ISO 27001 Hub
Compliance happens where the work happens.
GRC platforms sell you a dashboard and an annual subscription. We give you the expertise to build a security culture that actually lives in your business, not in a piece of software you’ll never look at.
- Practitioner-led, not platform-led
- No expensive annual SaaS “tax”
- Built for how humans actually work
- Audit-ready in weeks, not months
Are you new to ISO 27001?
Let’s start by answering the top 5 questions new people have.
ISO 27001 is the international standard for an information security management system. Learn more in ISO 27001 Explained Simply
ISO 27001 Certification starts at £5,000 but there are many things to consider. Learn more in Certification Cost Explained Simply
ISO 27001 certification is the process of being externally audited against the requirements of the standard. Learn more in Certification Explained Simply
ISO 27001 policies are statements of what you do for information security. See a list of mandatory ISO 27001 policies here.
ISO 27001 documents are the mandatory records that prove your management system works. The mandatory list of documents can be found here.
The ISO 27001 Implementation Hub
How to implement ISO 27001 Clauses
How to implement ISO 27001 Organisational Controls
| Control ID | Control Title | Description | Guide |
|---|---|---|---|
| Annex A 5.1 | Policies for information security | Define and approve security policies at the management level. This control sets the strategic direction for information security, ensuring alignment with business goals. It mandates that policies are communicated to all employees and relevant external parties to ensure compliance and awareness of organisational security objectives. | Read Annex A 5.1 Guide |
| Annex A 5.2 | Information Security Roles and Responsibilities | Allocate specific security tasks to individuals. This control prevents accountability gaps by ensuring that responsibilities for assets and security processes are clearly defined and assigned. It establishes a structured approach to risk management, ensuring every aspect of security has a designated owner. | Read Annex A 5.2 Guide |
| Annex A 5.3 | Segregation of duties | Separate conflicting responsibilities to prevent fraud. This control mitigates the risk of error or misuse by ensuring no single individual has total control over a critical process. It mandates splitting execution, authorisation, and verification tasks to create an internal system of checks and balances. | Read Annex A 5.3 Guide |
| Annex A 5.4 | Management responsibilities | Require leadership to actively support security. This control mandates that management provides necessary resources and ensures personnel adhere to established policies. It emphasises that a strong security culture starts at the top, requiring ongoing commitment and direction from senior leadership. | Read Annex A 5.4 Guide |
| Annex A 5.5 | Contact with authorities | Establish communication channels with regulators and law enforcement. This control ensures the organisation is prepared to report security incidents or seek legal advice during a breach. It enables a rapid, legally compliant response to major security events and ensures adherence to reporting obligations. | Read Annex A 5.5 Guide |
| Annex A 5.6 | Contact with special interest groups | Engage with security forums and professional communities. This control encourages participation in industry groups to stay updated on emerging threats and best practices. It ensures the organisation benefits from collective intelligence and early warnings regarding industry-specific risks and technological advancements. | Read Annex A 5.6 Guide |
| Annex A 5.7 | Threat intelligence | Collect and analyse data on security threats. This control mandates gathering intelligence on attack vectors and motives to inform risk decisions. By understanding the evolving threat landscape, organisations can proactively adjust their defences to mitigate specific risks before they are exploited by attackers. | Read Annex A 5.7 Guide |
| Annex A 5.8 | Information security in project management | Integrate security risks into project lifecycles. This control ensures that information security is addressed from the start of any project, preventing costly retrofits. It mandates defining security requirements early to ensure that all project deliverables are secure by design and aligned with organisational standards. | Read Annex A 5.8 Guide |
| Annex A 5.9 | Inventory of information and other associated assets | Identify and list all critical assets. This control creates the foundation for risk assessment by requiring a detailed inventory of information and physical assets. It ensures that all valuable items are known, owned, and protected according to their importance and criticality to business operations. | Read Annex A 5.9 Guide |
| Annex A 5.10 | Acceptable use of information and other associated assets | Define strict rules for asset usage. This control establishes clear policies regarding how employees and external parties may use organisational technology and data. It protects assets from misuse, damage, or unauthorised access by setting explicit boundaries and expectations for professional behaviour. | Read Annex A 5.10 Guide |
| Annex A 5.11 | Return of assets | Mandate the retrieval of equipment upon termination. This control ensures that all organisational assets and information are returned when an employee or contractor leaves. It prevents data leakage and unauthorised access by ensuring hardware and intellectual property remain securely within the organisation’s control. | Read Annex A 5.11 Guide |
