ISO 27001 Controls Ultimate Guide


ISO 27001 Controls

In this ultimate guide to ISO 27001 Controls you will learn

  • What ISO 27001 controls are
  • What’s new in ISO 27001:2022
  • Implementation Checklists
  • Audit Checklists
  • The difference between ISO 27002 and ISO 27001 Annex A

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years' industry experience I will show you what's new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement them for ISO 27001 certification.

What are ISO 27001 Controls?

ISO 27001 controls are the policies, processes and technologies that you put in place to mitigate information security risks. They are based on industry best practice and they are documented in ISO 27001 Annex A.

We previously explored What is the difference between ISO 27001 and ISO 27002.

What is ISO 27001 Annex A?

ISO 27001 Annex A is a list of 93 information security controls including best practice implementation guides.

They are grouped into 4 themes:

  • Organisational Controls
  • People Controls
  • Physical Controls
  • Technical Controls

ISO 27001 Annex A is actually a standard in its own right called ISO 27002.

ISO 27002 is a reference and guidance standard that lists the controls and provides implementation guidance for each. For more information read ISO 27001 vs ISO 27002 – The difference explained simply.

How many ISO 27001 controls are there?

ISO 27001:2022 Annex A has 93 controls in four categories.

  • ISO 27001 Annex A 5 Organisational Controls = 37 controls
  • ISO 27001 Annex A 6 People Controls = 8 controls
  • ISO 27001 Annex A 7 Physical Controls = 14 controls
  • ISO 27001 Annex A 8 Technological Controls = 34 controls

ISO 27001 New Controls

When the International Organization for Standardisation updated the ISO 27001:2013 standard in 2022, they added 11 new controls. They are:

Ownership

Ownership of the ISO 27001 controls sits with the organisation's heads of department who operate the processes.

It is a misconception that the ISO 27001 controls are the responsibility of IT.

Accountability for the ISO 27001 controls sits with senior leadership and the information security manager is responsible for assisting organisational leads in the effective implementation and operation of the controls.

ISO 27001 Controls List

ISO 27001 Control 5.1 Policies for Information Security

Purpose: To ensure the suitability, adequacy and effectiveness of management's direction and support for information security.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.1 Policies for information security

ISO 27001 Control 5.2 Information security roles and responsibilities

Purpose: Annex A 5.2 is a preventive control that ensures a defined, approved and understood structure is in place for the implementation and operation of the information security management system.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.2 Information security roles and responsibilities

ISO 27001 Control 5.3 Segregation of Duties

Purpose: To reduce the risk of fraud, error and bypassing of information security controls. 

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.3 Segregation of duties

ISO 27001 Control 5.4 Management Responsibilities

Purpose: Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.4 Management responsibilities

ISO 27001 Control 5.5 Contact with authorities

Purpose: The organisation should establish and maintain contact with relevant authorities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.5 Contact with authorities

ISO 27001 Control 5.6 Contact with special interest groups

Purpose: To ensure appropriate flow of information takes place with respect to information security. 

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.6 Contact with special interest groups

ISO 27001 Control 5.7 Threat Intelligence – NEW

Purpose: To provide awareness of the organisation's threat environment so that the appropriate mitigation actions can be taken.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.7 Threat intelligence

ISO 27001 Control 5.8 Information security in project management

Purpose: To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.8 Information security in project management

ISO 27001 Control 5.9 Inventory of information and other associated assets – CHANGE

Purpose: To identify the organisation's information and other associated assets in order to preserve their information security and assign appropriate ownership.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets

ISO 27001 Control 5.10 Acceptable use of information and other associated assets – CHANGE

Purpose: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets

ISO 27001 Control 5.11 Return of assets

Purpose: To protect the organisation's assets as part of the process of changing or terminating employment, contract or agreement.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.11 Return of assets

ISO 27001 Control 5.12 Classification of information

Purpose: To ensure identification and understanding of protection needs of information in accordance with its importance to the organisation.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.12 Classification of information

ISO 27001 Control 5.13 Labelling of information

Purpose: To facilitate the communication of classification of information and support automation of information processing and management.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.13 Labelling of information

