ISO 27001 Controls Ultimate Guide


The Ultimate ISO 27001 Controls Guide is the most comprehensive ISO 27001 reference guide there is. For the beginner and the practitioner, this guide covers everything you need to know. Updated for the 2022 revision with all the latest guidance and insider trade secrets that others simply do not want you to know. Not for free anyway.

In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002:2013 controls and the new and updated ISO 27002:2022 control list. What controls do you need to implement? Let’s take a deep dive. I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Controls.

ISO 27001 Controls Overview

ISO 27001 is the international standard for information security. It has a checklist of ISO 27001 controls. These controls are set out in ISO 27001 Annex A, often referred to as ISO 27002.

We previously explored What is the difference between ISO 27001 and ISO 27002.

ISO 27001:2022

It is important to note that ISO 27001 itself has changed and is now referenced as ISO 27001:2022. You can read ISO 27001 2022 Everything You Need to Know for what has changed in ISO 27001. We are going to list the controls and the changes below.

ISO 27002:2022

The list of controls changed in 2022 and is now referenced as ISO 27002:2022. You can read the complete guide to the ISO 27002 changes for what exactly changed in ISO 27002. We are going to list the controls and the changes below.

Introduction

At the time of writing, businesses are still being assessed and certified against the old version of the controls. We will explore both.

I like the controls because they are standard controls that are easy to implement. When you buy a copy of the standard they are all laid out. Let us take a look at the ISO 27001 controls checklist. I have summarised them in the table of contents for ease of navigation.

If you want a list of both versions of the controls you can download a copy here.

ISO 27001:2022 ISMS Controls

ISO 27001 is the standard that you certify against. It is a management framework. Let’s start with a look at the ISO 27001 information security management system controls. ISO 27001 is divided into clauses which act as domains or groups of related controls. Click the links to learn everything you need to know about the control.

