ISO 27001 is an international standard specifying the principles and controls businesses may use to create an Information Security Management System (ISMS) effectively.

Organizations employ ISO 27001 clauses and procedures to address security risks and get ISMS certification. The measures are outlined in Annex A, and organizations should select and implement the appropriate controls.

These controls will assist in reducing the identified security threats, resulting in a strong foundation.

What are the ISO 27001 Technical Security Controls?

ISO 27001 controls are the mechanisms that businesses must implement through policies, processes, and procedures to satisfy the framework’s security requirements. ISO 27001’s 114 controls are listed in Annex A and organized into 14 domains.

ISO 27001 Annex A is similar to a table of contents, listing all of ISO’s security rules. Organizations can select the proper controls and determine how to implement them based on their risk assessment and treatment strategy.

Because a company can utilize a variety of security controls to address different threats and objectives, ISO groups the Annex A controls into 14 distinct ISO 27001 categories, each defined by its scope and the business requirements it addresses.

1. Information Security Policies 

Annex A.5 of ISO/IEC 27001, Information Security Policies, discusses how leadership may guide and support an organization’s information security, mainly through governance.

Companies can set rules that workers, contractors, and other external stakeholders must follow to maintain a strong security posture, promote their security vision, and comply with laws and regulations. 

In addition to detailing the methods for drafting and delivering information security policies to workers, Annex A.5 mandates businesses to perform periodic evaluations to ensure that the policies are still applicable based on the organization’s current risks and regulatory requirements.      

2. Organization of Information Security 

Annex A.6 presents a framework for an organization’s information security processes, including traditional and teleworking activities. It has several focal areas, including establishing roles and responsibilities for information security operations and separating functions to decrease risk.

Technology, protocols, and regulations must be in place to ensure proper communication with authorities and special interest groups, such as associations, industrial groups, or specialist security organizations.

Furthermore, firms must have systems and procedures to ensure information security for special initiatives outside typical day-to-day operations, such as mobile devices or teleworking.

3. Human Resources Security

Annex A.7 lists the information security measures that apply to human resource management before, during, and after employment. For example, these controls include screening and conducting background checks on new workers and enforcing employment agreements.

Organizations utilize these rules to govern how managers supervise workers and contractors and develop protocols for offering security awareness education and training.

Finally, ISO 27001 A.7 specifies formal processes and duties for managing employee terminations and disciplinary actions.

4. Asset Management

Annex A.8 discusses recognizing and securing a company’s technology and data assets. ISO 27001 specifies asset management controls that regulate the systems for taking inventory of assets, assigning ownership responsibility for each item, defining and enforcing acceptable use of business assets, and compelling workers to return assets to the company after usage.    

Annex A.8 further requires businesses to have procedures to classify and identify all managed data based on its sensitivity, value, or regulatory requirements.

5. Access Control

Annex A.9 is one of the more significant categories on the list, with several rules for regulating user data access and system rights. For example, enterprises must implement control rules that enforce the concept of least privilege for network and resource access. Organizations must have a complete system to register, deregister, and provision users and to manage user permissions for regular and privileged accounts.

Next, Annex A.9 mandates companies to apply secure controls to store authentication information, such as user credentials, and to set policies governing who has access to credential data. User access rights should be assessed continuously, and modifications should be made accordingly. Finally, companies should develop secure login protocols and password management systems and build access control mechanisms for internal software.

6. Cryptography

Annex A.10, a brief but essential area within the ISO control framework, describes how an organization handles encryption and cryptographic measures to protect sensitive data.

The first control focuses on establishing and implementing corporate policies that compel users to utilize encryption under certain conditions and establish baseline cryptographic requirements. Companies also require a system for handling cryptographic keys and their lifecycles.

7. Physical and Environmental Security

The biggest category, Annex A.11, describes procedures for protecting organizational assets from illegal access or physical damage.

This category demands the establishment of a physical security perimeter with entrance restrictions to protect all offices, rooms, and facilities from internal and external threats. It also stresses safeguarding physical assets against non-digital threats such as natural catastrophes or unlawful access. 

Organizations must assess and manage risk in secure areas and delivery sites. Systems should be in place to ensure the safe installation, protection, maintenance, removal, destruction, and reuse of equipment and assets, including those situated off-site or unattended by users.

