Decoding ISO 27001 Controls: A Comprehensive Guide

The ISO 27001 controls, detailed in Annex A of the standard, are structured into 14 categories. It is also known as control sets or clauses. Each of these categories has a number of controls, amounting to a total of 114. Here’s a breakdown of these categories and an overview of the types of controls they include:

A.5: Information Security Policies (2 controls)

This category provides directives for how organizations should manage and provide support for information security in alignment with their specific business requirements and pertinent laws and regulations. The controls focus on ensuring that policies are written, approved by management, published, communicated, and regularly reviewed and updated.

A.6: Organization of Information Security (7 controls)

These controls deal with the overall organization of information security within a company. It includes the definition and allocation of roles and responsibilities, and establishing a clear information security management structure. And outlining the processes involved in managing information security. The goal is to ensure that information security is ingrained in all aspects of the organization’s operational structure.

A.7: Human Resource Security (6 controls)

The controls under this category focus on the role of employees and contractors before, during, and after employment. This involves:

• screening potential employees during recruitment
• defining security roles and responsibilities in job descriptions and contracts
• implementing an information security awareness, education, and training program
• managing changes or termination of employment

The intent is to ensure that all individuals who access the company’s data are reliable. And have a clear understanding of their responsibilities related to information security.

A.8: Asset Management (10 controls)

This category of controls deals with the identification, classification, and handling of assets. An asset in the context of ISO 27001 can be anything that has value to the organization and needs protection, such as data, hardware, software, services, people, or even the company’s reputation.

The controls require the organization to maintain an inventory of assets, define appropriate responsibility for assets, establish information classification guidelines and procedures (e.g., public, internal, confidential, secret), and set up processes for handling assets (both digital and physical) to ensure their protection.

A.9: Access Control (14 controls)

A.10: Cryptography (2 controls)

The controls under this section provide guidelines for the proper and secure use of cryptography to protect the confidentiality, authenticity, and integrity of information. This includes the management and protection of cryptographic keys used in your organization, which are crucial for securing data during transmission or storage.

A.11: Physical and Environmental Security (15 controls)

This section outlines measures to prevent unauthorized physical access, damage, and interference to an organization’s facilities and information. It includes controls related to secure areas, equipment security, and aspects related to working off-premises. The aim is to protect physical assets (servers, computers, etc.) and information from physical threats, whether environmental (like fire or floods) or human (like theft or vandalism).

A.12: Operations Security (14 controls)

The controls in this section involve various aspects of operational security, such as protection against malware, backup procedures, logging and monitoring, operational software controls, vulnerability management, and audit considerations. These controls ensure that day-to-day operations do not inadvertently lead to security incidents. And that routine activities are performed with a high level of security.

A.13: Communications Security (7 controls)

This section covers aspects related to network security management and information transfer. This includes secure network design, management of network services, segregation in networks, and information transfer policies. The controls aim to protect information in networks and its transfer within and outside the organization.

A.14: System Acquisition, Development, and Maintenance (13 controls)

This section of controls covers aspects such as setting security requirements for information systems, ensuring security in development and support processes, and managing the security of test data. The aim is to ensure that security is an integral part of the systems lifecycle and that it is incorporated into the organization’s IT systems from inception to retirement.

A.15: Supplier Relationships (5 controls)

These controls offer guidelines on managing information security within supplier relationships, including the agreements with suppliers and managing supply chain security. It helps in ensuring that the organization’s assets that are accessible by suppliers are adequately protected.

A.16: Information Security Incident Management (7 controls)

The controls under this section cover the consistent and effective approach to managing information security incidents, including their reporting, response, and learning from these incidents. The goal is to ensure a swift and effective response to incidents to minimize their impact and prevent their recurrence.

A.17: Information Security Aspects of Business Continuity Management (4 controls)

This section covers the controls related to planning, implementing, and reviewing information security continuity, as well as redundancies. It ensures the organization’s preparedness to respond to and recover from disruptive incidents that could affect the availability of critical processes and systems.

A.18: Compliance (8 controls)