A quick guide to ISO 27001 controls from Annex A
Annex A of ISO 27001 is probably the most famous annex of all the ISO standards – this is because it provides an essential tool for managing information security risks: a list of security controls (or safeguards) that are to be used to improve the security of information assets.
This article will provide you with an understanding of how Annex A is structured, as well as its relationship with the main part of ISO 27001, and with ISO 27002.
How many domains are there in ISO 27001?
The ISO 27001 controls list can be found in Annex A, and it is organized into 14 sections (domains). Contrary to what one might think, these are not all IT oriented – below you can find a breakdown of what particular sections are focused on:
- Sections related to organizational issues: A.5, A.6, A.8, A.15
- Section related to human resources: A.7
- IT-related sections: A.9, A.10, A.12, A.13, A.14, A.16, A.17
- Section related to physical security: A.11
- Section related to legal issues: A.18
What are the 14 domains of ISO 27001?
Here’s a short description of each of the 14 sections:
- A.5 Information security policies – controls on how the policies are written and reviewed
- A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
- A.7 Human resources security – controls prior to employment, during, and after the employment
- A.8 Asset management – controls related to inventory of assets and acceptable use; also for information classification and media handling
- A.9 Access control – controls for the management of access rights of users, systems and applications, and for the management of user responsibilities
- A.10 Cryptography – controls related to encryption and key management
- A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, Clear Desk and Clear Screen Policy, etc.
- A.12 Operational security – lots of controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
- A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
- A.14 System acquisition, development and maintenance – controls defining security requirements, and security in development and support processes
- A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
- A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
- A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
- A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
How many controls does ISO 27001 have?
There are 114 ISO 27001 information security controls listed in its Annex A in the current 2013 revision of the standard (compared to 133 from the previous 2005 revision of the standard). Here is a breakdown of what type of controls are included:
- Controls related to organizational issues: 24
- Controls related to human resources: 6
- IT-related controls: 61
- Controls related to physical security: 15
- Controls related to legal issues: 8
The best way to understand Annex A is to think of it as a catalogue of information security controls you can select from – out of the 114 controls that are listed in Annex A, you can choose the ones that are applicable to your company’s scope. Another approach is to use Annex A as an ISO 27001 controls checklist, for an initial evaluation of your organization’s readiness for an information security management process.
Relationship with ISO 27001 main clauses
Not all of these ISO 27001:2013 controls are mandatory – an organization can choose for itself which controls it finds applicable, and it must then implement them (in most cases, at least 90% of the controls are applicable); the rest are declared to be non-applicable. For example, control A.14.2.7 Outsourced development can be marked as non-applicable if a company does not outsource the development of software. The main criterion for selecting the controls is risk management, which is defined in clauses 6 and 8 of the main part of ISO 27001. Learn more here: ISO 27001 risk assessment & treatment – 6 basic steps.
Further, clause 5 of the main part of ISO/IEC 27001 requires you to define responsibilities for managing those controls, and clause 9 requires you to measure whether the controls have fulfilled their purpose. Finally, clause 10 requires you to fix anything that is wrong with those controls, and to make sure that you achieve information security objectives with those controls.
What is the difference between ISO 27001 and ISO 27002?
The truth is that Annex A of ISO 27001 does not give much detail about each control. There is usually one sentence for each control, which gives you an idea of what you need to achieve, but not how to do it.
This is why ISO 27002 was published – it has exactly the same structure as ISO 27001 Annex A: each control from Annex A exists in ISO 27002, but it has a much more detailed explanation on how to implement it. But, don’t fall into the trap of using only ISO 27002 for managing your information security risks – it does not give you any clues as to how to select which controls to implement, how to measure them, how to assign responsibilities, etc. Learn more here: ISO 27001 vs. ISO 27002.
Usability of Annex A
There are a couple of things I like about Annex A – it gives you a perfect overview of which controls you can apply so that you don’t forget some that would be important, and it gives you the flexibility to choose only the ones you find applicable to your business so that you don’t have to waste resources on the ones that are not relevant to you.
It is true that Annex A doesn’t give you much detail on implementation, but this is where ISO 27002 comes in; it is also true that some companies might abuse the flexibility of ISO 27001 and aim only for the minimum controls in order to pass the certification, but this is a topic for a different blog post.