Annex A.5 (Organizational Controls) of ISO/IEC 27001:2022 addresses leadership, policies, roles, responsibilities, governance, and organisational security practices. In some contexts, collecting certain types of evidence may help document aspects of an ISMS and how controls are applied.
Some SMEs and startups choose to use digital-first records, such as automated logs, and traceable documentation, showing the presence and practical application of key controls. Examples may include version-controlled policies, role assignment records, and tool-based monitoring logs.
Potential Approaches to Policy Communication and Awareness (A.5.1)
Annex A.5.1 (Information security policies) focuses on establishing and communicating information security policies to ensure staff understand their ISMS responsibilities.
To support Annex A.5 requirements, organisations may collect evidence that staff are informed about and engaged with ISMS responsibilities. Digital-first tools may be used to record acknowledgements, training activities, or communications in a traceable, time-stamped manner.
Illustrative Examples:
- Training attendance records from LMS or HRIS, which may help indicate staff participation in awareness activities.
- Screenshots or logs from internal tools such as Slack or Teams channels, which may illustrate communication of policies or risk updates.
- Workshop or onboarding session logs with participant lists, which may show how new and existing staff are introduced to ISMS responsibilities.
General Observation: Linking communication and awareness records to the Statement of Applicability (SoA) and reviewing them periodically (for example, quarterly or during onboarding) may help illustrate how information security policies are communicated and applied in practice.
Considerations for Policy and Procedure Evidence in SMEs (A.5.1)
Annex A.5.1 (Information security policies) addresses the establishment and maintenance of information security policies that provide direction and support for the ISMS.
For Annex A.5.1, organisations may maintain records that illustrate how information security policies and procedures are documented, made accessible, and referenced in day-to-day operations. SMEs and startups often use digital-first approaches to create traceable records over time, supporting visibility and consistency without implying specific outcomes.
Illustrative Examples:
- Version-controlled policies in Git, Confluence, or GRC platforms to track changes over time.
- HRIS or LMS logs indicating that employees have read or acknowledged policies.
- Offboarding tickets documenting access revocation during staff transitions.
- Records of policy and procedure updates prompted by security incidents or business changes, which may help illustrate ongoing application.
General Observation: Linking policy and procedure evidence, acknowledgment records, and offboarding activities to the Statement of Applicability (SoA), and reviewing them periodically (for example, annually or after incidents), may help illustrate how policies and procedures connect to awareness activities and operational practice over time.
Exploring Leadership Commitment and Oversight (A.5.1 – A.5.4)
Annex A.5.1 to A.5.4 focus on leadership direction, policy governance, role assignment, and oversight activities that support the operation of the ISMS.
Auditors may review evidence that top management actively participates in and supports the ISMS, demonstrating oversight and accountability. Collecting records over time can show that leadership involvement is consistent rather than prepared solely for audit purposes.
Illustrative Examples:
- GRC platform logs with timestamps showing approvals of policies or risk decisions.
- Management meeting notes in Confluence or Notion documenting ISMS discussions.
- Slack or Teams announcements highlighting policy updates, risk treatment decisions, or leadership guidance.
General Observation: Maintaining chronological and accessible records, including periodic (e.g. quarterly) leadership reviews and communications linked to policies and awareness activities, may help illustrate ongoing management engagement over time.
Approaches to Segregation of Duties in Small Teams (A.5.3)
Annex A.5.3 (Segregation of duties) generally addresses the reduction of risks associated with inappropriate or excessive access by separating conflicting duties where practical.
Segregation of duties helps prevent excessive privileges for a single individual, reducing the risk of errors or misuse. In some SME or startup environments, where one person may have “Admin” access, organisations may choose to maintain records of evidence that tasks are divided appropriately.
Potential Example Indicators:
- A Segregation of Duties (SoD) matrix showing who can approve, deploy, or modify systems.
- Peer-reviewed GitHub pull requests or code merge approvals demonstrating oversight.
- Access request and approval logs from cloud services or DevOps platforms.
General Observation: Linking SoD records to the SoA is one method used to document how privileges are distributed.
Considerations for Roles, Responsibilities, and Asset Ownership (A.5.2, A.5.9, A.5.11)
Annex A.5.2 (Roles and responsibilities), A.5.9 (Asset inventory), and A.5.11 (Return of assets) relate to defining information security roles and responsibilities, assigning ownership for information assets, and managing asset-related changes across their lifecycle.
