Auditing ISO 27001:2022 – Organizational Controls

Name: Auditing ISO 27001:2022 – Organizational Controls
Rating: 4.8 (7 reviews)

Master the audit of governance, risk, compliance, and supplier controls in ISO 27001 Annex A Clause 5 – with checklists

Role Play

Created byDr. Amar Massoud

Last updated 6/2026

English

What you'll learn

Audit all 37 Annex A Clause 5 controls with precision
Assess ISMS organizational policies, governance, and risk alignment
Apply audit techniques using real-world scenarios and checklists
Evaluate supplier, compliance, and incident readiness controls effectively

Course content

7 sections • 47 lectures • 3h 43m total length

Introduction7:17
Framework and tools4:57
Case Study Company Introduction2:31

Information Security Governance and Direction2:23
Control 5.1 – Policies for Information Security4:31
Information Security Policy Evaluation
Control 5.2: Information Security Roles and Responsibilities4:47
Evaluating Information Security Roles and Responsibilities
Control 5.3 – Segregation of Duties4:54
Assessing Segregation of Duties in High-Risk Processes
Control 5.4 – Management Responsibilities4:56
Evaluating Management Commitment to the ISMS
Control 5.5: Contact with Authorities5:02
Evaluating External Authority Contact Readiness
Control 5.6 – Contact with Special Interest Groups4:36
Audit Exercise – Evaluating Engagement with Special Interest Groups

Information Security Policy and Strategic Alignment2:08
Control 5.7 – Threat Intelligence5:03
Applying Threat Intelligence in an ISO 27001 Audit Context
Control 5.8: Information Security in Project Management4:41
Auditing Information Security in Business and IT Projects
Control 5.9: Inventory of Information and Associated Assets5:01
Auditing the Completeness and Accuracy of the Information Asset Inventory
Control 5.10 – Acceptable Use of Information and Other Associated Assets4:37
Control 5.10 – Acceptable Use of Information and Other Associated Assets

Risk and Change Management2:20
5.11 Return of assets4:46
Auditing the Return of Assets Process for Offboarding
5.12 Classification of information5:25
Evaluating the Effectiveness of Information Classification Practices
5.13 Labelling of information5:46
Assessing Labelling Practices for Classified Information
5.14 Information transfer5:45
Evaluating Secure Information Transfer Practices
5.15 Access control5:31
Auditing Access Control Policy and Enforcement
5.16 Identity management5:33
Auditing Identity Lifecycle and Governance Practices
5.17 Authentication information5:48
Evaluating the Protection of Authentication Information
5.18 Access rights5:17
Auditing Access Rights Lifecycle and Enforcement
5.19 Information security in supplier relationships3:56
Auditing Supplier Security Relationships and Controls
5.20 Addressing information security within supplier agreements4:54
Auditing the Inclusion of Security Terms in Supplier Contracts

Supplier Management and Third-Party Risks2:05
5.21 Managing information security in the ICT supply chain4:27
Evaluating ICT Supply Chain Security Practices
5.22 Monitoring and review of supplier services4:42
Auditing Supplier Service Monitoring and Review Practices
5.23 Managing changes to supplier services4:56
Discover how ISO 27001:2022 control 5.23 governs changes to supplier services, aligning cloud procurement with risk appetite and defining shared responsibilities to protect data across procurement to exit.
Auditing Change Management in Supplier Services

Compliance and Legal Responsibility2:35
5.24 Information security incident management planning and preparation4:46
Auditing Incident Management Planning and Readiness
5.25 Assessment and decision on information security events4:50
Triage and Escalation Audit: Assessing Security Events
5.26 Response to information security incidents6:26
Audit of Incident Response Execution and Readiness
5.27 Learning from information security incidents5:59
Auditing Lessons Learned from Security Incidents
5.28 Collection of evidence5:42
Auditing Evidence Collection Practices for Security Incidents
5.29 Information security during disruption6:18
Audit Information Security Continuity During Business Disruptions
5.30 ICT readiness for business continuity6:08
Evaluate ICT Continuity Preparedness and Alignment with Business Needs
Control 5.31 – Legal, Statutory, Regulatory, and Contractual Require5:19
Audit Legal and Contractual Compliance Integration in ISMS
5.32 Intellectual property rights5:25
Auditing Intellectual Property Rights Compliance and Controls
5.33 Protection of records6:12
Auditing Record Protection Across the Lifecycle
5.34 Privacy and protection of personally identifiable information (PII)6:19
Auditing PII Privacy Controls in a Multi-Jurisdictional Environment
5.35 Independent review of information security5:09
Evaluating the Independence and Effectiveness of ISMS Reviews
5.36 Compliance with policies, rules and standards for information security5:36
Auditing Policy Compliance and Enforcement Mechanisms
5.37 Information systems audit considerations5:08
Auditing the Planning and Execution of Information Systems Audits

Requirements

Basic understanding of ISO/IEC 27001:2022 structure and principles
Familiarity with management systems and information security terminology
No prior auditing experience required, but useful for practical application
Optional: access to ISO/IEC 27001:2022 standard for deeper engagement

Description

Are you a cybersecurity auditor, ISO 27001 professional, or compliance officer looking to master the audit of ISO/IEC 27001:2022 organizational controls? This course gives you a step-by-step, practical approach to auditing all 37 controls in Annex A Clause 5, which focuses on the organizational domain of information security.

“Auditing ISO 27001:2022 – Organizational Controls” is the first course in a four-part series that fully covers ISO 27001:2022 Annex A. You will learn how to plan, perform, and document audits for controls related to governance, information security policies, risk management, compliance, supplier relationships, and more.

Through professionally structured content, this course includes:

Clear explanations of all 37 Clause 5 controls grouped into logical audit domains
Detailed audit checklists for each control, ready for real use
Scenario-based walkthroughs using our model company, InfoSure Ltd.
Assignments and case studies that strengthen practical auditing skills
Slide notes with 300–350 word auditor-centric narratives for advanced learning

Each control is presented using a consistent structure:

Control explanation
Auditor checklist
Application to InfoSure Ltd.
Hands-on assignment

Whether you're an internal auditor, lead auditor, or ISO consultant, this course provides the methodology, tools, and documentation techniques required to conduct thorough, effective ISO 27001 audits. You’ll learn to spot compliance gaps, interview stakeholders, request evidence, and report findings with confidence.

By the end of this course, you’ll be able to plan and perform audits of ISO 27001 Clause 5 organizational controls with a high level of assurance and accuracy. You’ll also be better prepared to integrate Clause 5 audits into your larger ISMS internal audit program.

Who this course is for:

Information Security Auditors and ISO 27001 Internal Audit Teams
Compliance Officers and GRC Professionals seeking audit expertise
ISMS Managers and Risk Management Consultants
Anyone preparing for ISO 27001 Lead Auditor or Implementer certification

Auditing ISO 27001:2022 – Organizational Controls

What you'll learn

Explore related topics

Course content

Introduction3 lectures • 15min

Information Security Governance and Direction7 lectures • 31min

Information Security Policy and Strategic Alignment5 lectures • 22min

Lesson 16 - Risk and Change Management11 lectures • 55min

Lesson 27 - Supplier Management and Third-Party Risks4 lectures • 16min

Compliance and Legal Responsibility15 lectures • 1hr 22min

Conclusion3 lectures • 3min

Requirements

Description

Who this course is for: