ISO 27001, or ISO/IEC 27001, is an international standard that describes how organizations should adopt an information security management system (ISMS).
It was established by the International Organization for Standardization (ISO). ISO requirements specify that organizations should perform a risk assessment and identify any information security risks. The organizations must then implement the necessary security controls to reduce those risks.
Those ISO 27001 controls are outlined in Annex A of the standard. There are 114 Annex A ISO 27001 controls in total, grouped into 14 categories. We identify them below.
FAQ: What are the 14 ISO 27001 Control Sets of Annex A?
Annex A.5 – Information security policies (2 controls)
This annex assures that organizational policies are written in alignment with the organization’s cybersecurity practices and information security controls as a whole.
Annex A.6 – Organization of information security (7 controls)
This annex concerns the management process and assigned responsibilities for duties within the organization. It’s further divided into two more sections:
- Annex A.6.1 – holds that an organization must establish an architecture to execute and manage information security guidelines throughout the organization.
- Annex A.6.2 – concerns teleworking and the use of mobile devices. This ensures that anyone working remotely follows the prescribed protocols for risk management.
Annex A.7 – Human resource security (6 controls)
This annex seeks to confirm that all employees and contractors understand their assigned responsibilities and all security standards relevant to their work. It contains three parts:
- Annex A.7.1 – individuals understand their contractual obligations and responsibilities prior to being offered employment.
- Annex A.7.2 – individuals understand their contractual obligations and responsibilities during employment.
- Annex A.7.3 – individuals understand their contractual obligations and responsibilities when they’re no longer in a previous role, regardless of whether they are still with the company or not.
Annex A.8 – Asset management (10 controls)
This annex discusses how to identify intellectual property and requires that appropriate protection responsibilities be defined to preserve the integrity of an organization’s information assets. It has three parts:
- Annex A.8.1 – covers the scope of how organizations identify information technology assets as it relates to ISMS.
- Annex A.8.2 – concerns information classification and requires that information assets be defended appropriately.
- Annex A.8.3 – regards handling of storage media and mandates that all sensitive information be given high-risk treatment, including shielding it from unauthorized access, modification, disclosure, and elimination.
Annex A.9 – Access control (14 controls)
The goal of this annex is to ensure that employee access to data is limited to what’s necessary to conduct their job responsibilities. Its control objectives address business requirements, access controls, user access management, and user responsibilities.
Annex A.10 – Cryptography (2 controls)
This annex addresses encryption of sensitive data as well as how encryption is managed. It was created to ensure that cryptography practices are executed appropriately to preserve privacy and data availability.
Annex A.11 – Physical and environmental security (15 controls)
This annex concerns physical security as well as environmental security. Annex A.11 is the largest in the group, combining 15 controls in two sections.
- Annex A.11.1 – prevents unauthorized physical access to sensitive data within an organization, including the data’s removal, modification, or destruction.
- Annex A.11.2 – concerns equipment, and was created to prevent the theft or tampering of information assets—whether that asset is in a physical file, hardware, or software storage.
Annex A.12 – Operations security (14 controls)
This annex requires that information processing facilities maintain proper security protocols. It’s divided into seven sections:
- Annex A.12.1 – requires that the correct operational procedures be in place.
- Annex A.12.2 – concerns malware and requires that organizations put the proper defenses in place to protect against the spread of computer viruses.
- Annex A.12.3 – requires that organizations take measures to back up their systems and protect against data loss.
- Annex A.12.4 – incorporates internal audits so that evidence of any security events is appropriately documented.
- Annex A.12.5 – concerns requirements for protecting data privacy and integrity as it relates to organizational software.
- Annex A.12.6 – addresses technical vulnerability management as it relates to unauthorized access and the exploitation of system vulnerabilities.
- Annex A.12.7 – concerns information systems and seeks to minimize the disruption caused by internal audits on systems.
Annex A.13 – Communications security (7 controls)
This annex addresses the methods used by organizations to protect sensitive data within networks. It has two parts:
- Annex A.13.1 – addresses network security management, and requires that both confidentiality and availability of information remain in place for those networks.
- Annex A.13.2 – addresses the security of information as it is shared, whether to another department within the organization, a customer, a third party, or any other interested party.
Annex A.14 – System acquisition, development, and maintenance (13 controls)
The goal of this annex is to assure that information security policy is foundational to an organization’s processes. It includes security requirements for internal and external systems that provide services over a shared network.
Annex A.15 – Supplier relationships (5 controls)
This annex addresses any contractual agreements an organization has with third-party partners. It has two sections:
- Annex A.15.1 – addresses the protection of information assets accessed by vendors or partners.
- Annex A.15.2 – assures that both organizations and their third-party vendors maintain an appropriate level of information security during service delivery.
Annex A.16 – Information security incident management (7 controls)
This annex concerns how security incidents are handled. It provides that organizations must define employee responsibilities and create an effective approach to the reporting and handling of security breaches throughout the entire breach lifecycle.
Annex A.17 – Information security aspects of business continuity management (4 controls)
This annex requires organizations to create a systematic way of handling any business disruptions. It has two sections:
- Annex A.17.1 – primarily concerns information security continuity. It maps out the measures available to enforce information security continuity and to assure that security is foundational to your business continuity management system.
- Annex A.17.2 – examines any redundancies to make sure that information processing facilities are available.
Annex A.18 – Compliance (8 controls)
This annex requires organizations to identify any regulations or contractual requirements relevant to their operations. In this way, the organization can understand its legal duties and eliminate the chance of non-compliance and any associated fines or costs.
To achieve ISO 27001 certification, organizations must adhere to the security requirements that undergird the three pillars of information security: people, processes and technology.
To meet these requirements, organizations must develop their processes and policies with security as the foundation.
While organizations aren’t required to observe all 114 of ISO 27001’s controls, the controls do provide a comprehensive set of guidelines that an organization must consider before addressing how it will identify and handle associated risks.
If you’d like help in ensuring that your organization implements the proper information security controls to maintain compliance with ISO 27001 (and other regulations), please fill out the form below and we’ll reach out to discuss how we can partner together.