuring there is a suitable accountability structure in your organisation in relation to information security. Here, you should be looking to produce a list of key roles that are relevant to information security. The responsibilities associated with these roles should be formally documented, along with the information security responsibilities of ordinary employees. A common practice is to document the information security roles of the CEO/managing director, the CISO/security manager, the IT manager, your asset owners, risk owners, and the responsibilities of ordinary employees. Employees’ responsibilities usually include aspects such as protecting confidential information from unauthorised disclosure, reporting security incidents as soon as they are observed, and only using company assets in a way deemed acceptable to the organisation.
When being audited, you need to demonstrate that roles and responsibilities have been clearly allocated and communicated. This can be best evidenced by documenting employees’ responsibilities in job descriptions, terms and conditions of employment, and non-disclosure agreements (NDAs) as well as through regular security awareness training. Responsibility allocation can also be demonstrated by including a dedicated ‘responsibilities’ section in each of your policies, processes and procedures.
This control is typically audited in tandem with Clause 5.3 of ISO 27001, which similarly requires senior management to assign and communicate ‘responsibilities and authorities relevant to information security’, and to allocate the responsibilities of reporting on the performance of the ISMS. In addition to the above, the auditor will typically expect to see that your organisation has appointed an official ISMS manager or ISMS owner. The role of ensuring ISMS conformance can be allocated to an existing employee as an additional responsibility to their current role (such as your CISO, Security Manager, or another appropriate individual), or it can be a stand-alone role. Additionally, it will be expected that this individual is providing regular updates to senior management on the effectiveness of the ISMS controls, as well as highlighting any outputs or concerns that need to be addressed. This can be carried out at your organisation’s management review meetings (required by Clause 9.3 of the Standard), or through regular meetings with your internal security committee, which should consist of some members of the senior management team.
A.5.3 – Segregation of duties
The aim of this control is to reduce the risk of conflicts of interest by ensuring no members of your organisation hold two or more conflicting duties or areas of responsibility. This will be different for every organisation, but examples of such conflicts may include:
- The duty of developing software updates and the duty of deploying them
- The role of CEO and the role of data protection officer
- The duty of processing payments and the duty of approving payments
- The duty of managing your ISMS and the duty of auditing it.
Small organisations can face challenges in implementing segregation of duties due to low headcount. In such cases, you should attempt to mitigate the risk of such conflicts through measures such as system monitoring, audit trails, and general management oversight.
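The conflict check described above, as an added example that is not part of the original blog post: a duty register is compared against a list of conflicting duty pairs, and conflicts that have a recorded compensating control (the fallback suggested for small organisations) are separated from those still needing treatment. The people, duties, conflict pairs and compensating controls below are constructed for illustration; an organisation would load its own register.

```python
"""Segregation-of-duties (SoD) conflict check over a duty-assignment register.

Added example, not code from the original post. All names, duties, conflict
pairs and compensating controls are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Pairs of duties that must not be held by the same person (constructed,
# following the examples given in the text above).
CONFLICTING_DUTIES = {
    frozenset({"develop_updates", "deploy_updates"}),
    frozenset({"ceo", "data_protection_officer"}),
    frozenset({"process_payments", "approve_payments"}),
    frozenset({"manage_isms", "audit_isms"}),
}

# Sample duty register as (person, duty) rows. Constructed data.
ASSIGNMENTS = [
    ("alice", "develop_updates"),
    ("alice", "deploy_updates"),
    ("bob", "process_payments"),
    ("carol", "approve_payments"),
    ("dave", "manage_isms"),
    ("dave", "audit_isms"),
    ("dave", "ceo"),
]

# Compensating controls recorded for conflicts a small team has accepted
# (constructed): person -> {conflicting pair: description of the control}.
COMPENSATING_CONTROLS = {
    "alice": {
        frozenset({"develop_updates", "deploy_updates"}):
            "Deployment pipeline requires peer approval; audit trail retained",
    },
}


def find_conflicts(assignments, conflicting=CONFLICTING_DUTIES):
    """Return {person: sorted list of (duty_a, duty_b)} for each conflicting pair held."""
    duties_by_person = defaultdict(set)
    for person, duty in assignments:
        duties_by_person[person].add(duty)
    conflicts = {}
    for person, duties in duties_by_person.items():
        pairs = [
            tuple(sorted(pair))
            for pair in combinations(duties, 2)
            if frozenset(pair) in conflicting
        ]
        if pairs:
            conflicts[person] = sorted(pairs)
    return conflicts


def unmitigated_conflicts(conflicts, compensating=COMPENSATING_CONTROLS):
    """Drop conflicts that have a recorded compensating control; return the rest."""
    result = {}
    for person, pairs in conflicts.items():
        covered = compensating.get(person, {})
        remaining = [pair for pair in pairs if frozenset(pair) not in covered]
        if remaining:
            result[person] = remaining
    return result


if __name__ == "__main__":
    found = find_conflicts(ASSIGNMENTS)
    open_items = unmitigated_conflicts(found)
    for person, pairs in found.items():
        for pair in pairs:
            status = "OPEN" if pair in open_items.get(person, []) else "mitigated"
            print(f"{person}: {pair[0]} + {pair[1]} [{status}]")
```

Run on the constructed register, the report shows alice's develop/deploy conflict as mitigated by the recorded pipeline control and dave's manage/audit ISMS conflict as open; dave holding the CEO role is not flagged because no one has been assigned the data protection officer duty alongside it.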
A.5.4 – Management responsibilities
In order to conform to this control, you need to be able to demonstrate that your management team is leading by example in relation to information security by actively promoting information security awareness among existing personnel. When being audited, you may be asked to share your organisation’s security awareness training materials, and whether you maintain any logs of employees who have completed their ISMS training or received their ISMS briefings. Such training should be provided when an employee joins the organisation and reinforced through regular refresher sessions. Additionally, if an employee’s competency is found to be lacking during their employment, auditors may enquire about the measures your organisation has taken to address and compensate for these gaps.
The auditor will also be checking whether intentional violations of your information security policies have been followed up with an investigation or a disciplinary hearing, if appropriate. They may also ask whether you have a whistleblowing policy, through which employees can report security incidents or violations anonymously. If you do, you may need to explain who is responsible for reviewing whistleblowing complaints.
A.5.5 – Contact with authorities
In order to demonstrate conformance to this control, you will need to show you have identified any interested parties that have authority or influence over your organisation or are relied upon in an advisory capacity. Usually, this will include government agencies, law enforcement, investors (if applicable), parent companies, regulatory bodies, or business associations whose members have shared commitments or values. You also need to evidence that you have acknowledged your information security obligations to these authorities. Such obligations may include reporting security incidents or business continuity events within a specified timeframe, adhering to contractual requirements relating to confidentiality, or reporting major changes to your security programme (e.g., if you expand the scope of your ISMS, you will need to notify your certification body).
If your organisation is owned by a parent company or by an investment group, you may be asked by an auditor whether these entities have imposed any information security requirements on your organisation (e.g., confidentiality or transparency clauses in your contractual agreements) and may request evidence that you are conforming to those requirements.
Conformance to this control is often demonstrated by maintaining a list or register of your organisation’s legal, regulatory and supervisory authorities. Alternatively, these authorities can be documented in your general list of interested parties relevant to your ISMS (as required by Clause 4.2 of ISO 27001). Regardless, your relationship with these authorities should be reviewed regularly to ensure continued relevance (and compliance where necessary). Contact information for these authorities must also be kept up to date.
A.5.6 – Contact with special interest groups
For this control, you need to evidence that you have identified relevant interested parties who can supply intelligence to support the improvement of your ISMS and help you stay informed about emerging security risks and trends. Such interested parties include government cybersecurity agencies, security associations or forums, or reputable security magazines and newsletters.
Like A.5.5, conformance to this control can be evidenced by maintaining a list or register of special interest groups that your organisation is either in contact with, a corporate member of, or receiving regular correspondence from. Alternatively, you can document these groups in your list of interested parties. You can also demonstrate conformance by having email subscriptions with any of the above groups. Regardless of how this is achieved, your relationship with special interest groups should be reviewed regularly to ensure continued relevance. Contact information for special interest groups must also be kept up to date.
A.5.7 – Threat intelligence
Here, you need to be able to demonstrate that your organisation actively gathers information from reliable sources about current security threats and the threat actors behind them. This may include:
- Strategic Intelligence: Information about who the attackers are (e.g., hacktivists, insiders, script-kiddies, or state-sponsored groups), and the types of attack being conducted
- Tactical Intelligence: Information about the methodologies used by the attackers, as well as the tools that are currently being used to conduct their attacks
- Operational Intelligence: Information about specific attacks that have occurred, including attacks attempted or successfully conducted against your own organisation, as well as others.
Threat intelligence information can come from security newsletters, associations, government agencies, or from an in-house or third-party security operations centre (SOC).
Having gathered this information, you will then need to determine whether any of these findings present a risk to your organisation, and whether risk mitigation is needed to reduce the impact or likelihood of such risks. This can be achieved by using automated tools, reporting on findings at management reviews, or by having a security committee that meets regularly to discuss such findings.
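The triage step described above, as an added example that is not part of the original blog post: each threat intelligence item is tagged with its level (strategic, tactical or operational, as listed in the text) and the products it affects, and is matched against an asset inventory so that management review receives a prioritised list rather than a raw feed. The feed items, the asset inventory and the priority rules are all constructed assumptions for illustration; a real organisation would feed in its own advisories and inventory and set its own thresholds.

```python
"""Triage of threat-intelligence items against an asset inventory.

Added example, not code from the original post. The feed items, product
names, inventory and priority rules are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class IntelItem:
    source: str                 # constructed source label (advisory, newsletter, SOC report)
    level: str                  # "strategic", "tactical" or "operational", per the text
    summary: str
    affected_products: set = field(default_factory=set)
    observed_in_house: bool = False  # operational: attempted/successful against us


# Constructed asset inventory: product -> business systems built on it.
ASSET_INVENTORY = {
    "example-vpn-appliance": {"remote-access-gateway"},
    "example-mail-server": {"corporate-email"},
}

# Constructed feed, one item per intelligence level from the text.
FEED = [
    IntelItem("constructed-cert-advisory", "tactical",
              "Exploitation of example-vpn-appliance auth bypass reported in the wild",
              {"example-vpn-appliance"}),
    IntelItem("constructed-newsletter", "strategic",
              "Hacktivist groups increasingly targeting the sector"),
    IntelItem("constructed-soc-report", "operational",
              "Credential-stuffing attempts against corporate-email",
              {"example-mail-server"}, observed_in_house=True),
    IntelItem("constructed-newsletter", "tactical",
              "New loader malware abusing example-unused-crm",
              {"example-unused-crm"}),
]

# Priority labels for the management-review report (constructed scale).
PRIORITY_LABELS = {
    3: "treat now (seen against us)",
    2: "assess (affects a system we run)",
    1: "context (no specific product)",
    0: "record and close (product not in use)",
}


def triage(items, inventory):
    """Return [(priority, item, exposed_systems)] sorted from highest priority down."""
    scored = []
    for item in items:
        exposed = set()
        for product in item.affected_products:
            exposed |= inventory.get(product, set())
        if item.observed_in_house:
            priority = 3   # already attempted against us: risk treatment decision needed
        elif exposed:
            priority = 2   # affects something in the inventory: assess likelihood and impact
        elif not item.affected_products:
            priority = 1   # strategic or general context: note at management review
        else:
            priority = 0   # names products we do not run: record and close
        scored.append((priority, item, exposed))
    # sorted() is stable, so items with equal priority keep feed order
    return sorted(scored, key=lambda entry: entry[0], reverse=True)


def review_report(items, inventory):
    """Lines for the management review or security committee agenda."""
    lines = []
    for priority, item, exposed in triage(items, inventory):
        systems = ", ".join(sorted(exposed)) or "-"
        lines.append(f"[{PRIORITY_LABELS[priority]}] {item.level}: "
                     f"{item.summary} (systems: {systems}; source: {item.source})")
    return lines


if __name__ == "__main__":
    for line in review_report(FEED, ASSET_INVENTORY):
        print(line)
```

The exposure match is deliberately conservative: an item naming a product that is absent from the inventory is closed rather than discarded, so the decision is recorded as evidence that the finding was considered, while items with no product at all are kept as context for the strategic picture.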
A.5.8 – Information security in project management
Project management involves establishing a temporary group of people to create something (e.g., a new process, activity or technology) that will eventually be integrated into your organisation’s day-to-day practices. To ensure conformance to this control, you will need to evidence that information security practices are embedded in your organisation’s approach to project management. This includes:
- Assigning roles and responsibilities prior to and during the project (see A.5.2)
- Managing information security risks that relate to the project or its output.
- Ensuring appropriate access control, so that only authorised persons can access information about the project
- Identifying organisational information involved in the project and the level of protection it requires
- Ensuring (for ICT projects) that there is a fallback option in case the project output causes an incident (e.g., a system crash due to an update or a data loss when switching from old to new systems).
Closing Thoughts
Just as it is important for organisations to have good information security practices, it is also important for those practices to be appropriately governed and improved where necessary. By adopting an information security management strategy and tailoring it to your business requirements, your organisation can ensure that the measures you take to secure your data continue to be relevant and effective, whilst helping you to stay ahead of the curve.
How URM can Help
Consultancy
If your organisation requires assistance with ISO 27001 implementation, URM is the ideal partner to support your organisation with any aspect of its conformance/certification to the Standard. Our team of experienced consultants can offer your organisation a range of ISO 27001 support services to help you achieve full conformance with the Standard’s requirements. We can begin the implementation project by conducting an ISO 27001 gap analysis, where we establish where you are already conformant with the Standard, and those areas which may require further improvement. Following this, we can help you conduct your ISO 27001 risk assessment with our proven risk assessment tool, Abriska™ 27001. Having conducted the risk assessment and determined which policies and processes need to be developed, we will work with you to develop the policies, processes and ISMS infrastructure that both enable you to achieve ISO 27001 certification or conformance and are appropriate for your organisation’s unique culture and needs.
Following implementation of the ISMS, URM can also provide ISO 27001 internal audit services, with a range of options available depending on your organisation’s needs and preferences. These include conducting an internal audit ahead of your certification assessment to ensure the ISMS is functioning as intended, planning and implementing a full 3-year ISO 27001 audit programme, or auditing more specific aspects of the ISMS or particular controls.
Training
To enhance your own information security skills and understanding, URM regularly delivers a number of ISO 27001-related training courses. Our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our 2-day ISO/IEC 27001:2022 Transition Course covers both the changes seen in the latest version of the Standard and how to implement them. Or, if you would like to gain an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS-invigilated examination.
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.