ISO 27001 Annex A controls - A detailed guide

ISO 27001 is a framework of best practices implemented through an information security management system (ISMS). ISO 27001 certification can help businesses improve their information security processes, formalise operations and build trust among customers and stakeholders.

There are 114 ISO 27001 Annex A controls that cover multiple areas of an organisation, and these controls are segmented into 14 different categories (domains).

These control sets can be selectively applied to your organisation based on the risk assessment results.

The 14 control domains of ISO 27001 controls are:

1. Information Security Policies: 
2. Organisation of Information Security
3. Human Resources Security
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operational Security
9. Communications Security
10. Systems Acquisition, Development and Maintenance
11. Supplier Relationships
12. Information Security Incident Management
13. Information Security aspects of Business Continuity Management
14. Compliance

Though not compulsory, ISO 27001 is a widely used and internationally recognised certification that demonstrates a commitment to the protection of confidential information. The ISO 27001 framework spans across all domains of an organisation, focusing on its people, processes and technology through a carefully chosen list of security controls.

This guide provides you with an understanding of the 14 different domains (or categories) of ISO 27001 controls and the focus of each category in relation to your organisation’s ISMS.

In This Guide:

• What is the ISO 27001 Annex A?
• What is ISO 27001 and why should a company adopt it?

• Is there a difference between ISO 27001 and ISO 27002? 
• How many ISO 27001 controls are there?
• What are the 14 categories of ISO 27001 controls?
• How can I implement ISO 27001 Annex A controls?
• Why should an organisation adopt ISO 27001?
• How can an organisation become ISO 27001 certified?
• Conclusion
• FAQs

What is the ISO 27001 Annex A?

ISO 27001 Annex A is arguably the most well-known annex of all the ISO standards, as it contains an essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen the security of information assets.

The ISO 27001 controls are outlined in ISO 27001 Annex A, also known as ISO 27002. These are standard controls that should be simple to put in place because they are all outlined in the ISO 27001 standard.

Tip: To better understand the differences between ISO 27001 and ISO 27002 read our article: ISO 27001 vs. ISO 27002 - How are they different

A simple approach to think of Annex A is as a portfolio of information security controls that you can choose from – you can pick and select from the 114 measures specified in Annex A that are relevant to your organisation’s scope.

What is ISO 27001, and why should a company adopt it?

ISO 27001 is a universal framework for managing information security. The certification is considered an international standard and guides your business’s information security management system (ISMS).

This framework safeguards the confidentiality, integrity and availability of the sensitive consumer information you collect, and compliance prevents unauthorized access, breaches and regulatory fines. Moreover, achieving ISO 27001 certification not only ensures robust information security but also aligns with the requirements of NIS2 (Cybersecurity), emphasising its importance in the current digital landscape.

Is there a difference between ISO 27001 and ISO 27002?

ISO 27001's Annex A does not go into great depth regarding each control. In general, each control has a one-line explanation, which provides you with an idea of what you need to accomplish but not how to execute it.

This is why ISO 27002 was created. It follows the same format as ISO 27001 Annex A. Each control from Annex A is included in ISO 27002, but it includes a far more extensive description of how to put it into practice. However, when it comes to managing information security, ensure your organisation follows both ISO 27001 and ISO 27002 standards.

ISO 27002 consists of 93 controls as opposed to ISO 27001's 114 controls. However, when it comes to managing information security, ensure your organisation follows both ISO 27001 and ISO 27002 standards.

At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.

How many ISO 27001 controls are there?

There are 114 ISO 27001 Annex A controls that cover multiple areas of an organisation, and these controls are segmented into 14 different categories (domains).

These control sets can be selectively applied to your organisation based on the risk assessment results.

The overall objective of the ISO 27001 framework is to protect the confidentiality, integrity, and availability of information. The implementation enables organisations to:

• Comply with ever-changing legal requirements through a single framework
• Demonstrate prioritised information security and gain a competitive advantage
• Prevent security incidents and avoid paying fines
• Define processes and job roles and improve organisational structure

Each category can be attributed to a particular focus area within your organisation. Contrary to popular belief, they are not all IT-related. The following is a breakdown of what each section is focused on.

Before we explore each category of ISO 27001 certification, here is a quick breakdown of Annex A control sets and which areas of your organisation they relate to:

What are the 14 domains of ISO 27001 controls?

Here is a comprehensive list of the 14 control domains:

1. Annex A.5 - Information Security Policies | 2 controls

Objective:

• To ensure that policies regarding information security are written in accordance with your organisation's requirements.
  
  

2. Annex A.6 - Organisation of Information Security | 7 controls

Objective:

• To establish a management framework and assign information security roles for how the controls will be implemented.
• To adopt security guidelines for when employees access, process and store information while working out-of-office.
  
  

3. Annex A.7 - Human Resource Security | 6 controls

Objective:

• To ensure that all parties (employees and contractors) understand their requirements and responsibilities before, during and after their term of employment.
• This involves conducting background checks, adhering to information security policies, conducting necessary training and implementing a formal disciplinary process in order to protect the organisation’s interests.
  
  

4. Annex A.8 - Asset Management | 10 controls

Objective:

• To identify, classify and prevent the disclosure of information and assets.
• This involves defining acceptable use, implementing a classification scheme, outlining procedures for handling assets and implementing procedures to securely dispose of media.
  
