Table of contents
Introduction
I am going to show you what ISO 27001 Annex A Controls are and for each control I am going to
- Show you what is new
- Detail what has changed in the 2022 update
- Give you real world examples
- Do a walkthrough
- Give you an implementation guide per control
- Show you how to comply
- Tell you what the top 3 mistakes people make so you can avoid them
- Where applicable give you ISO 27001 templates to save time and money
You will lean exactly what you need to do to satisfy each ISO 27001 Annex A Control for you to achieve ISO 27001 certification.
I am Stuart Barker the ISO 27001 Ninja and this is the ultimate ISO 27001 Annex A Controls Reference Guide.
What is it?
ISO 27001 Annex A is a list of controls for a business to consider implementing that are designed to address risks to information security. The choice of controls depends on the scope of your ISO 27001 certification and the risks that your organisation faces.
The list of controls comes with suggested guidance. This is not a checklist to tick off and meet rather it is suggestions on how the controls could be implemented. People often get this wrong. The level to which you implement the Annex A controls is down to you. As long as you can justify it based on risk management and organisation need.
Purpose
The purpose of ISO 27001 Annex A Controls is to mitigate the risk to the organisation in terms of confidentiality, integrity and availability of data. These are the tenants that make up the definition of information security. It’s provided as a best practice list and is seen as the minimum set of controls an organisation should consider.
What are the 2022 changes to ISO 27001 Annex A?
We cover the detail in The Complete Guide To The Changes To ISO/IEC 27002:2022. In summary, the structure of the controls has changed, some have been removed, some added and some crashed together.
Implementation Guide
To implement the ISO 27001 Annex A Controls you will
- Define your scope
- Identify your risks
- Choose the controls that you need
- Record the list of controls on the ISO 27001 Statement of Applicability
- Implement and evidence the controls
Detailed implementation guides are provided per control in each control guide below.
ISO 27001:2022 Annex A Controls Reference Guide
Organisational Controls
ISO 27001 Annex A 5.18 Access rights – change
People Controls
Physical Controls
Technology Controls
ISO 27001 Annex A Controls FAQ
The controls have now been structured into 4 domains
1. Organisational Controls (ISO 27001:2002 Annex A 5.1 – 5.37)
2. People Controls (ISO 27001:2002 Annex A 6.1 – 6.9)
3. Physical Controls (ISO 27001:2002 Annex A 7.1 – 5.13)
4. Technological Controls (ISO 27001:2002 Annex A 8.1 – 8.34)
They have removed the term ‘Code of Practice’
The structure of the document has changed
Some controls have been merged, some deleted and new controls have been introduced.
ISO 27001:2022 lists 93 controls compared to the 114 controls in ISO 27001:2013
The list of brand new controls in ISO 27001:2022 Annex A is:
Threat intelligence
Information security for use of Cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding
There are 5 types of ‘attribute’ that apply to control to make them easier to categorise and they are:
1. Control type (Preventive, Detective, Corrective)
2. Information security properties (Confidentiality, Integrity, Availability)
3. Cyber security concepts (Identify, Protect, Detect, Respond, Recover)
4. Operational capabilities (Governance, Asset Management, Information Protection, Human Resources Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationship Security, Legal and Compliance, Information Security Event Management, Information Security Assurance.)
5. Security domains (Governance and Ecosystem, Protection, Defence, Resilience)
Control type is an attribute value added to each control to allow controls to be viewed from the perspective of risk, showing how and when the control modifies the risk. It is made up of 3 values being:
Preventive: the control prevents an information security incident
Detective: the control acts when a information security incident happens
Corrective: the control acts after and information security incident happens
This is the attribute value the sets out which characteristic of information security the control helps. There are 3 values taken from the definition of information security being:
Confidentiality
Integrity
Availability
This is the attribute value that aligns controls to the cybersecurity concepts as set out in ISO/IEC TS 27110. In the realms of the academics here but there are 5 values being:
Identify
Protect
Detect
Respond
Recover
This is the attribute value that assigns controls to security domains. There are 4 security domains being:
Governance and Ecosystem – includes Information System Security Governance and Risk Management, Ecosystem of cybersecurity management
Protection – includes IT Security Architecture, IT Security Administration, Identity and Access Management, IT Security Maintenance, Physical and Environmental Security
Defence – includes Detection, Computer Security Incident Management
Resilience – include Continuity of Operations, Crisis Management
Organisational controls include laws and regulations and the operations of the organisation in relations to information security. Examples of these controls include organisational structure, information security policies, processes and procedures.
There are 37 ISO 27001:2022 Annex A Organisational Controls
They are ISO 27001:2022 Annex A 5.1 to 5.37
People controls relate to the human aspect of information security. Examples of these controls include background checks on employees, screening and terms of employment.
There are 8 ISO 27001:2022 Annex A People Controls
They are ISO 27001:2022 Annex A 6.1 to 6.8
Physical controls relate to physical assets. Entry to buildings, perimeters, clear desk, secure areas are all examples of these controls.
There are 14 ISO 27001:2022 Annex A Physical Controls
They are ISO 27001:2022 Annex A 7.1 to 7.13
Technological controls are software and hardware that work to protect the information security. These include technologies around end point protection, configuration management, data leakage prevention, network security – as examples.
There are 34 ISO 27001:2022 Annex A Technological Controls
They are ISO 27001:2022 Annex A 8.1 to 8.33