ISO 27001 Controls Summary Table

ISO/IEC 27001:2022 | ISO/IEC 27001:2013
ISO/IEC 27001:2022 Clause 4 Context of the Organisation | ISO/IEC 27001:2013 Clause 4 Context of the Organisation
ISO/IEC 27001:2022 Clause 4.1 Understanding the organisation and its context | ISO/IEC 27001:2013 Clause 4.1 Understanding the organisation and its context
ISO/IEC 27001:2022 Clause 4.2 Understanding the needs and expectations of interested parties | ISO/IEC 27001:2013 Clause 4.2 Understanding the needs and expectations of interested parties
ISO/IEC 27001:2022 Clause 4.3 Determining the scope of the information security management system | ISO/IEC 27001:2013 Clause 4.3 Determining the scope of the information security management system
ISO/IEC 27001:2022 Clause 4.4 Information security management system | ISO/IEC 27001:2013 Clause 4.4 Information security management system
ISO/IEC 27001:2022 Clause 5 Leadership | ISO/IEC 27001:2013 Clause 5 Leadership
ISO/IEC 27001:2022 Clause 5.1 Leadership and commitment | ISO/IEC 27001:2013 Clause 5.1 Leadership and commitment
ISO/IEC 27001:2022 Clause 5.2 Policy | ISO/IEC 27001:2013 Clause 5.2 Policy
ISO/IEC 27001:2022 Clause 5.3 Organizational roles, responsibilities and authorities | ISO/IEC 27001:2013 Clause 5.3 Organizational roles, responsibilities and authorities
ISO/IEC 27001:2022 Clause 6 Planning | ISO/IEC 27001:2013 Clause 6 Planning
ISO/IEC 27001:2022 Clause 6.1 Actions to address risks and opportunities | ISO/IEC 27001:2013 Clause 6.1 Actions to address risks and opportunities
ISO/IEC 27001:2022 Clause 6.1.1 General | ISO/IEC 27001:2013 Clause 6.1.1 General
ISO/IEC 27001:2022 Clause 6.1.2 Information security risk assessment | ISO/IEC 27001:2013 Clause 6.1.2 Information security risk assessment
ISO/IEC 27001:2022 Clause 6.1.3 Information security risk treatment | ISO/IEC 27001:2013 Clause 6.1.3 Information security risk treatment
ISO/IEC 27001:2022 Clause 6.2 Information security objectives and planning to achieve them | ISO/IEC 27001:2013 Clause 6.2 Information security objectives and planning to achieve them
ISO/IEC 27001:2022 Clause 7 Support | ISO/IEC 27001:2013 Clause 7 Support
ISO/IEC 27001:2022 Clause 7.1 Resources | ISO/IEC 27001:2013 Clause 7.1 Resources
ISO/IEC 27001:2022 Clause 7.2 Competence | ISO/IEC 27001:2013 Clause 7.2 Competence
ISO/IEC 27001:2022 Clause 7.3 Awareness | ISO/IEC 27001:2013 Clause 7.3 Awareness
ISO/IEC 27001:2022 Clause 7.4 Communication | ISO/IEC 27001:2013 Clause 7.4 Communication
ISO/IEC 27001:2022 Clause 7.5 Documented information | ISO/IEC 27001:2013 Clause 7.5 Documented information
ISO/IEC 27001:2022 Clause 7.5.1 General | ISO/IEC 27001:2013 Clause 7.5.1 General
ISO/IEC 27001:2022 Clause 7.5.2 Creating and updating | ISO/IEC 27001:2013 Clause 7.5.2 Creating and updating
ISO/IEC 27001:2022 Clause 7.5.3 Control of documented information | ISO/IEC 27001:2013 Clause 7.5.3 Control of documented information
ISO/IEC 27001:2022 Clause 8 Operation | ISO/IEC 27001:2013 Clause 8 Operation
ISO/IEC 27001:2022 Clause 8.1 Operational planning and control | ISO/IEC 27001:2013 Clause 8.1 Operational planning and control
ISO/IEC 27001:2022 Clause 8.2 Information security risk assessment | ISO/IEC 27001:2013 Clause 8.2 Information security risk assessment
ISO/IEC 27001:2022 Clause 8.3 Information security risk treatment | ISO/IEC 27001:2013 Clause 8.3 Information security risk treatment
ISO/IEC 27001:2022 Clause 9 Performance evaluation | ISO/IEC 27001:2013 Clause 9 Performance evaluation
ISO/IEC 27001:2022 Clause 9.1 Monitoring, measurement, analysis and evaluation | ISO/IEC 27001:2013 Clause 9.1 Monitoring, measurement, analysis and evaluation
ISO/IEC 27001:2022 Clause 9.2 Internal audit | ISO/IEC 27001:2013 Clause 9.2 Internal audit
ISO/IEC 27001:2022 Clause 9.2.1 General | NEW
ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programme | NEW
ISO/IEC 27001:2022 Clause 9.3 Management review | ISO/IEC 27001:2013 Clause 9.3 Management review
ISO/IEC 27001:2022 Clause 9.3.1 General | NEW
ISO/IEC 27001:2022 Clause 9.3.2 Management review inputs | NEW
ISO/IEC 27001:2022 Clause 9.3.3 Management review results | NEW
ISO/IEC 27001:2022 Clause 10 Improvement | ISO/IEC 27001:2013 Clause 10 Improvement
ISO/IEC 27001:2022 Clause 10.1 Continual improvement | ISO/IEC 27001:2013 Clause 10.1 Nonconformity and corrective action
ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action | ISO/IEC 27001:2013 Clause 10.2 Continual improvement
ISO/IEC 27001:2022 Annex A (normative) Information security controls reference | ISO 27002:2022 new version of control set

Now let's look at each of the ISO 27001 clauses and how they break down.

ISO 27001 Clause 4 Context of Organisation

The context of organisation controls look at being able to show that you understand the organisation and its context, that you understand the needs and expectations of interested parties, and that you have determined the scope of the information security management system.

ISO 27001 Context of Organisation Further Reading

ISO 27001 Clause 5 Leadership

ISO 27001 wants top down leadership and to be able to evidence leadership commitment. We require Information Security Policies that say what we do. We document the organisational roles and responsibilities.

ISO 27001 Leadership Further Reading

ISO 27001 Clause 6 Planning

Planning addresses actions to address risks and opportunities. ISO 27001 is a risk based system, so risk management is a key part, with risk registers and risk processes in place. We ensure that we have objectives and measures in place for the information security management system.

ISO 27001 Planning Further Reading

ISO 27001 Clause 7 Support

Education and awareness are put in place and a culture of security is implemented. A communication plan is created and followed. Resources are allocated and the competency of those resources is managed and understood. If it isn't written down it does not exist, so standard operating procedures are documented and documents are controlled.

ISO 27001 Support Further Reading

ISO 27001 Clause 8 Operation

Operations are managed and controlled and risk assessments undertaken.

