| ๐ผ 5.1 Policies for information security | | | | |
| ๐ผ 5.2 Information security roles and responsibilities | | | | |
| ๐ผ 5.3 Segregation of duties | | 2 | 2 | |
| ๐ผ 5.4 Management responsibilities | | | | |
| ๐ผ 5.5 Contact with authorities | | 2 | 3 | |
| ๐ผ 5.6 Contact with special interest | | 2 | 3 | |
| ๐ผ 5.7 Threat intelligence | | | | |
| ๐ผ 5.8 Information security in project | | | | |
| ๐ผ 5.9 Inventory of information and | | 3 | 6 | |
| ๐ผ 5.10 Acceptable use of information and other associated assets | | 11 | 26 | |
| ๐ผ 5.11 Return of assets | | | | |
| ๐ผ 5.12 Classification of information | | | | |
| ๐ผ 5.13 Labelling of information | | | | |
| ๐ผ 5.14 Information transfer | | 8 | 10 | |
| ๐ผ 5.15 Access control | | 14 | 30 | |
| ๐ผ 5.16 Identity management | | 2 | 4 | |
| ๐ผ 5.17 Authentication information | | 1 | 1 | |
| ๐ผ 5.18 Access rights | | 4 | 6 | |
| ๐ผ 5.19 Information security in supplier relationships | | | | |
| ๐ผ 5.20 Addressing information security within supplier agreements | | 2 | 3 | |
| ๐ผ 5.21 Managing information security in the information and communication technology (ICT) supply chain | | | | |
| ๐ผ 5.22 Monitoring, review and change Control Control management of supplier services | | | | |
| ๐ผ 5.23 Information security for use of cloud services | | | | |
| ๐ผ 5.24 Information security incident management planning and preparation | | 2 | 3 | |
| ๐ผ 5.25 Assessment and decision on information security events | | 1 | 3 | |
| ๐ผ 5.26 Response to information security incidents | | | | |
| ๐ผ 5.27 Learning from information security incidents | | | | |
| ๐ผ 5.28 Collection of evidence | | 14 | 21 | |
| ๐ผ 5.29 Information security during disruption | | | | |
| ๐ผ 5.30 ICT readiness for business continuity | | | | |
| ๐ผ 5.31 Legal, statutory, regulatory and contractual requirements | | | | |
| ๐ผ 5.32 Intellectual property rights | | | | |
| ๐ผ 5.33 Protection of records | | 10 | 15 | |
| ๐ผ 5.34 Privacy and protection of personal identifiable information (PII) | | | | |
| ๐ผ 5.35 Independent review of information security | | | | |
| ๐ผ 5.36 Compliance with policies, rules and standards for information security | | | | |
| ๐ผ 5.37 Documented operating procedures | | | | |