Understanding ISO 27001 Controls (Guide To Annex A)


Summary: In this article, we’ll cover the 14 specific categories of the ISO 27001 Annex A
controls. You’ll learn how to decide which ISO 27001 framework controls to implement and
who should be involved in the implementation process. By the end of this article, you’ll have
a basic understanding of ISO 27001 Annex A controls and how to implement them in your
organization.

What Are ISO 27001 Annex A Controls?


Set by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC), ISO/IEC 27001 Annex A defines the 114 information
security controls an organization can address to receive and maintain its ISO 27001
certification.

These controls are assessed during stage two of the ISO 27001 certification process. An
external accredited certification body runs a series of evidentiary audits that confirm the
organization’s technology and processes are correctly deployed and working properly. The
auditors also confirm that the implemented solutions align with the controls the organization
declared to be in use during stage one, the documentation review stage of the certification
process.

Since industry compliance requirements, technology needs, and scope of operations are
unique for each organization, the ISO 27001 Annex A control list serves as a framework,
rather than a checklist of requirements. For the certification, however, each firm must draft a
Statement of Applicability (SoA), defining the specific Annex A controls based on the
company’s identified risks, legal and contractual requirements, and overall business needs.

How Many Annex A Controls Are in ISO 27001?


ISO/IEC 27001 identifies 114 unique Annex A controls or safeguards in its framework. These
cover the technology, processes, and policies an organization utilizes to oversee its
information security management system (ISMS) and maintain its security posture for
personnel and third-party stakeholders.

The 14 Categories of ISO 27001 Annex A Controls


Because a business can deploy many combinations of security controls to cover various risks
and objectives, ISO divides the Annex A controls into 14 unique ISO 27001 categories. ISO
segments each category based on its scope and the business needs it supports.

These are the 14 categories of ISO 27001 Annex A controls:

Information Security Policies


Annex A.5 of ISO/IEC 27001, Information Security Policies, describes how leadership can
provide direction and support an organization’s information security, specifically through
governance. Companies can implement policies that employees, contractors, and other
external stakeholders need to follow to maintain a strong security posture, promote their
security vision, and comply with laws and regulations.

Organization of Information Security


Annex A.6 establishes the framework for an organization’s information security processes,
both for traditional and teleworking operations. It comprises multiple focus areas, which
include defining roles and responsibilities for information security activities while
segregating duties to reduce risk.

Technology, processes, and policies must be in place to maintain adequate contact with
authorities and special interest groups, such as associations, industry groups, or specialty
security organizations. Additionally, organizations must have systems and policies for
maintaining information security in projects that fall outside normal day-to-day operations,
when using mobile devices, and during teleworking.

Human Resources Security


Annex A.7 comprises the information security controls that relate to human resources
management before, during, and following employment. For example, these controls include
screening and running background checks on prospective employees and implementing the
terms of employment agreements.

Organizations use these policies to control how managers oversee employees and contractors
and to establish procedures for providing security awareness education and training. Finally,
ISO 27001 A.7 cites formal processes and responsibilities for handling employee
terminations and disciplinary actions.

Asset Management
Annex A.8 dives into identifying and protecting a firm’s technology and data assets. ISO
27001 lists specific asset management controls that govern the systems for taking inventory
of assets, assigning the responsibility of ownership for each asset, outlining and enforcing
acceptable use of company assets, and requiring employees to return assets to the firm after
use.

Annex A.8 also requires organizations to have policies and mechanisms for classifying and
labeling all managed data based on its sensitivity, value, or legal requirements. In addition,
companies need processes that outline how personnel must handle certain assets based on
how an asset is classified. Organizations also need a system that enables the secure
management, disposal, and transfer of physical or removable media.

Access Control
Annex A.9 is one of the largest categories on the list, with plenty of controls relating to the
management of user data access and system privileges. For example, businesses need to
establish control policies that enforce the principle of least privilege for network and resource
access. Organizations must have a comprehensive system for registering, deregistering, and
provisioning users and for managing user rights for both standard and privileged accounts.