ISO 27001 Operation Further Reading

ISO 27001 Clause 9 Performance Evaluation

Monitoring and measurement, together with the processes of analysis and evaluation, are implemented. As part of continual improvement, audits are planned and executed, and management reviews are undertaken following structured agendas.

ISO 27001 Performance Evaluation Further Reading

ISO 27001 Clause 10 Improvement

Improvement is a foundation of the ISO 27001 standard: the ability to adapt and continually improve. We are going to look at how we manage nonconformities and corrective actions and our processes for managing continual improvement.

ISO 27001 Improvement Further Reading

ISO 27002:2022 Controls Checklist

ISO 27002:2022 5 Organisational controls

ISO 27002:2022 5.1 Policies for information security

ISO 27002:2022 5.2 Information security roles and responsibilities

ISO 27002:2022 5.3 Segregation of duties

ISO 27002:2022 5.4 Management responsibilities

ISO 27002:2022 5.5 Contact with authorities

ISO 27002:2022 5.6 Contact with special interest groups

ISO 27002:2022 5.7 Threat intelligence – new

ISO 27002:2022 5.8 Information security in project management

ISO 27002:2022 5.9 Inventory of information and other associated assets – change

ISO 27002:2022 5.10 Acceptable use of information and other associated assets – change

ISO 27002:2022 5.11 Return of assets

ISO 27002:2022 5.12 Classification of information

ISO 27002:2022 5.13 Labelling of information

ISO 27002:2022 5.14 Information transfer

ISO 27002:2022 5.15 Access control

ISO 27002:2022 5.16 Identity management

ISO 27002:2022 5.17 Authentication information – new

ISO 27002:2022 5.18 Access rights – change

ISO 27002:2022 5.19 Information security in supplier relationships

ISO 27002:2022 5.20 Addressing information security within supplier agreements

ISO 27002:2022 5.21 Managing information security in the ICT supply chain – new

ISO 27002:2022 5.22 Monitoring, review and change management of supplier services – change

ISO 27002:2022 5.23 Information security for use of cloud services – new

ISO 27002:2022 5.24 Information security incident management planning and preparation – change

ISO 27002:2022 5.25 Assessment and decision on information security events

ISO 27002:2022 5.26 Response to information security incidents

ISO 27002:2022 5.27 Learning from information security incidents

ISO 27002:2022 5.28 Collection of evidence

ISO 27002:2022 5.29 Information security during disruption – change

ISO 27002:2022 5.30 ICT readiness for business continuity – new

ISO 27002:2022 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27002:2022 5.32 Intellectual property rights

ISO 27002:2022 5.33 Protection of records

ISO 27002:2022 5.34 Privacy and protection of PII

ISO 27002:2022 5.35 Independent review of information security

ISO 27002:2022 5.36 Compliance with policies and standards for information security