| Annex A 5.12 | Classification of information | Categorise data based on value and sensitivity. This control requires information to be classified to ensure appropriate protection levels are applied. It optimises security resources by focusing strong defences on critical and confidential data while meeting legal and regulatory requirements. | Read Annex A 5.12 Guide |
| Annex A 5.13 | Labelling of information | Mark data to prevent mishandling. This control ensures that information is clearly labelled according to its classification scheme. Visual and electronic labels help personnel and automated systems identify sensitive data, preventing accidental disclosure or unauthorised access to confidential records. | Read Annex A 5.13 Guide |
| Annex A 5.14 | Information transfer | Secure data in transit. This control establishes formal policies for transferring information to external parties. It prevents interception, copying, or modification by mandating the use of encryption, secure protocols, and strict agreements whenever sensitive data moves outside the organisation’s secure perimeter. | Read Annex A 5.14 Guide |
| Annex A 5.15 | Access control | Restrict access based on business needs. This control requires a formal policy to manage access rights to information and facilities. By enforcing the principle of least privilege, it ensures users only access data necessary for their roles, minimising internal threats and data exposure. | Read Annex A 5.15 Guide |
| Annex A 5.16 | Identity management | Manage the full lifecycle of user identities. This control covers the registration, provisioning, and de-provisioning of user IDs. It ensures that only valid, authorised users have identities within the system and that these identities are uniquely linked to specific individuals for accountability. | Read Annex A 5.16 Guide |
| Annex A 5.17 | Authentication information | Protect secrets used for verifying identity. This control governs the management of passwords, tokens, and biometric data. It mandates strict confidentiality for authentication credentials and requires system controls like complexity and rotation to prevent unauthorised access via credential theft. | Read Annex A 5.17 Guide |
| Annex A 5.18 | Access rights | Review and revoke user permissions regularly. This control involves the provisioning, modification, and removal of access rights. It ensures permissions are adjusted when roles change and revoked immediately upon termination, preventing “permission creep” and unauthorised access by former employees. | Read Annex A 5.18 Guide |
| Annex A 5.19 | Information security in supplier relationships | Enforce security standards with external partners. This control ensures that suppliers agree to and adhere to the organisation’s security requirements. It mitigates supply chain risk by establishing a baseline of security that must be met before suppliers can access organisational data or systems. | Read Annex A 5.19 Guide |
| Annex A 5.20 | Addressing information security within supplier agreements | Embed security obligations in formal contracts. This control mandates that information security requirements are documented in supplier agreements. It provides a legal framework for enforcement, covering data protection, the right to audit, and incident reporting to protect the organisation legally and operationally. | Read Annex A 5.20 Guide |
| Annex A 5.21 | Managing information security in the ICT supply chain | Secure the technology supply chain. This control addresses risks associated with ICT products and services. It requires agreements with suppliers to ensure the integrity of hardware and software components, preventing the introduction of compromised or malicious technology into the critical infrastructure. | Read Annex A 5.21 Guide |
| Annex A 5.22 | Monitoring, review and change management of supplier services | Audit supplier performance regularly. This control requires the ongoing review of supplier service delivery against security agreements. It ensures that changes to services are managed securely and that any deficiencies or security incidents are identified and rectified promptly. | Read Annex A 5.22 Guide |
| Annex A 5.23 | Information security for use of cloud services | Establish criteria for secure cloud usage. This control sets requirements for selecting, using, and exiting cloud services. It ensures the shared responsibility model is understood and that cloud providers offer adequate controls to protect organisational data in multi-tenant environments. | Read Annex A 5.23 Guide |
| Annex A 5.24 | Information security incident management planning and preparation | Prepare for security breaches. This control requires establishing procedures and responsibilities for managing information security incidents. It ensures the organisation is ready to detect, report, assess, and respond to incidents effectively, minimising damage and operational downtime. | Read Annex A 5.24 Guide |
| Annex A 5.25 | Assessment and decision on information security events | Triage security events effectively. This control mandates a process to determine if an observed event constitutes a security incident. It ensures proper classification so that genuine threats trigger the incident response plan while false positives are filtered out to avoid alert fatigue. | Read Annex A 5.25 Guide |
