As part of the revised ISO 27001:2022 regulation, Annex A Control 5.6 calls for organisations to establish and maintain contacts with special interest groups.
Maintaining appropriate contacts with special interest groups, security forums, and professional associations is also important. It is pertinent to keep in mind that memberships in professional bodies, industry organisations, forums, and discussion groups are all included in this Annex A control. This is when you adjust it to your specific needs.
It is important to understand what each of these groups does and how they were established (e.g. are they for commercial purposes).
Generally, a special interest group is an association of individuals or organisations interested in a particular field. They work together to solve issues, develop solutions, and acquire knowledge in the field. In our situation, information security would be the area of expertise.
Many special interest groups include manufacturers, specialist forums, and professional associations.
Organisations are encouraged to network with special interest groups, specialist security forums, and professional associations according to Annex A control 5.6 in ISO 27001:2022 or 6.1.4 in ISO 27001:2013.
Almost every organisation today has a relationship with special interest groups. The purpose of Annex A control 5.6 is to ensure that information regarding information security flows properly among these special interest groups. This is whether they are customers, suppliers, or groups that influence the organisation.
As part of Annex A Control 5.6, the requirement, purpose, and implementation guidelines for contacting special interest groups are provided. A key aspect of improving information security capabilities is regularly engaging with relevant stakeholders and interested parties, including consumers and their representatives, suppliers, partners, and the government.
A partnership may allow both sides to benefit from each other’s knowledge of cutting-edge ideas and best practices, thus making it a win-win situation.
Furthermore, these groups may be able to provide valuable suggestions or recommendations regarding security practices, procedures, or technologies. These suggestions or recommendations can secure your system while still achieving your business goals.
Book a 30 minute chat with us and we’ll show you how
An organisation must follow the ISO 27001:2022 implementation guidelines when meeting the requirements for Annex A Control 5.6.
A special interest group or forum membership should enable members to:
As part of ISO/IEC 27000 standards, an information security management system (ISMS) must be established and maintained. Control 5.6 in Annex A is a crucial part of this process. By interacting with Special Interest Groups, you will be able to receive feedback from your peers regarding the effectiveness of your information security processes.
ISO 27001:2022, Annex A control 5.6, “Contact with Special Interest Groups,” is essentially an updated version of ISO 27001:2013 control 6.1.4.
In the case of ISO 27001:2022, the purpose of the control is stated in the standard, whereas in the 2013 edition. The purpose of Annex A control is not stated.
Additionally, both versions use different phraseologies despite having the same implementation guidelines.
With these enhancements, the standard will stay current and relevant in light of increasing security concerns and technological developments. Organisations will also benefit since compliance with the standard will be easier.
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 | Annex A 5.1.1 Annex A 5.1.2 | Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 | Annex A 6.1.5 Annex A 14.1.1 | Information Security in Project Management |
| Organisational Controls | Annex A 5.9 | Annex A 8.1.1 Annex A 8.1.2 | Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 | Annex A 8.1.3 Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 | Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 | Information Transfer |
| Organisational Controls | Annex A 5.15 | Annex A 9.1.1 Annex A 9.1.2 | Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 | Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 | Authentication Information |
| Organisational Controls | Annex A 5.18 | Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 | Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 | Annex A 15.2.1 Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 | Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 | Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 | Annex A 18.1.1 Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 | Annex A 18.2.2 Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 | Annex A 16.1.2 Annex A 16.1.3 | Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 | Annex A 11.1.2 Annex A 11.1.6 | Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 | Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 | Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 | Annex A 6.2.1 Annex A 11.2.8 | User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 | Annex A 12.6.1 Annex A 18.2.3 | Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 | Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 | Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs |
| Technological Controls | Annex A 8.19 | Annex A 12.5.1 Annex A 12.6.2 | Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 | Annex A 10.1.1 Annex A 10.1.2 | Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 | Annex A 14.1.2 Annex A 14.1.3 | Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 | Annex A 14.2.8 Annex A 14.2.9 | Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 | Annex A 12.1.4 Annex A 14.2.6 | Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 | Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 | Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Data privacy and security, along with compliance, are typically handled by the head of information security (also called CISO).
Information Security Managers (ISMS Managers) can also handle this role, but without the buy-in of senior management, the role cannot move forward.
Those who have already implemented ISO 27001:2013 will need to update their procedures to ensure compliance with the revised standard.
Most organisations should be able to make the necessary modifications to the 2022 version without any problems, even though there will be some changes. Furthermore, certified organisations will have a two-year transition phase during which they can renew their certification to ensure that it complies with the revised standard.
You can better understand how ISO 27001:2022 will affect data security operations and ISO 27001 certification with our ISO 27001:2022 guide.
With ISMS.online, you can implement ISO 27001 Annex A controls and manage your entire ISMS with our easy-to-use system.
By providing you with tools and resources for managing information security within your organisation, ISMS.online makes ISO 27001 easier to implement. It will assist you in identifying risks, developing mitigation controls, and implementing them.
In addition to providing a management dashboard, reports, and audit logs, ISMS.online will assist you in demonstrating compliance with the standard.
Using ISMS.online provides simple, practical frameworks and templates for information security in project management, DPIA and other related assessments of personal information, e.g. Legitimate Interest Assessments (LIAs).
Among the features of our cloud-based platform are the following:
We have all of these features and more. To book a demo, please get in touch with us today.
ISMS.online is a
one-stop solution that radically speeded up our implementation.
