ISO 27001 controls: a complete guide to Annex A


Information security is a core business goal for all organizations that handle confidential data. Created by the International Organization for Standardization, ISO 27001 is the leading global standard for protecting information and preventing data breaches.

ISO 27001 works around a list of technical, procedural, and administrative controls. This article will introduce ISO 27001 controls, explain the different types of controls covered by the ISO framework, and finish by exploring how organizations can use Annex A controls to meet their security needs.

What are ISO 27001 Annex A controls?

Annex A controls are the measures recommended by ISO 27001 when building an Information Security Management System (ISMS). ISO 27001:2022 lists 93 Annex A controls in total, grouped into four themes (the 2013 edition grouped its controls into 14 domains). The number and grouping of controls change between revisions of the standard, so companies must stay informed about Annex A to implement compliant security measures.

Key takeaways

  • ISO 27001 is a dynamic framework that mitigates information security risks. The latest version is ISO 27001:2022, which made several changes to the 2013 version.
  • The core themes of ISO 27001:2022 are human, organizational, technical, and physical controls. The 2022 version introduces a greater focus on planning and interested parties and simplifies the list of recommended controls. However, the register of controls remains relevant and guides companies as they achieve ISO compliance.
  • Annex A is the core register of ISO controls. In the 2013 version, this list of controls has 14 areas. These areas cover major information security themes, including technical, physical, environmental, human, and operational security. Domains also cover supplier relationships, incident response, and change management.
  • Organizations should take a risk-based approach to the implementation of ISO 27001. Planners should consider the business context. They should select controls that mitigate real-world security risks and audit their ISO 27001 implementation to ensure compliance.

Changes resulting from ISO/IEC 27001:2022

Before we look at ISO 27001 controls in more depth, it's important to discuss the most recent iteration of Annex A controls. ISO 27001:2022 replaced ISO 27001:2013, resulting in subtle changes to ISO compliance.

The 2022 version of ISO 27001 is not a significant overhaul. Many aspects of ISO 27001:2013 remain relevant. However, even minor violations of the ISO framework can lead to failed audits. This table lists the main alterations that companies need to know about:

ISO 27001:2022 control changes summary

Number of controls

ISO 27001:2022 merges 56 controls into 24 and adds 11 new ones. The new framework reduces the overall number of controls from 114 to 93.

New controls

ISO 27001:2022 adds 11 new controls that compliant organizations must implement. New areas include:

  • Threat intelligence and continuous risk management
  • Information security in the cloud
  • Business continuity for communication systems
  • Physical security monitoring
  • Managing configurations
  • Deleting sensitive data
  • Appropriate data masking/anonymization
  • Web and content filtering
  • Use of secure coding principles

Domains or themes

ISO 27001:2022 refers to "themes," not "domains." There are now four themes, as opposed to 14 domains. The new themes are People, Organizational controls, Technological controls, and Physical controls.

Interested parties

Clause 4.2 adds a requirement to take the requirements of "interested parties" into account. Management reviews must also consider how business changes affect the expectations of interested parties.

Planning

The new version of ISO 27001 focuses more on ISMS planning. Organizations must document and monitor their "security objectives." They must also show evidence that they have systematically planned changes to their ISMS.

Communication

When companies assign information security roles, they must communicate these decisions to all parts of the organization.

How many controls are in ISO 27001?

ISO 27001:2013 included 114 Annex A controls. ISO 27001:2022 lists 93 controls.

ISO 27001 Annex A control categories

The 2013 version of ISO 27001 grouped controls into 14 categories. These categories included:

  • Information security policies
  • Organizing information security
  • Human resource security
  • Managing assets
  • Access controls
  • Cryptography
  • Environmental and physical security
  • Operational security
  • Secure communications
  • System acquisition, development, and maintenance
  • Third-party relationships
  • Managing information security incidents
  • Business continuity management
  • Compliance with relevant regulations

The 2022 version of ISO 27001 reduces this list to four core sub-groups. These groups include:

  • People
  • Organizational controls
  • Technical controls
  • Physical controls

These new groups are larger than the domains used by ISO 27001:2013. To make it easier to navigate the control list, the ISO has specified five "attributes" for controls. These attributes include:

  • Type of control. Includes preventative, detective, and corrective controls.
  • Information security role. Includes ensuring confidentiality, data integrity, and availability.
  • Cyber security role. This includes identifying and neutralizing threats, responding to threats, and recovering data.
  • Operational function. Includes issues like asset management and governance.
  • Security domain. Includes core themes like governance, ISMS defense, and promoting resilience.

The 14 categories of ISO 27001 Annex A controls

Most ISO-compliant organizations follow the structure recommended by ISO 27001:2013. This structure remains relevant and remains compliant until April 30, 2024. The new framework also closely follows the previously used domains, so the 14 core domains are still valuable tools for identifying compliance requirements.

ISO 27001 domains

Information security policies

The purpose of Annex A.5 is to guide companies when creating information security policies. This guidance includes recommendations on creating, implementing, and auditing information security policies.

This section of ISO 27001 controls enables organizations to define how they protect information assets from cybersecurity threats.

Organization of information security

Annex A.6 includes seven controls regarding the assignment of information security responsibilities within an organization. This section of the 27001 framework ensures that the personnel are in place to implement the ISMS.

The 2013 version of ISO 27001 includes two sub-sections regarding roles and responsibilities. Section A.6.1 deals with creating a framework that continuously manages information security. Section A.6.2 deals with remote working and mobile devices.