| Annex A 5.26 | Response to information security incidents | Execute incident response procedures. This control dictates that confirmed incidents must be responded to according to documented plans. It ensures containment, eradication, and recovery actions are taken promptly to limit the impact on confidentiality, integrity, and availability of data. | Read Annex A 5.26 Guide |
| Annex A 5.27 | Learning from information security incidents | Analyse incidents to prevent recurrence. This control requires a post-incident review to identify root causes and improve future responses. It turns security failures into opportunities for strengthening defences, updating policies, and preventing the same type of attack from succeeding again. | Read Annex A 5.27 Guide |
| Annex A 5.28 | Collection of evidence | Preserve forensic data legally. This control ensures that evidence related to security incidents is gathered and stored in a way that is legally admissible. It enables the organisation to pursue disciplinary action or legal prosecution by maintaining the chain of custody and integrity of digital evidence. | Read Annex A 5.28 Guide |
| Annex A 5.29 | Information security during disruption | Maintain security controls during disasters. This control ensures that information security measures continue to function or are replaced by equivalent controls during a crisis. It prevents security compromises from occurring while the organisation operates in emergency mode or while business continuity plans are active. | Read Annex A 5.29 Guide |
| Annex A 5.30 | ICT readiness for business continuity | Ensure IT systems support recovery goals. This control requires that ICT systems have sufficient resilience to support business continuity objectives. It ensures that redundant systems, backups, and failover mechanisms are tested and available to meet defined recovery time (RTO) and recovery point (RPO) objectives. | Read Annex A 5.30 Guide |
| Annex A 5.31 | Identification of legal, statutory, regulatory and contractual requirements | Document all compliance obligations. This control mandates the explicit identification and documentation of all relevant laws and regulations. It prevents non-compliance penalties by ensuring the organisation understands its specific legal obligations regarding data protection, intellectual property, and industry standards. | Read Annex A 5.31 Guide |
| Annex A 5.32 | Intellectual property rights | Ensure compliance with IP laws. This control protects the organisation from litigation regarding software piracy or copyright infringement. It ensures compliance with legal restrictions on the use of third-party material and safeguards the organisation’s own proprietary assets and intellectual property. | Read Annex A 5.32 Guide |
| Annex A 5.33 | Protection of records | Secure records against loss and falsification. This control safeguards organisational records from destruction and unauthorised access. It ensures that statutory, regulatory, and contractual requirements for record retention and secure disposal are met, preserving organisational memory and legal standing. | Read Annex A 5.33 Guide |
| Annex A 5.34 | Privacy and protection of PII | Safeguard Personally Identifiable Information. This control ensures compliance with privacy laws like GDPR or CCPA. It mandates technical and organisational measures to protect personal data, respecting the rights of data subjects and preventing privacy breaches that could lead to heavy fines and reputational damage. | Read Annex A 5.34 Guide |
| Annex A 5.35 | Independent review of information security | Conduct objective security assessments. This control requires an impartial review of the organisation’s approach to information security. By using independent auditors, the organisation verifies that its controls are implemented effectively and remain suitable for the evolving risk landscape. | Read Annex A 5.35 Guide |
| Annex A 5.36 | Compliance with policies and standards for information security | Verify adherence to internal rules. This control mandates regular reviews of information processing systems against security policies. It ensures that managers regularly check that their teams are strictly adhering to established rules, correcting non-compliance before it leads to security incidents. | Read Annex A 5.36 Guide |
| Annex A 5.37 | Documented operating procedures | Standardise operations through documentation. This control requires the creation of detailed procedures for information processing facilities. It ensures consistency, reduces the risk of human error during operations, and provides a critical reference for training staff and resolving incidents efficiently. | Read Annex A 5.37 Guide |
How to implement ISO 27001 People Controls
| Control ID | Control Title | Description | Guide |
|---|---|---|---|
| Annex A 6.1 | Screening | Verify the background of all candidates before employment. This control mitigates insider threats by ensuring that employees, contractors, and suppliers are trustworthy and suitable for their roles. It mandates checks proportionate to the classification of information to be accessed, ensuring due diligence is performed prior to access. | Read Annex A 6.1 Guide |
| Annex A 6.2 | Terms and conditions of employment | Establish clear contractual obligations regarding information security. This control ensures that employees and contractors understand their legal responsibilities for confidentiality and data protection before access is granted. It solidifies the organisation’s legal position and sets explicit expectations for acceptable behaviour and non-disclosure requirements. | Read Annex A 6.2 Guide |
