ISO 27001 Controls
The Ultimate ISO 27001 Controls Guide is the most comprehensive ISO 27001 reference guide there is. For the beginner, and the practitioner, this guide covers everything you need to know. Updated for the 2022 update with all the latest guidance and insider trade secrets that others simply do not want you to know. Not for free anyway.
In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002:2013 controls and the new and updated ISO 27002:2022 control list. What controls do you need to implement? Let’s take a deep dive. I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Controls.
ISO 27001 Controls Overview
I like the controls because they are standard controls that are easy to implement. When you buy a copy of the standard they are all laid out. Let us take a look at the ISO 27001 controls checklist. I have summarised them in the table of contents for ease of navigation.
If you want a list of both versions of the control you can download a copy here.
ISO 27001 is the international standard for information security. It has a checklist of ISO 27001 controls. These controls are set out in ISO 27001 Annex A, often referred to as ISO 27002.
We previously explored What is the difference between ISO 27001 and ISO 27002.
ISO 27001:2022
It is important to note that ISO 27001 itself has changed and is now referenced as ISO 27001:2022. You can read ISO 27001 2022 Everything You Need to Know for what has changed in ISO 27001. We are going to list the controls and the changes below.
ISO 27002:2022
The ISO 27001 controls are listed in the ISO 27001 Annex A. ISO 27001 Annex A references a guidance standard, ISO 27002, that lists out the controls and provides implementation guidance.
The list of controls changed in 2022 and is now referenced as ISO 27002:2022. You can read the complete guide to the ISO 27002 changes for what exactly changed in ISO 27002. We are going to list the controls and the changes below.
ISO 27001:2022 ISMS Controls
ISO 27001 is the standard that you certify against. It is a management framework. Let’s start with a look at the ISO 27001 information security management system controls. ISO 27001 is divided into clauses which act as domains or groups of related controls. Click the links to learn everything you need to know about the control.
ISO 27001 Controls Summary Table
ISO/IEC 27001:2022 | ISO/IEC 27001:2013 |
---|---|
ISO/IEC 27001:2022 Clause 4 Context of the Organisation | ISO/IEC 27001:2013 Clause 4 Context of the Organisation |
ISO/IEC 27001:2022 Clause 4.1 Understanding the organisation and its context | ISO/IEC 27001:2013 Clause 4.1 Understanding the organisation and its context |
ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties | ISO/IEC 27001:2013 Clause 4.2 Understanding the needs and expectations of interested parties |
ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management system | ISO/IEC 27001:2013 Clause 4.3 Determining the scope of the information security management system |
ISO/IEC 27001:2022 Clause 4.4 Information security management system | ISO/IEC 27001:2013 Clause 4.4 Information security management system |
ISO/IEC 27001:2022 Clause 5 Leadership | ISO/IEC 27001:2013 Clause 5 Leadership |
ISO/IEC 27001:2022 Clause 5.1 Leadership and commitment | ISO/IEC 27001:2013 Clause 5.1 Leadership and commitment |
ISO/IEC 27001:2022 Clause 5.2 Policy | ISO/IEC 27001:2013 Clause 5.2 Policy |
ISO/IEC 27001:2022 Clause 5.3 Organisational roles, responsibilities and authorities | ISO/IEC 27001:2013 Clause 5.3 Organizational roles, responsibilities and authorities |
ISO/IEC 27001:2022 Clause 6 Planning | ISO/IEC 27001:2013 Clause 6 Planning |
ISO/IEC 27001:2022 Clause 6.1 Actions to address risks and opportunities | ISO/IEC 27001:2013 Clause 6.1 Actions to address risks and opportunities |
ISO/IEC 27001:2022 Clause 6.1.1 General | ISO/IEC 27001:2013 Clause 6.1.1 General |
ISO/IEC 27001:2022 Clause 6.1.2 Information security risk assessment | ISO/IEC 27001:2013 Clause 6.1.2 Information security risk assessment |
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatment | ISO/IEC 27001:2013 Clause 6.1.3 Information security risk treatment |
ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve them | ISO/IEC 27001:2013 Clause 6.2 Information security objectives and planning to achieve them |
ISO/IEC 27001:2022 Clause 6.3 Planning of Changes | NEW |
ISO/IEC 27001:2022 Clause 7 Support | ISO/IEC 27001:2013 Clause 7 Support |
ISO/IEC 27001:2022 Clause 7.1 Resources | ISO/IEC 27001:2013 Clause 7.1 Resources |
ISO/IEC 27001:2022 Clause 7.2 Competence | ISO/IEC 27001:2013 Clause 7.2 Competence |
ISO/IEC 27001:2022 Clause 7.3 Awareness | ISO/IEC 27001:2013 Clause 7.3 Awareness |
ISO/IEC 27001:2022 Clause 7.4 Communication | ISO/IEC 27001:2013 Clause 7.4 Communication |
ISO/IEC 27001:2022 Clause 7.5 Documented information | ISO/IEC 27001:2013 Clause 7.5 Documented information |
ISO/IEC 27001:2022 Clause 7.5.1 General | ISO/IEC 27001:2013 Clause 7.5.1 General |
ISO/IEC 27001:2022 Clause 7.5.2 Creating and updating | ISO/IEC 27001:2013 Clause 7.5.2 Creating and updating |
ISO/IEC 27001:2022 Clause 7.5.3 Control of documented information | ISO/IEC 27001:2013 Clause 7.5.3 Control of documented information |
ISO/IEC 27001:2022 Clause 8 Operation | ISO/IEC 27001:2013 Clause 8 Operation |
ISO/IEC 27001:2022 Clause 8.1 Operational planning and control | ISO/IEC 27001:2013 Clause 8.1 Operational planning and control |
ISO/IEC 27001:2022 Clause 8.2 Information security risk assessment | ISO/IEC 27001:2013 Clause 8.2 Information security risk assessment |
ISO/IEC 27001:2022 Clause 8.3 Information security risk treatment | ISO/IEC 27001:2013 Clause 8.3 Information security risk treatment |
ISO/IEC 27001:2022 Clause 9 Performance evaluation | ISO/IEC 27001:2013 Clause 9 Performance evaluation |
ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluation | ISO/IEC 27001:2013 Clause 9.1 Monitoring, measurement, analysis and evaluation |
ISO/IEC 27001:2022 Clause 9.2 Internal audit | ISO/IEC 27001:2013 Clause 9.2 Internal audit |
ISO/IEC 27001:2022 Clause 9.2.1 General | NEW |
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programme | NEW |
ISO/IEC 27001:2022 Clause 9.3 Management review | ISO/IEC 27001:2013 Clause 9.3 Management review |
ISO/IEC 27001:2022 Clause 9.3.1 General | NEW |
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputs | NEW |
ISO/IEC 27001:2022 Clause 9.3.3 Management review results | NEW |
ISO/IEC 27001:2022 Clause 10 Improvement | ISO/IEC 27001:2013 Clause 10 Improvement |
ISO/IEC 27001:2022 Clause 10.1 Continual improvement | ISO/IEC 27001:2013 Clause 10.1 Nonconformity and corrective action |
ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action | ISO/IEC 27001:2013 Clause 10.2 Continual improvement |
ISO/IEC 27001:2022 Annex A (normative) Information security controls reference | ISO 27002:2022 new version of control set |
Now let's look at each of the ISO 27001 clauses and how they break down.
ISO 27001 Clause 4 Context of Organisation
The context of organisation controls look at being able to show that you understand the organisation and its context, that you understand the needs and expectations of interested parties, and that you have determined the scope of the information security management system.
ISO 27001 Context of Organisation Further Reading
- The essential guide to ISO 27001 Clause 4.1 Understanding the Organisation and its Context.
- The essential guide to ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties
- The essential guide to ISO 27001 Clause 4.3 Determining the scope of the information security management system
- The essential guide to ISO 27001 Clause 4.4 Information security management system
ISO 27001 Clause 5 Leadership
ISO 27001 wants top-down leadership and the ability to evidence leadership commitment. We require information security policies that say what we do. We document the organisational roles and responsibilities.
ISO 27001 Leadership Further Reading
- The essential guide to ISO 27001 Clause 5.1 Leadership and Commitment
- The essential guide to ISO 27001 Policies
- The essential guide to ISO 27001 Clause 5.3 Organisational roles, responsibilities and authorities
ISO 27001 Clause 6 Planning
Planning addresses actions to address risks and opportunities. ISO 27001 is a risk-based system, so risk management is a key part, with risk registers and risk processes in place. We ensure that we have objectives and measures in place for the information security management system.
ISO 27001 Planning Further Reading
- The essential guide to ISO 27001 Clause 6.1.1 Planning General
- The essential guide to ISO 27001 Clause 6.1.2 Information security risk assessment
- The essential guide to ISO 27001 Clause 6.1.3 Information security risk treatment
- The essential guide to ISO 27001 Clause 6.2 Information security objectives and planning to achieve them
ISO 27001 Clause 7 Support
Education and awareness are put in place and a culture of security is implemented. A communication plan is created and followed. Resources are allocated and the competency of those resources is managed and understood. If it isn't written down it does not exist, so standard operating procedures are documented and documents are controlled.
ISO 27001 Support Further Reading
- The essential guide to ISO 27001 7.1 Resources
- The essential guide to ISO 27001 7.2 Competence
- The essential guide to ISO 27001 7.3 Awareness
- The essential guide to ISO 27001 7.4 Communication
- The essential guide to ISO 27001 7.5.1 General
- The essential guide to ISO 27001 7.5.2 Creating and updating
- The essential guide to ISO 27001 7.5.3 Control of documented information
ISO 27001 Clause 8 Operation
Operations are managed and controlled and risk assessments undertaken.
ISO 27001 Operation Further Reading
- The essential guide to ISO 27001 8.1 Operational planning and control
- The essential guide to ISO 27001 8.2 Information security risk assessment
- The essential guide to ISO 27001 8.3 Information security risk treatment
ISO 27001 Clause 9 Performance Evaluation
Monitoring and measurement, together with the processes of analysis and evaluation, are implemented. As part of continual improvement, audits are planned and executed, and management reviews are undertaken following structured agendas.
ISO 27001 Performance Evaluation Further Reading
- The essential guide to ISO 27001 9.1 Monitoring, measurement, analysis and evaluation
- The essential guide to ISO 27001 9.2 Internal audit
- The essential guide to ISO 27001 9.2.1 General
- The essential guide to ISO 27001 9.2.2 Internal audit programme
- The essential guide to ISO 27001 9.3 Management review
- The essential guide to ISO 27001 9.3.1 General
- The essential guide to ISO 27001 9.3.2 Management review inputs
- The essential guide to ISO 27001 9.3.3 Management review results
ISO 27001 Clause 10 Improvement
Improvement is a foundation of the ISO 27001 standard: the ability to adapt and continually improve. We are going to look at how we manage nonconformities and corrective actions, and our processes for managing continual improvement.
ISO 27001 Improvement Further Reading
- The essential guide to ISO 27001 10.1 Continual improvement
- The essential guide to ISO 27001 10.2 Nonconformity and corrective action
ISO 27001:2022 Annex A Controls Checklist
ISO 27001:2022 Annex A 5: Organisational controls
ISO 27001:2022 Annex A 5.1 Policies for information security
Ensure the suitability, adequacy and effectiveness of management's direction and support for information security.
ISO 27001:2022 Annex A 5.2 Information security roles and responsibilities
Ensure a defined, approved and understood structure is in place for the implementation and operation of the information security management system.
ISO 27001:2022 Annex A 5.3 Segregation of duties
Reduce the risk of fraud, error and bypassing of information security controls.
ISO 27001:2022 Annex A 5.4 Management responsibilities
Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.
ISO 27001:2022 Annex A 5.5 Contact with authorities
The organisation should establish and maintain contact with relevant authorities.
ISO 27001:2022 Annex A 5.6 Contact with special interest groups
Ensure appropriate flow of information takes place with respect to information security.
ISO 27001:2022 Annex A 5.7 Threat intelligence – new
Provide awareness of the organisation's threat environment so that the appropriate mitigation actions can be taken.
ISO 27001:2022 Annex A 5.8 Information security in project management
Ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.
ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets – change
Identify the organisation's information and other associated assets in order to preserve their information security and assign appropriate ownership.
ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets – change
Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
ISO 27001:2022 Annex A 5.11 Return of assets
Protect the organisation's assets as part of the process of changing or terminating employment, contract or agreement.
ISO 27001:2022 Annex A 5.12 Classification of information
Ensure identification and understanding of protection needs of information in accordance with its importance to the organisation.
ISO 27001:2022 Annex A 5.13 Labelling of information
Facilitate the communication of classification of information and support automation of information processing and management.
ISO 27001:2022 Annex A 5.14 Information transfer
Maintain the security of information transferred within an organisation and with any external interested party.
ISO 27001:2022 Annex A 5.15 Access control
Ensure authorised access and prevent unauthorised access to information and other associated assets.
ISO 27001:2022 Annex A 5.16 Identity management
Allow for the unique identification of individuals and systems accessing the organisation's information and other associated assets, and enable appropriate assignment of access rights.
ISO 27001:2022 Annex A 5.17 Authentication information – new
Ensure proper entity authentication and prevent failures of authentication processes.
ISO 27001:2022 Annex A 5.18 Access rights – change
Ensure access to information and other associated assets is defined and authorised according to the business requirements.
ISO 27001:2022 Annex A 5.19 Information security in supplier relationships
Maintain an agreed level of information security in supplier relationships.
ISO 27001:2022 Annex A 5.20 Addressing information security within supplier agreements
Maintain an agreed level of information security in supplier relationships.
ISO 27001:2022 Annex A 5.21 Managing information security in the ICT supply chain – new
Maintain an agreed level of information security in supplier relationships.
ISO 27001:2022 Annex A 5.22 Monitoring, review and change management of supplier services – change
Maintain an agreed level of information security and service delivery in line with supplier agreements.
ISO 27001:2022 Annex A 5.23 Information security for use of cloud services – new
Specify and manage information security for the use of cloud services.
ISO 27001:2022 Annex A 5.24 Information security incident management planning and preparation – change
Ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events.
ISO 27001:2022 Annex A 5.25 Assessment and decision on information security events
Ensure effective categorisation and prioritisation of information security events.
ISO 27001:2022 Annex A 5.26 Response to information security incidents
Ensure efficient and effective response to information security incidents.
ISO 27001:2022 Annex A 5.27 Learning from information security incidents
Reduce the likelihood or consequences of future incidents.
ISO 27001:2022 Annex A 5.28 Collection of evidence
Ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.
ISO 27001:2022 Annex A 5.29 Information security during disruption – change
Protect information and other associated assets during disruption.
ISO 27001:2022 Annex A 5.30 ICT readiness for business continuity – new
Ensure the availability of the organisation's information and other associated assets during disruption.
ISO 27001:2022 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements
Ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.
ISO 27001:2022 Annex A 5.32 Intellectual property rights
Ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.
ISO 27001:2022 Annex A 5.33 Protection of records
Ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.
ISO 27001:2022 Annex A 5.34 Privacy and protection of PII
Ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII.
ISO 27001:2022 Annex A 5.35 Independent review of information security
Ensure the continuing suitability, adequacy and effectiveness of the organisation's approach to managing information security.
ISO 27001:2022 Annex A 5.36 Compliance with policies and standards for information security
Ensure that information security is implemented and operated in accordance with the organisation’s information security policy, topic-specific policies, rules and standards.
ISO 27001:2022 Annex A 5.37 Documented operating procedures
Ensure the correct and secure operation of information processing facilities.
ISO 27001:2022 Annex A 6: People controls
ISO 27001:2022 Annex A 6.1 Screening
Ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.
ISO 27001:2022 Annex A 6.2 Terms and conditions of employment
Ensure personnel understand their information security responsibilities for the roles for which they are considered.
ISO 27001:2022 Annex A 6.3 Information security awareness, education and training
Ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.
ISO 27001:2022 Annex A 6.4 Disciplinary process
Ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.
ISO 27001:2022 Annex A 6.5 Responsibilities after termination or change of employment
Protect the organisation's interests as part of the process of changing or terminating employment or contracts.
ISO 27001:2022 Annex A 6.6 Confidentiality or non-disclosure agreements
Maintain confidentiality of information accessible by personnel or external parties.
ISO 27001:2022 Annex A 6.7 Remote working – new
Ensure the security of information when personnel are working remotely.
ISO 27001:2022 Annex A 6.8 Information security event reporting
Support timely, consistent and effective reporting of information security events that can be identified by personnel.
ISO 27001:2022 Annex A 7: Physical controls
ISO 27001:2022 Annex A 7.1 Physical security perimeter
Ensure physical security is in place to stop people you don’t want to allow from gaining physical access to property and assets.
ISO 27001:2022 Annex A 7.2 Physical entry controls
Protect secure areas with access points and entry controls.
ISO 27001:2022 Annex A 7.3 Securing offices, rooms and facilities
Ensure you prevent unauthorised physical access, damage and interference to the organisation's information and other associated assets in offices, rooms and facilities.
ISO 27001:2022 Annex A 7.4 Physical security monitoring
Have a physical security perimeter to protect offices and processing facilities.
ISO 27001:2022 Annex A 7.5 Protecting against physical and environmental threats
Prevent or reduce the consequences of events originating from physical and environmental threats.
ISO 27001:2022 Annex A 7.6 Working in secure areas
Ensure you protect information and other associated assets in secure areas from damage and unauthorised interference by personnel working in these areas.
ISO 27001:2022 Annex A 7.7 Clear desk and clear screen
Ensure you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.
ISO 27001:2022 Annex A 7.8 Equipment siting and protection
Reduce the risks from physical and environmental threats, and from unauthorised access and damage.
ISO 27001:2022 Annex A 7.9 Security of assets off-premises
Protect equipment by siting it securely and protecting it.
ISO 27001:2022 Annex A 7.10 Storage media – new
Protect storage media.
ISO 27001:2022 Annex A 7.11 Supporting utilities
Prevent loss, damage or compromise of information and other associated assets, or interruption to the organisation's operations, due to failure and disruption of supporting utilities.
ISO 27001:2022 Annex A 7.12 Cabling security
Prevent loss, damage, theft or compromise of information and other associated assets, and interruption to the organisation's operations, related to power and communications cabling.
ISO 27001:2022 Annex A 7.13 Equipment maintenance
Prevent loss, damage, theft or compromise of information and other associated assets, and interruption to the organisation's operations, caused by lack of maintenance.
ISO 27001:2022 Annex A 7.14 Secure disposal or re-use of equipment
Prevent leakage of information from equipment to be disposed or re-used.
ISO 27001:2022 Annex A 8: Technological controls
ISO 27001:2022 Annex A 8.1 User endpoint devices – new
Protect information against the risks introduced by using user endpoint devices.
ISO 27001:2022 Annex A 8.2 Privileged access rights
Ensure only authorised users, software components and services are provided with privileged access rights.
ISO 27001:2022 Annex A 8.3 Information access restriction
Ensure only authorised access and prevent unauthorised access to information and other associated assets.
ISO 27001:2022 Annex A 8.4 Access to source code
Prevent the introduction of unauthorised functionality, avoid unintentional or malicious changes, and maintain the confidentiality of valuable intellectual property.
ISO 27001:2022 Annex A 8.5 Secure authentication
Ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted.
ISO 27001:2022 Annex A 8.6 Capacity management
Ensure the required capacity of information processing facilities, human resources, offices and other facilities.
ISO 27001:2022 Annex A 8.7 Protection against malware
Ensure information and other associated assets are protected against malware.
ISO 27001:2022 Annex A 8.8 Management of technical vulnerabilities
Ensure information and other associated assets are protected from the exploitation of technical vulnerabilities.
ISO 27001:2022 Annex A 8.9 Configuration management
Ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes.
ISO 27001:2022 Annex A 8.10 Information deletion – new
Make sure you are deleting data when it is no longer required in a way that it cannot be recovered.
ISO 27001:2022 Annex A 8.11 Data masking – new
Ensure you limit the exposure of sensitive data including PII, and you comply with legal, statutory, regulatory and contractual requirements.
ISO 27001:2022 Annex A 8.12 Data leakage prevention – new
Detect and prevent the unauthorised disclosure and extraction of information by individuals or systems.
ISO 27001:2022 Annex A 8.13 Information backup
Enable recovery from loss of data or systems.
ISO 27001:2022 Annex A 8.14 Redundancy of information processing facilities
Ensure the continuous operation of information processing facilities.
ISO 27001:2022 Annex A 8.15 Logging
Record events, generate evidence, ensure the integrity of log information, prevent unauthorised access, identify information security events that can lead to an information security incident, and support investigations.
ISO 27001:2022 Annex A 8.16 Monitoring activities
Detect anomalous behaviour and potential information security incidents.
ISO 27001:2022 Annex A 8.17 Clock synchronisation
Enable the correlation and analysis of security-related events and other recorded data, and support investigations into information security incidents.
ISO 27001:2022 Annex A 8.18 Use of privileged utility programs
Ensure the use of utility programs does not harm system and application controls for information security.
ISO 27001:2022 Annex A 8.19 Installation of software on operational systems
Ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.
ISO 27001:2022 Annex A 8.20 Network controls
Protect information in networks and its supporting information processing facilities from compromise via the network.
ISO 27001:2022 Annex A 8.21 Security of network services
Ensure security in the use of network services.
ISO 27001:2022 Annex A 8.22 Segregation in networks
Split the network into security boundaries and control traffic between them based on business needs.
ISO 27001:2022 Annex A 8.23 Web filtering – new
Protect systems from being compromised by malware and prevent access to unauthorised web resources.
ISO 27001:2022 Annex A 8.24 Use of cryptography
Ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.
ISO 27001:2022 Annex A 8.25 Secure development lifecycle
Ensure information security is designed and implemented within the secure development life cycle of software and systems.
ISO 27001:2022 Annex A 8.26 Application security requirements – new
Ensure all information security requirements are identified and addressed when developing or acquiring applications.
ISO 27001:2022 Annex A 8.27 Secure system architecture and engineering principles – new
Ensure information systems are securely designed, implemented and operated within the development life cycle.
ISO 27001:2022 Annex A 8.28 Secure coding
Ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.
ISO 27001:2022 Annex A 8.29 Security testing in development and acceptance
Validate if information security requirements are met when applications or code are deployed to the production environment.
ISO 27001:2022 Annex A 8.30 Outsourced development
Ensure information security measures required by the organisation are implemented in outsourced system development.
ISO 27001:2022 Annex A 8.31 Separation of development, test and production environments
Protect the production environment and data from compromise by development and test activities.
ISO 27001:2022 Annex A 8.32 Change management
Preserve information security when executing changes.
ISO 27001:2022 Annex A 8.33 Test information
Ensure relevance of testing and protection of operational information used for testing.
ISO 27001:2022 Annex A 8.34 Protection of information systems during audit and testing – new
Minimise the impact of audit and other assurance activities on operational systems and business processes.
ISO 27001:2013 Annex A Controls Checklist
ISO 27002:2013 is the old version of the Annex A controls and was replaced and updated in 2022. As businesses are still being assessed and certified against ISO 27002:2013, we will do a deep dive into those controls.
There are 114 controls in the 2013 version of the control list. Let's break them down. Helpfully, the controls start at number 5.
ISO 27001:2013 Annex A 5: Information Security Policies | 2 controls
ISO 27001 policies are your foundation. They say what you do, not necessarily how you do it. There are 2 controls in Annex A.5: management setting the direction of information security in the organisation through having policies for information security, and those policies being reviewed. You can see the ISO 27001 policies and the headline Information Security Policy by clicking the links.
ISO 27001:2013 Annex A 6: Organisation of Information Security | 7 controls
A management framework for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove conflicts of interest and segregate duties. Contact with authorities, which usually means local regulators and law enforcement, is established, as is contact with special interest groups. Special interest groups could be forums, trade or regulatory associations. As we likely have project management, we ensure that information security is included in the lifecycle. Weirdly, this annex shoehorns in both remote working and mobile devices, for which it expects policies.
ISO 27001:2013 Annex A 7: Human resource security | 6 controls
Ah, where would we be without HR? Here we have 6 controls relating to human resources, taking care of pre-employment screening and background checking, terms and conditions of employment, what happens during employment, and information security training. Management responsibilities are included, as is the disciplinary process to tie it to security breaches, and termination or change of employment and responsibilities. The last one we summarise as the starter, leaver, mover process.
ISO 27001:2013 Annex A 8: Asset management | 10 controls
You cannot protect what you do not know, so a whopping 10 controls cover asset management. Nothing earth-shattering or new here. We are in the territory of physical asset registers and data asset registers. The asset management policy looks at ownership of assets, acceptable use and return of assets. There are controls on information classification and labelling of information, but nothing strenuous. Handling assets and media is covered: the likes of removable media, getting rid of or disposing of it properly, and physical media transfer, if that is still something you do.
ISO 27001:2013 Annex A 9: Access control | 14 controls
Still with me? Good, good. Access control, as you would expect, is included. Another large control section, but not to be intimidated by. There are no surprises here. User management with registering and de-registering users, provisioning accounts, managing those privileged and admin accounts, password management and, of course, reviewing user access rights. Having a secure logon, which is pretty basic, and, if applicable, restricting those utility programs and applications and proper access to source code.
ISO 27001:2013 Annex A 10: Cryptography | 2 controls
2 controls, so how hard can this be? A policy on cryptographic controls and a key management process.
ISO 27001:2013 Annex A 11: Physical and environmental security
| 15 controls
You are going to manage this mainly by having the right scope and probably outsourcing what is in scope to someone that has ISO 27001 certification and covers this for you. Still, let's take a look at the physical controls. For this you are into secure perimeters and physical entry controls to secure those offices and server rooms. Protecting against environmental threats like floods and earthquakes, working in areas that need to be more secure, considering loading bays if you have them, making sure equipment is installed properly, looking at your power supplies and utilities. We have more policy on clear desk and clear screen, unattended user equipment and what needs to happen for equipment off site.
ISO 27001:2013 Annex A 12: Operations security
| 14 controls
If it isn't written down it doesn't exist is a good rule to live by when it comes to ISO 27001. All that good stuff you no doubt do needs writing down. Change management, capacity management, anti-virus, backups. All this stuff you do, that you just do, well it needs documenting. Logging and monitoring, clock synchronisation, installation of software, managing vulnerabilities and patching. Who can install what. All to write down and document.
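Two of the controls above, "who can install what" and clock synchronisation, are easy to check mechanically once the logging is in place. The following is an added example, not code from the page or the author's toolkit: the log format (collector receive time, host, host-stamped time, program, message), the four log lines, the list of approved installers and the 60-second skew threshold are all constructed. It reads the lines and reports software installs by anyone not on the approved list, and hosts whose clocks disagree with the collector by more than the threshold, which is exactly the kind of evidence a monitoring control needs to produce.

```python
"""Checks over operations logs: unapproved software installs and clock skew.

Added example with a constructed log format and constructed lines.
Each line is: <received_utc> <host> <host_utc> <program>: <message>
where received_utc is stamped by the central log collector and host_utc
by the sending host, so the difference between them shows clock drift.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system).
LOG_LINES = [
    "2024-06-01T10:00:05Z web01 2024-06-01T10:00:04Z pkg: installed nginx user=deploy",
    "2024-06-01T10:02:10Z db01 2024-06-01T09:47:10Z pkg: installed tcpdump user=bob",
    "2024-06-01T10:03:00Z web02 2024-06-01T10:03:00Z sshd: accepted publickey for deploy",
    "malformed entry",
]

# Assumed policy: only these identities may install software.
APPROVED_INSTALLERS = {"deploy", "root"}
# Assumed tolerance before a host clock counts as out of sync.
MAX_SKEW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+): (.*)$")
INSTALL_RE = re.compile(r"installed (\S+) user=(\S+)")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-01T10:00:05Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    received, host, host_time, program, msg = m.groups()
    return {
        "received": parse_ts(received),
        "host": host,
        "host_time": parse_ts(host_time),
        "program": program,
        "msg": msg,
    }


def check_lines(lines, approved=APPROVED_INSTALLERS, max_skew=MAX_SKEW):
    """Return a list of (finding_type, detail) tuples, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # Unparsable lines are findings too: silent drops hide events.
            findings.append(("unparsed", line))
            continue
        skew = abs(ev["received"] - ev["host_time"])
        if skew > max_skew:
            findings.append(("clock-skew",
                             f"{ev['host']} off by {int(skew.total_seconds())}s"))
        if ev["program"] == "pkg":
            m = INSTALL_RE.search(ev["msg"])
            if m and m.group(2) not in approved:
                findings.append(("unapproved-install",
                                 f"{m.group(2)} installed {m.group(1)} on {ev['host']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_lines(LOG_LINES):
        print(f"{kind}: {detail}")
```

The skew check matters beyond tidiness: if host clocks disagree, you cannot order events across systems when investigating an incident, which is why the standard asks for clock synchronisation in the first place.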
ISO 27001:2013 Annex A 13: Communications security
| 7 controls
Network security time. There is nothing network people like doing more than documenting stuff. Wait till you ask them and see how pleased they are. Network diagrams, segregation in networks, information transfer, policies, procedures, documentation. Confidentiality agreements, managing those network suppliers. You have this covered.
ISO 27001:2013 Annex A 14: System acquisition, development and maintenance
| 13 controls
You do software development as a company? I feel for you. 13 controls for your delight. From documenting security requirements in the specifications, securing application services over networks, protecting service transactions, and having a software development lifecycle written down that includes information security requirements. A policy, system change control, technical reviews, secure engineering principles. Dev, test, live. Testing. Test data. Outsourced development. All to document.
ISO 27001:2013 Annex A 15: Supplier relationships
| 5 controls
I am a big fan of this section. Outsource what you can, where you can and make it someone else’s problem. When you do you need controls around supplier registers, selecting suppliers, vetting them, monitoring, measuring them and the associated legal documentation. Have a third party supplier policy and a third party supplier register.
ISO 27001:2013 Annex A 16: Information security incident management
| 7 controls
What happens and what do you do when things go wrong. Controls here on roles and responsibilities, reporting, assessing, responding, and learning from incidents. An incident and corrective action log is a must.
ISO 27001:2013 Annex A 17: Information security aspects of business continuity management
| 4 controls
Having a plan, testing it, proving you tested it and having it all written down is the order of the day here. Business Continuity will keep you going when things go wrong.
ISO 27001:2013 Annex A 18: Compliance
| 8 controls
You made it to the last of the ISO 27001 Annex A controls. Compliance is compliance. What legal and regulatory compliance applies? If you document it, make sure you can show you meet it. Intellectual property, protecting records, data protection (GDPR), regulations on encryption, compliance with all these controls and the standard, and then independent reviews by someone who should know what they are doing.
ISO 27001 Controls FAQ
Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.
Using a word processor and a spreadsheet. You can consider a portal or web based application but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.
Yes, you can save the ISO 27001 controls spreadsheet that comes as part of our implementation in PDF format.
Yes. They are an Annex to the ISO 27001 standard.
ISO 27002 is a guidance standard to ISO 27001 Annex A. ISO 27002 sets out each control with implementation guidance for you to consider when implementing the control. ISO 27002 was updated in 2022 and is officially called ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls.
There are 93 controls in ISO 27001:2022.
There are 93 controls in ISO 27002:2022.
The ISO 27001:2022 Annex A controls are not mandatory but they are a list of controls that commonly mitigate information security risks. Once you have conducted your information security risk assessment you will pick the controls from ISO 27001 Annex A that mitigate risk. In addition you will review client requirements and legal and regulatory requirements to ensure that any controls required are also included.
Yes, ISO 27001 Annex A Control 5.23 Information security for use of cloud services is a new control for cloud security.
Yes. They are summarised here and you should purchase a copy of the standard for the details. The checklist forms part of our deliverables.
Yes. This is included in our ISO 27001 implementation.
There are 114 controls in ISO 27002:2013.
There are 114 controls in ISO 27001:2013.
Yes, if you are operating the 2013 version of the standard, or you need a good reason why you don't. In reality they are not mandatory, so don't have them for the sake of it. If you don't have them or need them, just document why. Remember this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don't do software development of course.
The actual list of controls is in the ISO 27001 standard which you should purchase.
ISO 27001 Annex A is broken down into 4 control domains. Each domain groups related controls together.
ISO 27001:2022 Annex A 5 Organisational controls
ISO 27001:2022 Annex A 6 People controls
ISO 27001:2022 Annex A 7 Physical controls
ISO 27001:2022 Annex A 8 Technological controls