ISO 27001 Control 5.14 Information transfer

Purpose: To maintain the security of information transferred within an organisation and with any external interested party.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.14 Information transfer

ISO 27001 Control 5.15 Access Control

Purpose: To ensure authorised access and to prevent unauthorised access to information and other associated assets.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.15 Access control

ISO 27001 Control 5.16 Identity Management – NEW

Purpose: To allow for the unique identification of individuals and systems accessing the organisation's information and other associated assets and to enable appropriate assignment of access rights.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.16 Identity management

ISO 27001 Control 5.17 Authentication Information – NEW

Purpose: To ensure proper entity authentication and prevent failures of authentication processes.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.17 Authentication information

ISO 27001 Control 5.18 Access rights – CHANGE

Purpose: To ensure access to information and other associated assets is defined and authorised according to the business requirements.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.18 Access rights

ISO 27001 Control 5.19 Information security in supplier relationships

Purpose: To maintain an agreed level of information security in supplier relationships.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.19 Information security in supplier relationships

ISO 27001 Control 5.20 Addressing information security within supplier agreements

Purpose: To maintain an agreed level of information security in supplier relationships.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Control 5.21 Managing information security in the ICT supply chain – NEW

Purpose: To maintain an agreed level of information security in supplier relationships.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.21 Managing information security in the ICT supply chain

ISO 27001 Control 5.22 Monitoring, review and change management of supplier services – CHANGE

Purpose: To maintain an agreed level of information security and service delivery in line with supplier agreements.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.22 Monitoring, review and change management of supplier services

ISO 27001 Control 5.23 Information security for use of cloud services – NEW

Purpose: To specify and manage information security for the use of cloud services.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.23 Information security for use of cloud services

ISO 27001 Control 5.24 Information security incident management planning and preparation – CHANGE

Purpose: To ensure quick, effective, consistent and orderly response to information security incidents, including communication on information security events.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.24 Information security incident management planning and preparation

ISO 27001 Control 5.25 Assessment and decision on information security events

Purpose: To ensure effective categorisation and prioritisation of information security events.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.25 Assessment and decision on information security events

ISO 27001 Control 5.26 Response to information security incidents

Purpose: To ensure efficient and effective response to information security incidents.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.26 Response to information security incidents

ISO 27001 Control 5.27 Learning from information security incidents

Purpose: To reduce the likelihood or consequences of future incidents.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.27 Learning from information security incidents

ISO 27001 Control 5.28 Collection of evidence

Purpose: To ensure a consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.28 Collection of evidence

ISO 27001 Control 5.29 Information security during disruption – CHANGE

Purpose: To protect information and other associated assets during disruption.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.29 Information security during disruption

ISO 27001 Control 5.30 ICT readiness for business continuity – NEW

Purpose: To ensure the availability of the organisation's information and other associated assets during disruption.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.30 ICT readiness for business continuity

ISO 27001 Control 5.31 Identification of legal, statutory, regulatory and contractual requirements

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Control 5.32 Intellectual Property Rights

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.32 Intellectual property rights

ISO 27001 Control 5.33 Protection of records

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.33 Protection of records

ISO 27001 Control 5.34 Privacy and protection of PII

Purpose: To ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.34 Privacy and protection of PII

ISO 27001 Control 5.35 Independent review of information security

Purpose: To ensure the continuing suitability, adequacy and effectiveness of the organisation's approach to managing information security.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.35 Independent review of information security

ISO 27001 Control 5.36 Compliance with policies and standards for information security

Purpose: To ensure that information security is implemented and operated in accordance with the organisation’s information security policy, topic-specific policies, rules and standards.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Control 5.37 Documented Operating Procedures

Purpose: To ensure the correct and secure operation of information processing facilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 5.37 Documented operating procedures

ISO 27001 Control 6.1 Screening

Purpose: To ensure all personnel are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.1 Screening

ISO 27001 Control 6.2 Terms and Conditions of Employment

Purpose: To ensure personnel understand their information security responsibilities for the roles for which they are considered.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.2 Terms and conditions of employment