Next, Annex A.9 requires organizations to utilize secure controls for storing authentication
information, such as user credentials, and to establish policies that specify which users may
access credential data. User access rights should be reviewed on an ongoing basis, and
periodic adjustments should be made based on those reviews. Lastly, firms should create
secure login procedures and password management systems and establish access control
processes for internal software.

Cryptography
A short but essential category within the ISO control framework, Annex A.10 covers how an
organization manages encryption and cryptographic controls to secure its sensitive data. The
first control covers setting and enforcing organizational policies that require users to deploy
encryption under specific circumstances and setting minimum cryptographic standards.
Companies also need a procedure for managing cryptographic keys and their life cycles.

Physical and Environmental Security


The largest of the categories, Annex A.11 outlines controls to protect organizational assets
from unauthorized access or physical damage. This category requires establishing a physical
security perimeter with entry controls to secure all offices, rooms, and facilities from internal
and external threats. It also emphasizes protecting physical assets from non-digital risks, such
as natural disasters or unauthorized entry.

Organizations must identify and manage risk for secured areas and delivery locations.
Systems should be in place for the secure installation, protection, maintenance, removal,
disposal, and reuse of equipment and assets—even those located off-premises or unattended
by users. Firms must establish clear desk policies for employees and have mechanisms to
secure telecommunications cabling and protect equipment from utility failures.

Operational Security
Annex A.12 describes the secure management of data-processing operations. ISO 27001 A.12
requires systems for documenting operating procedures; overseeing change management; and
managing operational capacity for data storage, processing power, and communications.
Organizations need controls to separate their development, testing, and operating
environments; back up their data; protect against malware; and log user and network activity.

Companies must secure their log information, keep system administrators’ activity data
separate from the activity data for regular users, and synchronize system clocks so that all
system events are recorded against a single reference time. Also, to maintain the integrity of
their operating systems, organizations need to institute:

Policies that allow or restrict software installation
Procedures for managing system vulnerabilities
Mechanisms for auditing information system controls

Communications Security
With a focus on managing network security, Annex A.13 looks to ensure businesses protect
information both inside and outside their networks. Firms must implement a system that
identifies, monitors, segregates, and controls access to digital resources, including
applications, data, and other systems within the network.

ISO 27001 A.13 also specifically addresses the management of information security when
communicating with external sources, such as customers, suppliers, and other stakeholders.
Organizations need policies and procedures for external information transfers, confidentiality
agreements between the organization and outside users, and protection mechanisms for
electronic messaging.

System Acquisition, Development, and Maintenance


Annex A.14 addresses security across all systems and life cycles, including development,
support, and test stages. Organizations must determine information security requirements,
create a method for securing applications on public networks, and protect application service
transactions. Companies must have policies for secure software development, change control
procedures, and technical reviews of applications when changes are made to operating
platforms.

ISO 27001 A.14 requires teams to restrict the changes employees can make to software
packages purchased from an outside vendor and limit the customization of open-source code.
Firms should also establish and enforce secure system engineering principles. They must
utilize secure development environments, properly manage outsourced development, and
have processes for security and acceptance testing while protecting test data.

Supplier Relationships
Annex A.15 discusses the control areas used to secure any assets that are accessible to
third-party suppliers or partners. Organizations need policies to manage supplier relationships
and address security within their service agreements.

They must also consider and address the risks associated with supply chains for managed
technology systems. When using data hosting centers or infrastructure-as-a-service (IaaS)
providers, for instance, organizations have minimal control over decisions or events that
could compromise data and applications that are managed elsewhere. Finally, organizations
should continuously monitor supplier service delivery and be prepared to handle service
changes.

Information Security Incident Management


Annex A.16 explains how an organization manages a cybersecurity or breach incident.
Companies must establish responsibilities and incident response procedures. They also need
a process for reporting information security events and system vulnerabilities.

Annex A.16 requires firms to set criteria for what qualifies as an incident, create mechanisms
to learn from incidents, and implement technology that helps collect evidence of an incident.

