ISO 27001:2022 Annex A Control 5.6

Contact With Special Interest Groups

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

As part of the revised ISO 27001:2022 regulation, Annex A Control 5.6 calls for organisations to establish and maintain contacts with special interest groups.

Maintaining appropriate contacts with special interest groups, security forums, and professional associations is also important. It is pertinent to keep in mind that memberships in professional bodies, industry organisations, forums, and discussion groups are all included in this Annex A control. This is when you adjust it to your specific needs.

It is important to understand what each of these groups does and how they were established (e.g. are they for commercial purposes).

What Are Special Interest Groups?

Generally, a special interest group is an association of individuals or organisations interested in a particular field. They work together to solve issues, develop solutions, and acquire knowledge in the field. In our situation, information security would be the area of expertise.

Many special interest groups include manufacturers, specialist forums, and professional associations.

Organisations are encouraged to network with special interest groups, specialist security forums, and professional associations according to Annex A control 5.6 in ISO 27001:2022 or 6.1.4 in ISO 27001:2013.

How Does ISO 27001:2022 Annex A 5.6 Work?

Almost every organisation today has a relationship with special interest groups. The purpose of Annex A control 5.6 is to ensure that information regarding information security flows properly among these special interest groups. This is whether they are customers, suppliers, or groups that influence the organisation.

As part of Annex A Control 5.6, the requirement, purpose, and implementation guidelines for contacting special interest groups are provided. A key aspect of improving information security capabilities is regularly engaging with relevant stakeholders and interested parties, including consumers and their representatives, suppliers, partners, and the government.

A partnership may allow both sides to benefit from each other’s knowledge of cutting-edge ideas and best practices, thus making it a win-win situation.

Furthermore, these groups may be able to provide valuable suggestions or recommendations regarding security practices, procedures, or technologies. These suggestions or recommendations can secure your system while still achieving your business goals.

Getting Started and Meeting the Requirements of Annex A 5.6

An organisation must follow the ISO 27001:2022 implementation guidelines when meeting the requirements for Annex A Control 5.6.

A special interest group or forum membership should enable members to:

  • Stay up-to-date with the latest security information and learn about best practices.
  • Maintain a current understanding of the information security environment.
  • Stay up-to-date on the latest alerts, advisories, and patches related to attacks and vulnerabilities.
  • Get expert advice on information security.
  • Inform each other about the latest technologies, products, services, threats, or vulnerabilities.
  • In the event of an information security incident, provide appropriate liaison points.

As part of ISO/IEC 27000 standards, an information security management system (ISMS) must be established and maintained. Control 5.6 in Annex A is a crucial part of this process. By interacting with Special Interest Groups, you will be able to receive feedback from your peers regarding the effectiveness of your information security processes.

What Are the Changes and Differences From ISO 27001:2013?

ISO 27001:2022, Annex A control 5.6, “Contact with Special Interest Groups,” is essentially an updated version of ISO 27001:2013 control 6.1.4.

In the case of ISO 27001:2022, the purpose of the control is stated in the standard, whereas in the 2013 edition. The purpose of Annex A control is not stated.

Additionally, both versions use different phraseologies despite having the same implementation guidelines.

With these enhancements, the standard will stay current and relevant in light of increasing security concerns and technological developments. Organisations will also benefit since compliance with the standard will be easier.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

How Is This Process Managed?

Data privacy and security, along with compliance, are typically handled by the head of information security (also called CISO).

Information Security Managers (ISMS Managers) can also handle this role, but without the buy-in of senior management, the role cannot move forward.

How Does This Affect Organisations?

Those who have already implemented ISO 27001:2013 will need to update their procedures to ensure compliance with the revised standard.

Most organisations should be able to make the necessary modifications to the 2022 version without any problems, even though there will be some changes. Furthermore, certified organisations will have a two-year transition phase during which they can renew their certification to ensure that it complies with the revised standard.

You can better understand how ISO 27001:2022 will affect data security operations and ISO 27001 certification with our ISO 27001:2022 guide.

How ISMS.Online Helps

With ISMS.online, you can implement ISO 27001 Annex A controls and manage your entire ISMS with our easy-to-use system.

By providing you with tools and resources for managing information security within your organisation, ISMS.online makes ISO 27001 easier to implement. It will assist you in identifying risks, developing mitigation controls, and implementing them.

In addition to providing a management dashboard, reports, and audit logs, ISMS.online will assist you in demonstrating compliance with the standard.

Using ISMS.online provides simple, practical frameworks and templates for information security in project management, DPIA and other related assessments of personal information, e.g. Legitimate Interest Assessments (LIAs).

For Your Early ISMS Success, We Combine Knowledge and Technology

Among the features of our cloud-based platform are the following:

  • Document management system with an easy-to-use interface and extensive customisation capabilities.
  • Pre-written documentation templates that are polished and well-written.
  • Process for conducting internal audits that are simplified.
  • A method of communicating with stakeholders and management that is efficient.
  • A workflow module to streamline the implementation process.

We have all of these features and more. To book a demo, please get in touch with us today.

ISMS.online is a
one-stop solution that radically speeded up our implementation.

Evan Harris
Founder & COO, Peppy

Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.