Explore all 93 Annex A controls with business meaning and audit relevance
The control library is designed for risk-based learning. Filter by category, business theme, control type, or keyword, then review how each control connects to risks, evidence, and SoA logic.
Controls are selected, not worshipped
Annex A gives options. A mature ISMS explains why each option matters in this business, which risks it addresses, and how operation will be evidenced.
Applicability must be specific
A control should not be marked applicable because it sounds good. It should be applicable because the organization has a context, obligation, dependency, or risk that makes it relevant.
Evidence must show operation
For Annex A controls, strong evidence usually combines design proof and execution proof: for example a procedure plus records, logs, tickets, or reviews.
The SoA is the bridge
The Statement of Applicability is where Annex A stops being a catalogue and becomes a business-specific control position that an auditor can test.
Organizational (37 controls): Policies, governance, supplier oversight, incident management, continuity, and compliance.
People (8 controls): Awareness, hiring, offboarding, remote work, and human behavior.
Physical (14 controls): Premises, visitors, equipment, disposal, and environmental protection.
Technological (34 controls): Identity, logging, vulnerabilities, backups, networks, and secure development.
5.19 | Organizational | Suppliers and cloud | Directive
Information security in supplier relationships
Short explanation
Treat supplier exposure as part of the security system, not as an afterthought.
Business meaning
Information security in supplier relationships matters in business terms because it makes supplier and cloud decisions repeatable, reviewable, and easier to defend with evidence.
Example implementation
For information security in supplier relationships, a typical implementation combines a documented rule, an operational owner, and recurring evidence that the rule is actually followed.
Related risks
Unmanaged supplier exposure creates hidden security dependency.
Service disruption or data handling gaps arise through third parties.
Related evidence
Typical evidence: policy versions, approved procedures, governance minutes, supplier clauses, or exception records.
Evidence should show who owns control 5.19, how it is performed, and how exceptions are tracked.