ISO 27001 Control 6.3 Information security awareness, education and training

Purpose: To ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.3 Information security awareness, education and training

ISO 27001 Control 6.4 Disciplinary Process

Purpose: To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.4 Disciplinary process

ISO 27001 Control 6.5 Responsibilities after termination or change of employment

Purpose: To protect the organisation's interests as part of the process of changing or terminating employment or contracts.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.5 Responsibilities after termination or change of employment

ISO 27001 Control 6.6 Confidentiality or non-disclosure agreements

Purpose: To maintain confidentiality of information accessible by personnel or external parties.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.6 Confidentiality or non-disclosure agreements

ISO 27001 Control 6.7 Remote working – NEW

Purpose: To ensure the security of information when personnel are working remotely.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.7 Remote Working

ISO 27001 Control 6.8 Information security event reporting

Purpose: To support timely, consistent and effective reporting of information security events that can be identified by personnel.

View the ultimate certification guide to: ISO 27001:2022 Annex A 6.8 Information Security Event Reporting

ISO 27001 Control 7.1 Physical Security Perimeter

Purpose: To ensure physical security is in place to stop unauthorised people from gaining physical access to property and assets.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.1 Physical security perimeter

ISO 27001 Control 7.2 Physical Entry

Purpose: To ensure only authorised physical access to the organisation's information and other associated assets occurs.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.2 Physical entry

ISO 27001 Control 7.3 Securing Offices, Rooms And Facilities

Purpose: To ensure you prevent unauthorised physical access, damage and interference to the organisation's information and other associated assets in offices, rooms and facilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.3 Securing offices, rooms and facilities

ISO 27001 Control 7.4 Physical Security Monitoring

Purpose: To ensure you detect and deter unauthorised physical access.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.4 Physical security monitoring

ISO 27001 Control 7.5 Protecting Against Physical and Environmental Threats

Purpose: To ensure you prevent or reduce the consequences of events originating from physical and environmental threats.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.5 Protecting against physical and environmental threats

ISO 27001 Control 7.6 Working In Secure Areas

Purpose: To ensure you protect information and other associated assets in secure areas from damage and unauthorised interference by personnel working in these areas.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.6 Working in secure areas

ISO 27001 Control 7.7 Clear Desk And Clear Screen

Purpose: To ensure you address the risks of unauthorised access, loss of and damage to information on desks, screens and in other accessible locations during and outside normal working hours.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.7 Clear desk and clear screen

ISO 27001 Control 7.8 Equipment Siting And Protection

Purpose: To reduce the risks from physical and environmental threats, and from unauthorised access and damage.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.8 Equipment siting and protection

ISO 27001 Control 7.9 Security Of Assets Off-Premises

Purpose: To prevent loss, damage, theft or compromise of off-site devices and interruption to the organisation's operations.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.9 Security of assets off-premises

ISO 27001 Control 7.10 Storage Media – NEW

Purpose: To ensure only authorised disclosure, modification, removal or destruction of information on storage media.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.10 Storage media

ISO 27001 Control 7.11 Supporting Utilities

Purpose: To prevent loss, damage or compromise of information and other associated assets, or interruption to the organisation's operations, due to failure and disruption of supporting utilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.11 Supporting utilities

ISO 27001 Control 7.12 Cabling Security

Purpose: To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisation's operations related to power and communications cabling.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.12 Cabling security

ISO 27001 Control 7.13 Equipment Maintenance

Purpose: To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organisation's operations caused by lack of maintenance.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.13 Equipment maintenance

ISO 27001 Control 7.14 Secure Disposal Or Re-Use Of Equipment

Purpose: To prevent leakage of information from equipment to be disposed or re-used.

