ISO 27001 outlines the various controls that organizations can implement to meet the requirements of the standard to design their Information Security Management System (ISMS). While it lists all the controls in Annex A, organizations need to deploy only the controls that will help mitigate the identified risks.
Read this article for a detailed look at the 14 domains and the 114 controls listed in Annex A of ISO 27001, the to-dos in your compliance journey and the changes expected in the controls list by the end of the year.
What are ISO 27001 Controls?
ISO 27001 controls are the measures that organizations must take by way of policies, processes and procedures to meet the security requirements of the standard. ISO 27001 lists its controls in Annex A; Annex A has 114 controls, divided into 14 categories. An organization’s response to the requirements listed against these controls will depend on its risk assessment, risk treatment plan and specific needs (if any).
Simply put, Annex A is like a table of contents that lists all the security controls under ISO 27001. Organizations can pick and choose the appropriate controls and decide how they deploy them based on their risk assessment and risk treatment plan. You can read our article on the ISO 27001 Checklist to learn more about risk assessment and risk treatment plans.
A notable aside here: the list of applicable controls must be captured in your Statement of Applicability (SOA). Readying the SOA is an important step in your ISO 27001 compliance journey. It is a list of all of the controls from Annex A that apply to your organization. The SOA should reveal which controls your organization has chosen to mitigate the identified risks. It should also include justifications for the inclusion and exclusion of controls and point to the relevant documentation on the implementation of each control.
How many controls are there in ISO 27001?
ISO 27001 has 114 security controls in total. The 114 controls are bucketed under different functions. And yes, not all of them are IT-related.
As we mentioned, you don’t need to implement all the 114 controls. The controls aren’t mandatory, and every organization can select the controls that apply to them based on their risk profile. That said, you will need to document a valid reason why some of the controls don’t apply to your organization.
Organizations, however, must meet the requirements of Clauses 4 through 10 of ISO 27001 to claim compliance. In other words, an organization can achieve certification to ISO 27001 only when it meets all the requirements in Clauses 4 through 10.
What are the 14 domains of ISO 27001 Controls List?
Annex A of ISO 27001 comprises 14 domains, each centred on a specific security function within the organization.
A5: Information Security Policies
The controls here determine if your organization has policies to provide management direction and support for information security. The organization needs to document relevant infosec policies and ensure they are approved by the management, published and communicated for staff awareness and reviewed periodically.
Though the domain has only two controls, it is perhaps the most important one as it sets the tone for the organization-wide information security standards.
- Documentation of your infosec policies
- Process for infosec policies’ approval, communication and review
A6: Organisation of Information Security
If A5 was about setting up the information security policies and processes, A6 is about ensuring the policies are actually implemented in the organization. The domain provides a framework for assigning security roles across the organization such that no one drops the ball while implementing and running the ISMS. It also covers mobile devices and remote working.
While a lone infosec officer can spearhead the policy implementation for startups or smaller organizations, it’s good practice to have a plan in place for this as your organization grows.
- Detailed organization structure with roles, reporting structure, job descriptions & responsibilities
- Process for ensuring data security for remote workers and vendors
A7: Human Resources Security
Much like the human resources function, the controls in this domain are centred on information security through the three phases of employees’ journey in an organization – before employment, during employment and on termination/change of employment.
These include background verification and mention of infosec responsibilities in the terms and conditions of employment, infosec awareness training on the job, disciplinary processes in case of security breaches, and policies implemented to ensure data security is maintained even after employees leave the organization.
- Policies and relevant documentation/proof to demonstrate how every hire in the organization is evaluated
- Background checks & verification
- Policies and proof to showcase that every employee undergoes periodic security training
- Employee acknowledgement of the organization’s information security policies
- Policies and proof of how the organization ensures data security after employees leave the organization
A8: Asset Management
The controls in this domain help identify organizational assets (associated with information management) and define appropriate protection responsibilities. The domain spans asset identification within the scope of the ISMS, asset classification (confidential, restricted, internal and public), and access and media handling to prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
- Proof to demonstrate how your organization ensures restricted access to all critical systems
- Data Encryption and media disposal procedure
A9: Access Control
An important facet of data security is controlling access to information, and this domain defines the controls to do just that. Access control, in essence, is user management: it defines controls for the administration of login credentials, user privileges, access rights and password management systems, to name a few. It also covers the access privileges of clients and applications, secure login procedures and controlled access to program source code.
- Proof of organization-wide access control and its periodic review
- User privilege and access rights to the production database
- Evidence of termination of access to the organization’s information assets on offboarding
A10: Cryptography
Your organization should have a documented policy on cryptographic controls and key management processes. The objective of this domain is to ensure the confidentiality, integrity and availability of information are protected throughout. The policy should include details on the use, protection and lifetime of cryptographic keys.
- Proof that all production databases that store customer data are encrypted at rest
- Documented encryption policy that’s made available for all staff on the company intranet
- Proof that endpoints with access to production systems are encrypted to protect them from unauthorised access
A11. Physical and Environmental Security
The control objectives for this domain focus on protecting your organization’s physical premises and preventing loss, damage, theft or compromise to its assets and operations. It does so by laying out controls to prevent unauthorized physical access, damage and interference to the organization’s ISMS.
Securing your premises, physical entry access controls, protection of the environment against natural disasters, clear desk and clean screen, unattended user equipment, authorized removal of assets and their secure disposal are other areas covered in this domain.