| Annex A 6.3 | Information security awareness, education and training | Educate personnel on their specific security roles and evolving threats. This control mandates regular, relevant training to reduce human error, often the weakest link in security. By fostering a security-conscious culture, organisations ensure staff are equipped to recognise phishing, handle data correctly, and follow policies. | Read Annex A 6.3 Guide |
| Annex A 6.4 | Disciplinary process | Enforce a formal disciplinary process for security violations. This control provides a structured framework to address data breaches caused by negligence or malicious intent. It acts as a critical deterrent, ensuring consistent consequences are applied, thereby reinforcing the seriousness of information security policies across the organisation. | Read Annex A 6.4 Guide |
| Annex A 6.5 | Responsibilities after termination or change of employment | Protect organisational assets during personnel transitions. This control dictates that security responsibilities remain valid even after employment ends. It ensures the immediate return of assets, removal of access rights, and ongoing confidentiality obligations to prevent data leakage during the critical offboarding or role-change phase. | Read Annex A 6.5 Guide |
| Annex A 6.6 | Confidentiality or non-disclosure agreements | Bind employees and external parties to secrecy through legal agreements. This control requires the identification and review of Non-Disclosure Agreements (NDAs) to protect proprietary information. It establishes a legal recourse for data theft and ensures all parties legally acknowledge their duty to maintain confidentiality. | Read Annex A 6.6 Guide |
| Annex A 6.7 | Remote working | Secure information accessed outside the physical office. This control establishes policies for teleworking to protect data on unsecured networks and personal devices. It addresses physical security at home and secure connectivity, ensuring that remote work flexibility does not compromise the organisation’s information security posture. | Read Annex A 6.7 Guide |
| Annex A 6.8 | Information security event reporting | Enable rapid incident response through mandatory reporting channels. This control requires employees to report observed security weaknesses or events immediately. It serves as the organisation’s early warning system, allowing for quick containment of threats and preventing minor anomalies from escalating into major data breaches. | Read Annex A 6.8 Guide |
How to implement ISO 27001 Physical Controls
| Control ID | Control Title | Description | Guide |
|---|---|---|---|
| Annex A 7.1 | Physical security perimeter | Establish secure barriers to protect sensitive information. This control requires defining and constructing robust perimeters, such as walls, gates, or card-controlled entry points, to prevent unauthorised physical access to facilities where critical data and assets are stored, creating the first line of defence against intrusion. | Read Annex A 7.1 Guide |
| Annex A 7.2 | Physical entry controls | Restrict entry to secure areas through authentication mechanisms. This control mandates the implementation of access systems, such as badging, biometrics, or manned reception desks, ensuring that only authorised personnel can enter specific zones and maintaining an audit trail of physical movement. | Read Annex A 7.2 Guide |
| Annex A 7.3 | Securing offices, rooms and facilities | Harden workspaces to prevent unauthorised access and protect assets. This control focuses on the physical security of offices and server rooms, requiring measures like locked doors, window protection, and strategic layout design to safeguard information from theft, damage, or eavesdropping. | Read Annex A 7.3 Guide |
| Annex A 7.4 | Physical security monitoring | Detect unauthorised physical access using continuous surveillance. This control requires the deployment of monitoring systems, such as CCTV cameras, intrusion alarms, and motion sensors, to provide real-time visibility and recorded audit trails of all physical activities within secure perimeters. | Read Annex A 7.4 Guide |
| Annex A 7.5 | Protecting against physical and environmental threats | Shield infrastructure from natural and man-made disasters. This control necessitates protective measures against hazards like fire, flood, earthquakes, and civil unrest. It ensures critical equipment is situated and hardened to withstand environmental risks, guaranteeing business continuity and data availability. | Read Annex A 7.5 Guide |
| Annex A 7.6 | Working in secure areas | Regulate personnel behaviour within high-security zones. This control establishes strict protocols for working in designated secure areas, including supervision requirements and restrictions on photography or recording, to prevent the accidental or malicious compromise of sensitive information housed within those specific locations. | Read Annex A 7.6 Guide |
| Annex A 7.7 | Clear desk and clear screen | Prevent data leakage through visual exposure. This control mandates that sensitive documents be locked away when not in use and that computer screens be locked when unattended. It reduces the risk of unauthorised viewing, theft, or “shoulder surfing” in shared office environments. | Read Annex A 7.7 Guide |
