The complete guide to ISO 27001 Controls
ISO 27001 has a checklist of controls. These controls are set out in ISO 27001 Annex A, which is often referred to as ISO 27002. I like the controls because they are standard controls that are easy to implement. When you buy a copy of the standard they are all laid out. Let us take a look at the ISO 27001 controls checklist. I have summarised them in the table of contents for ease of navigation. If you want to download a copy of the controls, you can find them listed in either the Audit Worksheets or the Statement of Applicability. This list is used several times across several ISO 27001 ISMS documents.
Table of contents
- ISO 27001 Controls Checklist
- Annex A.5 – Information Security Policies | 2 controls
- Annex A.6 – Organisation of Information Security | 7 controls
- Annex A.7 – Human resource security | 6 controls
- Annex A.8 – Asset management | 10 controls
- Annex A.9 – Access control | 14 controls
- Annex A.10 – Cryptography | 2 controls
- Annex A.11 – Physical and environmental security | 15 controls
- Annex A.12 – Operations security | 14 controls
- Annex A.13 – Communications security | 7 controls
- Annex A.14 – System acquisition, development and maintenance | 13 controls
- Annex A.15 – Supplier relationships | 5 controls
- Annex A.16 – Information security incident management | 7 controls
- Annex A.17 – Information security aspects of business continuity management | 4 controls
- Annex A.18 – Compliance | 8 controls
- ISO 27001 Controls FAQ
- Read Next
Changes to ISO 27002 / Annex A
Before we look at the current control set it is worth mentioning that in 2022 the control set is changing. If you want to see what the new controls are, what has changed and what the differences are, you can read more in the Ultimate Guide to the ISO 27001 Changes for 2022.
ISO 27001 Controls Checklist
The following is the ISO 27001 controls checklist: the 114 controls in summary. Let's break them down. Helpfully, the controls start at number 5.
Annex A.5 – Information Security Policies | 2 controls
ISO 27001 policies are your foundation. They say what you do, not necessarily how you do it. There are 2 controls in Annex A.5: management setting the direction of information security in the organisation by having policies for information security, and those policies being reviewed. You can see the ISO 27001 policies and the headline Information Security Policy by clicking the links.
Annex A.6 – Organisation of Information Security | 7 controls
A management framework for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove conflicts of interest and segregate duties. Contact with authorities, which usually means local regulators and law enforcement, is established, as is contact with special interest groups. Special interest groups could be forums, trade or regulatory associations. As we likely have project management, we ensure that information security is included in the project lifecycle. Weirdly, this annex shoehorns in both remote working and mobile devices, for which it expects policies.
Annex A.7 – Human resource security | 6 controls
Ah, where would we be without HR? Here we have 6 controls relating to Human Resources. They take care of pre-employment screening and background checking, terms and conditions of employment, what happens during employment, and information security training. Management responsibilities are included, as is the disciplinary process that ties it to security breaches, and termination of employment and of responsibilities. The last one we summarise as the starter, leaver, mover process.
Annex A.8 – Asset management | 10 controls
You cannot protect what you do not know about, so a whopping 10 controls cover asset management. Nothing earth shattering or new here. We are in the territory of physical asset registers and data asset registers. The asset management policy looks at ownership of assets, acceptable use and return of assets. There are controls on information classification and labelling of information, but nothing strenuous. Handling assets and media is covered: the likes of removable media, disposing of it properly, and physical media transfer, if that is still something you do.
Annex A.9 – Access control | 14 controls
Still with me? Good, good. Access control, as you would expect, is included. It is another large control section, but not one to be intimidated by. There are no surprises here. User management covers registering and de-registering users, provisioning accounts, managing privileged and admin accounts, password management and, of course, reviewing user access rights. Then there is having a secure logon, which is pretty basic, and, if applicable, restricting utility programs and applications and controlling access to source code.
Annex A.10 – Cryptography | 2 controls
Annex A.11 – Physical and environmental security | 15 controls
You are going to manage this mainly by having the right scope and probably outsourcing what is in scope to someone who has ISO 27001 certification and covers this for you. Still, let's take a look at the physical controls. For this you are into secure perimeters and physical entry controls to secure those offices and server rooms; protecting against environmental threats like floods and earthquakes; working in areas that need to be more secure; considering loading bays if you have them; making sure equipment is installed properly; and looking at your power supplies and utilities. We have more policy on clear desk and clear screen, unattended user equipment, and what needs to happen for equipment off site.
Annex A.12 – Operations security | 14 controls
"If it isn't written down it doesn't exist" is a good rule to live by when it comes to ISO 27001. All that good stuff you no doubt do needs writing down. Change management, capacity management, anti-virus, backups. All this stuff you do, that you just do, well, it needs documenting. Logging and monitoring, clock synchronisation, installation of software, managing vulnerabilities and patching. Who can install what. All of it to write down and document.
Annex A.13 – Communications security | 7 controls
Network security time. There is nothing network people like doing more than documenting stuff. Wait till you ask them and see how pleased they are. Network diagrams, segregation in networks, information transfer, policies, procedures, documentation. Confidentiality agreements, managing those network suppliers. You have this covered.
Annex A.14 – System acquisition, development and maintenance | 13 controls
You do software development as a company. I feel for you. 13 controls for your delight. From documenting security requirements in the specifications, securing application services over networks, protecting service transactions, and having a software development lifecycle written down that includes information security requirements. A policy, a system change control, technical reviews, secure engineering principles. Dev, test, live. Testing. Test data. Outsourced development. All to document.
Annex A.15 – Supplier relationships | 5 controls
I am a big fan of this section. Outsource what you can, where you can, and make it someone else's problem. When you do, you need controls around supplier registers, selecting suppliers, vetting them, monitoring and measuring them, and the associated legal documentation. Have a third party supplier policy and a third party supplier register.
Annex A.16 – Information security incident management | 7 controls
What happens, and what do you do, when things go wrong? The controls here cover roles and responsibilities, reporting, assessing, responding to, and learning from incidents. An incident and corrective action log is a must.
Annex A.17 – Information security aspects of business continuity management | 4 controls
Having a plan, testing it, proving you tested it and having it all written down is the order of the day here. Business Continuity will keep you going when things go wrong.
Annex A.18 – Compliance | 8 controls
You made it to the last of the ISO 27001 Annex A controls. Compliance is compliance. What legal and regulatory compliance applies? If you document it, make sure you can show you meet it. Intellectual property, protecting records, data protection (GDPR), regulations on encryption, compliance with all these controls and the standard, and then independent reviews by someone who should know what they are doing.
ISO 27001 Controls FAQ
Yes. Or a good reason why you don't. In reality they are not mandatory, so don't have them for the sake of it. If you don't have them or don't need them, just document why. Remember this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don't do software development, of course.
The actual list of controls is in the ISO 27001 standard, which you should purchase.
Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.
Using a word processor and a spreadsheet. You can consider a portal or web-based application, but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.
Yes. They are summarised here and you should purchase a copy of the standard for the details. The checklist forms part of our deliverables.
Yes. This is included in our ISO 27001 implementation.
Yes, you can save the ISO 27001 controls spreadsheet that comes as part of our implementation in PDF format.
Yes, the ISO 27001 controls apply to cloud as well as on-premise systems.
Yes. They are an Annex to the ISO 27001 standard. On their own they are referred to as ISO 27002.
ISO 27002 is another name for the list of the 114 ISO 27001 controls.
There are 114 controls in ISO 27001.
There are 114 controls in ISO 27002.