ISO 27001 Annex A controls complete guide

The ISO 27001 standard requires organisations to identify their information security risks and select controls to treat them. The reference set of controls is Annex A of ISO 27001, which in the 2013 edition of the standard contains 114 controls divided into 14 domains (the 2022 revision consolidated these into 93 controls across four themes, but the 2013 structure is the one described here). Organisations are not expected to adopt every control in the standard; they select the controls that address their own risks and justify the rest in the Statement of Applicability. This blog outlines all 14 domains of Annex A so that you gain a better understanding of how the controls apply to your organisation, with the help of an ISO consultant where needed.


How many ISO 27001 controls are there?

As mentioned above, ISO 27001 Annex A contains 114 controls that cover multiple areas of an organisation. The objective of the framework is to protect the confidentiality, integrity and availability of information. Implementing the appropriate controls gives the organisation a single framework through which it can demonstrate that it meets its legal, regulatory and contractual obligations and that information security is managed as a priority.

What are the 14 domains of ISO 27001 controls?

The 14 domains or focus areas in ISO 27001 are:

  1. Information security policies.
  2. Organisation of information security.
  3. Human resources security.
  4. Asset management. 
  5. Access control.
  6. Cryptography.
  7. Physical and environmental security.
  8. Operational security.
  9. Communications security.
  10. System acquisition, development and maintenance.
  11. Supplier relationships.
  12. Information security incident management.
  13. Information security aspects of business continuity management.
  14. Compliance.

You can learn more about the ISO 27001 domains and controls by reading our ISO 27001 clauses article.


Here is a comprehensive list of all the 14 control domains:

Annex A.5- Information security policies

This domain contains two controls with the objective of ensuring that information security policies are written, approved by management, communicated to staff and relevant external parties, and reviewed at planned intervals or when significant changes occur. The information security policy differs from one organisation to the next and is shaped by that organisation's field of activity. For example, if you are seeking ISO certification for a manufacturer, the policy should fit the conditions of a manufacturing company rather than be copied from a generic template.

Annex A.6- Organisation of information security

This domain contains seven controls with the objective of establishing a management framework for information security: defining and assigning security roles and responsibilities, segregating duties, maintaining contact with authorities and special interest groups, and addressing security in project management. It also covers the rules for mobile devices and teleworking, so that information accessed outside the office remains protected.

Annex A.7- Human resource security

This domain contains six controls with the objective of ensuring that employees, contractors and other parties understand their responsibilities before, during and after their period of employment. It directs the human resources function to screen candidates before hiring, set out security obligations in terms and conditions of employment, ensure that staff receive security awareness training and follow the information security policies, operate a formal disciplinary process, and manage responsibilities when a person's role changes or ends.

Annex A.8- Asset management

This domain contains 10 controls to identify, classify and protect information and assets from disclosure to unauthorised parties. The objective is to maintain an inventory of assets with assigned owners, define acceptable use of assets, implement a classification and labelling scheme, set out procedures for handling assets according to their classification, and securely manage, transport and dispose of removable media.

Annex A.9- Access control

There are 14 controls in this domain that aim to limit access to information and prevent unauthorised access to systems. They require the organisation to implement an access control policy, manage user registration and access rights through formal provisioning and regular review, govern the use of secret authentication information such as passwords, and restrict the use of privileged utility programs that can override system and application controls, as well as access to program source code.

Annex A.10- Cryptography

This domain contains two controls with the objective of ensuring that cryptography is used properly and effectively to protect the confidentiality, authenticity and integrity of information. This means defining a policy on the use of cryptographic controls that is appropriate to the organisation, and managing cryptographic keys through their whole lifecycle, from generation and distribution to storage, rotation and destruction.

Annex A.11- Physical and environmental security

This domain contains 15 controls with the objective of preventing unauthorised physical access to, and damage or interference with, the organisation's information and processing facilities, and of preventing the loss, damage or theft of assets that would interrupt operations. It covers defining and implementing a physical security perimeter and entry controls, securing offices and equipment, protecting against environmental threats, regularly maintaining equipment, and protecting equipment and media taken off the premises.

Annex A.12- Operational security

This domain contains 14 controls with the objective of ensuring the correct and secure operation of information processing facilities. It covers documented operating procedures and change management, capacity management, separation of development, test and production environments, protection against malware, backup, event logging and monitoring (with logs protected from tampering and clocks synchronised), control of operational software, management of technical vulnerabilities, and planning of audit activities so that they do not disrupt operations.

Annex A.13- Communication Security

This domain contains seven controls to protect information in networks and in transit. They cover managing and segregating networks, securing network services, and establishing policies and agreements for the transfer of information, including electronic messaging and confidentiality or non-disclosure agreements with external parties.

Annex A.14- System acquisition, development, and maintenance

This domain contains 13 controls to ensure that information security is an integral part of information systems across their whole lifecycle. They cover specifying security requirements when systems are acquired or built, securing application services on public networks, following a secure development policy with change control and security testing, protecting test data, and reviewing systems after changes to the operating platform.

Annex A.15- Supplier relationships

This domain contains five controls to ensure that the organisation's assets that are accessible to suppliers remain protected. They require an agreed level of information security to be addressed in supplier agreements, including the supply chain for ICT products and services, and supplier service delivery to be monitored, reviewed and managed through changes.

Annex A.16- Information security incident management

This domain contains seven controls to ensure that information security events and weaknesses are reported consistently and that incidents are managed effectively, including assessing and responding to incidents, learning from them, and collecting evidence in a way that preserves it.

Annex A.17- Information security aspects of business continuity management

This domain contains four controls to ensure that information security continuity is planned, implemented and verified as part of the organisation's business continuity management, and that information processing facilities have sufficient redundancy to meet availability requirements.

Annex A.18- Compliance

This domain contains eight controls to avoid breaches of legal, statutory, regulatory or contractual obligations relating to information security, including intellectual property, protection of records, privacy of personally identifiable information and regulation of cryptographic controls. It also requires independent reviews of information security and regular checks that systems and procedures comply with the organisation's own policies and standards.

Conclusion

The ISO 27001 standard contains 114 controls that are divided into 14 domains in Annex A. Organisations select the controls that are relevant to their own risks and may exclude those that are not, provided every inclusion and exclusion is justified in the Statement of Applicability.


Copyright © 2024 The ISO Council | Privacy Policy