How to Automate ISO 27001 A.5 Organizational Controls Evidence with Screenshots
ISO 27001 auditors require concrete evidence for Annex A.5 organizational controls, from policy approvals to access management. This guide explains how to automate ISO 27001 evidence collection and where traditional GRC tools fall short.

Getting your ISO 27001 certification requires proving your ISMS actually works in practice. Auditors demand concrete evidence for every Annex A control listed in your Statement of Applicability. While some technical controls are easy to verify via API, Annex A.5 organizational controls—like policy enforcement, asset management, and access reviews—often require manual screenshots or document exports. Relying on manual collection slows down audits and introduces human error. Automating ISO 27001 evidence collection ensures your documentation is always ready and properly formatted. This guide breaks down what auditors expect for A.5 controls and how to capture that proof automatically.
What Evidence Do ISO 27001 Auditors Require for A.5 Organizational Controls?
Auditors require proof that your organizational policies are defined, approved, communicated, and actively enforced. For A.5 controls, this means providing policy documents, asset inventories, access review logs, and supplier security assessments.
The 2022 update to ISO 27001 consolidated the old Annex A control set into four themes. Annex A.5 (Organizational Controls) is the largest, containing 37 distinct controls. You don't just hand the auditor a stack of PDFs and call it a day. They want to see the operational reality of those policies.
Here is how the core A.5 evidence requirements break down in practice:
| Control Category | Key Controls | Required Evidence Artifacts |
|---|---|---|
| Policies & Procedures | A.5.1, A.5.8 | Document version history, management approval signatures, employee acknowledgment logs. |
| Asset Management | A.5.9, A.5.10, A.5.14 | Hardware/software inventory databases, acceptable use agreements, information classification matrices. |
| Access Management | A.5.15, A.5.16, A.5.18 | Role-based access control (RBAC) matrices, user provisioning tickets, quarterly access review screenshots. |
| Supplier Security | A.5.19 - A.5.23 | Vendor risk assessments, signed DPAs, cloud configuration monitoring dashboards. |
If a control is included in your Statement of Applicability (SoA), you need a specific piece of evidence proving it operates as designed.
How Do You Automate Evidence for A.5 Access Control (A.5.15)?
You automate A.5.15 evidence by connecting identity providers and core applications to a continuous monitoring tool. The system should automatically capture screenshots of role configurations, user lists, and access review approvals on a set schedule.
Access control is heavily scrutinized during a Stage 2 audit. The auditor will pick a sample of new hires, terminations, and role changes, then ask you to prove that access was granted or revoked according to your policy.
Doing this manually means digging through Jira tickets, matching them to Okta logs, and taking screenshots of the admin panels in your custom internal tools to prove that "User X" actually has the "Read-Only" role.
Automation changes this workflow. Instead of scrambling before the audit, you set up a system to capture the exact UI state of your access panels monthly. When the auditor asks for the sample, you hand them a timestamped PDF showing the exact configuration of permissions on the day the change was made.
What Evidence Proves Supplier and Cloud Security (A.5.19 - A.5.23)?
To prove supplier security, auditors expect vendor risk assessments, signed DPAs, and evidence that you monitor cloud service configurations. You need documentation showing how you evaluate vendors before onboarding and how you review their security posture annually.
Control A.5.23 (Information security for use of cloud services) was a major addition in the 2022 standard. Auditors now explicitly check how you govern your cloud environment.
Practical evidence for these controls includes:
- Screenshots of your AWS GuardDuty or Google Cloud Security Command Center dashboards
- Exported logs from your vendor management system showing approval dates
- Visual proof of your cloud provider's SOC 2 or ISO 27001 certificates filed in your repository
- Jira workflows showing that a new SaaS tool went through security review before a corporate credit card was used
What ISO 27001 A.5 Evidence Cannot Be Automated with GRC Tools?
Traditional GRC tools track the status of organizational controls but cannot capture the visual UI evidence required for custom internal tools, manual vendor approval workflows, or specific cloud service configurations.
Most compliance platforms rely entirely on APIs. They connect to your AWS environment or your HR system and check if a setting is toggled. That works perfectly for technical controls like encryption (A.8.24).
But A.5 controls are deeply organizational. An API cannot read the context of a Slack thread where the CTO approved an emergency vendor. An API cannot take a screenshot of your proprietary back-office admin panel to prove segregation of duties.
Because of this limitation, teams using traditional GRC platforms still spend dozens of hours manually taking screenshots for their A.5 controls and uploading them as "custom evidence."
To actually automate the organizational side of ISO 27001, you need tools that operate at the visual layer. AI agents and workflow recorders can navigate custom UIs, capture the exact visual state of an admin panel, and generate the timestamped PDFs that auditors expect, bridging the gap that API-only tools leave behind.
How Should You Format Annex A Evidence for the Auditor?
Format your evidence as timestamped PDFs or secure exports mapped directly to your Statement of Applicability (SoA). Every file should clearly state the control ID, the date of capture, and the system being tested.
Auditors care about completeness and accuracy. If you hand them a cropped JPEG of an access list with no date and no URL visible, they will reject it. They need to know the evidence hasn't been tampered with.
When generating evidence automatically, ensure your system captures:
- The full system time and date
- The URL or application window context
- The specific user logged in who is capturing the evidence
- The exact control ID the evidence satisfies
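As an added example (this is not code from the article or from Screenata), the following Python module builds an evidence manifest carrying the four fields listed above, adds a SHA-256 digest of the captured file so a reviewer can confirm it has not changed since capture, and rejects records that are missing a date or URL, the same gap the article says gets a cropped JPEG rejected. The system name, URL, capturing user and screenshot bytes are constructed placeholders.

```python
"""Build and validate an ISO 27001 evidence record carrying the metadata auditors expect.

Added example, not part of the original article. System names, URLs and the
screenshot bytes are constructed for illustration.
"""
import hashlib
import re
from datetime import datetime, timezone

# The metadata the article says every captured artifact must carry,
# plus a digest so the file can be checked for tampering after capture.
REQUIRED_FIELDS = ("control_id", "system", "url", "captured_by", "captured_at", "sha256")
CONTROL_ID_PATTERN = re.compile(r"A\.\d+\.\d+")  # Annex A ids such as A.5.15


def build_evidence_record(control_id, system, url, captured_by, artifact, captured_at=None):
    """Return a manifest dict for one captured artifact (screenshot or PDF bytes).

    captured_at defaults to the current UTC time and is stored as ISO 8601
    with an explicit timezone so the capture date is unambiguous.
    """
    if captured_at is None:
        captured_at = datetime.now(timezone.utc)
    return {
        "control_id": control_id,
        "system": system,
        "url": url,
        "captured_by": captured_by,
        "captured_at": captured_at.isoformat(),
        "sha256": hashlib.sha256(artifact).hexdigest(),
        "size_bytes": len(artifact),
    }


def validate_evidence_record(record):
    """Return a list of problems; an empty list means the record is audit-ready."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing {field}")
    cid = record.get("control_id", "")
    if cid and not CONTROL_ID_PATTERN.fullmatch(cid):
        problems.append(f"control_id {cid!r} is not an Annex A control ID")
    if record.get("captured_at"):
        try:
            ts = datetime.fromisoformat(record["captured_at"])
            if ts.tzinfo is None:
                problems.append("captured_at has no timezone")
        except ValueError:
            problems.append("captured_at is not ISO 8601")
    return problems


def verify_artifact(record, artifact):
    """True if the file bytes still match the digest recorded at capture time."""
    return hashlib.sha256(artifact).hexdigest() == record.get("sha256")


def evidence_filename(record):
    """Deterministic name that maps the file back to the SoA control and capture date."""
    date = record["captured_at"][:10]  # YYYY-MM-DD prefix of the ISO timestamp
    return f"{record['control_id']}_{record['system']}_{date}.json"


if __name__ == "__main__":
    # Constructed sample standing in for screenshot bytes of an admin role panel.
    screenshot = b"PNG-bytes-of-role-panel (constructed sample)"
    rec = build_evidence_record(
        control_id="A.5.15",
        system="internal-admin-panel",            # hypothetical system name
        url="https://admin.example.internal/roles",  # hypothetical URL
        captured_by="compliance-bot@example.com",    # hypothetical capturing account
        artifact=screenshot,
        captured_at=datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),
    )
    print(evidence_filename(rec), validate_evidence_record(rec))
    # A cropped image with no date and no URL, as the article warns, fails validation.
    print(validate_evidence_record({"control_id": "A.5.15", "sha256": rec["sha256"]}))
```

Storing the manifest beside the screenshot (rather than only in a filename) keeps the control mapping, capture time and capturing user with the file when it is uploaded to the auditor's evidence portal, and the digest lets either side re-check the artifact months later.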
A clean, structured evidence pack builds trust with your auditor. When they see that your A.5 organizational controls are documented with the same rigor as your technical infrastructure, the audit moves much faster.
Learn More About ISO 27001 Evidence Automation
For a complete guide to preparing your ISMS for certification, see our guide on how to automate ISO 27001 evidence collection, including how to handle technical and physical controls alongside Annex A.5.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.