ISO 27001 Controls – Annex A Explained

ISO 27001 outlines the various controls that organizations can implement to meet the requirements of the standard to design their Information Security Management System (ISMS). While it lists all the ISO 27001 controls in Annex A, organizations must deploy only the controls that will help mitigate the identified risks.

Read this article to know in detail the 14 domains and 114 ISO 27001 Annex A controls, the various ToDos in your compliance journey, and the expected changes in the controls list by the end of the year. 

What are ISO 27001 Controls?

ISO 27001 controls are the measures that organizations must take by way of policies, processes, and procedures to meet the security requirements of the standard. ISO 27001 lists its 114 controls in Annex A which are divvied into 14 domains.

Basically, Annex A is like a Table of Content that lists all the security controls under ISO 27001. Organizations can pick and choose the appropriate controls and decide how they deploy them based on their risk assessment and risk treatment plan.

You can read our article on ISO 27001 Checklist to learn more about risk assessment and risk treatment plans. A notable aside here: the list of applicable controls must be captured in your Statement of Applicability (SOA). Readying the SOA is an important step in your ISO 27001 compliance journey. It is a list of all of the controls from Annex A that apply to your organization.

How many controls are there in ISO 27001?

The list of ISO 27001 Controls has 114 security controls in total. The 114 controls are bucketed under different functions. And yes, not all are IT-related. Here’s a peek at how they stack up:

As we mentioned, you don’t need to implement all 114 List of ISO 27001 controls. The controls aren’t mandatory, and every organization can select the controls that apply to them based on their risk profile. That said, you will need to document a valid reason why some controls don’t apply to your organization. 

Organizations, however, must compulsorily meet the requirements from Clauses 4-10 of the ISO 27001 to claim compliance. In other words, organizations can achieve certification to ISO 27001 only when they meet all the requirements in Clauses 4 through 10.

What are the 14 domains of ISO 27001 Controls List?

ISO 27001 Controls List comprises 14 domains, each centered on specific security functions within the organization.

A5: Information Security Policies

As per the List of ISO 27001 controls here it determines if your organization has policies to provide management direction and support for information security. The organization needs to document relevant infosec policies and ensure they are approved by the management, published and communicated for staff awareness and reviewed periodically. 

Though the domain has only two controls, it is perhaps the most important one as it sets the tone for the organization-wide information security standards.

ToDos

• Documentation of your infosec policies
• Process for infosec policies’ approval, communication, and review

A6: Organisation of Information Security

If A5 was about setting up the information security policies and processes, A6 is about ensuring how the policies are implemented in the organization. The Annex provides a framework for assigning security roles across the organization such that no one drops the ball while implementing and running the ISMS. It also covers mobile devices and remote working.

While a lone infosec officer can spearhead the policy implementations for startups or smaller organizations, it’s a good practice to have a plan in place for the same as your organization grows.

ToDos

• Detailed organization structure with roles, reporting structure, job descriptions & responsibilities
• Process for ensuring data security for remote workers and vendors

A7: Human Resources Security

Much like the human resources function, the controls in this domain are centered on information security through the three phases of employees’ journey in an organization – before employment, during employment and on termination/change of employment.

These include background verification and mention of infosec responsibilities in the terms and conditions of employment, infosec awareness training on the job, disciplinary processes in case of security breaches, and policies implemented to ensure data security is maintained even after employees leave the organization.

ToDos

• Policies and relevant documentation/proof to demonstrate how every hire in the organization are evaluated
• Background checks & verification 
• Policies and proof to showcase that every employee undergoes periodic security training 
• Employee acknowledgment of the organization’s information security policies
• Policies and proof of how the organization ensures data security after employees leave the organization

A8: Asset Management

ISO 27001 Annex A controls in this domain help identify organizational assets (associated with information management) and define appropriate protection responsibilities.