ISO 27002:2022 5.37 Documented operating procedures

ISO 27002:2022 6 People controls

ISO 27002:2022 6.1 Screening

ISO 27002:2022 6.2 Terms and conditions of employment

ISO 27002:2022 6.3 Information security awareness, education and training

ISO 27002:2022 6.4 Disciplinary process

ISO 27002:2022 6.5 Responsibilities after termination or change of employment

ISO 27002:2022 6.6 Confidentiality or non-disclosure agreements

ISO 27002:2022 6.7 Remote working – new

ISO 27002:2022 6.8 Information security event reporting

ISO 27002:2022 7 Physical controls

ISO 27002:2022 7.1 Physical security perimeter

ISO 27002:2022 7.2 Physical entry controls

ISO 27002:2022 7.3 Securing offices, rooms and facilities

ISO 27002:2022 7.4 Physical security monitoring

ISO 27002:2022 7.5 Protecting against physical and environmental threats

ISO 27002:2022 7.6 Working in secure areas

ISO 27002:2022 7.7 Clear desk and clear screen

ISO 27002:2022 7.8 Equipment siting and protection

ISO 27002:2022 7.9 Security of assets off-premises

ISO 27002:2022 7.10 Storage media – new

ISO 27002:2022 7.11 Supporting utilities

ISO 27002:2022 7.12 Cabling security

ISO 27002:2022 7.13 Equipment maintenance

ISO 27002:2022 7.14 Secure disposal or re-use of equipment

ISO 27002:2022 8 Technological controls

ISO 27002:2022 8.1 User endpoint devices – new

ISO 27002:2022 8.2 Privileged access rights

ISO 27002:2022 8.3 Information access restriction

ISO 27002:2022 8.4 Access to source code

ISO 27002:2022 8.5 Secure authentication

ISO 27002:2022 8.6 Capacity management

ISO 27002:2022 8.7 Protection against malware

ISO 27002:2022 8.8 Management of technical vulnerabilities

ISO 27002:2022 8.9 Configuration management

ISO 27002:2022 8.10 Information deletion – new

ISO 27002:2022 8.11 Data masking – new

ISO 27002:2022 8.12 Data leakage prevention – new

ISO 27002:2022 8.13 Information backup

ISO 27002:2022 8.14 Redundancy of information processing facilities

ISO 27002:2022 8.15 Logging

ISO 27002:2022 8.16 Monitoring activities

ISO 27002:2022 8.17 Clock synchronization

ISO 27002:2022 8.18 Use of privileged utility programs

ISO 27002:2022 8.19 Installation of software on operational systems

ISO 27002:2022 8.20 Network controls

ISO 27002:2022 8.21 Security of network services

ISO 27002:2022 8.22 Web filtering – new

ISO 27002:2022 8.23 Segregation in networks

ISO 27002:2022 8.24 Use of cryptography

ISO 27002:2022 8.25 Secure development lifecycle

ISO 27002:2022 8.26 Application security requirements – new

ISO 27002:2022 8.27 Secure system architecture and engineering principles – new

ISO 27002:2022 8.29 Security testing in development and acceptance

ISO 27002:2022 8.30 Outsourced development

ISO 27002:2022 8.31 Separation of development, test and production environments

ISO 27002:2022 8.32 Change management

ISO 27002:2022 8.33 Test information

ISO 27002:2022 8.34 Protection of information systems during audit and testing – new

ISO 27002:2013 Controls Checklist

ISO 27002:2013 is the old version of the Annex A controls and was replaced and updated in 2022. As businesses are still being assessed and certified against ISO 27002:2013, we will do a deep dive into those controls.

There are 114 controls in the 2013 version of the control list. Let's break them down. Helpfully, the controls start at number 5.

ISO 27002 2013 – 5 Information Security Policies

| 2 controls

ISO 27001 policies are your foundation. They say what you do, not necessarily how you do it. There are 2 controls in Annex A.5: management setting the direction of information security in the organisation through having policies for information security, and those policies being reviewed. You can see the ISO 27001 policies and the headline Information Security Policy by clicking the links.

ISO 27002 2013 – 6 Organisation of Information Security

| 7 controls

A management framework for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove conflicts of interest and segregate duties. Contact with authorities, which usually means local regulators and law enforcement, is established, as is contact with special interest groups. Special interest groups could be forums, trade or regulatory associations. As we likely have project management, we ensure that information security is included in the lifecycle. Weirdly, this annex shoehorns in both remote working and mobile devices, for which it expects policies.

ISO 27002 2013 – 7 Human resource security

| 6 controls

Ah, where would we be without HR? Here we have 6 controls relating to Human Resources. Taking care of pre-employment screening and background checking, terms and conditions of employment, what happens during employment, and information security training. Management responsibilities are included, as is the disciplinary process to tie it to security breaches, and termination or change of employment and of responsibilities. The last one we summarise as the starter, leaver, mover process.

ISO 27002 2013 – 8 Asset management 

| 10 controls

You cannot protect what you do not know, so a whopping 10 controls cover asset management. Nothing earth shattering or new here. We are in the territory of physical asset registers and data asset registers. The asset management policy looks at ownership of assets, acceptable use and return of assets. There are controls on information classification and labelling of information, but nothing strenuous. Handling assets and media is covered: the likes of removable media, disposing of it properly, and physical media transfer, if that is still something you do.

ISO 27002 2013 – 9 Access control

| 14 controls

Still with me? Good, good. Access control, as you would expect, is included. Another large control section, but not to be intimidated by. There are no surprises here. User management with registering and de-registering users, provisioning accounts, managing those privileged and admin accounts, password management and of course reviewing user access rights. Having a secure logon, which is pretty basic, and, if applicable, restricting utility programs and applications and controlling access to source code.

ISO 27002 2013 – 10 Cryptography

| 2 controls

2 controls, so how hard can this be? A policy on cryptographic controls and a key management process.