Organisations may maintain records that illustrate how information security roles, responsibilities, and asset ownership are defined and tracked over time. For SMEs and startups, this often involves lightweight documentation that links people, assets, and lifecycle events without relying on complex tooling. Connecting roles to assets and access activities may help illustrate accountability and operational awareness in day-to-day operations.
Illustrative Examples:
- Organisational charts showing reporting lines and assigned ISMS or control ownership roles (related to A.5.2).
- Job or role descriptions referencing specific information security or asset-related responsibilities.
- Asset registers maintained in tools such as Jira, Notion, or Excel, showing ownership, classification, and status (related to A.5.9).
- Offboarding or role-change records documenting the return, reassignment, or removal of access to information assets (related to A.5.11).
General Observation: Linking role assignments, asset records, and offboarding evidence to the Statement of Applicability (SoA) may help document how responsibilities are allocated and maintained over time across the organisation.
External Liaison and Industry Engagement Considerations (A.5.5 – A.5.6)
Annex A.5.5 (Contact with authorities) and A.5.6 (Contact with special interest groups) relate to maintaining appropriate contact with authorities and relevant external groups for information security purposes.
SMEs and startups may need to maintain connections with authorities and security-focused groups to respond effectively to incidents or emerging risks.
Potential Example Indicators:
- A list of emergency contacts (e.g. Local Cyber Police, CERT, regulatory bodies).
- Membership records in security or industry groups, such as ISACA, OWASP, or relevant Slack / Discord communities.
- Meeting notes or communications documenting engagement or alerts received from these groups.
General Observation: Maintaining a centralised, version-controlled contact list may help illustrate organisational awareness and preparedness in a practical and traceable manner.
Potential Approaches to Threat Intelligence Application (A.5.7)
Annex A.5.7 (Threat intelligence) discusses the concept of monitoring external threats and applying that knowledge to organisational practices. Unlike A.8.8 (Technical vulnerabilities), which focuses on known vulnerabilities, A.5.7 emphasises awareness of emerging risks such as ransomware, phishing campaigns, or vendor advisories.
Suggested Illustrative Examples:
- Curated Slack or Teams channels tracking CVE alerts, vendor advisories, ISAC notices, or relevant industry security news.
- Logs from GitHub Dependabot, Snyk, or other scanning tools monitoring potential threats.
- Records of responsive actions, including patches, configuration updates, or procedural adjustments.
General Observation: Some organisations find that collecting both alert information and responsive actions provides a way to track threat intelligence over time; linking these activities to the Statement of Applicability (SoA) may support a continuous and traceable risk-awareness approach.
Managing Supplier and Cloud Risk: Potential Evidence Considerations (A.5.19 – A.5.23)
Annex A.5.19 to A.5.23 focus on managing risks from suppliers and cloud services, including selecting, monitoring, and reviewing external providers to support ISMS objectives.
SMEs and startups often depend on external providers, making it important to collect and organise supplier-related evidence to support ISMS activities. Supplier evidence may help illustrate how an organisation manages third-party and cloud-related risks, identifies priority vendors, and applies controls.
Potential Example Indicators:
- Vendor tiering spreadsheet identifying suppliers with higher risk or critical business functions.
- Copies of SOC 2 reports, ISO certifications, and relevant contracts.
- Data Processing Agreements (DPAs), cloud service risk assessments, or Security Annexes for cloud and software providers.
- Records of supplier risk assessments, periodic review meetings, and any corrective actions taken, which may help document practices of follow-through on identified risks.
General Observation: Linking supplier and cloud evidence to the Statement of Applicability (SoA), maintaining records on an annual or onboarding basis, and connecting them to relevant access control measures (A.5.15 or A.5.18) may provide context on how these controls relate to overall ISMS governance and operational risk management.
Exploring ICT Readiness and Business Continuity Evidence (A.5.30)
Annex A.5.30 (ICT readiness for business continuity) focuses on ICT readiness and business continuity, requiring organisations to maintain resilient systems and evidence of continuity measures to support ISMS objectives.
For SMEs and startups, showing evidence of ICT readiness and business continuity helps illustrate that critical systems are resilient and that continuity measures are maintained on an ongoing basis (Monthly / Quarterly). This type of evidence supports organisational risk management and links directly to Business Continuity (A.5.29).
Potential Example Indicators:
- Disaster Recovery (DR) test results and backup success logs (e.g. AWS Backup, Veeam), including outcomes and observations.
- Logs documenting follow-up actions or adjustments made after continuity tests, linked to continuity plans and operational risk management.
- Continuity plans with version history, annotations from plan owners, and records of updates reflecting lessons learned, connected to the Statement of Applicability (SoA) and related control A.5.29.
