Control library

Explore all 93 Annex A controls with business meaning and audit relevance

The control library is designed for risk-based learning. Filter by category, business theme, control type, or keyword, then review how each control connects to risks, evidence, and SoA logic.
Controls are selected, not worshipped
Annex A gives options. A mature ISMS explains why each option matters in this business, which risks it addresses, and how operation will be evidenced.
Applicability must be specific
A control should not be marked applicable because it sounds good. It should be applicable because the organization has a context, obligation, dependency, or risk that makes it relevant.
Evidence must show operation
For Annex A controls, strong evidence usually combines design proof and execution proof: for example, a procedure plus the records, logs, tickets, or reviews that show it being applied.
The SoA is the bridge
The Statement of Applicability is where Annex A stops being a catalogue and becomes a business-specific control position that an auditor can test.
Organizational (37 controls): Policies, governance, supplier oversight, incident management, continuity, and compliance.
People (8 controls): Awareness, hiring, offboarding, remote work, and human behavior.
Physical (14 controls): Premises, visitors, equipment, disposal, and environmental protection.
Technological (34 controls): Identity, logging, vulnerabilities, backups, networks, and secure development.
5.1 | Organizational | Governance and compliance | Directive

Policies for information security

Short explanation
Set the direction and rules for information security.
Business meaning
Policies for information security matter in business terms because they make governance and compliance decisions repeatable, reviewable, and easier to defend with evidence.
Example implementation
For policies for information security, a typical implementation combines a documented rule, an operational owner, and recurring evidence that the rule is actually followed.
Related risks
  • Weak governance creates inconsistent control execution and unclear accountability.
  • Unclear rules or exceptions make security decisions hard to defend in audits.
Related evidence
  • Typical evidence: policy versions, approved procedures, governance minutes, supplier clauses, or exception records.
  • Evidence should show who owns control 5.1, how it is performed, and how exceptions are tracked.