ISO 27001 Controls


ISO 27001 is made up of two parts: the information security management system (ISMS) requirements, which are ISO 27001 itself, and the 114 Annex A controls, which are also referred to as ISO 27002. In this section we look at the 114 Annex A controls.

ISO 27002 / Annex A

This is a list of controls that a business is expected to review for applicability and implement. The controls are straightforward and cover the basics that a business should have in place. They are attached as an Annex to ISO 27001 and are therefore a requirement of the standard.

Statement of Applicability

The first step is to review the controls and decide whether each one is applicable or not. The resulting document is referred to as the Statement of Applicability. It sets the scope and determines what will be audited in the certification process. You need a compelling reason not to implement a particular control, and you should document why it is not applicable.

List of ISO 27001 controls

The following is a list of the 114 controls, grouped by Annex A section, with the objective of each control group and the requirement text of each control.

5 Information security policies

5.1 Management direction for information security. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
5.1.1 Policies for information security. A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
5.1.2 Review of the policies for information security. The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

6 Organisation of information security

6.1 Internal organisation. Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
6.1.1 Information security roles and responsibilities. All information security responsibilities shall be defined and allocated.
6.1.2 Segregation of duties. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.
6.1.3 Contact with authorities. Appropriate contacts with relevant authorities shall be maintained.
6.1.4 Contact with special interest groups. Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
6.1.5 Information security in project management. Information security shall be addressed in project management, regardless of the type of the project.
6.2 Mobile devices and teleworking. Objective: To ensure the security of teleworking and use of mobile devices.
6.2.1 Mobile device policy. A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
6.2.2 Teleworking. A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

7 Human resource security

7.1 Prior to employment. Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
7.1.1 Screening. Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
7.1.2 Terms and conditions of employment. The contractual agreements with employees and contractors shall state their and the organisation's responsibilities for information security.
7.2 During employment. Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
7.2.1 Management responsibilities. Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation.
7.2.2 Information security awareness, education and training. All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function.
7.2.3 Disciplinary process. There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
7.3 Termination or change of employment. Objective: Does the organisation ensure that employees, contractors and third party users exit the organisation or change employment in an orderly manner?
7.3.1 Termination or change of employment responsibilities. Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

8 Asset management

8.1 Responsibility for assets. Objective: To identify organisational assets and define appropriate protection responsibilities.
8.1.1 Inventory of assets. Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
8.1.2 Ownership of assets. Assets maintained in the inventory shall be owned.
8.1.3 Acceptable use of assets. Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
8.1.4 Return of assets. All employees and external party users shall return all of the organisational assets in their possession upon termination of their employment, contract or agreement.
8.2 Information classification. Objective: Does the organisation ensure that information receives an appropriate level of protection?
8.2.1 Classification of information. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
8.2.2 Labelling of information. An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.
8.2.3 Handling of assets. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.
8.3 Media handling. Objective: Management of removable media.
8.3.1 Management of removable media. Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organisation.
8.3.2 Disposal of media. Media shall be disposed of securely when no longer required, using formal procedures.
8.3.3 Physical media transfer. Media containing information shall be protected against unauthorised access, misuse or corruption during transportation.

9 Access control

9.1 Business requirements for access control. Objective: To limit access to information and information processing facilities.
9.1.1 Access control policy. An access control policy shall be established, documented and reviewed based on business and information security requirements.
9.1.2 Access to networks and network services. Users shall only be provided with access to the network and network services that they have been specifically authorised to use.
9.2 User access management. Objective: To ensure authorised user access and to prevent unauthorised access to systems and services.
9.2.1 User registration and de-registration. A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
9.2.2 User access provisioning. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
9.2.3 Management of privileged access rights. The allocation and use of privileged access rights shall be restricted and controlled.
9.2.4 Management of secret authentication information of users. The allocation of secret authentication information shall be controlled through a formal management process.
9.2.5 Review of user access rights. Asset owners shall review users' access rights at regular intervals.
9.2.6 Removal or adjustment of access rights. The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
9.3 User responsibilities. Objective: To make users accountable for safeguarding their authentication information.
9.3.1 Use of secret authentication information. Users shall be required to follow the organisation's practices in the use of secret authentication information.
9.4 System and application access control. Objective: To prevent unauthorised access to systems and applications.
9.4.1 Information access restriction. Access to information and application system functions shall be restricted in accordance with the access control policy.
9.4.2 Secure log-on procedures. Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
9.4.3 Password management system. Password management systems shall be interactive and shall ensure quality passwords.
9.4.4 Use of privileged utility programs. The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
9.4.5 Access control to program source code. Access to program source code shall be restricted.

