A.5 Organizational controls

A.5 Organizational controls defines the high-level governance structure required for an information-security management system, assigning responsibilities, authorities and reporting lines, and establishing policies for segregation of duties, coordination with external parties and compliance with legal and regulatory requirements. It ensures that security roles are clearly documented and that management commitment is demonstrated throughout the organization.