Chat with Experta

User
How to structure documentation for Annex A?
Experta
There are two approaches to structuring the documents for Annex A controls:
a) Smaller companies will normally have policies and/or procedures that cover several controls with one document only – for instance, you might use:
- Access Control Policy to cover 4 controls from section A.5 and 2 controls from section A.8 (without the need to write detailed procedures)
- BYOD (Bring Your Own Device) Policy to cover organizational (A.5.14 Information transfer), human (A.6.7 Remote working), and technological (A.8.1 User endpoint devices) controls
- IT Security Policy, where you might get even more ambitious and cover controls from various sections of Annex A, since this document could serve as a security baseline for all employees: A.5.9, A.5.10, A.5.11, A.5.14, A.5.17, A.5.32, A.6.7, A.7.7, A.7.9, A.7.10, A.8.1, A.8.7, A.8.10, A.8.12, A.8.13, A.8.19, and A.8.23
b) Bigger companies usually structure the documentation in a different way:
- Major security areas will be covered with a policy – e.g., Human Resources Security Policy, Physical Security Policy, Asset Management Policy, etc.
- Each policy will have detailed procedures and/or working instructions that cover individual controls – for example, Information classification procedure (for control A.5.12), Information labeling procedure (control A.5.13), Information handling procedure (control A.5.10), etc.