Information security is essential for businesses in today’s rapidly evolving digital landscape. Cybercrime is on the rise, and UK businesses suffered an estimated 2.39 million cybercrime incidents and 49,000 fraud incidents in the past year. This has resulted in enormous financial losses and reputational damage.
ISO 27001 controls are the essential guide to information security. They provide a framework for organisations to develop, implement, monitor and improve their information security management system (ISMS). Before the 2022 revision, the ISO 27001 controls were categorised into 14 domains, covering all aspects of information security, from physical and environmental security to access control and incident management.
The ISO 27001 controls were recategorised in 2022 to reflect the current information security needs of organisations. The new categorisation also includes organisational measures.
Understanding the four control categories of ISO 27001:2022 Annex A
ISO 27001:2022 Annex A defines 93 controls organisations can implement to improve their information security. These controls are divided into four categories:
- Organisational controls: These controls relate to the overall structure, culture, and policies of the organisation, as well as its risk management and information security management system (ISMS).
- People controls: These controls focus on the people who have access to the organisation's information assets, including their training, awareness, and responsibilities.
- Physical controls: These controls protect the physical assets of the organisation, such as its buildings, equipment, and data storage facilities.
- Technological controls: These controls protect the organisation's information systems and networks, including its software, hardware, and data encryption.
The four categories facilitate the planning and implementation of reference measures and the selection of the right controls for the organisation's context. In 2022, the categories were restructured to reflect current security requirements. The core processes of ISMS management remain the same, but the controls in Annex A have been updated to reflect more modern risks and the associated measures.
In this article, we focus on the organisational controls from Annex A of ISO 27001:2022.
What are organisational controls?
Organisational controls are measures that help organisations protect their information assets by establishing a culture of security and defining clear roles and responsibilities. They do not target specific people, or specific physical or technological threats, but rather the organisation as a whole.
Organisational controls include:
- Information security policy: This policy defines the principles and objectives of information security management.
- Responsibilities and authorities: Clear roles and responsibilities for information security are defined.
- Management ownership: Management understands and fulfils its role in implementing an information security strategy.
- Information classification: Information assets are classified according to their information security needs, and appropriate measures are developed.
Organisational controls provide a framework for the basic handling of information assets in an organisation. They can be used to:
- Categorise information assets according to their context
- Determine and prioritise information security risks
- Define responsibilities and form management teams
- Integrate information security into all project processes
- Establish clear guidelines for project management, supplier relationships and government interactions.
ISO 27001: New organisational controls
ISO 27001:2022, the latest version of the standard, includes several new organisational controls that respond to today's increasingly complex information security challenges. These include:
- Threat intelligence: Organisations should conduct threat analysis to better understand how they can be attacked and to develop appropriate defences.
- Information security for the use of cloud services: Organisations should assess the information security risks of using cloud services and develop a plan to mitigate them.
- Information and communications technology (ICT) readiness for business continuity: Organisations should ensure that their ICT systems are capable of maintaining business continuity in the event of an outage.
What are the organisational controls?
A comprehensive list of organisational controls from Annex A of ISO 27001
Organisational controls are an essential part of a comprehensive information security strategy. To build a functioning information security management system, organisations need to know which controls exist. We have therefore compiled a comprehensive overview of all organisational controls from Annex A of ISO 27001:
Category | Control | Title
Organisational Controls | Annex A 5.1 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Contact with Authorities
Organisational Controls | Annex A 5.6 | Contact with Special Interest Groups
Organisational Controls | Annex A 5.7 | Threat Intelligence
Organisational Controls | Annex A 5.8 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Return of Assets
Organisational Controls | Annex A 5.12 | Classification of Information
Organisational Controls | Annex A 5.13 | Labelling of Information
Organisational Controls | Annex A 5.14 | Information Transfer
Organisational Controls | Annex A 5.15 | Access Control
Organisational Controls | Annex A 5.16 | Identity Management
Organisational Controls | Annex A 5.17 | Authentication Information
Organisational Controls | Annex A 5.18 | Access Rights
Organisational Controls | Annex A 5.19 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Addressing Information Security within Supplier Agreements
Organisational Controls | Annex A 5.21 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Protection of Records
Organisational Controls | Annex A 5.34 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Documented Operating Procedures
How to implement organisational controls for information security
You've got an overview of controls - now you need to select the right controls and implement them in your organisation. How do you do this? Implementing organisational controls is a process that can be broken down into several steps:
- Assess the status quo:
  The first step is to assess the current state of your organisation's information security. This includes identifying the relevant risks and assessing the effectiveness of existing controls.
  You can use a variety of methods to conduct this assessment, such as:
  - Internal audits: An internal audit is a systematic examination of your organisation's information security policies and procedures, conducted by your own staff.
  - External audits: An external audit is conducted by an independent third party.
- Select the right controls:
  Once you've assessed the status quo, you can select the right controls to implement. It is important to consider the risks and requirements of your organisation.
  The selection of controls can be carried out using a risk management process. This process includes the following steps:
  - Identify the risks: The risks to the organisation's information security are identified.
  - Assess the risks: The risks are assessed in terms of their likelihood of occurrence and their potential for damage.
  - Select risk mitigation measures: Measures are selected to minimise the risks.
- Implement the controls:
  Once you have selected the appropriate controls, you need to implement them effectively. This step can vary depending on the control.
  For example, the implementation of an information security policy may include the following steps:
  - Policy development: The policy is drafted by a team of experts.
  - Policy approval: The policy is approved by senior management.
  - Policy communication: The policy is communicated to all employees.
- Monitor and improve:
  Once you've implemented the controls, you need to monitor their effectiveness on a regular basis. This step will help identify any areas where the controls need to be improved.
  You can monitor the effectiveness of the controls using a variety of methods, such as:
  - Audits: Conducting regular audits to verify compliance with the controls.
  - Reporting: Reporting on the results of monitoring activities.
  - Corrective actions: Taking corrective action when the effectiveness of controls is not assured.
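As an added example that is not part of the article, the risk management step above (identify, assess by likelihood and potential damage, select mitigation measures) can be kept in a small scored risk register that orders the Annex A organisational controls to implement first. The 1 to 5 scales, the risk appetite of 8 and the sample risks are constructed assumptions; only the control numbers and titles come from the article's table.

```python
from dataclasses import dataclass

CONTROL_TITLES = {  # Annex A control ids -> titles as listed in the article
    "5.7": "Threat Intelligence",
    "5.19": "Information Security in Supplier Relationships",
    "5.20": "Addressing Information Security within Supplier Agreements",
    "5.21": "Managing Information Security in the ICT Supply Chain",
    "5.23": "Information Security for Use of Cloud Services",
    "5.30": "ICT Readiness for Business Continuity",
}
RISK_APPETITE = 8  # assumption: any score above this must be treated

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    controls: tuple  # Annex A control ids that mitigate this risk
    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if set(self.controls) - CONTROL_TITLES.keys():
            raise ValueError(f"{self.name}: unknown Annex A control id")
    @property
    def score(self) -> int:  # likelihood x damage, as in the assessment step
        return self.likelihood * self.impact

def prioritise(risks, appetite=RISK_APPETITE):
    """Risks above the appetite, highest score first (ties broken by name)."""
    return sorted((r for r in risks if r.score > appetite),
                  key=lambda r: (-r.score, r.name))

def controls_to_implement(risks, appetite=RISK_APPETITE):
    """Control ids ordered by the total risk score each one treats."""
    weight = {}
    for r in prioritise(risks, appetite):
        for c in r.controls:
            weight[c] = weight.get(c, 0) + r.score
    # tie-break on the numeric control id so output is deterministic
    return sorted(weight, key=lambda c: (-weight[c], tuple(int(p) for p in c.split("."))))

def report(risks, appetite=RISK_APPETITE):
    """Readable implementation order for the risk treatment plan."""
    return [f"Annex A {c}: {CONTROL_TITLES[c]}" for c in controls_to_implement(risks, appetite)]

SAMPLE_REGISTER = [  # constructed sample data, not from the article
    Risk("Cloud provider outage", 3, 4, ("5.23", "5.30")),
    Risk("Unvetted supplier access to data", 4, 4, ("5.19", "5.20", "5.21")),
    Risk("No visibility of emerging threats", 3, 2, ("5.7",)),
]
```

Running `report(SAMPLE_REGISTER)` lists the supplier controls (score 16) before the cloud and continuity controls (score 12), and leaves the threat intelligence risk (score 6) below the appetite for later.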
Tips for implementing organisational controls:
- Start with the most critical controls. Not all controls are created equal. Some controls are more important than others. Start with the most important controls and work your way forward step by step.
- Involve all stakeholders. Implementing organisational controls is a team effort. Involve all stakeholders to make sure that the controls are implemented successfully.
- Communicate the controls. Make sure that everyone knows and understands the controls.
- Measure effectiveness. Measure the effectiveness of the controls on a regular basis to ensure they are achieving their objectives.
Organisational controls to strengthen your information security posture
Organisational controls play a vital role in an ISMS by safeguarding information. They help organisations to fundamentally improve their information security and protect themselves against cyber-attacks.
The new organisational controls in ISO 27001:2022 take into account today's information security challenges and provide additional opportunities for organisations to improve their information security.
A comprehensive overview of organisational controls facilitates and structures the selection of the right measures and helps to take into account the context of your organisation.
Find the right controls for your organisation and use our ISO 27001 checklist to find out what you need to do to comply with ISO 27001.