General Observation: Maintaining chronological, accessible, and tool-based records may help document operational practices and resilience efforts, depending on organisational needs, while clearly linking continuity activities to policies, SoA, and the broader ISMS governance framework.
Considerations for Intellectual Property Protection (A.5.32)
Annex A.5.32 (Intellectual property rights) addresses intellectual property protection, requiring organisations to manage, track, and safeguard proprietary information and assets within the ISMS.
Intellectual property (IP) is a critical asset for SMEs and startups. Demonstrating evidence of protection may help document how IP is managed and responsibilities are assigned.
Potential Example Indicators:
- NDAs (Non-Disclosure Agreements) for employees, contractors, and vendors.
- IP inventories or asset registers tracking proprietary products, designs, or code.
- Logs of periodic reviews, updates, or approvals for IP handling processes.
General Observation: Linking IP evidence to relevant policies, role assignments, and the Statement of Applicability (SoA) may help demonstrate a traceable and consistent approach to managing intellectual property.
Potential Approaches to Personal Data Protection (A.5.34)
Annex A.5.34 (Privacy and protection of PII) focuses on personal data protection, requiring organisations to implement practices that safeguard personally identifiable information (PII) in line with ISMS objectives.
Personal data, including PII, is often one of the most valuable and sensitive assets for SMEs. Evidence demonstrating its protection may help record how personal data handling practices are implemented.
Potential Example Indicators:
- A PII inventory or Record of Processing Activities (RoPA) documenting how personal data is collected, stored, and processed.
- Logs of periodic privacy reviews or updates.
- Consent tracking and documentation for data subjects where required.
General Observation: Linking privacy evidence to relevant policies, training, operational procedures, and the SoA may help demonstrate a traceable, repeatable approach and may support operational management of personal data.
Observing Links Between Policies, Training, and Operations
Evidence often works best when it tells a connected story rather than existing in silos. Linking evidence across policies, training, and operational actions may help illustrate how controls are applied in practice. For example:
- A policy (A.5.1) exists.
- Staff have completed training referencing the policy (A.5.1).
- Offboarding records indicate access revocations aligned with the policy (A.5.11).
This approach illustrates how evidence across policies, training, and operational activities can be connected to show how controls are applied and monitored over time.
Observation: Some organisations find that mapping evidence to the SoA adds context on how controls are applied and monitored.
Common Observations of Evidence Challenges
SMEs sometimes face challenges when collecting evidence for Annex A.5 controls. Recognising common pitfalls may help teams develop a more consistent approach:
| Common Observations | Practical Context |
|---|---|
| Policy focus without operational records | In many cases, auditors have been known to look for execution evidence, such as access revocation tickets, patch logs, or incident-driven updates. |
| Manual screenshots | It is often observed that automated, timestamped logs from GRC, HRIS, or version control systems may provide more traceable records. |
| Ignoring cloud services | Documenting vendor risk, SOC 2 reports, and contract compliance (A.5.20 Supplier agreements, A.5.23 Cloud services) may help show attention to external dependencies. |
| Point-in-time collection | Maintaining evidence over time may demonstrate continuity, rather than capturing it only before an audit period. |
Note: Combining these practices may help SMEs create a more coherent evidence flow, linking policies, actions, and operational records.
Example Evidence Considerations for Annex A.5 (ISO/IEC 27001:2022)
This checklist provides examples of evidence that SMEs may use to support Annex A.5 organisational controls. It highlights digital-first, traceable records and indicates how evidence may connect across policies, roles, and operational activities. Frequency suggestions indicate how often evidence may be reviewed or updated, reflecting ongoing operational awareness rather than a one-time activity.