| Annex A 7.8 | Equipment siting and protection | Position hardware strategically to minimise risks. This control involves placing equipment to protect it from environmental threats and unauthorised access, while also ensuring that display screens are positioned to prevent overlooking by unauthorised persons, thereby securing both the physical asset and the data displayed. | Read Annex A 7.8 Guide |
| Annex A 7.9 | Security of assets off-premises | Secure devices and data taken outside the organisation. This control sets requirements for protecting assets like laptops and mobile devices used remotely. It mandates physical protection, encryption, and strict usage policies to prevent theft, loss, or compromise while equipment is in transit or in home offices. | Read Annex A 7.9 Guide |
| Annex A 7.10 | Storage media | Manage the lifecycle of physical media to prevent data breaches. This control governs the management of removable media, hard drives, and tapes. It requires establishing procedures for the classification, handling, transportation, and eventual secure destruction of media to ensure data remains confidential throughout its physical existence. | Read Annex A 7.10 Guide |
| Annex A 7.11 | Supporting utilities | Ensure continuous power and utility supply for critical systems. This control protects against failures in electricity, telecommunications, or HVAC systems. It mandates the implementation of uninterruptible power supplies (UPS) and backup generators to prevent data corruption or loss of availability during utility outages. | Read Annex A 7.11 Guide |
| Annex A 7.12 | Cabling security | Protect power and data cables from interception or damage. This control requires that cabling infrastructure be shielded from physical tampering and environmental damage. It mitigates the risks of wiretapping and accidental disconnection, ensuring the integrity and availability of the organisation’s network communication. | Read Annex A 7.12 Guide |
| Annex A 7.13 | Equipment maintenance | Maintain hardware availability and integrity through regular servicing. This control ensures that equipment is serviced according to manufacturer specifications and that maintenance activities are supervised. It prevents failure due to wear and tear and protects against unauthorised modifications during repair processes. | Read Annex A 7.13 Guide |
| Annex A 7.14 | Secure disposal or re-use of equipment | Sanitise hardware before disposal or reassignment. This control mandates the irreversible deletion of data from storage devices prior to selling, discarding, or re-using equipment. It ensures that sensitive information cannot be recovered by third parties after the hardware leaves the organisation’s control. | Read Annex A 7.14 Guide |
How to implement ISO 27001 Technology Controls
| Control ID | Control Title | Description | Guide |
|---|---|---|---|
| Annex A 8.1 | User Endpoint Devices | Protect devices used to access information. This control establishes requirements for securing laptops, smartphones, and tablets to prevent unauthorised access. It ensures that endpoints are hardened, encrypted, and monitored, reducing the risk of data theft or malware entry through vulnerable user devices. | Read Annex A 8.1 Guide |
| Annex A 8.2 | Privileged Access Rights | Restrict high-level access to authorised users only. This control mandates the allocation and review of privileged access rights based on the principle of least privilege. By strictly managing who can override system controls, organisations minimise the blast radius of insider threats and compromised administrator accounts. | Read Annex A 8.2 Guide |
| Annex A 8.3 | Information Access Restriction | Limit data availability based on business needs. This control ensures that access to information and application functions is restricted according to the established access control policy. It prevents unauthorised viewing or manipulation of sensitive data by enforcing granular access rules aligned with specific job responsibilities. | Read Annex A 8.3 Guide |
| Annex A 8.4 | Access To Source Code | Secure the intellectual property and integrity of software. This control strictly limits read and write access to program source code and associated items. It prevents unauthorised changes, theft of proprietary algorithms, and the introduction of malicious code or backdoors into the organisation’s software assets. | Read Annex A 8.4 Guide |
| Annex A 8.5 | Secure Authentication | Verify user identity with robust mechanisms. This control requires the implementation of strong authentication technologies, such as Multi-Factor Authentication (MFA), to validate users before granting access. It mitigates the risk of credential theft and ensures that only legitimate users can access critical systems and data. | Read Annex A 8.5 Guide |
| Annex A 8.6 | Capacity Management | Monitor resource usage to prevent system failure. This control ensures that information processing facilities have sufficient capacity to meet current and future business needs. By projecting requirements and tuning systems, organisations avoid service interruptions caused by overloads, ensuring high availability and performance continuity. | Read Annex A 8.6 Guide |
| Annex A 8.7 | Protection Against Malware | Deploy defence mechanisms against malicious software. This control mandates the implementation of detection, prevention, and recovery controls to protect against malware. It involves using antivirus software, raising awareness, and scanning incoming files to prevent infection and the subsequent loss or corruption of organisational data. | Read Annex A 8.7 Guide |