It includes asset identification within the scope of the ISMS to its classification (confidential, restricted, internal and public) and access and media handling to prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

ToDos

• Proof to demonstrate how your organization ensures restricted access to all critical systems
• Data Encryption and media disposal procedure

A9: Access Control

An important facet of data security is controlling access to information, and this domain defines the controls to do just that. Access control, in essence, is user management that defines controls for the administration of login credentials, user privileges, access rights, and password management systems, to name a few.

It also includes access privileges of clients, applications, secure login procedures and controlled access to program source codes.

ToDos

• Proof of organization-wide access control and its periodic review
• User privilege and access rights to the production database
• Evidence of termination of access to organization’s information assets on offboarding

A10. Cryptography

Your organization should have a documented policy on cryptographic controls and key management processes. The objective of this domain is to ensure the confidentiality, integrity and availability of information are protected throughout. The policy should include details on the use, protection and lifetime of cryptographic keys.

ToDos

• Proof that all production database[s] that store customer data are encrypted at rest
• Documented encryption policy that’s made available for all staff on the company intranet
• Proof that endpoints with access to production systems are encrypted to protect them from unauthorised access

A11. Physical and Environmental Security

The control objectives for this domain focus on protecting your organization’s physical premises and preventing loss, damage, theft or compromise of its assets and operations. It does so by laying out controls to prevent unauthorized physical access, damage and interference with the organization’s ISMS.

Securing your premises, physical entry access controls, protection of the environment against natural disasters, clear desk and clean screen, unattended user equipment, authorized removal of assets and their secure disposal are other areas covered in this domain.

ToDos

• Proof that company-owned endpoints are configured to auto-screen-lock after 15 minutes of inactivity
• Production systems are encrypted from unauthorized access

A12. Operational Security

Comprising seven sub-domains, the controls listed here pertain to operational procedures, defences against malware, backups, logging & monitoring, change management, patch management, vulnerability management and penetration tests, and more. But more importantly, like anything in ISO 27001, it all needs to be documented.

ToDos

• Proof to demonstrate that endpoints with access to production systems are protected by malware-protection software
• Proof of periodic ISO 27001 audits of employee endpoints to ensure security patches are applied and the Operation System version is current (or the next most current)
• Vulnerability scans, pen tests, business continuity & disaster recovery policies, among others

Also, check out a detailed ISO 27001 audit checklist

A13.Communications Security

Network security, segregation of networks, secure transfer of information, confidentiality and non-disclosure agreements are some of the critical controls in this domain. It governs how organizations protect their data in networks.

A13.1 dwells on network security management and ensures that information security, confidentiality, integrity and availability are maintained throughout. A13.2 pertains to information on the move – to a different organization, third party or customer. 

ToDos

• Network service agreements detailing the security mechanisms, service levels and management requirements of all network services
• Data classification policy, Confidentiality policy, firewall with a deny-by-default rule

Also, check out ISO 27001 policy template.

A14. System Acquisition, Development and Maintenance

The first objective of A14 is to ensure that information security is integral to information systems across the entire lifecycle. So, data security should remain paramount for any changes made to the information security system or when a new system replaces the existing one.

The ISO 27001 controls cover the security requirements for internal systems and public networks. It also includes the controls for securing the software development life cycle (SDLC).

A15. Supplier Relationships

Vendor risk management is critical to managing your organization’s information security management system. The ISO 27001 controls here protect your organization’s assets accessible to the suppliers. Contractual agreements your organization has with its suppliers come under the purview of this domain.

You must demonstrate that you also hold your suppliers to a strict security standard.

ToDos

• Proof of periodic vendor risk assessments conducted to identify vendors critical to the systems’ security commitments and requirements.
• Senior Management review and approval of ‘Vendor Risk Assessment Report’ annually
• Documented Vendor Management Policy that guides staff on performing a risk assessment of third-party vendors

A16. Information Security Incident Management

This domain deals with controls that define the roles and responsibilities of employees when things go wrong (aka, there is a security breach). Who should be informed in the case of a breach? Who can make decisions? What are the must-dos in case of a breach?

The controls here detail the incident response and reporting process in case of a security incident and require defining the corrective action after one. Learnings and collection of evidence are also included here.

