The International Organisation for Standardisation (ISO) has designed ISO 27001 as the leading international standard for information security management. At its core, ISO 27001 aims to provide organisations with a systematic and structured approach to managing information security risks. A crucial aspect of ISO 27001 is its comprehensive set of controls, which play a pivotal role in ensuring the confidentiality, integrity, and availability of sensitive information. In this blog, we will delve into Annex A of ISO 27001, the number of controls it comprises, and their significance in the realm of information security.
UPDATE: In October 2022, a new version of ISO 27001 was published. This new version is arranged differently, with 4 main sections rather than 14, and fewer controls. However, the bulk of the controls and the purpose of the standard remain the same.
Understanding ISO 27001 Controls
ISO 27001 controls are essentially a set of measures, policies, procedures, and technical safeguards that organisations implement to mitigate various information security risks. These controls are distributed across specific domains, each addressing different aspects of information security. Let’s explore the structure and key domains of ISO 27001 controls:
Annex A.5 – Information Security Policies (2 controls)
Annex A.5 ensures that information security policies are crafted and periodically reviewed to align with the organisation’s information security practices.
Annex A.6 – Organisation of Information Security (7 controls)
This annex is divided into two sections:
- Annex A.6.1 ensures that a robust framework for information security practices is in place.
- Annex A.6.2 addresses mobile devices and remote working to ensure secure practices for remote employees.
Annex A.7 – Human Resource Security (6 controls)
Annex A.7 ensures employees and contractors understand their responsibilities and is divided into three sections:
- Annex A.7.1 addresses responsibilities before employment.
- Annex A.7.2 covers responsibilities during employment.
- Annex A.7.3 addresses responsibilities upon leaving the organisation or changing roles.
Annex A.8 – Asset Management (10 controls)
This annex revolves around identifying information assets and defining protection responsibilities. It contains three sections:
- Annex A.8.1 involves identifying information assets within the ISMS scope.
- Annex A.8.2 focuses on information classification.
- Annex A.8.3 pertains to media handling and preventing unauthorised data exposure.
Annex A.9 – Access Control (14 controls)
Annex A.9 aims to ensure that employees only access relevant information. It covers four sections: business requirements of access controls, user access management, user responsibilities, and system and application access controls.
Annex A.10 – Cryptography (2 controls)
This annex emphasises data encryption and the effective management of sensitive information, ensuring data confidentiality, integrity, and availability.
Annex A.11 – Physical and Environmental Security (15 controls)
Annex A.11 addresses physical and environmental security, encompassing measures to protect premises, sensitive data, and equipment. It contains two sections:
- Annex A.11.1 safeguards premises and sensitive data.
- Annex A.11.2 ensures equipment protection.
Annex A.12 – Operations Security (14 controls)
This annex ensures the security of information processing facilities and covers seven sections addressing various operational security aspects:
- Annex A.12.1 addresses operational procedures and responsibilities.
- Annex A.12.2 mitigates malware risks.
- Annex A.12.3 covers the requirements for backing up systems.
- Annex A.12.4 refers to logging and monitoring.
- Annex A.12.5 covers protecting operational software integrity.
- Annex A.12.6 pertains to managing technical vulnerabilities.
- Annex A.12.7 addresses minimising audit disruptions.
Annex A.13 – Communications Security (7 controls)
This annex concerns the way organisations protect the information in networks. It’s divided into two sections:
- Annex A.13.1 concerns network security management.
- Annex A.13.2 covers security during information transfers.
Annex A.14 – System Acquisition, Development, and Maintenance (13 controls)
Annex A.14 ensures that information security remains a priority for the organisation across the whole system lifecycle. Its 13 controls concern the security requirements for internal and public network systems.
Annex A.15 – Supplier Relationships (5 controls)
This annex concerns the contractual agreements organisations have with third parties. It is split into two sections:
- Annex A.15.1 addresses the protection of assets accessible to or affected by suppliers.
- Annex A.15.2 ensures that supplier service delivery maintains the agreed level of information security.
Annex A.16 – Information Security Incident Management (7 controls)
This annex is about how to manage and report security incidents. It requires organisations to designate certain employees to handle tasks, ensuring that incident response is managed consistently.
Annex A.17 – Information Security Aspects of Business Continuity Management (4 controls)
The aim of Annex A.17 is to create an effective system to manage business disruptions. It’s divided into two sections:
- Annex A.17.1 maintains information security continuity.
- Annex A.17.2 covers redundancies for information processing facilities.
Annex A.18 – Compliance (8 controls)
This annex ensures that organisations identify the laws and regulations that apply to them. This helps them understand their legal and contractual requirements, mitigating the risk of non-compliance and the penalties that accompany it.
Who is Responsible for Implementing Annex A Controls?
Implementing ISO 27001 controls is not solely the responsibility of an organisation’s IT department. Instead, it spans the three pillars of information security: people, processes, and technology. The IT department will have the biggest role in implementing the standard, but a multi-departmental team should oversee the ISO 27001 implementation process, leveraging expertise from across the organisation to effectively address the controls.
How Many Controls Are There In ISO 27001?
ISO 27001 controls, as defined in Annex A of the standard, comprise a total of 114 controls. These controls are distributed across the 14 domains, each addressing specific aspects of information security. The number of controls may seem excessive, but their applicability varies based on the organisation’s risk assessment and security requirements. Organisations are not expected to implement every control; instead, they are expected to document which controls are relevant to them based on the specific risks to their information security.
ISO 27001 controls form the backbone of an organisation’s information security management system. They provide a structured framework for addressing information security risks comprehensively. Effectively implementing ISO 27001 controls not only enhances data protection but also demonstrates a commitment to maintaining robust information security practices.
At OmniCyber Security, we understand the complexities of implementing ISO 27001 controls and the significance of robust information security practices. Our team of experts is poised to guide your organisation through every stage of this transformative journey. Contact us today to explore how OmniCyber Security can assist your organisation in ISO 27001 and achieving information security excellence.