  

5. Annex A.9 - Access Control | 14 controls

Objective:

• To limit access to and prevent unauthorised access of information, and hold individuals accountable for protecting authentication information (such as PINs and passwords).
• This involves implementing an access control policy, controlling access rights, defining the use of secret authentication information and restricting any programs with override capabilities.
  
  

6. Annex A.10 - Cryptography | 2 controls

Objective:

• To ensure encryption and key management is used to maintain the confidentiality, integrity and authenticity of important information.
• This involves outlining, through a cryptographic policy, the use and validity period of cryptographic keys.
  
  

7. Annex A.11 - Physical and Environmental Security | 15 controls

Objective:

• To prevent unauthorised access to information that may cause loss or interruption to operations.
• To prevent the compromise of assets through loss, damage or theft.
• This involves defining and implementing a physical security perimeter, securing areas involved in transport (such as loading bays), regularly servicing equipment and protecting equipment when taken off office premises.
  
  

8. Annex A.12 - Operational Security | 14 controls

Objective:

• To ensure the integrity of information processing facilities and operational systems, protecting these facilities from malware, preventing the loss of data, maintaining consistency across activity logs, mitigating potential technical risks and minimising disruptions brought on by audit activities.
• This involves documenting operating procedures (such as changes to organisational processes), separating operational environments, implementing anti-malware software and making users aware of what constitutes acceptable use, following an agreed backup policy, monitoring software installation and regularly evaluating risks.
  
  

9. Annex A.13 - Communications Security | 7 controls

Objective:

• To monitor the internal and external transfer of information.
• This involves implementing information transfer policies across all communication facilities (such as email, social media and internal messaging platforms).
  
  

10. Annex A.14 - System Acquisition, Development and Maintenance | 13 controls

Objective:

• To ensure that information security requirements are established across the lifecycle of information systems and included when updating existing systems or implementing new systems.
• To ensure that data being used for testing is only accessed by authorised personnel.
• This involves protecting information that passes through public networks to prevent misrouting, alteration or unauthorised disclosure, establishing secure development areas, and regularly testing security facilities.
  
  

11. Annex A.15 - Supplier Relationships | 5 controls

Objective:

• To ensure that any valuable assets that can be accessed by suppliers remain protected, and maintain an agreed level of information security.
• This involves establishing formal agreements that address potential risks and regularly monitoring and auditing suppliers.
  
  

12. Annex A.16 - Information Security Incident Management | 7 controls

Objective:

• To ensure that any information security incidents are managed effectively and consistently.
• This involves reporting any weaknesses through the appropriate management channels as quickly as possible, responding to these incidents in line with established procedures and preserving evidence.
  
  

13. Annex A.17 - Information Security Aspects of Business Continuity Management | 4 controls

Objective:

• To ensure the continuation of information security and that these measures are in line with your organisation's continuity plans.
• To ensure the availability of information processing facilities.
  
  

14. Annex A.18 - Compliance | 8 controls

Objective:

• To avoid information security breaches of a legal, statutory, regulatory or contractual nature and ensure that information security is carried out according to organisational requirements
• This involves identifying compliance requirements, protecting against any implications (loss, theft etc.) according to these requirements, ensuring the protection of sensitive information and regularly reviewing the compliance of information systems.

How can I implement ISO 27001 Annex A controls?

Annex A can be used as a checklist of ISO 27001 controls. Organisations are not required to implement all 114 controls but are expected to identify and apply the most suitable controls for their organisation. The process of selecting applicable controls begins with risk assessment and treatment, after which you are required to measure how successful the controls were in achieving information security objectives.

Information security is all about putting in place a set of strong rules that will mature over time. As a result, implementing the controls outlined in Annex A is and must always be the responsibility of a number of persons.

The process of gathering all required documentation and becoming ISO 27001 compliant can be difficult, which is why you and your organisation may benefit from the expertise of an ISO 27001 consultant.

Why should an organisation adopt ISO 27001?

Not all organisations choose to adopt ISO 27001 certification, but many use it as a framework to keep their ISMS safe from the risk of information security breaches.

ISO 27001 compliance proves to parties involved (such as customers and stakeholders) that an organisation has prioritised the implementation of information security best practices.

Essentially, an ISO 27001 certification makes it simpler to satisfy regulatory obligations, demonstrates your organisation’s reliability to partners, and demonstrates your dedication to maintaining the highest standards of information security. It increases the value of your brand, resulting in win-win situations.

How can an organisation become ISO 27001 certified?

It is a two-stage process that takes around three months on average. With over 25 proven ISO 27001 policies and over 25 industry best practices ISO 27001 papers, DataGuard gives you a comprehensive information security management system suited to your particular needs.

Conclusion

An airtight ISMS consists of security measures that cover all aspects of an organisation: its people, processes and technology.

Selecting and implementing the right Annex A controls takes time and our consultants are equipped with the industry expertise to ensure the success of your ISMS.

FAQs

How do you audit ISO 27001 controls?

There are two main types of ISO 27001 audits; internal and external. An internal audit is to be carried out by your employees and consists of the following steps:

1. Documentation review
2. Management review
3. Field review
4. Analysis
5. Report

Meanwhile, an external audit will be carried out by a third-party auditor or certification body and has different stages:

1. Stage 1 audit
2. Stage 2 audit
3. Surveillance audit
4. Recertification audit

How many controls are there in ISO 27002?

ISO 27002 consists of 93 controls. The standard follows the same format as ISO 27001 but contains more details about implementing the controls.

Sign up for a free no-obligation consultation, and begin the process of ISO 27001 compliance. Get in touch with one of our experts!