ToDos

• Continuous monitoring system with periodic review access 
• Policies and procedures for production assets to generate alerts and action in case of a threat
• Maintain a record of information security incidents

A17. Information Security Aspects of Business Continuity Management

Information security is critical. And it is especially so when facing business disruption, such as a natural disaster, acquisition, or political upheaval, to name a few. This domain requires the organization to have a plan of action in such events.

The first section addresses information security continuity, and the second focuses on redundancies to ensure information processing facilities’ availability.

ToDos

• Document and communicate your Business Continuity & Disaster Recovery Policies that establish guidelines and procedures on continuing business operations in case of a disruption or a security incident
• Restore and test data backups annually
• Test and document learnings from the periodic running of the disaster recovery plan

A18. Compliance

The last domain ensures organizations identify the relevant and applicable laws and regulations, such as intellectual property rights, privacy, and protection of personally identifiable information, and how they abide by them. It also includes how organizations mitigate the risk of non-compliance and penalties.

ToDos

• Proof to show access Control and restricted use of data 
• Media disposal policy
• Periodic vulnerability and pen testing
• Data protection, data retention and data classification policies on the company’s intranet

Also find out: How all these controls can be automated

Who is responsible for implementing Annex A controls?

While the Infosec Officer (or team) will spearhead the implementation of controls and the organization’s compliance with ISO 27001 standard, the fundamental responsibility of implementing the Annex A controls vests on all the employees. Employees are the first line of defence in a security attack; therefore, it is a shared responsibility. 

Management buy-in is critical here. Therefore, the entire process of ISO 27001 implementation rests equally on management review and approval of policies and procedures at every decisive step.

ISO 27001 Annex A controls vs ISO 27002

The ISO 27002 mirrors the ISO 27001 Annex A controls and provides detailed guidance on its implementation. The ISO 27002 saw a slew of changes recently. We can take the changes made in ISO 27002:2022 as a helpful guide to prep for the changes to ISO 27001 by the end of the year.

So, if your organization is currently assessing against ISO 27001, it may be a good idea to include the 11 new controls too. But if you are yet to begin your compliance journey, be proactive in preparing for the new controls. 

You can read more about it in our blog ISO 27001 vs ISO 27002.

Or better still, book a demo with us and see how Sprinto can make compliance easy, error-free and fast for you. 

How to identify which ISO 27001 Security Controls you should implement?

We understand that 114 List of ISO 27001 controls can seem daunting. But if you break them down, these rules and requirements can strengthen your organization’s security posture. While deciding which controls you should implement rests on your risk assessment and treatment plan, it can take away a chunk of your time. 

When you work with Sprinto, we do all the heavy lifting in drafting the policies (sans legal speak and editable), evidence collection and continuous monitoring. Our team of experts walk you through the ISO 27001 compliance requirements, risk assessment and treatment plan and helps you make the right choice of controls from Annex A. And that’s not all. Sprinto’s automated compliance platform makes you audit-ready within weeks and keeps you on top of your compliance game, whether there’s an audit or not. 

Talk to our team and learn more about how Sprinto can partner in your compliance journey.

Final Thoughts

So, that was all about ISO 27001 Annex A controls. Annex A is an important document for effectively meeting the ISO 27001 requirements. Once you have identified the controls that will be implemented, you can refer to ISO 27002 for more information.

To make your ISO 27001 journey a seamless ride, you can tune in to the Sprinto way to put your compliance ventures in auto-pilot mode. Book a demo with us and see how Sprinto can make compliance easy, error-free, and fast for you.

FAQs

How many controls does the ISO 27001 Annex A have?

There are a total of 114 controls in the ISO 27001 Annex A that are divided into 14 domains. The 114 controls in general come under different functions i.e. organizational issues, human resources, information technology, physical security, and legal issues.

Are Annex A controls mandatory?

No, it isn’t mandatory to implement all 114 ISO 27001 controls listed under Annex A. You can select the controls that apply to your organization based on the risk profile.

What is the primary purpose of Annex A controls?

The primary purpose/objective of Annex A controls is to improve the security of the organization’s information assets.