ISO 27001 controls: What is Annex A:6?

Explore ISO 27001 Annex A:6 to boost your organisation’s information security and compliance. Learn key controls for internal operations and mobile work environments with insights from Citation Certification.
ISO 27001 controls: What is Annex A:6?

In our last blog, we discussed ISO Controls for Annex A:5 regarding information security. Today, we will delve into Annex A:6, which focuses on the internal organisation. The primary objective of Annex A:6 is to establish a management framework to initiate and control the implementation of an effective Information Security Management System (ISMS). It also guides the operation of information security within the organisation, promoting best practices in cybersecurity to inspire customer confidence and meet all necessary regulatory requirements.

Learning about ISMS controls is highly recommended, especially if you aim to achieve ISO 27001 certification. Let’s understand these requirements, how they can benefit your organisation, and what exactly Annex A:6 entails.

What is Annex A:6?

According to the ISO 27001 Standard, the purpose of Annex A:6 is to:



Establish a management framework to initiate and control the implementation and operation of information security within the organisation.


Annex A:6 is subdivided into two sections:

  • Annex A.6.1: Ensures that the organisation has a framework under ISO standards to implement and maintain information security within the organisation.
  • Annex A.6.2: Addresses mobile devices and remote working, designed for anyone working from home or on the go, either part-time or full-time, to follow appropriate practices.

A.6.1.1 Information Security Roles and Responsibilities

All information security roles and responsibilities must be defined and approved by management. These responsibilities can be general (e.g., protecting information) or specific (e.g., responsibility for accessing particular permissions). Here are some tips to understand Annex A.6.1.1:

  • Consider the ownership of information assets or groups of assets when identifying responsibilities.
  • Access to information security should be granted to relevant staff members, such as CEOs, Business Owners, General Managers, HR managers, and Internal auditors.
  • The auditor will look for assurance that the organisation has clearly defined who is responsible and what is appropriate according to the size and nature of the organisation.
  • For smaller organisations, it may be unrealistic to have full-time roles for these responsibilities. Instead, assign relevant authority within the organisation to hold responsibility and implement the process.


Get Your Free ISO 27001 – Information Security Management System – Gap Analysis Checklist

A.6.1.3 Contact with Authorities

The auditor or Security Officer must maintain contact with relevant authorities. When applying this control, consider the legal responsibilities of contracting authorities. Duties and responsibilities should be segregated to reduce unauthorised access within the organisation.

A.6.1.4 Contact with Special Interest Groups

A Special Interest Group (SIG) is a community within a larger organisation with a shared interest in a specific area of knowledge, learning, or technology. Members cooperate to produce solutions within their field and may communicate, meet, and organise conferences. These contacts should only have appropriate authority to access information security.

A.6.1.5 Information Security in Project Management

Information security needs to be integrated into project management, regardless of the type of project. Information security should be embedded in the organisation’s project management processes. The auditor will assess whether project participants consider information security at all stages. This should also be part of the education and awareness in line with HR Security for A.7.2.2.

A.6.2 Mobile Devices and Remote Working

Annex A.6.2 states that any organisation aiming to achieve ISO 27001 must maintain a policy for the security of teleworking and mobile devices. The electronic device could be owned by the organisation or the employee (BYOD). All mobile and networking activities should be secured to eliminate threats to information security.

For further guidance and support on achieving ISO 27001 certification and understanding Annex A:6, contact Citation Certification today. We offer comprehensive support and training to help your organisation meet all necessary requirements and achieve compliance with ISO 27001 standards.

The organisation shall determine any external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its information security management systems.

Take your business to the next level

What are you interested in?
Your data will be processed inline with our Privacy Policy.
This field is for validation purposes and should be left unchanged.