| Annex A 8.8 | Management of Technical Vulnerabilities | Identify and patch system weaknesses promptly. This control requires obtaining information about technical vulnerabilities in the systems in use and evaluating the organisation’s exposure to them so that appropriate measures (such as patching) can be applied. It proactively closes security gaps before attackers can exploit them, maintaining the integrity and security of the IT infrastructure. | Read Annex A 8.8 Guide |
| Annex A 8.9 | Configuration Management | Standardise security settings across systems. This control ensures that configurations for hardware, software, and networks are defined, documented, and enforced. By preventing unauthorised changes and “configuration drift,” organisations maintain a consistent security posture and reduce the attack surface available to potential intruders. | Read Annex A 8.9 Guide |
| Annex A 8.10 | Information Deletion | Erase data securely when no longer needed. This control mandates that information stored in information systems, devices, or storage media is deleted when it is no longer required. It ensures compliance with privacy laws (like GDPR) and prevents the retrieval of sensitive data from decommissioned or repurposed assets. | Read Annex A 8.10 Guide |
| Annex A 8.11 | Data Masking | Obscure sensitive data to protect privacy. This control requires the use of data masking, pseudonymisation, or anonymisation techniques in accordance with the organisation’s access control policy. It allows data to be used for testing or analysis without exposing personally identifiable information (PII) or critical business secrets. | Read Annex A 8.11 Guide |
| Annex A 8.12 | Data Leakage Prevention | Detect and block unauthorised data exfiltration. This control involves applying measures to network, endpoint, and email systems to identify and stop the unauthorised transfer of sensitive information. It acts as a safety net against accidental sharing or malicious theft of intellectual property and regulated data. | Read Annex A 8.12 Guide |
| Annex A 8.13 | Information Backup | Guarantee data recovery through regular backups. This control mandates the creation and testing of backup copies of information, software, and system images. It ensures that the organisation can restore operations quickly following a ransomware attack, hardware failure, or physical disaster, minimising downtime and data loss. | Read Annex A 8.13 Guide |
| Annex A 8.14 | Redundancy of Information Processing Facilities | Ensure high availability via failover systems. This control requires identifying business requirements for availability and implementing redundant components or architectures. By eliminating single points of failure, organisations ensure that critical systems remain operational even during component failures or maintenance windows. | Read Annex A 8.14 Guide |
| Annex A 8.15 | Logging | Record system activities for audit and analysis. This control mandates the generation, protection, and analysis of logs recording user activities, exceptions, faults, and information security events. It provides the forensic evidence needed to investigate incidents and verify the effectiveness of security controls. | Read Annex A 8.15 Guide |
| Annex A 8.16 | Monitoring Activities | Detect anomalous behaviour in real time. This control involves monitoring networks, systems, and applications for unusual behaviour that could indicate a security incident. It enables rapid response to threats by correlating events and alerting security teams to potential breaches or policy violations. | Read Annex A 8.16 Guide |
| Annex A 8.17 | Clock Synchronisation | Synchronise system clocks to a single reference time. This control ensures that the clocks of all relevant information processing systems are synchronised to a trusted time source. Accurate time stamping is critical for log analysis, forensic investigations, and the proper functioning of time-dependent security protocols like Kerberos. | Read Annex A 8.17 Guide |
| Annex A 8.18 | Use of Privileged Utility Programs | Restrict the use of powerful system tools. This control strictly limits and monitors the use of utility programs that can override system and application controls. By controlling these tools, organisations prevent unauthorised changes to data or software and reduce the risk of privilege escalation. | Read Annex A 8.18 Guide |
| Annex A 8.19 | Installation of Software on Operational Systems | Control software deployment to production environments. This control establishes procedures to govern the installation of software on operational systems. It prevents the introduction of unauthorised, untested, or malicious software that could compromise system stability or security integrity. | Read Annex A 8.19 Guide |
| Annex A 8.20 | Network Security | Secure networks to protect connected services. This control requires the management and control of networks to protect information in systems and applications. It involves implementing firewalls, intrusion detection, and encryption to safeguard data in transit and prevent unauthorised network access. | Read Annex A 8.20 Guide |
| Annex A 8.21 | Security of Network Services | Define security requirements for network providers. This control ensures that security mechanisms, service levels, and management requirements for all network services (whether in-house or outsourced) are identified and included in service agreements to maintain data confidentiality and availability. | Read Annex A 8.21 Guide |
