ISO 27001: The 14 control sets of Annex A explained

ISO 27001 is the international standard that describes best practice for an ISMS (information security management system).

The Standard takes a risk-based approach to information security, requiring organisations to identify threats to their organisation and select appropriate controls to tackle them.

Those controls are outlined in Annex A of the Standard. There are 114 in total, divided into 14 different categories, which we have summarised below.

The 14 control sets

  • A.5 Information security policies (2 controls): how policies are written and reviewed.
  • A.6 Organisation of information security (7 controls): the assignment of responsibilities for specific tasks.
  • A.7 Human resource security (6 controls): ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
  • A.8 Asset management (10 controls): identifying information assets and defining appropriate protection responsibilities.
  • A.9 Access control (14 controls): ensuring that employees can only view information that’s relevant to their job role.
  • A.10 Cryptography (2 controls): the encryption and key management of sensitive information.
  • A.11 Physical and environmental security (15 controls): securing the organisation’s premises and equipment.
  • A.12 Operations security (14 controls): ensuring that information processing facilities are secure.
  • A.13 Communications security (7 controls): how to protect information in networks.
  • A.14 System acquisition, development and maintenance (13 controls): ensuring that information security is a central part of the organisation’s systems.
  • A.15 Supplier relationships (5 controls): the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
  • A.16 Information security incident management (7 controls): how to report disruptions and breaches, and who is responsible for certain activities.
  • A.17 Information security aspects of business continuity management (4 controls): how to address business disruptions.
  • A.18 Compliance (8 controls): how to identify the laws and regulations that apply to your organisation.

A job for IT?

As this list shows, ISO 27001’s controls aren’t simply within the remit of the organisation’s IT department, as many people assume.

Rather, the Standard addresses each of the three pillars of information security: people, processes and technology.

The IT department will play a role in each of those – most obviously in technology but also in developing the processes and policies that ensure those technologies are used properly.

Most controls will require the expertise of people from across your organisation, meaning you should create a multi-departmental team to oversee the ISO 27001 implementation process.

Using Annex A

Organisations aren’t required to implement all 114 of ISO 27001’s controls.

They’re simply a list of possibilities that you should consider based on your organisation’s requirements.

Annex A provides an outline of each control, and you should refer back to it when conducting an ISO 27001 gap analysis and risk assessment.

These processes help organisations identify the risks they face and the controls they must implement (or have already implemented) to tackle them.

The only problem with Annex A is that only provides a brief overview of each control. While this is good for reference use, it’s not helpful when actively implementing the control.

That’s where ISO 27002 comes it. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.

The Standard dedicates about one page to each control, explaining how each one works and providing advice on how to implement it.

Identify the controls you should implement

Find out how to determine which controls you should implement by reading our free green paper: Risk Assessment and ISO 27001


No Responses