Guide On ISO 27001 Controls


ISO 27001 or ISO/IEC 27001:2013 is an international standard created to help organizations manage the security processes of their information assets. This standard provides a solid framework for implementing an Information Security Management System also known as an ISMS. This framework facilitates the Confidentiality, Integrity and Availability of all essential corporate data through its secure and streamlined management processes.

ISO 27001 is one of the most recognized and internationally certified Information Security Standards. We have already discussed everything you need to know about the ISO 27001 standard in our previous blog post, which you can refer to for more details. Today’s article takes a closer look at ISO 27001 Audit Controls: it explains in detail what the ISO 27001 Audit Controls are and how they help strengthen the Cyber Security systems of your organization.

What are ISO 27001 Audit controls?

The ISO 27001 Audit Control Standards can be divided into two parts. The first part, which is the mandatory part, consists of 11 clauses, numbered 0 to 10. The second part, termed Annex A, provides a guideline for 114 control objectives and controls. Clauses 0 to 3 cover the Introduction, Scope, Normative references and the Terms and Definitions of the ISO 27001 standard.

Clauses 4 to 10 provide ISO 27001 requirements that are mandatory for any organization that wishes to be compliant with the Standard. Annex A is a part of the Standard which exists to support these clauses and their requirements with a list of controls that are not mandatory, but are selected as part of the Risk Management process. The 114 ISO 27001 Annex A controls can be divided into 14 categories which we will be covering below.

ISO 27001 Information Security Management Standard – Clauses 0 – 10

  1. Clause 0.1: Introduction – The ISO 27001 Standard gives you the information required to set up an efficient Information Security Management System. Implementing the standard protects your data from unauthorized users, supports compliance with various domestic and international standards, and gives stakeholders and customers confidence that you are a trusted company.
  2. Clause 1: Scope – This Clause states that the requirements specified in the ISO 27001 standard are to be applied within the context of your organization. Therefore, determining your organizational context is very important, so that you don’t overbuild your system and start trying to meet requirements you don’t need to achieve. The clause repeats that you need to use Risk Management processes for your ISMS. It also shows how this standard applies to organizations of all sizes.
  3. Clause 2: Normative references – This Clause exists to signify that ISO 27000 is indispensable to the application of ISO 27001. Therefore, you must read, understand and apply the ISO 27000 requirements and use them while building your ISMS.
  4. Clause 3: Terms and Definitions – This Clause is another important reason for you to first understand ISO 27000, as all the terms and definitions given in that Standard also apply to ISO 27001.
  5. Clause 4: Context of the organization – This Clause requires the organization to determine all internal and external issues that may be relevant to its business purposes and to the achievement of the objectives of the ISMS itself.
  6. Clause 5: Leadership – This Clause requires that top management responsibilities be defined, setting the roles and responsibilities, and contents of the top-level Information Security Policy to facilitate the smooth setup of the ISMS.
  7. Clause 6: Planning – Clause 6 seeks to cover the “preventive action” stated in the old ISO 27001:2005. It clearly defines requirements for risk assessment, risk treatment, the Statement of Applicability, the risk treatment plan, and how these integrate with and facilitate setting up the ISMS.
  8. Clause 7: Support – The next Clause states that resources required by the ISMS to achieve the stated objectives and show continual improvement must be defined and made available by the organization to the team implementing the system. It seeks to define the requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.
  9. Clause 8: Operation – This Clause seeks to ensure that risks and opportunities are treated properly, security objectives are achieved, and information security requirements are met. It defines the implementation of risk assessment as well as other processes needed to achieve information security objectives.
  10. Clause 9: Performance evaluation – This Clause deals with the constant monitoring, measurement, analysis and performance evaluation of the ISMS. It defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review, thus establishing clear measurement metrics for the organization.
  11. Clause 10: Improvement – This clause defines the requirements for nonconformities, corrections, corrective actions, and continual improvement.

What are the 14 domains of ISO 27001?

There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:

1. Annex A.5. Information Security Policies:

Annex A.5 is about providing management with the right direction for information security policies. The objective in this Annex is to manage direction and support for information security in accordance with the organization’s requirements and in line with the relevant laws and regulations. The Annex includes two controls:

  • A.5.1.1 Policies for Information Security – Annex A.5.1.1 states that a set of policies for information security must be defined, approved by management, published and communicated to employees and relevant external parties.
  • A.5.1.2 Review of the Policies for Information Security – Annex A.5.1.2 states that the policies for information security need to be reviewed at planned intervals, or if significant changes occur, so that they remain suitable, adequate and effective.

2. Annex A.6. Organization of Information Security:

a. Annex A.6.1 is about the internal organization of information security. The objective of this Annex is to establish a management framework that initiates and controls the implementation and operation of information security. It contains 7 controls.

b. Annex A.6.1.1 Information Security Roles & Responsibilities states that all information security responsibilities must be defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the responsibility for granting a particular permission).

3. Annex A.7. Human Resource Security:

a. Annex A.7.1 is about employment and is concerned directly with human resources. The objective here is to ensure that employees understand their responsibilities and are properly trained and suited for their roles. This Annex also covers what happens when people leave or change roles. The Annex is made up of 6 controls.

This covers background verification and competence checks on all candidates for employment. The contractual agreement signed by employees and contractors must explicitly state the responsibilities the employee and the company will both undertake for proper information security hygiene. The objective is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.

4. Annex A.8. Asset management:

Annex A.8.1 is about responsibility for assets. The objective of this Annex is to identify and define information assets in scope for the management system. Appropriate protection responsibilities must also be assigned to them. The Annex consists of 10 controls. All assets associated with information processing facilities must be identified and managed under this Annex. There should be a compiled inventory of assets that shows how the assets are managed and controlled in detail.

5. Annex A.9. Access Control:

a. Annex A.9.1 is about the business requirements of access control. The objective of this Annex is to limit access to information and information processing facilities. This Annex is made up of 14 controls. Under this Annex an access control policy must be established, documented and reviewed regularly, taking into account the business requirements for the assets in scope. Users should only get access to the network and network services they need to use or know about for their job. A process must be implemented to assign or revoke access rights for all user types to all systems and services.
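A concrete way to evidence the last two requirements above (access limited to what the role needs, and a working assign/revoke process) is a periodic reconciliation of a system's account export against the HR roster and the access control policy. The script below is an added example written for this article, not code from the original post or from VISTA InfoSec; the roster, role-to-entitlement policy and account export are constructed sample data, and the user, role and entitlement names are hypothetical.

```python
"""Joiner/mover/leaver reconciliation for Annex A.9 access control.

Added example (not from the article). It assumes three constructed inputs:
an HR roster, an access control policy mapping job roles to the entitlements
they may hold, and an export of one system's accounts with their entitlements.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# --- Constructed sample data (hypothetical users, roles and entitlements) ---

# HR roster: account name -> employment status and job role.
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "active", "role": "developer"},
    "carol": {"status": "terminated", "role": "developer"},
}

# Access control policy (A.9.1.1): entitlements each role is allowed to hold.
ROLE_POLICY: Dict[str, Set[str]] = {
    "finance":   {"ledger-read", "ledger-write"},
    "developer": {"repo-read", "repo-write"},
}

# Account export from one system: account -> entitlements currently granted.
SYSTEM_ACCOUNTS: Dict[str, Set[str]] = {
    "alice": {"ledger-read", "ledger-write"},
    "bob":   {"repo-read", "repo-write", "ledger-write"},  # beyond the developer role
    "carol": {"repo-read"},                                # leaver whose account still exists
    "svc-backup": {"repo-read"},                           # account with no HR record
}


@dataclass
class Finding:
    account: str
    kind: str      # "revoke" (leaver), "excess" (beyond role) or "orphan" (no owner)
    detail: str


def reconcile(roster: Dict[str, Dict[str, str]],
              policy: Dict[str, Set[str]],
              accounts: Dict[str, Set[str]]) -> List[Finding]:
    """Compare granted entitlements with the roster and policy; return findings."""
    findings: List[Finding] = []
    for account, granted in sorted(accounts.items()):
        person = roster.get(account)
        if person is None:
            # No HR record: the revoke process cannot trigger for this account,
            # so it needs a named owner or removal.
            findings.append(Finding(account, "orphan", "no HR record; assign an owner or revoke"))
            continue
        if person["status"] != "active":
            # Leaver still holding access: the revoke step of the process failed.
            findings.append(Finding(account, "revoke", f"user status is {person['status']}"))
            continue
        allowed = policy.get(person["role"], set())
        excess = granted - allowed
        if excess:
            # Mover or over-provisioned joiner: access beyond what the role needs.
            findings.append(Finding(account, "excess",
                                    f"beyond role {person['role']}: {', '.join(sorted(excess))}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; useful as a management-review metric (Clause 9)."""
    counts = {"revoke": 0, "excess": 0, "orphan": 0}
    for finding in findings:
        counts[finding.kind] += 1
    return counts


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ROLE_POLICY, SYSTEM_ACCOUNTS):
        print(f"{finding.kind:7} {finding.account:12} {finding.detail}")
    print(summarize(reconcile(HR_ROSTER, ROLE_POLICY, SYSTEM_ACCOUNTS)))
```

Run against a real export, the empty-findings case is the evidence an auditor asks for; each non-empty kind maps to a different weakness in the process (revocation not triggered, role mapping drifted, or an account outside the process entirely).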

6. Annex A.10. Cryptography:

a. Annex A.10.1 is about Cryptographic controls. The objective here is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. This Annex contains 2 controls. Under the requirements of this Annex a policy should be established on the use and protection of Cryptographic Keys. This policy should be implemented throughout the lifecycle of the keys. There should also be a process in place for the creation, distribution, changes, backup and storage of cryptographic key material through to its end of life and destruction.
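The key management process the paragraph describes is easiest to audit when the lifecycle is recorded as explicit states with allowed transitions, so that a retired or compromised key can never silently return to use and rotation deadlines are derived from the register rather than remembered. The register below is an added example for this article, not code from the original post or from VISTA InfoSec; the key identifiers, purposes, dates and rotation periods are constructed sample values, and the state names are the author's own choice, not terms from the standard.

```python
"""Cryptographic key lifecycle register for Annex A.10 (added example, not from the article).

Tracks each key through generated -> active -> retired/compromised -> destroyed,
refuses transitions the policy does not allow, and reports keys due for rotation.
Key ids, purposes, dates and rotation periods below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Lifecycle policy: which state each state may move to. Note there is no path
# back to "active" from "retired" or "compromised".
ALLOWED_TRANSITIONS: Dict[str, set] = {
    "generated":   {"active"},
    "active":      {"retired", "compromised"},
    "retired":     {"destroyed"},
    "compromised": {"destroyed"},
    "destroyed":   set(),
}


@dataclass
class KeyRecord:
    key_id: str
    purpose: str                  # e.g. "signing" or "encryption"
    state: str
    activated_on: Optional[date]
    rotation_days: int            # maximum active lifetime under the policy
    destroyed_on: Optional[date] = None


class KeyRegister:
    def __init__(self) -> None:
        self.keys: Dict[str, KeyRecord] = {}

    def add(self, record: KeyRecord) -> None:
        if record.key_id in self.keys:
            raise ValueError(f"duplicate key id {record.key_id}")
        self.keys[record.key_id] = record

    def transition(self, key_id: str, new_state: str, on: date) -> None:
        """Move a key to a new state, enforcing the lifecycle policy."""
        record = self.keys[key_id]
        if new_state not in ALLOWED_TRANSITIONS[record.state]:
            raise ValueError(f"{key_id}: {record.state} -> {new_state} not allowed")
        record.state = new_state
        if new_state == "active":
            record.activated_on = on
        if new_state == "destroyed":
            record.destroyed_on = on

    def may_use(self, key_id: str, purpose: str) -> bool:
        """Only active keys may be used, and only for their registered purpose."""
        record = self.keys.get(key_id)
        return record is not None and record.state == "active" and record.purpose == purpose

    def rotation_due(self, today: date) -> List[str]:
        """Active keys whose maximum lifetime has elapsed as of `today`."""
        due = []
        for record in self.keys.values():
            if record.state == "active" and record.activated_on is not None:
                if record.activated_on + timedelta(days=record.rotation_days) <= today:
                    due.append(record.key_id)
        return sorted(due)


def build_sample_register() -> KeyRegister:
    """Constructed sample: one signing key from 2023, its 2024 successor, and an encryption key."""
    reg = KeyRegister()
    reg.add(KeyRecord("signing-2023", "signing", "active", date(2023, 1, 15), 365))
    reg.add(KeyRecord("signing-2024", "signing", "active", date(2024, 2, 1), 365))
    reg.add(KeyRecord("enc-2024", "encryption", "generated", None, 180))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    today = date(2024, 3, 1)
    print("rotation due:", reg.rotation_due(today))
    reg.transition("signing-2023", "retired", today)
    print("old key usable for signing:", reg.may_use("signing-2023", "signing"))
```

The rotation report is the kind of output a Clause 9 management review can consume directly, and the rejected reverse transition is what turns the "end of life and destruction" requirement into something the system enforces rather than a procedure step that can be skipped.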

7. Annex A.11. Physical and environmental Security:

a. Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of this Annex is to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. It consists of 15 internal controls. Under this Annex the organization should define and document the security perimeters and boundaries for areas that contain either sensitive or critical information. This also includes areas with information processing facilities such as computers, laptops etc. Secure areas need to be protected with appropriate entry controls to ensure only authorized personnel are allowed access. This Annex also covers loss, damage, theft or compromise of assets and interruption to the organization’s operations.

8. Annex A.12. Operations security:

a. Annex A.12.1 is about Operational Procedures and Responsibilities. The objective of this Annex is to ensure correct and secure operations of information processing facilities. It is made up of 14 controls. Under this Annex operating procedures must be documented and then made available to all users who need them. Operating procedures documented in this manner ensure consistent operation of systems even in the case of new staff or changing resources, and can often be critical for disaster recovery, business continuity and for when staff availability is compromised. This Annex also covers protection from malware. The objective is to ensure that information and information processing facilities are protected against malware.

9. Annex A.13. Communications security:

a. Annex A.13.1 is about Network Security Management. The objective of this Annex is to ensure the protection of information in networks and its supporting information processing facilities. This Annex is made up of 7 controls. Networks must be managed and controlled to protect information within systems and applications. This means that the organization should use methods that ensure that the information within its systems and applications is protected.

b. Annex A.13.2 is about information transfer. The objective of this Annex is to maintain the security of information transferred within the organization and with any external entity, e.g. a customer, supplier or other interested parties.

10. Annex A.14. System Acquisition, Development and Maintenance:

a. Annex A.14.1 is about security requirements of information systems. The objective is to ensure that healthy information security practices remain an integral part of information systems across their entire lifecycle. This includes requirements for information systems that provide services over public networks. This Annex consists of 13 controls. Information security-related requirements must be included in any requirements for new information systems or enhancements to the existing information systems.

b. Annex A.14.2 is about security in development and support processes. The objective of this Annex is to ensure that information security is designed and implemented within the development lifecycle of information systems.

11. Annex A.15. Supplier Relationships:

a. Annex A.15.1 is about Information Security in supplier relationships. The objective is to protect the organization’s valuable assets that are accessible to or affected by suppliers. Other key relationships such as business partners should also be covered here. This Annex contains 5 controls.

b. Annex A.15.2 is about Supplier Service Delivery management. The objective of this Annex is to ensure that an agreed level of Information Security and service delivery is maintained in line with supplier agreements.

12. Annex A.16. Information Security Incident Management:

a. Annex A.16.1 is about management of Information Security Incidents, events and weaknesses. The objective is to ensure a consistent and effective approach to the lifecycle of incidents, events and weaknesses. This Annex is made up of 7 controls. These controls describe how management must establish responsibilities and procedures to ensure a quick, effective and orderly response to weaknesses, events and security incidents.

13. Annex A.17. Information Security Aspects of Business Continuity Management:

a. Annex A.17.1 is about Information Security Continuity. The objective is to embed Information Security Continuity into the organization’s Business Continuity Management Systems. This Annex contains 4 controls. The organization must determine its unique requirements for Information Security and take into account the continuity of Information Security Management in adverse situations, e.g. during a crisis or disaster.

14. Annex A.18. Compliance:

a. Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. This Annex contains 8 controls.

b. Annex A.18.2 is about Information Security reviews. The objective is to ensure that Information Security is implemented and operated in accordance with the organizational policies and procedures.


Using the 14 domains of ISO 27001

All of this might seem like too much information, which is where experienced cyber security firms such as VISTA InfoSec can step in and help make the process easier. As we discussed earlier, organizations are not required to implement all 114 of ISO 27001’s controls.

Annex A is a list of controls from which you select based on your organization’s risk assessment. The standard works as a guide for you and your management team for establishing, implementing, maintaining and continually improving an efficient Information Security Management System. With the controls that your risk assessment identifies as necessary in place, you will establish a seamless process that helps your organization identify and mitigate potential risks in time.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.