| Control Focus | Commonly Used Examples | Frequency | Potential Connections |
|---|---|---|---|
| Communication and Awareness (A.5.1) | Training records, meeting logs, Slack / Teams archives, workshop / onboarding session logs | Quarterly / Onboarding | May link to Policy Implementation |
| Policies and Procedures (A.5.1) | Version-controlled policies, acknowledgment logs, offboarding tickets | Annual review; after incidents | May link to Awareness and other operational activities |
| Leadership Commitment (A.5.1 – A.5.4) | GRC approval logs, management meeting notes, Slack / Teams announcements | Quarterly review | May connect to Policies and Awareness |
| Segregation of Duties (A.5.3) | SoD matrix, peer-reviewed GitHub pull requests, access request / approval logs | Quarterly / Onboarding | May connect to Roles and Responsibilities, Risk Treatment |
| Roles and Asset Inventory (A.5.2, A.5.9, A.5.11) | Org charts, job descriptions, asset registers, offboarding / return logs | Annual / Onboarding | May link to Risk Treatment and Access Control |
| External Liaisons (A.5.5 – A.5.6) | List of emergency contacts (CERT, regulators), memberships in ISACA / OWASP / industry groups, engagement notes | Annual / Incident-driven | May link to Risk Treatment, Awareness, Incident Response |
| Threat Intelligence (A.5.7) | Snyk / Dependabot logs, ISAC newsletters, Slack #security-alerts | Continuous | May connect to Risk Treatment (A.6.1) |
| Supplier and Cloud Risk (A.5.19 – A.5.23) | DPAs, SOC 2 reports, cloud service risk assessments, vendor assessments | Annual / Onboarding | May connect to Access Control (A.5.15) |
| Business Continuity and ICT Readiness (A.5.30) | DR test results, backup success logs (AWS Backup / Veeam) | Monthly / Quarterly | May connect to Business Continuity (A.5.29) |
| Intellectual Property Protection (A.5.32) | NDAs for employees / contractors, IP inventories, logs of IP reviews or updates | Annual / Onboarding | May link to Policies and Access Control |
| Privacy and Personal Data Protection (A.5.34) | PII inventory / Record of Processing Activities (RoPA), logs of privacy reviews, consent tracking | Annual / Periodic | May connect to Policies, Awareness, Risk Treatment |
Note: These are examples of typical review frequencies; organisations may adjust based on size, risk profile, or internal processes.
Potential Practical Steps for Evidence Organisation
SMEs and startups may find it helpful to focus on activities that create traceable, digital-first evidence for Annex A.5 organisational controls. Commonly observed organisational activities include:
- Prioritise high-risk controls first – Focusing on high-risk controls first is a common strategy in many ISMS frameworks.
- Use of templates – Policy, SoA mapping, and role assignment templates may support consistency and reduce administrative effort.
- Connect evidence logically from policies to practice – Linking records across policies, training, and operational actions can help illustrate how controls are applied.
- Utilising digital, timestamped records – Digital logs from HRIS, GRC, or version control platforms may provide better traceability than printed documents.
- Regular collection of evidence – Capturing records continuously or periodically may reflect ongoing operational awareness.
Observation: Adapting these steps to your team size and risk profile may help prioritise effort without creating unnecessary documentation.
Concluding Thoughts and General Considerations
Collecting evidence for ISO/IEC 27001:2022 Annex A.5 may help SMEs and startups demonstrate that organisational controls are active, digital-first, and linked to operational practices. High-risk controls, such as information and asset inventories (A.5.9), cloud services (A.5.23), threat intelligence (A.5.7), and ICT continuity (A.5.30), may be prioritised.
Using templates and timestamped digital records may make evidence easier to manage and reference. Teams may consider regular review of evidence and updates to reflect changes in policies, roles, and operational activities.
Next Step: Explore various ISO 27001 templates to see what might fit your team's unique needs.
Next Article: In Common ISO 27001 Audit Artefacts: Observations on SME Preparations, we explore how SMEs and startups document operational activities clearly and efficiently, illustrating practical approaches to recording policies, roles, and processes.
Related Guides
Explore these ISO 27001 resources to help your SME build a practical, lean ISMS:
Start Here: Complete Guide
- ISO 27001 for SMEs and Startups: The Chill Implementation Guide (2026 Edition) – Full roadmap covering all clauses and Annex A controls, with practical steps, examples, and guidance.
Practical Checklists and Essential Documents – Detailed Guides by Topic
- ISO 27001 Without a Dedicated Compliance Team: What Small Teams Can Do – A pragmatic look at how startups can distribute security "hats" among existing staff and use templates to manage an ISMS without a full-time compliance hire.
- ISO 27001 for Small Teams: What to DIY and What to Outsource (The Hybrid Guide) – Practical guidance for SMEs on dividing ISO 27001 tasks between internal teams and external support to maintain oversight and efficiency.
- ISO 27001 Incident Management Workflow: A Practical Template for SMEs – Step-by-step guidance for small teams to handle security events, preserve records, and maintain a structured approach.
- Common ISO 27001 Audit Artefacts: Observations on SME Preparations – Practical guidance for SMEs to organise ISO 27001 audit artefacts and support traceable ISMS evidence.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.
This article also mentions examples of commonly used tools. Chill Compliance does not endorse any vendor and has no commercial or affiliate relationship with the providers listed. These examples are for general information only, and readers may wish to evaluate each tool independently, as features and pricing can vary.