10 Cryptography

10.1 Cryptographic controls. Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
10.1.1 Policy on the use of cryptographic controls. A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
10.1.2 Key management. A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

11 Physical and environmental security

11.1 Secure areas. Objective: To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities.
11.1.1 Physical security perimeter. Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
11.1.2 Physical entry controls. Secure areas shall be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
11.1.3 Securing offices, rooms and facilities. Physical security for offices, rooms and facilities shall be designed and applied.
11.1.4 Protecting against external and environmental threats. Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
11.1.5 Working in secure areas. Procedures for working in secure areas shall be designed and applied.
11.1.6 Delivery and loading areas. Access points such as delivery and loading areas and other points where unauthorised persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorised access.
11.2 Equipment. Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.
11.2.1 Equipment siting and protection. Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.
11.2.2 Supporting utilities. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
11.2.3 Cabling security. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
11.2.4 Equipment maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity.
11.2.5 Removal of assets. Equipment, information or software shall not be taken off-site without prior authorisation.
11.2.6 Security of equipment and assets off premises. Security shall be applied to off-site assets taking into account the different risks of working outside the organisation's premises.
11.2.7 Secure disposal or reuse of equipment. All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
11.2.8 Unattended user equipment. Users shall ensure that unattended equipment has appropriate protection.
11.2.9 Clear desk and clear screen policy. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

12 Operations security

12.1 Operational procedures and responsibilities. Objective: To ensure correct and secure operations of information processing facilities.
12.1.1 Documented operating procedures. Operating procedures shall be documented and made available to all users who need them.
12.1.2 Change management. Changes to the organisation, business processes, information processing facilities and systems that affect information security shall be controlled.
12.1.3 Capacity management. The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
12.1.4 Separation of development, testing and operational environments. Development, testing, and operational environments shall be separated to reduce the risks of unauthorised access or changes to the operational environment.
12.2 Protection from malware. Objective: To ensure that information and information processing facilities are protected against malware.
12.2.1 Controls against malware. Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
12.3 Backup. Objective: To protect against loss of data.
12.3.1 Information backup. Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
12.4 Logging and monitoring. Objective: To record events and generate evidence.
12.4.1 Event logging. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
12.4.2 Protection of log information. Logging facilities and log information shall be protected against tampering and unauthorised access.
12.4.3 Administrator and operator logs. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
12.4.4 Clock synchronisation. The clocks of all relevant information processing systems within an organisation or security domain shall be synchronised to a single reference time source.
12.5 Control of operational software. Objective: To ensure the integrity of operational systems.
12.5.1 Installation of software on operational systems. Procedures shall be implemented to control the installation of software on operational systems.
12.6 Technical vulnerability management. Objective: To prevent exploitation of technical vulnerabilities.
12.6.1 Management of technical vulnerabilities. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
12.6.2 Restrictions on software installation. Rules governing the installation of software by users shall be established and implemented.
12.7 Information systems audit considerations. Objective: To minimise the impact of audit activities on operational systems.
12.7.1 Information systems audit controls. Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

