ISO 27001 Controls List

The document summarizes the 14 control sets that make up Annex A of the ISO 27001 standard. It describes the purpose and sections of each control set, which address topics like information security policies, asset management, access control, operations security, and compliance. The control sets provide a framework for implementing and maintaining effective information security practices across an organization.

Uploaded by Ilkontisa Halima
ISO 27001 controls list: the 14 control sets of Annex A

This list follows Annex A of ISO/IEC 27001:2013, which groups 114 controls into 14 control sets (A.5 to A.18). The 2022 revision of the standard reorganizes the controls into four themes, so the numbering below applies to the 2013 edition.

Annex A.5 – Information security policies (2 controls)

This annex is designed to make sure that a set of information security policies is
defined, approved by management, published and communicated to staff and relevant
external parties, and reviewed at planned intervals (or whenever significant changes
occur), so that the policies stay in line with the organization's business
requirements and the laws and regulations that apply to it.

Annex A.6 – Organization of information security (7 controls)

This annex covers the assignment of responsibilities for specific tasks. It's divided
into two sections. Annex A.6.1 (internal organization) ensures that the organization
has established a framework that can adequately implement and maintain information
security practices.

Meanwhile, Annex A.6.2 addresses mobile devices and teleworking. It's designed to
ensure that anyone who works from home or on the go, either part-time or full-time,
follows appropriate practices.

Annex A.7 – Human resource security (6 controls)

The objective of Annex A.7 is to make sure that employees and contractors
understand their responsibilities. It's divided into three sections:

Annex A.7.1 addresses individuals' responsibilities before employment.

Annex A.7.2 covers their responsibilities during employment.

Annex A.7.3 addresses their responsibilities when they no longer hold that role
because they've left the organization or changed positions.

Annex A.8 – Asset management (10 controls)

This annex concerns the way organizations identify information assets and define
appropriate protection responsibilities.

It contains three sections. Annex A.8.1 is primarily about organizations identifying
information assets within the scope of the ISMS, assigning owners to them and
defining their acceptable use.

Annex A.8.2 is about information classification. This process ensures that
information assets are subject to an appropriate level of protection.

Annex A.8.3 is about media handling, ensuring that sensitive data isn't subject to
unauthorized disclosure, modification, removal, or destruction.
Annex A.9 – Access control (14 controls)

The aim of Annex A.9 is to limit access to information and information processing
facilities to what each user needs for their role, so that employees cannot read,
change or run anything beyond what their job requires.

It's divided into four sections, addressing the business requirements of access
control, user access management (provisioning, privileged access, secret
authentication information and regular access reviews), user responsibilities and
system and application access control, respectively.

Annex A.10 – Cryptography (2 controls)

This annex is about the proper and effective use of cryptography. Its two controls
require a policy on the use of cryptographic controls (A.10.1.1) and a process for
managing cryptographic keys through their whole lifecycle (A.10.1.2). Note that
cryptography protects the confidentiality, authenticity and integrity of information;
it does not by itself protect availability, and a weak key-management process can
undermine even a well-chosen algorithm.

Annex A.11 – Physical and environmental security (15 controls)

This annex addresses the organization's physical and environmental security. It's
the most extensive annex in the Standard, containing 15 controls separated into
two sections.

The objective of Annex A.11.1 is to prevent unauthorized physical access, damage
or interference to the organization's premises or the sensitive data held therein.

Meanwhile, Annex A.11.2 deals specifically with equipment. It's designed to
prevent the loss, damage, theft or compromise of the hardware, media and other
physical containers that hold the organization's information, and the interruption
to operations that such events cause.

Annex A.12 – Operations security (14 controls)

This annex ensures that information processing facilities are operated correctly
and securely, and comprises seven sections.

Annex A.12.1 addresses operational procedures and responsibilities: documented
operating procedures, change management, capacity management and the separation
of development, test and operational environments.

Annex A.12.2 addresses malware, ensuring that the organization has the
necessary defenses to mitigate infection risk.

Annex A.12.3 covers organizations' requirements when it comes to backing up
information, software and systems to prevent data loss.

Annex A.12.4 is about logging and monitoring. It's designed to make sure that
event logs are recorded, protected from tampering and regularly reviewed, that
administrator and operator activity is logged, and that system clocks are
synchronized, so that organizations have reliable evidence when security events
occur.

Annex A.12.5 addresses organizations' requirements when it comes to protecting
the integrity of operational software, by controlling how software is installed on
production systems.

Annex A.12.6 covers technical vulnerability management and restrictions on
software installation, and is designed to ensure that unauthorized parties don't
exploit system weaknesses.

Finally, Annex A.12.7 addresses information systems audit considerations. It's
designed to minimize the disruption that audit activities have on operational
systems.

Annex A.13 – Communications security (7 controls)

This annex concerns the way organizations protect the information in networks.

It's divided into two sections. Annex A.13.1 concerns network security
management, ensuring that the confidentiality, integrity and availability of
information in those networks remain intact.

Meanwhile, Annex A.13.2 deals with information transfer, whether it's going to a
different part of the organization, a third party, a customer or another
interested party.

Annex A.14 – System acquisition, development and maintenance (13 controls)

The objective of Annex A.14 is to ensure that information security remains a
central part of the organization's processes across the entire lifecycle of its
information systems.

Its 13 controls are divided into three sections: Annex A.14.1 addresses the
security requirements of information systems, including those that provide
services over public networks; Annex A.14.2 addresses security in development
and support processes (secure development policy, change control, testing and
outsourced development); and Annex A.14.3 addresses the protection of test data.

Annex A.15 – Supplier relationships (5 controls)

This annex concerns the contractual agreements organizations have with third
parties. It's divided into two sections.

Annex A.15.1 addresses the protection of an organization's valuable assets that
are accessible to or affected by suppliers.

Meanwhile, Annex A.15.2 is designed to ensure that both parties maintain the
agreed level of information security and service delivery.

Annex A.16 – Information security incident management (7 controls)

This annex is about how to manage and report security incidents. Its single
section covers responsibilities and procedures, the reporting of security events
and weaknesses, the assessment of events, the response to incidents, learning
from incidents and the collection of evidence. Identifying which employees take
responsibility for each of these steps ensures a consistent and effective approach
to the lifecycle of incidents and responses.

Annex A.17 – Information security aspects of business continuity management (4 controls)

The aim of Annex A.17 is to create an effective system to manage business
disruptions.

It's divided into two sections. Annex A.17.1 addresses information security
continuity, outlining the measures that can be taken to ensure that information
security continuity is embedded in the organization's business continuity
management system.

Annex A.17.2 looks at redundancies, ensuring the availability of information
processing facilities.

Annex A.18 – Compliance (8 controls)

This annex is divided into two sections. Annex A.18.1 ensures that organizations
identify the laws, regulations and contractual obligations that apply to them
(including intellectual property, records protection, privacy and the regulation
of cryptographic controls), which helps them understand their legal and
contractual requirements and mitigates the risk of non-compliance and the
penalties that come with it.

Annex A.18.2 covers information security reviews: independent reviews of the
organization's approach to information security, and regular checks that systems
and processes actually comply with the organization's own policies and standards.