View the ultimate certification guide to: ISO 27001:2022 Annex A 7.14 Secure disposal or re-use of equipment

ISO 27001 Control 8.1 User Endpoint Devices – NEW

Purpose: To protect information against the risks introduced by using user endpoint devices.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.1 User endpoint devices

ISO 27001 Control 8.2 Privileged Access Rights

Purpose: To ensure only authorised users, software components and services are provided with privileged access rights.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.2 Privileged access rights

ISO 27001 Control 8.3 Information Access Restriction

Purpose: To ensure only authorised access and to prevent unauthorised access to information and other associated assets.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.3 Information access restriction

ISO 27001 Control 8.4 Access To Source Code

Purpose: To prevent the introduction of unauthorised functionality, avoid unintentional or malicious changes and to maintain the confidentiality of valuable intellectual property.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.4 Access to source code

ISO 27001 Control 8.5 Secure Authentication

Purpose: To ensure a user or an entity is securely authenticated, when access to systems, applications and services is granted.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.5 Secure authentication

ISO 27001 Control 8.6 Capacity Management

Purpose: To ensure the required capacity of information processing facilities, human resources, offices and other facilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.6 Capacity management

ISO 27001 Control 8.7 Protection Against Malware

Purpose: To ensure information and other associated assets are protected against malware.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.7 Protection against malware

ISO 27001 Control 8.8 Management of Technical Vulnerabilities

Purpose: To ensure information and other associated assets are protected from the exploitation of technical vulnerabilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.8 Management of technical vulnerabilities

ISO 27001 Control 8.9 Configuration Management

Purpose: To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorised or incorrect changes.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.9 Configuration management

ISO 27001 Control 8.10 Information Deletion – NEW

Purpose: To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.10 Information deletion

ISO 27001 Control 8.11 Data Masking – NEW

Purpose: To ensure you limit the exposure of sensitive data including PII, and you comply with legal, statutory, regulatory and contractual requirements.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.11 Data masking

ISO 27001 Control 8.12 Data Leakage Prevention – NEW

Purpose: To detect and prevent the unauthorised disclosure and extraction of information by individuals or systems.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.12 Data leakage prevention

ISO 27001 Control 8.13 Information Backup

Purpose: To enable recovery from loss of data or systems. 

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.13 Information backup

ISO 27001 Control 8.14 Redundancy of information processing facilities

Purpose: To ensure the continuous operation of information processing facilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.14 Redundancy of information processing facilities

ISO 27001 Control 8.15 Logging

Purpose: To record events, generate evidence, ensure the integrity of log information, prevent against unauthorised access, identify information security events that can lead to an information security incident and to support investigations.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.15 Logging

ISO 27001 Control 8.16 Monitoring Activities

Purpose: To detect anomalous behaviour and potential information security incidents.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.16 Monitoring activities

ISO 27001 Control 8.17 Clock Synchronisation

Purpose: To enable the correlation and analysis of security-related events and other recorded data, and to support investigations into information security incidents.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.17 Clock synchronisation

ISO 27001 Control 8.18 Use of Privileged Utility Programs

Purpose: To ensure the use of utility programs does not harm system and application controls for information security.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.18 Use of privileged utility programs

ISO 27001 Control 8.19 Installation of Software on Operational Systems

Purpose: To ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.19 Installation of software on operational systems

ISO 27001 Control 8.20 Network Security

Purpose: To protect information in networks and its supporting information processing facilities from compromise via the network.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.20 Network security

ISO 27001 Control 8.21 Security of Network Services

Purpose: To ensure security in the use of network services.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.21 Security of network services

ISO 27001 Control 8.22 Segregation of Networks

Purpose: To split the network in security boundaries and to control traffic between them based on business needs.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.22 Segregation of networks

ISO 27001 Control 8.23 Web Filtering – NEW

Purpose: To protect systems from being compromised by malware and to prevent access to unauthorised web resources.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.23 Web filtering

ISO 27001 Control 8.24 Use of Cryptography

Purpose: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.24 Use of cryptography

ISO 27001 Control 8.25 Secure Development Life Cycle

Purpose: To ensure information security is designed and implemented within the secure development life cycle of software and systems.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.25 Secure development lifecycle

ISO 27001 Control 8.26 Application Security Requirements – NEW

Purpose: To ensure all information security requirements are identified and addressed when developing or acquiring

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.26 Application security requirements

ISO 27001 Control 8.27 Secure Systems Architecture and Engineering Principles – NEW

Purpose: To ensure information systems are securely designed, implemented and operated within the development life cycle.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.27 Secure system architecture and engineering principles