13 Communications security

13.1 Network security management. Objective: To ensure the protection of information in networks and its supporting information processing facilities.
13.1.1 Network controls. Networks shall be managed and controlled to protect information in systems and applications.
13.1.2 Security of network services. Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
13.1.3 Segregation in networks. Groups of information services, users and information systems shall be segregated on networks.
13.2 Information transfer. Objective: To ensure the protection of information in networks and its supporting information processing facilities.
13.2.1 Information transfer policies and procedures. Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
13.2.2 Agreements on information transfer. Agreements shall address the secure transfer of business information between the organisation and external parties.
13.2.3 Electronic messaging. Information involved in electronic messaging shall be appropriately protected.
13.2.4 Confidentiality or non-disclosure agreements. Requirements for confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information shall be identified, regularly reviewed and documented.

14 System acquisition, development and maintenance

14.1 Security requirements of information systems. Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
14.1.1 Information security requirements analysis and specification. The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
14.1.2 Securing application services on public networks. Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorised disclosure and modification.
14.1.3 Protecting application services transactions. Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay.
14.2 Security in development and support processes. Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
14.2.1 Secure development policy. Rules for the development of software and systems shall be established and applied to developments within the organisation.
14.2.2 System change control procedures. Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
14.2.3 Technical review of applications after operating platform changes. When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organisational operations or security.
14.2.4 Restrictions on changes to software packages. Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
14.2.5 Secure system engineering principles. Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
14.2.6 Secure development environment. Organisations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
14.2.7 Outsourced development. The organisation shall supervise and monitor the activity of outsourced system development.
14.2.8 System security testing. Testing of security functionality shall be carried out during development.
14.2.9 System acceptance testing. Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
14.3 Test data. Objective: To ensure the protection of data used for testing.
14.3.1 Protection of test data. Test data shall be selected carefully, protected and controlled.

15 Supplier relationships

15.1 Information security in supplier relationships. Objective: To ensure protection of the organisation's assets that are accessible by suppliers.
15.1.1 Information security policy for supplier relationships. Information security requirements for mitigating the risks associated with suppliers' access to the organisation's assets shall be agreed with the supplier and documented.
15.1.2 Addressing security within supplier agreements. All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation's information.
15.1.3 Information and communication technology supply chain. Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
15.2 Supplier service delivery management. Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
15.2.1 Monitoring and review of supplier services. Organisations shall regularly monitor, review and audit supplier service delivery.
15.2.2 Managing changes to supplier services. Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

16 Information security incident management

16.1 Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
16.1.1 Responsibilities and procedures. Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
16.1.2 Reporting information security events. Information security events shall be reported through appropriate management channels as quickly as possible.
16.1.3 Reporting information security weaknesses. Employees and contractors using the organisation's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
16.1.4 Assessment of and decision on information security events. Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
16.1.5 Response to information security incidents. Information security incidents shall be responded to in accordance with the documented procedures.
16.1.6 Learning from information security incidents. Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
16.1.7 Collection of evidence. The organisation shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

17 Information security aspects of business continuity management

17.1 Information security continuity. Objective: Information security continuity should be embedded in the organisation's business continuity management systems.
17.1.1 Planning information security continuity. The organisation shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
17.1.2 Implementing information security continuity. The organisation shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
17.1.3 Verify, review and evaluate information security continuity. The organisation shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
17.2 Redundancies. Objective: To ensure availability of information processing facilities.
17.2.1 Availability of information processing facilities. Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

18 Compliance

18.1 Compliance with legal and contractual requirements. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
18.1.1 Identification of applicable legislation and contractual requirements. All relevant legislative, statutory, regulatory and contractual requirements and the organisation's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organisation.
18.1.2 Intellectual property rights. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
18.1.3 Protection of records. Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
18.1.4 Privacy and protection of personally identifiable information. Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
18.1.5 Regulation of cryptographic controls. Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
18.2 Information security reviews. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
18.2.1 Independent review of information security. The organisation's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
18.2.2 Compliance with security policies and standards. Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
18.2.3 Technical compliance review. Information systems shall be regularly reviewed for compliance with the organisation's information security policies and standards.