ISO 27001 is made up of 2 parts: the information security management system (ISMS), which is ISO 27001 itself, and the 114 ISO 27001 Annex A controls, which are also referred to as ISO 27002. In this section we look at the 114 ISO 27001 Annex A controls.
ISO 27002 / Annex A
This is a list of controls that a business is expected to review for applicability and implement. The controls are straightforward and cover the basics that a business should implement. The controls are added as an Annex to ISO 27001 and are therefore a requirement of the standard.
Statement of Applicability
The first step is to review the controls and decide whether or not each one is applicable. The result is referred to as a Statement of Applicability. This sets the scope of controls and what will be audited in the certification process. You need a compelling reason not to implement a particular control and should document why it is not applicable.
List of ISO 27001 Annex A controls
The following is a summary list of the 114 controls. For the full list of controls, when the time comes, you will want to purchase a copy of the standard. Let's break them down. Helpfully, the controls start at number 5.
Annex A.5 – Information Security Policies | 2 controls
Policies are your foundation. They say what you do, not necessarily how you do it. There are 2 controls in Annex A.5: management setting the direction of information security in the organisation by having policies for information security, and those policies being reviewed. You can see the typical ISO 27001 policies and the headline Information Security Policy by clicking the links.
Annex A.6 – Organisation of Information Security | 7 controls
A management framework for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove conflicts of interest and segregate duties. Contact with authorities, which usually means local regulators and law enforcement, is established, as is contact with special interest groups. Special interest groups could be forums, trade or regulatory associations. As we likely have project management, we ensure that information security is included in the project lifecycle. Weirdly, this annex shoehorns in both remote working and mobile devices, for which it expects policies.
Annex A.7 – Human resource security | 6 controls
Ah, where would we be without HR? Here we have 6 controls relating to Human Resources. They take care of pre-employment, screening and background checking, terms and conditions of employment, what happens during employment and information security training. Management responsibilities are included, as is the disciplinary process, to tie it to security breaches, along with termination of employment and of responsibilities. The last one we summarise as the starter, leaver, mover process.
Annex A.8 – Asset management | 10 controls
You cannot protect what you do not know about, so a whopping 10 controls cover asset management. Nothing earth shattering or new here. We are in the territory of asset registers, ownership of assets, acceptable use and return of assets. There are controls on information classification and labelling of information, but nothing strenuous. Handling assets and media is covered: the likes of removable media, getting rid of it or disposing of it properly, and physical media transfer, if that is still something you do.
Annex A.9 – Access control | 14 controls
Still with me? Good, good. Access control, as you would expect, is included. Another large control section, but not one to be intimidated by. There are no surprises here. User management with registering and de-registering users, provisioning accounts, managing those privileged and admin accounts, password management and, of course, reviewing user access rights. Having a secure logon, which is pretty basic, and, if applicable, restricting utility programs and applications and proper access control to source code.
Annex A.10 – Cryptography | 2 controls
2 controls, so how hard can this be? A policy on cryptographic controls and a key management process.
Annex A.11 – Physical and environmental security | 15 controls
You are going to manage this mainly by having the right scope and probably outsourcing what is in scope to someone that has ISO 27001 certification and covers this for you. Still, let's take a look at the physical controls. For this you are into secure perimeters and physical entry controls to secure those offices and server rooms. Protecting against environmental threats like floods and earthquakes, working in areas that need to be more secure, considering loading bays if you have them, making sure equipment is installed properly, looking at your power supplies and utilities. We have more policy on clear desk and clear screen, unattended user equipment and what needs to happen for equipment off site.
Annex A.12 – Operations security | 14 controls
"If it isn't written down it doesn't exist" is a good rule to live by when it comes to ISO 27001. All that good stuff you no doubt do needs writing down. Change management, capacity management, anti-virus, backups. All this stuff you do, that you just do, well, it needs documenting. Logging and monitoring, clock synchronisation, installation of software, managing vulnerabilities and patching. Who can install what. All to be written down and documented.
Annex A.13 – Communications security | 7 controls
Network security time. There is nothing network people like doing more than documenting stuff. Wait till you ask them and see how pleased they are. Network diagrams, segregation in networks, information transfer, policies, procedures, documentation. Confidentiality agreements, managing those network suppliers. You have this covered.
Annex A.14 – System acquisition, development and maintenance | 13 controls
You do development as a company. I feel for you. 13 controls for your delight. From documenting requirements in the specifications, securing application services over networks, protecting service transactions, to having a software development lifecycle written down that includes information security requirements. A policy, system change control, technical reviews, secure engineering principles. Dev, test, live. Testing. Test data. Outsourced development. All to document.
Annex A.15 – Supplier relationships | 5 controls
I am a big fan of this section. Outsource what you can, where you can, and make it someone else's problem. When you do, you need controls around supplier registers, selecting suppliers, vetting them, monitoring and measuring them, and the associated legal documentation.
Annex A.16 – Information security incident management | 7 controls
What happens, and what do you do, when things go wrong? Controls here cover roles and responsibilities, reporting, assessing, responding to and learning from incidents.
Annex A.17 – Information security aspects of business continuity management | 4 controls
Having a plan, testing it, proving you tested it and having it all written down is the order of the day here.
Annex A.18 – Compliance | 8 controls
You made it to the last of the ISO 27001 Annex A controls. Compliance is compliance. What legal and regulatory compliance applies? If you document it, make sure you can show you meet it. Intellectual property, protecting records, data protection (GDPR), regulations on encryption, compliance with all these controls and the standard, and then independent reviews by someone who should know what they are doing.
ISO 27001 Controls FAQ
Yes. Or a good reason why you don't. In reality they are not mandatory, so don't have them for the sake of it. If you don't have them or need them, just document why. Remember, this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don't do software development, of course.
The actual list of controls is in the ISO 27001 standard which you should purchase.
Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.
Using a word processor and a spreadsheet. You can consider a portal or web-based application, but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.
Yes. They are summarised here and you should purchase a copy of the standard for the details. The checklist forms part of our deliverables.
Yes. This is included in our ISO 27001 implementation.
Yes, you can save the ISO 27001 controls spreadsheet that comes as part of our implementation in PDF format.
Yes, the ISO 27001 controls apply to cloud as well as on-premise systems.
Yes. They are an Annex to the ISO 27001 standard. On their own they are referred to as ISO 27002.
ISO 27002 is another name for the list of the 114 ISO 27001 controls.
There are 114 controls in ISO 27001.
There are 114 controls in ISO 27002.