ISO 27001 Control 8.28 Secure Coding

Purpose: To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.28 Secure coding

ISO 27001 Control 8.29 Security Testing in Development and Acceptance

Purpose: To validate if information security requirements are met when applications or code are deployed to the production environment.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.29 Security testing in development and acceptance

ISO 27001 Control 8.30 Outsourced Development

Purpose: To ensure information security measures required by the organisation are implemented in outsourced system development.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.30 Outsourced development

ISO 27001 Control 8.31 Separation of Development, Test and Production Environments

Purpose: To protect the production environment and data from compromise by development and test activities.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.31 Separation of development, test and production environments

ISO 27001 Control 8.32 Change Management

Purpose: To preserve information security when executing changes.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.32 Change management

ISO 27001 Control 8.33 Test Information

Purpose: To ensure relevance of testing and protection of operational information used for testing.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.33 Test information

ISO 27001 Control 8.34 Protection of information systems during audit testing – NEW

Purpose: To minimise the impact of audit and other assurance activities on operational systems and business processes.

View the ultimate certification guide to: ISO 27001:2022 Annex A 8.34 Protection of information systems during audit testing

ISO 27001 Controls List Excel

The simplest way to set out the ISO 27001 controls is in Excel. A complete list of all controls is then used to create the ISO 27001 Statement of Applicability.

Download the ISO 27001:2022 controls list in Excel.

ISO 27001 Controls FAQ

Are the ISO 27001 controls documentation heavy?

Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.

How do I document the ISO 27001 controls?

Using a word processor and a spreadsheet. You can consider a portal or web based application but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.

Is there an ISO 27001 controls PDF?

Yes, you can save the ISO 27001 controls spreadsheet that comes as part of our implementation in PDF format.

Are the ISO 27001 controls referred to as Annex A?

Yes. They are an Annex to the ISO 27001 standard.

What is ISO 27002?

ISO 27002 is a guidance standard to ISO 27001 Annex A. ISO 27002 sets out each control with implementation guidance for you to consider when implementing the control. ISO 27002 was updated in 2022 and is officially called ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls.

How many ISO 27001:2022 controls are there?

There are 93 controls in ISO 27001:2022.

How many controls are there in ISO 27002:2022?

There are 93 controls in ISO 27002:2022.

Do I need all ISO 27001:2022 Annex A 93 controls?

The ISO 27001:2022 Annex A controls are not mandatory but they are a list of controls that commonly mitigate information security risks. Once you have conducted your information security risk assessment you will pick the controls from ISO 27001 Annex A that mitigate risk. In addition you will review client requirements and legal and regulatory requirements to ensure that any controls required are also included.

Are there ISO 27001 controls for cloud?

Yes, ISO 27001 Annex A Control 5.23 Information security for use of cloud services is a new control for cloud security.

Is there an ISO 27001 controls checklist?

Yes. They are summarised here and you should purchase a copy of the standard for the details. The checklist forms part of our deliverables.

Is there an ISO 27001 controls spreadsheet?

Yes. This is included in our ISO 27001 implementation.

How many controls are there in ISO 27002:2013?

There are 114 controls in ISO 27002:2013.

How many ISO 27001:2013 controls are there?

There are 114 controls in ISO 27001:2013.

Do I need all ISO 27001:2013 114 controls in Annex A?

Yes, if you are operating the 2013 version of the standard, unless you have a good reason why you don't. In reality they are not mandatory, so don't have them for the sake of it. If you don't have them or need them, just document why. Remember this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don't do software development of course.

Where do I get a list of the 114 ISO 27001 controls?

The actual list of controls is in the ISO 27001 standard which you should purchase.

What are the ISO 27001 Annex A Control domains?

ISO 27001 Annex A is broken down into 4 control domains. These domains group the controls into logical areas:

  • ISO 27001:2022 Annex A 5 Organisational controls
  • ISO 27001:2022 Annex A 6 People controls
  • ISO 27001:2022 Annex A 7 Physical controls
  • ISO 27001:2022 Annex A 8 Technological controls