Information Security Aspects of Business Continuity Management


Annex A.17 addresses the process of keeping operations running following an incident. A
business should have documented and implemented business continuity plans in place. These
plans explain the procedures for keeping data and resources available if the primary
environments are shut down. The procedures must be verified for effectiveness and regularly
tested for organizational readiness.

Compliance
Finally, Annex A.18 describes the management of legal and contractual obligations.
Businesses must identify the applicable compliance requirements for information security,
understand their intellectual property rights, and have systems that protect records that fall
under a compliance umbrella. There should be solid controls to safeguard personally
identifiable information (PII) and deployed cryptographic technology that follows contractual
and regulatory requirements across all territories.

The compliance and information security evaluation component of Annex A.18 outlines that
firms should obtain independent, third-party reviews of their information security risks and
controls and of their adherence to compliance requirements. Organizations must also perform
internal evaluations to ensure compliance with their own security policies and procedures, as
well as conduct technical reviews of internal software, security technology, and other
information systems.

How to Decide Which ISO 27001 Controls to Implement


Deciding which Annex A controls to implement is a crucial step that determines whether an
organization becomes ISO 27001 certified. When preparing the SoA that lists the controls to
be implemented, firms must consider various factors, such as their industry, operations
model, IT environment, organizational size, technology stack, and information security risks.

For example, if a healthcare facility is seeking compliance certification for the Health
Insurance Portability and Accountability Act (HIPAA) through the Health Information Trust
Alliance (HITRUST), the organization will need a comprehensive system for each control
area defined in the Compliance category.

The Supplier Relationships category will be relevant only to organizations that work with
suppliers. Likewise, the Physical and Environmental Security category will be irrelevant to a
business that works remotely and relies solely on cloud-based applications; however, that
organization will need to implement comprehensive controls in the Access Control and
Communications Security categories.

Who Should Implement ISO 27001 Controls?


Because the ISO 27001 control categories cover a wide range of business functions,
personnel from different areas of the organization will need to collaborate during the ISO
implementation process. If ISO 27001 is to be implemented by an in-house team, a dedicated
ISO 27001 lead must oversee the entire operation.

Specific ISO 27001 control categories require certain roles to provide input and complete
specific tasks. For example:

A human resources director will manage some of the Human Resources Security activities,
such as running background checks on candidates.
An in-house attorney will draft specific organizational policies across the various Annex A
categories.
An IT manager will install software to protect network assets and endpoints relevant to the
categories that require software controls to improve security.

Alternatively, companies can opt to invest in outside consultants who will help implement the
ISO 27001 controls list. While individual departments within the organization will still need
to be involved, a dedicated contractor with ISO 27001 experience can bring skills, resources,
and an outside perspective that an in-house lead often lacks.

How to Implement ISO 27001 Controls


The checklist for implementing ISO 27001 controls starts with assigning and coordinating
with all the personnel involved in the process, including human resources, legal, supplier
relations, IT management, DevOps, and cybersecurity department representatives. The next
step is to establish the organization’s SoA by running risk assessments and thoroughly
reviewing the 114 ISO 27001 security controls to determine which areas apply to the
business’s operational, technology, and compliance needs.

Once those control requirements are determined, firms should run a gap analysis to compare
the controls necessary for the organization to those already implemented in their current
ISMS. Based on the gaps, they can implement the new controls by updating company
policies, hiring personnel, developing new processes, and purchasing new technology to
upgrade the ISMS.

After implementing the new security systems, organizations must train personnel in the
operations of the new controls. Finally, once everything is in place, they start the ISO 27001
certification process by conducting an internal audit.

How StrongDM Can Help with ISO 27001 Controls


StrongDM’s Dynamic Access Management (DAM) platform fulfills many ISO 27001 control
requirements. For instance, organizations can manage Access Control (Annex A.9) through
StrongDM’s all-in-one access and authentication management system. The capabilities
include automated user provisioning, least-privileged access deployment, one-click user
onboarding, and tools for securely storing user credentials.
