ISO 27001:2022 Annex A Controls
The ISO 27001 framework includes Annex A, which incorporates the list of controls and measurements that can be taken to establish a strong information security framework depending on the company’s context.
The overall objective of the ISO 27001 framework is to protect the confidentiality, integrity, and availability of information. The implementation enables organisations to:
Comply with ever-changing legal requirements through a single framework
Demonstrate prioritised information security and gain a competitive advantage
Prevent security incidents and avoid costly fines
Define processes and job roles and improve organisational structure
But what are the controls, and how do you use them effectively?
ISO 27001:2022: Eleven new controls
Since 2022, eleven new controls have been added to ISO 27001, which are assigned to different categories. Organisations are required to:
A.5.7 Threat intelligence
Collect and analyse data on potential threats to maintain information security
A.5.23 Information security for the use of cloud services
Define and monitor information security for the use of cloud services.
A.5.30 ICT readiness for business continuity
Create an ICT (information and communications technology) continuity plan to maintain business resilience.
A.7.4 Physical security monitoring
Implement appropriate monitoring tools to detect and prevent external and internal intrusions.
A.8.9 Configuration management
Establish policies for documenting, implementing, monitoring and auditing configurations across their network.
A.8.10 Information deletion
Manage data deletion to comply with laws and regulations.
A.8.11 Data masking
Use data masking techniques for personal identifiable information (PII) to comply with laws and regulations.
A.8.12 Data leakage prevention
Take technical measures to identify and prevent the disclosure and/or extraction of information.
A.8.16 Monitoring activities
Improve network monitoring activities to detect anomalous behaviour and respond to security events and incidents.
A.8.23 Web filtering
Enforce access controls and measures to restrict and control access to external websites.
A.8.28 Secure coding
Implement proven principles of secure coding to prevent vulnerabilities that could be caused by inadequate coding methods.
ISO 27001: 4 Control sets
To make things easier, controls in Annex A are categorised into different groups. That divides the context of the controls and the domain of the applicable risks. But what are the relevant categories and where do they apply?
There are 93 ISO 27001 Annex A controls that cover multiple areas of an organisation, and these controls are segmented into four different categories (domains).
These control sets can be selectively applied to your organisation based on the risk assessment results.
Each category can be attributed to a particular focus area within your organisation. Contrary to popular belief, they are not all IT-related.
Grouping the controls into four themes helps organisations decide who is responsible for implementing the measures and which measures apply to their respective organisation. For example, technical controls can be carried out by the IT department, while organisational controls can be carried out by your system operations team.
To achieve a better overview, here is a list of the four different categories of controls:
- Organisational controls (37 measures)
- People controls (8 measures)
- Physical controls (14 actions)
- Technological controls (34 measures)
Organisational Controls: Measurements for organisational safety
Organisational controls typically cover everything that does not fall under the topics of people, technology, or physical security. This includes things like identity management, responsibilities, and evidence collection.
New organisational controls include:
5.7: Threat Intelligence
5.23: Information security for use of cloud services
5.30: ICT readiness for business continuity
Threat Intelligence in particular is an exciting innovation in this area - as this measure goes beyond detecting malicious domain names. Threat intelligence helps organisations better understand how they can be attacked.
People controls: Staff-related measures to protect staff.
The people controls section comprises only eight controls. It focuses on how employees handle sensitive information during their daily work. This includes topics like remote work, nondisclosure agreements and screenings. Onboarding and offboarding processes, as well as responsibilities for reporting incidents, are also relevant.
Physical Controls: Physical measures for the physical protection of the organisation.
Physical controls include security monitoring, maintenance, facility security and storage media. This category is about how you protect against physical and environmental threats such as theft, natural disasters, and deliberate destruction.
The new physical controls include: 7.4: Physical security monitoring.
Technological Controls: Technological measures for technical security.
Technological controls cover the areas of authentication, encryption, and data leakage prevention. Technology must be properly secured to protect data. Various approaches, such as access rights, network security and data masking, help to achieve this.
New technology controls include:
8.1: Data masking
8.9: Configuration management
8.10: Information deletion
8.12: Data leakage prevention
8.16: Monitoring activities
8.23: Web filtering
8.28: Secure coding
In this area, one innovation is particularly important - data leakage prevention. However, web filtering is also noteworthy: this control describes how organisations should filter online traffic to prevent users from visiting potentially harmful websites.