Companies must create clear desk policies for employees and procedures to safeguard telecommunications cables and protect equipment from utility failures.

8. Operational Security

Annex A.12 addresses the secure administration of data processing operations. ISO 27001 A.12 specifies systems for documenting operating procedures, supervising change management, and controlling operational capacity for data storage, processing power, and communications.

Organizations require controls to segregate their development, testing, and operational environments, back up their data, guard against malware, and log user and network activities.

Companies must protect their log data, keep system administrators’ activity logs separate from those of everyday users, and record all system events against a single synchronized time reference. Also, to protect the integrity of their operating systems, enterprises must implement:

  • Policies that enable or prevent program installation.
  • Procedures for addressing system vulnerabilities.
  • Mechanisms for auditing information-system controls.

9. Communications Security

Annex A.13 focuses on maintaining network security and ensures that enterprises safeguard information within and outside their networks. Firms must implement a system that detects, monitors, segregates, and regulates access to digital resources such as applications, data, and other network systems. 

ISO 27001 A.13 also addresses information security management when engaging with third parties such as customers, suppliers, and stakeholders.

Organizations require rules and processes for external information transfers, confidentiality agreements between the organization and outside users, and electronic message security methods.

10. System Acquisition, Development, and Maintenance

Annex A.14 covers security across all systems and life cycles, including development, maintenance, and testing. Organizations must identify information security requirements, develop a strategy for protecting applications on public networks, and safeguard application service transactions.

When operating systems change, businesses must have rules for secure software development, change control procedures, and technical reviews of the affected applications.

ISO 27001 A.14 mandates teams to limit the changes workers can make to software packages acquired from an outside vendor and the customization of open-source code.

Companies should also develop and enforce secure system engineering guidelines. They must use safe development environments, manage outsourced development effectively, and have security and acceptance testing protocols that protect test data.

11. Supplier Relationships

Annex A.15 describes the control areas that protect assets accessible to third-party providers or partners. Organizations require strategies to manage supplier relationships and handle security concerns in their service agreements. 

They must also assess and solve supply chain risks in managed technology systems. When employing data hosting centers or Infrastructure-as-a-Service (IaaS) providers, enterprises have little control over actions or events that might jeopardize data and applications maintained elsewhere.

Finally, companies should regularly evaluate supplier delivery and be prepared to address service changes.  

12. Information Security Incident Management

Annex A.16 describes how an organization handles a cybersecurity or breach incident. Companies must define their duties and incident response protocols. They also require a method for reporting information security events and system vulnerabilities.

Annex A.16 requires companies to establish criteria for what constitutes an incident, develop processes for learning from occurrences, and use technology to collect incident evidence.   

13. Information Security Aspects of Business Continuity Management

Annex A.17 discusses the procedure of keeping activities going after an event. Businesses should have established and implemented business continuity strategies in place.

These plans describe how to keep data and resources available if key environments become unavailable. The processes must be checked for efficacy and assessed regularly for organizational preparedness.

14. Compliance

Finally, Annex A.18 discusses the administration of legal and contractual duties. Businesses must identify the appropriate compliance requirements for information security, understand their intellectual property rights, and have mechanisms to secure data under the compliance umbrella.

Strong controls should be in place to safeguard Personally Identifiable Information (PII) and cryptographic technology that complies with contractual and regulatory standards across all areas. 

The compliance and information security assessment component of Annex A.18 states that businesses should get independent, third-party examinations of their information security risks and controls and adherence to compliance standards.

Organizations must also undertake internal assessments to verify that their security policies and processes are followed, and must carry out technical examinations of internal software, security technologies, and information systems.

What are the 11 New Controls in ISO 27001?

The 11 new controls included in the ISO 27001:2022 version are as follows:

A.5.7 Threat intelligence

This control requires you to collect and analyze threat data for suitable mitigation measures. This information might be on specific assaults, the attackers’ techniques, technology, or attack patterns.

This information should be gathered internally and externally via vendor reports and government agency statements.

A.5.23 Information security for use of cloud services

This control requires you to specify security requirements for cloud services to safeguard your data in the cloud better. This encompasses cloud-based services’ purchase, usage, management, and termination.

A.5.30 ICT readiness for business continuity

This control mandates that your information and communication technology be prepared for any interruptions, ensuring that necessary information and assets are available when needed. This involves preparedness planning, implementation, upkeep, and testing.