ISO 27002 2013 – 11 Physical and environmental security

| 15 controls

You are going to manage this mainly by having the right scope and probably outsourcing what is in scope to someone that has ISO 27001 certification and covers this for you. Still, let's take a look at the physical controls. For this you are into secure perimeters and physical entry controls to secure those offices and server rooms. Protecting against environmental threats like floods and earthquakes, working in areas that need to be more secure, considering loading bays if you have them, making sure equipment is installed properly, and looking at your power supplies and utilities. We have more policy on clear desk and clear screen, unattended user equipment and what needs to happen for equipment off site.

ISO 27002 2013 – 12 Operations security

| 14 controls

If it isn't written down it doesn't exist is a good rule to live life by when it comes to ISO 27001. All that good stuff you no doubt do needs writing down. Change management, capacity management, anti-virus, backups. All this stuff you do, that you just do, well, it needs documenting. Logging and monitoring, clock synchronisation, installs of software, managing vulnerabilities and patching. Who can install what. All to write down and document.

ISO 27002 2013 – 13 Communications security 

| 7 controls

Network security time. There is nothing that network people like doing more than documenting stuff. Wait till you ask them and see how pleased they are. Network diagrams, segregation in networks, information transfer, policies, procedures, documentation. Confidentiality agreements, managing those network suppliers. You have this covered.

ISO 27002 2013 – 14 System acquisition, development and maintenance

| 13 controls

You do software development as a company. I feel for you. 13 controls for your delight. From documenting requirements in the specifications, securing services over networks, protecting service transactions, to having a software development lifecycle written down that includes information security requirements. A policy, system change control, technical reviews, secure engineering principles. Dev, test, live. Testing. Test data. Outsourced development. All to document.

ISO 27002 2013 – 15 Supplier relationships 

| 5 controls

I am a big fan of this section. Outsource what you can, where you can and make it someone else’s problem. When you do you need controls around supplier registers, selecting suppliers, vetting them, monitoring, measuring them and the associated legal documentation. Have a third party supplier policy and a third party supplier register.

ISO 27002 2013 – 16 Information security incident management

| 7 controls

What happens, and what do you do, when things go wrong? Controls here on roles and responsibilities, reporting, assessing, responding to, and learning from incidents. An incident and corrective action log is a must.

ISO 27002 2013 – 17 Information security aspects of business continuity management 

| 4 controls

Having a plan, testing it, proving you tested it and having it all written down is the order of the day here. Business Continuity will keep you going when things go wrong.

ISO 27002 2013 – 18 Compliance 

| 8 controls

You made it to the last of the ISO 27001 Annex A controls. Compliance is compliance. What legal and regulatory compliance applies? If you document it, make sure you can show you meet it. Intellectual property, protecting records, data protection (GDPR), regulations on encryption, compliance with all these controls and the standard, and then independent reviews by someone who should know what they are doing.

ISO 27001 Controls FAQ

Do I need all 114 controls in Annex A?

Yes. Or a good reason why you don't. In reality they are not mandatory, so don't have them for the sake of it. If you don't have them or need them, just document why. Remember this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don't do software development of course.

Where do I get a list of the 114 ISO 27001 controls?

The actual list of controls is in the ISO 27001 standard which you should purchase.

Are the ISO 27001 controls documentation heavy?

Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.

How do I document the ISO 27001 controls?

Using a word processor and a spreadsheet. You can consider a portal or web based application but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.

Is there an ISO 27001 controls checklist?

Yes. They are summarised here and you should purchase a copy of the standard for the details. The checklist forms part of our deliverables.

Is there an ISO 27001 controls spreadsheet?

Yes. This is included in our ISO 27001 implementation.

Is there an ISO 27001 controls PDF?

Yes, you can save the ISO 27001 controls spreadsheet that comes as part of our implementation in PDF format.

Are there ISO 27001 controls for cloud?

Yes, the ISO 27001 controls apply to cloud as well as on premise.

Are the ISO 27001 controls referred to as Annex A?

Yes. They are an Annex to the ISO 27001 standard. On their own they are referred to as ISO 27002.

What is ISO 27002?

ISO 27002 is another name for the list of the 114 ISO 27001 controls.

How many ISO 27001 controls are there?

There are 114 controls in ISO 27001.

How many controls are there in ISO 27002?

There are 114 controls in ISO 27002.
