ISO 27001 Annex A Controls Explained

ISO 27001 is the international standard for information security. Its framework requires organisations to identify information security risks and select appropriate controls to tackle them.

Those practices are outlined in Annex A of ISO 27001, which contains 114 controls divided into 14 domains.

Thankfully, organisations aren’t expected to adopt every control in the Standard. They must instead document which ones are relevant based on information security risks they’ve identified.

From there, they must implement the appropriate controls within their ISMS (information security management system).

This blog outlines each of the 14 domains of Annex A of ISO 27001 to help you understand how its controls relate to your organisation.

Please note that new versions of ISO 27001 and ISO 27002 have now been published. However, the new versions of the Standards are not yet in force, so organisations should continue to use the existing framework.



ISO 27001 controls list: the 14 control sets of Annex A

Annex A.5 – Information security policies (2 controls)

Annex A.5 ensures policies are written and reviewed in line with the organisation’s information security practices.

Annex A.6 – Organisation of information security (7 controls)

This annex covers the assignment of responsibilities for specific tasks. It’s divided into two sections.

Annex A.6.1 ensures that the organisation has established a framework that can adequately implement and maintain information security practices.

Annex A.6.2 addresses mobile devices and remote working. It’s designed to ensure that anyone who works remotely follows appropriate practices.

Annex A.7 – Human resource security (6 controls)

The objective of Annex A.7 is to make sure that employees and contractors understand their responsibilities.

It’s divided into three sections:

Annex A.7.1 addresses individuals’ responsibilities before employment.

Annex A.7.2 covers their responsibilities during employment.

Annex A.7.3 addresses their responsibilities when they no longer hold that role because they’ve left the organisation or changed positions.

Annex A.8 – Asset management (10 controls)

This annex concerns the way organisations identify information assets and define appropriate protection responsibilities.

It contains three sections. Annex A.8.1 is primarily about organisations identifying information assets within the scope of the ISMS.

Annex A.8.2 is about information classification. This process ensures that information assets are subject to an appropriate level of defence.

Annex A.8.3 is about media handling, ensuring that sensitive data isn’t subject to unauthorised disclosure, modification, removal or destruction.

Annex A.9 – Access control (14 controls)

The aim of Annex A.9 is to ensure that employees can only view information that’s relevant to their job.

It’s divided into four sections, and addresses (1) the business requirements of access controls, (2) user access management, (3) user responsibilities, and (4) system and application access controls.

Annex A.10 – Cryptography (2 controls)

This annex is about data encryption and the management of sensitive information. Its two controls ensure that organisations use cryptography effectively to protect data confidentiality, integrity and availability.

Annex A.11 – Physical and environmental security (15 controls)

This annex addresses the organisation’s physical and environmental security. It’s the most extensive annex in the Standard, containing 15 controls separated into two sections.

Annex A.11.1 works to protect premises and sensitive data from unauthorised access, damage or interference.

Meanwhile, Annex A.11.2 deals specifically with equipment. It’s designed to prevent the loss, damage or theft of an organisation’s information asset containers.


Annex A.12 – Operations security (14 controls)

This annex ensures that information processing facilities are secure. It comprises seven sections.

Annex A.12.1 addresses operational procedures and responsibilities, ensuring that the correct operations are in place.

Annex A.12.2 addresses malware, ensuring that the organisation has the necessary defences to mitigate infection risk.

Annex A.12.3 covers organisations’ requirements when it comes to backing up systems to prevent data loss.

Annex A.12.4 is about logging and monitoring. It’s designed to make sure that organisations have documented evidence when security events occur.

Annex A.12.5 addresses organisations’ requirements when it comes to protecting the integrity of operational software.

Annex A.12.6 covers technical vulnerability management and is designed to ensure that unauthorised parties don’t exploit system weaknesses.

Finally, Annex A.12.7 addresses information systems audit considerations. It’s designed to minimise the disruption that audit activities cause to operational systems.

Annex A.13 – Communications security (7 controls)

This annex concerns the way organisations protect the information in networks. It’s divided into two sections.

Annex A.13.1 concerns network security management, ensuring that the confidentiality, integrity and availability of information in those networks remain intact.

Annex A.13.2 covers security when transferring information within or outside the organisation, to customers or other interested parties.

Annex A.14 – System acquisition, development and maintenance (13 controls)

Annex A.14 ensures that information security remains a central part of the organisation’s processes across the entire lifecycle.

Its 13 controls address the security requirements for internal systems and those that provide services over public networks.

Annex A.15 – Supplier relationships (5 controls)

This annex concerns the contractual agreements organisations have with third parties.

It’s divided into two sections. Annex A.15.1 addresses the protection of an organisation’s valuable assets that are accessible to or affected by suppliers.

Meanwhile, Annex A.15.2 is designed to ensure that both parties maintain the agreed level of information security and service delivery.

Annex A.16 – Information security incident management (7 controls)

This annex is about how to manage and report security incidents. It requires organisations to designate certain employees to handle tasks, ensuring that incident response is managed consistently.

Annex A.17 – Information security aspects of business continuity management (4 controls)

The aim of Annex A.17 is to create an effective system to manage business disruptions. It’s divided into two sections.

Annex A.17.1 addresses information security continuity. It outlines the measures that can be taken to ensure that information security continuity is embedded in the organisation’s business continuity management system.

Annex A.17.2 looks at redundancies, ensuring the availability of information processing facilities.

Annex A.18 – Compliance (8 controls)

This annex ensures that organisations identify relevant laws and regulations. This helps them understand their legal and contractual requirements, mitigating the risk of non-compliance and the penalties that come with that.

Who is responsible for implementing Annex A controls?

ISO 27001’s security requirements aren’t simply within the remit of the organisation’s IT department, as many people assume.

Instead, the Standard addresses each of the three pillars of information security: people, processes and technology.

The IT department will play a role in risk treatment, most obviously in selecting and operating technology, and in developing the processes and policies that ensure those technologies are used properly.

Most controls will require the expertise of people from across your organisation. This means you should create a multi-departmental team to oversee the ISO 27001 implementation process.


Using the 14 domains of ISO 27001

Organisations aren’t required to implement all 114 of ISO 27001’s controls.

They’re simply a list of possibilities that you should consider based on your organisation’s requirements.

Annex A provides an outline of each control. You should refer back to it when conducting an ISO 27001 gap analysis and risk assessment.

These processes help organisations identify the risks they face and the controls they must implement to tackle them.

The only problem with Annex A is that it only provides a brief overview of each control. While this is good for reference use, it’s not helpful when actively implementing the control.

That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.

The Standard dedicates about one page to each control, explaining how it works and how to implement it.


Identify the controls you should implement

Find out how to determine which controls you should implement by reading Nine Steps to Success – An ISO 27001 Implementation Overview.

This essential guide provides an in-depth explanation of ISO 27001 and includes a section on risk assessment.

Plus, it comes with a five-step guide detailing how you should complete the process.


A version of this blog was originally published on 18 March 2019.