- Proof that company-owned endpoints are configured to auto-screen-lock after 15 minutes of inactivity
- Proof that production systems are encrypted to protect them from unauthorized access
A12. Operational Security
Comprising seven sub-domains, the controls listed here pertain to operational procedures, defences against malware, backups, logging & monitoring, change management, patch management, vulnerability management and penetration tests, and more. But more importantly, like anything in ISO 27001, it all needs to be documented.
- Proof to demonstrate that endpoints with access to production systems are protected by malware-protection software
- Proof of periodic audits of employee endpoints to ensure security patches are applied and the operating system version is current (or the next most current)
- Vulnerability scans, pen tests, business continuity & disaster recovery policies, among others
A13. Communications Security
Network security, segregation of networks, secure transfer of information, and confidentiality and non-disclosure agreements are some of the critical controls in this domain. It governs how organizations protect their data in networks. A13.1 covers network security management and ensures that information security, confidentiality, integrity and availability are maintained throughout. A13.2 pertains to information on the move, whether to a different organization, a third party or a customer.
- Network service agreements detailing the security mechanisms, service levels and management requirements of all network services
- Data classification policy, Confidentiality policy, firewall with a deny-by-default rule
A14. System Acquisition, Development and Maintenance
The first objective of A14 is to ensure that information security is integral to information systems across the entire lifecycle. So, data security should remain paramount for any changes made to an information system or when a new system replaces an existing one. The controls cover the security requirements for internal systems and for services on public networks. They also include the controls for securing the software development life cycle (SDLC).
A15. Supplier Relationships
Vendor risk management is critical to managing your organization’s information security management system. The controls here protect your organization’s assets accessible to the suppliers. Contractual agreements your organization has with its suppliers come under the purview of this domain. You will need to demonstrate that you also hold your suppliers to a strict security standard.
- Proof of periodic vendor risk assessments conducted to identify vendors critical to the systems’ security commitments and requirements.
- Senior Management review and approval of ‘Vendor Risk Assessment Report’ annually
- Documented Vendor Management Policy that guides staff on performing a risk assessment of third-party vendors
A16. Information Security Incident Management
This domain deals with controls that define the roles and responsibilities of employees when things go wrong (aka, there is a security breach). Who should be informed in the case of a breach? Who can make decisions? What are the must-dos in case of a breach? The controls here detail the incident response and reporting process in case of a security incident and also require defining the corrective action after one. Lessons learned and the collection of evidence are also included here.
- Continuous monitoring system with periodic review of access
- Policies and procedures for production assets to generate alerts on a threat, and for the action to be taken after that
- Maintain a record of information security incidents
A17. Information Security Aspects of Business Continuity Management
Information security is critical. And it is especially so when facing a disruption in business such as a natural disaster, acquisition, or political upheaval, to name a few. This domain requires the organization to have a plan of action in such events. The first section addresses information security continuity, and the second focuses on redundancies to ensure information processing facilities’ availability.
- Document and communicate your Business Continuity & Disaster Recovery Policies that establish guidelines and procedures on continuing business operations in case of a disruption or a security incident
- Restore and test data backups annually
- Test and document learnings from the periodic running of the disaster recovery plan
A18. Compliance
The last domain ensures organizations identify the relevant and applicable laws and regulations, such as intellectual property rights and the privacy and protection of personally identifiable information, and how they abide by them. It also covers how organizations mitigate the risk of non-compliance and penalties.
- Proof to show access control and restricted use of data
- Media disposal policy
- Periodic vulnerability and pen testing
- Data protection, data retention and data classification policies on the company’s intranet
Who is responsible for implementing Annex A controls?
While the Infosec Officer (or team) will spearhead the implementation of controls and the organization’s compliance with the ISO 27001 standard, the fundamental responsibility for implementing the Annex A controls rests with all the employees. Employees are the first line of defence against a security attack; therefore, it is a shared responsibility.
Management buy-in is critical here. Therefore, the entire process of ISO 27001 implementation rests equally on management review and approval of policies and procedures at every decisive step.
How to identify ISO 27001 Security Controls you should implement?
We understand that 114 controls can seem daunting. But if you break them down, these are just rules and requirements that can strengthen your organization’s security posture. While the decision of which controls you should implement rests on your risk assessment and treatment plan, it can take away a chunk of your time.
When you work with Sprinto, we do all the heavy lifting in drafting the policies (free of legal speak, and editable), evidence collection and continuous monitoring. Our team of experts walks you through the ISO 27001 compliance requirements, risk assessment and treatment plan and helps you make the right choice of controls from Annex A. And that’s not all. Sprinto’s automated compliance platform makes you audit-ready within weeks and keeps you on top of your compliance game, whether there’s an audit or not.
Talk to our team and find out more about how Sprinto can partner in your compliance journey.
ISO 27001 Annex A vs ISO 27002
ISO 27002 mirrors the controls list in Annex A of ISO 27001 and provides detailed guidance on its implementation. ISO 27002 saw a slew of changes recently. We can take the changes made in ISO 27002:2022 as a helpful guide to prepare for the changes to ISO 27001 by the end of the year. So, if your organization is currently assessing against ISO 27001, it may be a good idea to include the 11 new controls too. And if you are yet to begin your compliance journey, be proactive in preparing for the new controls.
You can read more about it in our blog ISO 27001 vs ISO 27002.
Or better still, book a demo with us and see how Sprinto can make compliance easy, error-free and fast for you.