
Organizational Controls

Annex A.5 — 37 organisational controls covering policies, roles, supplier relationships, and incident management.

Control   Priority  Title
A.5.1     Medium    Policies for information security
A.5.2     Medium    Information security roles and responsibilities
A.5.3     Medium    Segregation of duties
A.5.4     Medium    Management responsibilities
A.5.5     Medium    Contact with authorities
A.5.6     Medium    Contact with special interest groups
A.5.7     Medium    Threat intelligence
A.5.8     Medium    Information security in project management
A.5.9     Medium    Inventory of information and other associated assets
A.5.10    Medium    Acceptable use of information and other associated assets
A.5.11    Medium    Return of assets
A.5.12    Medium    Classification of information
A.5.13    Medium    Labelling of information
A.5.14    Medium    Information transfer
A.5.15    Medium    Access control
A.5.16    Medium    Identity management
A.5.17    Medium    Authentication information
A.5.18    Medium    Access rights
A.5.19    Medium    Information security in supplier relationships
A.5.20    Medium    Addressing information security within supplier agreements
A.5.21    Medium    Managing information security in the ICT supply chain
A.5.22    Medium    Monitoring, review and change management of supplier services
A.5.23    Medium    Information security for use of cloud services
A.5.24    Medium    Information security incident management planning and preparation
A.5.25    Medium    Assessment and decision on information security events
A.5.26    Medium    Response to information security incidents
A.5.27    Medium    Learning from information security incidents
A.5.28    Medium    Collection of evidence
A.5.29    Medium    Information security during disruption
A.5.30    Medium    ICT readiness for business continuity
A.5.31    Medium    Legal, statutory, regulatory and contractual requirements
A.5.32    Medium    Intellectual property rights
A.5.33    Medium    Protection of records
A.5.34    Medium    Privacy and protection of PII
A.5.35    Medium    Independent review of information security
A.5.36    Medium    Compliance with policies, rules and standards for information security
A.5.37    Medium    Documented operating procedures