ISO 27001 Controls: A Guide to Implementing Annex A Controls

Gowsika

Gowsika

Feb 15, 2024

iso 27001 controls

ISO 27001 is an international standard that outlines various clauses and controls that organizations can implement for effectively building an Information Security Management System (ISMS).

The ISO 27001 clauses and controls are utilized by organizations to manage security risks and achieve ISMS certification. The controls are detailed in Annex A, and organizations should choose and deploy the relevant controls. These controls will help mitigate the identified security risks, establishing a robust framework.

Read this article to learn about the 114 ISO 27001 Annex A controls, compliance steps, and upcoming control list changes.

What are ISO 27001 Controls?

ISO 27001 controls are the measures that organizations must take by way of policies, processes, and procedures to meet the security requirements of the framework. ISO 27001 lists its 114 controls in Annex A which are divided into 14 domains.

ISO 27001 Annex A is like a Table of Contents that lists all the security controls under ISO. Organizations can pick and choose the appropriate controls and decide how they deploy them based on their risk assessment and risk treatment plan.

Who is responsible for implementing ISO 27001 Annex A controls?

Infosec Officer (or team) is responsible for the implementation of controls and the organization’s compliance with ISO 27001 standard, the fundamental responsibility of implementing the Annex A controls vests on all the employees. Employees are the first line of defense in a security attack; therefore, it is a shared responsibility.

Management buy-in is critical here. Therefore, the entire process of ISO 27001 implementation rests equally on management review and approval of policies and procedures at every decisive step.

How many ISO 27001 clauses and controls are there?

ISO 27001 comprises 114 security controls categorized into different functions. These controls are organized across various clauses that outline specific requirements for an Information Security Management System (ISMS). And it is essential to note that not all of them are IT-related. 

Here’s a peek at how they stack up:

iso 27001 controls

These controls cover the technologies, policies, and processes an organization uses to build and maintain its information security management system (ISMS). All the controls are written in a way that allows different organizations and businesses to meet ISO 27001 requirements in their own way.

Organizations, however, must compulsorily meet the requirements from Clauses 4-10 of the ISO 27001 to claim compliance. In other words, organizations can achieve certification to ISO 27001 only when they meet all the requirements in Clauses 4 through 10.

Getting ISO 27001
audit-ready?

Sprinto can help you get certified in
4 easy steps.

Note:

Every organization can select the controls that apply to them based on their risk profile. That said, you will need to document a valid reason why some controls don’t apply to your organization.

4 through 10 of the ISO 27001 clauses are mandatory for certification: