ISO27001 Checklist of the Main Security Control Domain

Published on : 22 Apr 2022

ISO27001 Checklist

Information Security Management System is an international standard designed to manage the security of sensitive information. At the core, ISMS is about managing the people, processes, and technology through a risk management program. While there are many standards under the ISO2000 family, the ISO27001 Standard is the most popular and widely accepted standard in the industry. 

The ISO 27001 standard provides a framework for implementing ISMS and securing information assets. The Information Security Standard and Framework help organizations implement security controls that ensure Confidentiality, Integrity, and Availability of sensitive data. Elaborating on the standard in detail, we have in the article also share a compliance checklist with a list of security controls that must be implemented for those looking to achieve ISO27001 Certification. But before getting into the details of the security control list, let’s understand in brief the ISO27001 Standard and framework. 

What is ISO27001 Standard?

ISO/IEC 27001 is an international standard for managing data security through an information security management system (ISMS). The standard which was first published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) had last been updated the standard in 2013. The Standard comprises 10 management system clauses and 14 Annex A Security Control Domain which lists 114 Information Security Controls that are designed to support the implementation and maintenance of ISMS.

While there is no mandate that all 114 Annex A controls be implemented by the organization, it is however recommended that risk assessment should be conducted to determine which controls are required and provide details explaining why other controls are excluded from the ISMS. So, for the understanding of our reader, we have today shared an ISO 27001 checklist to help an organization approach its implementation plan efficiently and prepare for certification. But this again would depend on the controls applicable to the organization based on the risk assessment findings and outcomes. 

ISO27001 Checklist and Security Controls

Achieving ISO 27001 certification helps organization prove their implementation and adoption of industry best security practices to potential customers in the industry. So, achieving the ISO27001 Certification will provide the organization with a competitive edge in the industry. That said, ISO 27001 Annex A  comprises  114 controls that are grouped into 14 security control categories. Each of the 14 categories has been explained in the article. Referring to this checklist will help organizations successfully implement an Information Security Management System (ISMS) according to the standard, and prepare the organization for the audit of ISMS to obtain ISO 27001 certification.

ISO27001 Annex A contains 14 Main categories of Security Controls

Annex A.5Information Security Policies
Annex A.6Organization of Information Security

Annex A.7Human Resource Security
Annex A.8

Asset Management
Annex A.9

Access Control
Annex A.10Cryptography

Annex A.11Physical and Environmental Security
Annex A.12Operations Security
Annex A.13

Communications Security

Annex A.14System Acquisition, Development, and Maintenance

Annex A.15Supplier Relationships

Annex A.16Information Security Incident Management

Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.18Compliance

Control Category A.5 – Information Security Policies

This section guides the management in implementing information security measures in alignment with the industry standards, regulations, and the organization’s security requirements. Organizations can achieve this by establishing and documenting Information Security Policies and by regularly reviewing them from time to time. 

Control Category A.6 – Organization of Information Security

This section guides the management to set an Information Security Framework that facilitates the implementation of Information Security within the organization, across verticals and operations. This requires organizations to define information security roles and responsibilities, segregation duties maintain appropriate contact details with ICO and ISACA, and ensure information security in project management, irrespective of the project type. Organizations are also required to ensure security in remote working including the security of mobile devices and teleworking. For this organizations are required to establish and maintain a stringent security policy supporting the security measures to manage risk associated with remote working including protection of information accessed, processed, stored remotely, and use of mobile devices. 

Control Category A.7 – Human Resource Security

This category is about setting security measures and prerequisites for employment to ensure that the employees are aware of their responsibilities and they are suitable for the role they are hired for. This requires organizations to conduct appropriate background checks on candidates. It further requires organizations to have in place information security policies, procedures, and contracts that define the employee’s information security roles and responsibility and documented signature of acknowledgment for the same from the candidate.

The organization must also ensure the employees receive adequate training and are regularly updated on the policy changes if any concerning information security. There must also be a well-defined, formal disciplinary process in place to ensure necessary actions are taken against any individual who does not adhere to the information security breach.   In addition to this, the organization needs to even have an Employee Termination Policy that defines the process for terminating or changing employee duties that are defined and enforced. 

Free Consulting

Control Category A.8 – Asset Management

This section is about asset security and management. Organizations are expected to maintain an inventory of all assets associated with information and information processing facilities. The asset must be classified and the inventory must include information about the assets and their designated asset owners. The organization must document the policies, procedures, and rules for the acceptable use and handling of assets. There shall also be policies and procedures in place to manage and prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.  The policies and procedures must include details on how the media should be handled, rules for disposal of media or systems containing information, and protection of data in transit. 

Control Category A.9 – Access control

The organization must have in place Access Control Policies and Procedures to support the implementation of restricted access to information and information processing facilities. Further, the policy must define roles and responsibilities to ensure only authorized individuals are granted access based on their roles. Organizations are expected to make the policies accessible to their employees to know their roles and responsibilities concerning their access to sensitive data or systems.

Further, organizations must define and establish user access management for formal user access provisioning, management of privilege access rights, and removal of access rights for users who leave the organization. Necessary measures should be implemented to ensure users are accountable for securing their passwords and preventing unauthorized access to systems and applications. 