A.7.4 Physical security monitoring

This control requires you to monitor sensitive locations so that only authorized individuals can access them. This may include your offices, production facilities, warehouses, and other locations.

A.8.9 Configuration Management

This control requires you to manage the full security configuration lifecycle of your technology to provide an appropriate degree of security and prevent unauthorized modifications. This encompasses configuration definition, implementation, monitoring, and review.

A.8.10 Information deletion

This control requires you to delete data that is no longer needed to prevent the leakage of sensitive information and to ensure compliance with privacy and other regulations. This might involve deletions from your IT systems, portable media, or cloud services.

A.8.11 Data masking

This control requires you to use data masking in conjunction with access control to minimize the exposure of sensitive information. This generally refers to personal data, which is strictly controlled under privacy laws, although it might also encompass other types of sensitive data.

A.8.12 Data leakage prevention

This control requires you to implement various data leakage safeguards to prevent unauthorized exposure of sensitive information and to detect any leakage that does occur in a timely manner. This covers data in IT systems, networks, and other devices.

A.8.16 Monitoring activities

This control requires you to monitor your systems to detect odd activity and, if necessary, initiate the proper incident reaction. This involves monitoring your IT systems, networks, and applications.

A.8.23 Web filtering

This control requires you to control which websites your users can visit in order to safeguard your IT infrastructure. In this manner, you can protect your computers from malware while preventing people from accessing illicit content on the Internet.

A.8.28 Secure coding

This control requires you to establish secure coding rules and apply them to software development to eliminate vulnerabilities. This might encompass activities before, during, and after coding.

Benefits of ISO Technical Controls

Here are some reasons why your company could benefit from ISO 27001 certification.

Reduces the Likelihood of Audits

ISO 27001 accreditation is recognized worldwide and indicates excellent security, avoiding the need for recurring customer audits. When you have ISO 27001 certification, your clients and prospects will know you take data security seriously. Your worldwide security policies will aid in building confidence, retaining existing clients, and winning new business.

Improved Focus and Structure

As companies adapt and develop, people quickly lose sight of their information security obligations.

With ISO 27001, you may design a flexible system to guarantee that everyone remains focused on information security tasks. Similarly, it mandates organizations to do yearly risk assessments, allowing you to adjust as needed.

Mitigating Cybersecurity Risks

Implementing the ISO 27001 standard also assures that the company has an internationally acceptable degree of security efficacy in terms of procedures, rules, and controls to defend it from data threats and a business continuity management strategy.

Data Protection

The ISO/IEC 27001 accreditation demonstrates a professional’s commitment to information security. It displays their commitment to maintaining the highest levels of data protection. This dedication is highly valued by enterprises seeking to improve their security posture and safeguard critical information.

Who is Responsible for Implementing ISO 27001 Controls?

While the Infosec Officer (or team) will establish controls and ensure the organization’s compliance with the ISO 27001 standard, all workers bear primary responsibility for implementing Annex A controls. Employees bear a shared responsibility for security since they are the first defense against an attack.

Here, management support is essential. Therefore, management evaluation and approval of policies and procedures at every critical juncture is equally vital to implementing ISO 27001.

Identifying Which ISO Controls Your Organization Should Implement

At first, the 114 ISO 27001 controls may seem excessive. However, the work can be completed quickly if the controls are broken down methodically. Your risk assessment and treatment strategy should determine which controls you adopt, but choosing the best ones takes time. Analyzing your unique business requirements and vulnerabilities is crucial.

For example, determine which assets and data require priority protection. Analyze where gaps may exist that controls can fill. Consider applicable industry rules and trends. Obtaining feedback from important internal stakeholders, such as your IT, compliance, and legal departments, can provide insight. They may identify high-risk areas to focus on.

Prepare for Your ISO Audit with ZenGRC

Compliance audits for ISO (or any other regulatory framework) can be complex and time-consuming. Understanding what is expected of you, conducting internal audits, and documenting your efforts may all be tricky – but valuable resources are available.

ZenGRC is a fully integrated platform that lets you track the complete life cycle of your compliance and risk management program. ZenGRC allows you to manage outstanding requirements, organize paperwork, and establish priority actions for achieving and maintaining compliance.

Schedule a demo now to see how ZenGRC can help you develop your company’s compliance program.
