Implementation of controls
The implementation of controls for ISO 27001 is important to address the requirements from Clauses 4-10 of the framework, along with the Annex A controls.
The control implementation steps include conducting risk assessments for threat analysis, selecting appropriate controls, and integrating those controls into your business processes.
Implementing controls also goes hand in hand with the SoA (Statement of Applicability) as you need to document all Annex A controls, their implementation status, and justifications for exclusions. This is critical for certification audits.
| Control category | Number of controls | Focus area | Key examples |
|---|---|---|---|
| Organizational Controls | 37 | Policies, asset management, governance | Information security policy; risk assessment processes; identity and access management |
| People Controls | 8 | Human factors (training, remote work) | Security awareness programs; pre-employment screening; incident reporting procedures |
| Physical Controls | 14 | Physical environment security | Security perimeters; equipment maintenance; clear desk policies |
| Technological Controls | 34 | Digital asset protection | Malware protection; data backups; secure coding practices |
ISO 27001 Controls: A Guide to Implementing Annex A Controls