Control Category A.10 – Cryptography

Organizations are expected to use the Cryptography technique to ensure confidentiality, integrity, and authenticity of the information. For this, the organization needs to establish and enforce a cryptography policy which should include details such as the use of cryptography controls, and cryptography key management.

Control Category A.11 – Physical and Environmental Security

This category is about ensuring the prevention of unauthorized physical access, damage, and interference to information and systems and facilities comprising information. So security measures must be implemented to secure systems and information and prevent data compromise and interruption to operations. For this, organizations need to implement physical security, for securing offices, rooms, and facilities with necessary access controls in place. They are further required to establish security policies and procedures that support the implementation of these physical security measures. This is to ensure protection against the external environmental threat.

Control Category A.12 – Operations Security

This category is about ensuring operational security within the organization. The organization needs to ensure that information processing facilities are operated appropriately and securely. So, to ensure safe and secure operations,  the organization needs to establish operational procedures and make them available to all. The procedure must include change management to control changes to business processes, information processing systems, and operations. It should also include capacity management to highlight the capacity requirements.

Organizations must also ensure enforcement of segregation of development, test, and operational environment. This is to reduce risks of unauthorized access or changes to operational environments. Further, to ensure security, necessary controls against malware should be established to detect, alert and prevent malware attacks. So, organizations are expected to implement anti-malware software for effective detection and prevention of attacks. Organizations are also expected to maintain a backup of information to protect against loss of data

Control Category A.13 – Communications Security

This category focuses on maintaining the security of Information when transferred internally or externally. The organization must for these reasons have a Network Management process in place which includes risk management, and ensuring network segmentation where applicable to prevent unauthorized access to sensitive networks and data.

This can be achieved by organizations by having in place agreements, and contracts with security-related SLAs mandated. For securing the data transition, the organization must have data transfer policies and procedures including details such as how the data should be transferred and made available to employees and the implementation of technical controls to prevent unauthorized data transfer.

This requires organizations to implement security controls to protect information transferred  through emails, social media, and other communication platforms.  the organization is also expected to maintain an agreement contract between third parties involved, specifying their responsibility in ensuring the security of data when transferred. There should also be in place Confidentiality or Nondisclosure Agreements that should be subject to regular review and maintenance of such records. 

Control Category A.14 – System Acquisition, Development, and Maintenance

The category focuses on ensuring the systems and operations within the environment are secured and the security implementations are an integral part of the systems and operations lifecycle. The organization must ensure information security requirements are specified when new systems are introduced or when systems are being enhanced or upgraded.

The organizations are expected to secure applications sending information over public networks against fraudulent activities, unauthorized access, and modification of data. The organizations must have in place technical security measures to prevent instances of incomplete transmission, unauthorized modification, disclosure of data, misrouting, or duplication of data.

The organization must also have in place a secure development policy, system change control procedures, and processes for secure software development, system engineering, secure development environment. The organization must also ensure system security testing is performed on outsourced developments.

Control Category A.15 – Supplier Relationships

This category focuses on ensuring the security of information accessed by suppliers. For this organizations should have in place documented policies and procedures concerning supplier management with details of all suppliers and information they have access to.

The organization must also develop an agreement or contract with suppliers mentioning their responsibilities and security requirements, addressing the information security risks associated with information and communications technology services and the supply chain. This should be in line with the security management policy. The Agreement or Contract must also include and mention the agreed level of information security and delivery of service in line with the Supplier Agreement.

Control Category A.16 – Information Security Incident Management 

This category focuses on ensuring consistent and effective enforcement of Information Security Incident Management. This includes communication security incidents and weaknesses in systems and processes. For this, organizations must define roles responsibilities, and a clear process for reporting incidents, information security weaknesses, assessment, and response to information security incidents. 

Control Category A.17 – Information Security Aspects of Business Continuity Management

This category focuses on ensuring Information Security and Business Continuity Management. The organizations are expected to have in place policies, procedures, and processes in place to facilitate Information Security and Business Continuity in case of an incident. This further needs to be documented for future use, reference, and audit purpose. Organizations are expected to evaluate review and verify the effectiveness of Information Security and Business Continuity Management.  The organization must also maintain information on whether the information processing facilities have sufficient redundancy to meet the organization’s availability requirements.

Control Category A.18 – Compliance

This category focuses on ensuring compliance with the legal, statutory, regulatory, or contractual obligations related to information security and security requirements.  Organizations are expected to identify and document applicable legislation and contractual requirements for compliance.

Further, it is a mandate to maintain records of all intellectual property rights and the use of proprietary software products. All records and documents should be secured against unauthorized access, destruction, and modification as per the legislative, regulatory, contractual, and business requirements.

Organizations must maintain the security and privacy of personally identifiable information (PII) and use cryptography controls in line with relevant agreements, legislation, and regulations. Organizations must also regularly conduct audit reviews and implementation of security controls. Further compliance with security policies and standards should be regularly reviewed and verified. 

Final Thought

ISO 27001 is an international standard that helps organizations understand the various requirements of an Information Security Management System (ISMS). The standard comprises multiple policies, procedures, processes, and systems that an organization must establish and implement that help manages information security risks. Achieving and Demonstrating the ISO/IEC 27001 certification implies that the organization followed the ISO 27001 guidelines and implemented the best practices of information security processes. It reflects the organization’s commitment to building and maintaining high-level security standards within the organization and thereby gaining customer confidence in them. 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.