| Annex A 8.22 | Segregation of Networks | Divide networks to contain potential breaches. This control mandates the separation of groups of information services, users, and information systems on networks (e.g. via VLANs). It limits lateral movement by attackers and prevents unauthorised access between critical business systems and public-facing or guest networks. | Read Annex A 8.22 Guide |
| Annex A 8.23 | Web Filtering | Block access to malicious or non-compliant websites. This control involves managing access to external websites to reduce exposure to malicious content. By filtering web traffic, organisations prevent employees from accessing phishing sites, malware distribution points, or illegal content that could compromise the network. | Read Annex A 8.23 Guide |
|
| Annex A 8.24 | Use of Cryptography | Encrypt data to ensure confidentiality and integrity. This control defines rules for the effective use of cryptography, including key management. It ensures that sensitive information is rendered unreadable to unauthorised parties and protects data both at rest and in transit against interception and tampering. | Read Annex A 8.24 Guide |
|
| Annex A 8.25 | Secure Development Life Cycle | Integrate security into every phase of software development. This control mandates that information security rules are applied throughout the software development lifecycle (SDLC). It ensures that security is designed in from the start, rather than bolted on later, reducing vulnerabilities in the final product. | Read Annex A 8.25 Guide |
|
| Annex A 8.26 | Application Security Requirements | Define security needs before building or buying software. This control requires identifying, specifying, and approving information security requirements when developing or acquiring applications. It ensures that software meets the organisation’s security standards regarding authentication, input validation, and transaction protection. | Read Annex A 8.26 Guide |
|
| Annex A 8.27 | Secure Systems Architecture and Engineering Principles | Build systems on a secure foundation. This control establishes principles for engineering secure systems and applies them to all information system development activities. It ensures a consistent approach to defence-in-depth, least privilege, and failure handling across the organisation’s technology stack. | Read Annex A 8.27 Guide |
|
| Annex A 8.28 | Secure Coding | Write code that resists attack. This control mandates the application of secure coding principles to software development. It aims to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS) by ensuring developers follow best practices and sanitise inputs during the coding process. | Read Annex A 8.28 Guide |
|
| Annex A 8.29 | Security Testing in Development and Acceptance | Validate security controls before deployment. This control requires defining and implementing security testing processes within the development lifecycle. It involves stress testing, penetration testing, and code review to verify that new systems or changes do not introduce security weaknesses into the production environment. | Read Annex A 8.29 Guide |
|
| Annex A 8.30 | Outsourced Development | Supervise third-party software creation. This control ensures that the organisation directs, monitors, and reviews the activities related to outsourced system development. It guarantees that external vendors adhere to the same security standards and coding practices as internal teams, preventing supply chain vulnerabilities. | Read Annex A 8.30 Guide |
|
| Annex A 8.31 | Separation of Development, Test and Production Environments | Isolate environments to prevent accidental changes. This control requires the separation of development, testing, and production environments. It prevents untested code from breaking live systems and ensures that live data is not used insecurely in testing environments, maintaining system stability and data confidentiality. | Read Annex A 8.31 Guide |
|
| Annex A 8.32 | Change Management | Control changes to IT infrastructure. This control mandates a formal process for managing changes to information processing facilities and systems. It ensures that all changes are assessed, authorised, prioritised, planned, and tested to minimise the risk of disruption or security incidents caused by unmanaged alterations. | Read Annex A 8.32 Guide |
|
| Annex A 8.33 | Test Information | Protect operational data during testing. This control requires the careful selection, protection, and management of test information. It generally prohibits using live PII or sensitive operational data for testing unless properly sanitised or masked, ensuring that testing activities do not lead to data breaches. | Read Annex A 8.33 Guide |
|
| Annex A 8.34 | Protection of information systems during audit testing | Minimise disruption during security audits. This control ensures that audit tests and other assurance activities are planned and agreed upon to minimise the impact on business operations. It prevents audits from accidentally causing downtime or compromising the availability and integrity of the systems being tested. | Read Annex A 8.34 Guide |
|
Own Your ISMS, Don’t Rent It
Stop spending £10,000s on consultants and ISMS online platforms.
Free ISO 27001 Training
Why pay for quality ISO 27001 training when you can access these simple, easy-to-follow free ISO 27001 tutorials covering all aspects of the ISO 27001 standard?