Human resources security

The six Annex A.7 controls promote security leadership and robust lines of control. A central aspect of this sub-section is ensuring that all employees know their security responsibilities.

Themes of Annex A.7 include:

  • Assessing new hires to cut security risks and communicate security policies.
  • Providing security awareness training to new and existing hires. Delivering clear statements of user responsibilities for employees to follow.
  • Penalties for not following security policies.
  • Policies for information security after employees leave the organization (secure offboarding).

Asset management

Annex A.8 includes 10 controls that deal with securing information assets. There are three sub-categories in this domain.

Firstly, section A.8.1 relates to identifying and inventorying information. This information guides organizations when locating and tracking the state of assets.

Section A.8.2 deals with classifying information assets. Classification sorts assets according to risk levels and potential harm. When assets have appropriate risk classifications, it is easier to apply suitable controls.

Finally, section A.8.3 deals with applying controls to secure information assets. This section includes guidance about determining who should have access to data and information-sharing policies.

Guidance in this sub-section also includes technical vulnerability management. Organizations must ensure safe data transfers, guard assets against cyber threats, and guarantee secure disposal of information.

Access control

Annex A.9 relates to controlling access to data and other assets. This section provides focused guidance about ensuring legitimate access for authorized users. It also offers recommendations about how to deny access to everyone else.

Access control is a lengthy section with 14 separate measures. These controls refer to critical access control processes, including:

  • Assigning appropriate credentials to users
  • Minimizing access to resources that users do not need
  • Secure storage of access credentials
  • Formalized access processes for all applications
  • Documenting access management systems

Cryptography

Section A.10 features two cryptography controls. These controls guide organizations when integrating encryption into an information security management system.

Requirements under this section include the creation and maintenance of cryptography policies. Encryption policies should document the reasons for choosing forms of cryptography. They should also include safe usage guidelines for employees.

Managing cryptographic keys is another critical aspect of section A.10. Controls here include a requirement to build key management into incident recovery procedures.

Physical and environmental security

The 15 controls in Annex A.11 deal with physical information security risks. ISO 27001 recommends that companies secure physical information processing facilities. Security refers to protection against unauthorized access. It also encompasses disaster risks, damage, and physical theft.

Physical and environmental security controls in this domain include:

  • Access policies for physical premises
  • Security of offices and other information processing facilities
  • Protection against natural disasters (environmental management)
  • The creation of secure working areas
  • Delivery and loading locations
  • Siting equipment safely
  • Protecting utilities and secure cabling
  • Equipment maintenance
  • Safe asset removal
  • Policies for equipment or media re-use
  • Security measures for remote working, including safe media handling

Operations security

Annex A.12 focuses on securing the information processes that form the ISMS. Information security controls in this section involve creating policies and processes that support secure operations. There are seven sub-sections, including:

  • Procedures to secure operational systems. These procedures include assigning staff responsibilities for aspects of the ISMS.
  • Protecting information systems against cyber threats such as malware.
  • Creating backup systems to protect critical data and respond to information security incidents.
  • Logging systems to document security incidents.
  • Protecting the integrity of apps and systems that handle sensitive data.
  • Vulnerability management controls to protect against exploits.
  • Policies to ensure seamless ISMS audits.

Communications security

Annex A.13 features ISO 27001 controls relating to communications security. Organizations must protect critical information as it passes across networks. The ISO 27001 framework recommends two measures to achieve this:

  • Technical controls to prevent unauthorized access to information flows. Controls must ensure that data is available while protecting its integrity. For example, companies may use network security tools like firewalls, threat detection systems, encryption, or segmentation.
  • Controls to safeguard information transfers. This includes information security risks like unsafe information sharing and using electronic messaging systems. This section also features policies for creating watertight Non-Disclosure Agreements (NDAs).

System acquisition, development, and maintenance

Annex A.14 refers to change management within information systems. Organizations must have secure policies to acquire new systems, make changes, and update them when required.

The 13 ISO 27001 controls in this section require organizations to benchmark all new technology acquisitions against ISO 27001 standards. Elements to consider here include:

  • Determining security parameters for all new applications and systems
  • Testing the security of new technologies
  • Adopting safe system design to build business assets
  • Reviewing changes to app deployments in the light of ISO principles
  • Using a secure development environment
  • Protecting and recording test data

The controls in Annex A.14 apply across the entire lifecycle of an application or system. Together, they essentially recommend intensive change management processes for all new acquisitions.

Supplier relationships

Annex A.15 refers to third-party relationships. The five controls in this domain include the need to execute due diligence on all third parties. Organizations must also enforce ISO-compliant practices via legal and contractual requirements.

Organizations should also apply controls to any information that suppliers or other external partners can access.

Information security incident management

Annex A.16 is about responding to information security incidents. ISO 27001 requires an incident management process that restores data availability, neutralizes threats, and boosts organizational learning.

Policies in this section deal with:

  • Reporting incidents to stakeholders and regulators.
  • Assigning staff members to carry out critical incident response tasks.
  • Establishing a chain of command when dealing with security incidents.

Information security aspects of business continuity management

The four controls in Annex A.17 are related to A.16. They deal with ensuring business continuity during incidents. The core purpose of these controls is to maintain an adequate level of security, even during periods of intense disruption. There are two main sections:

  • Planning for disruption. Companies need policies that embed business continuity management in all operations.
  • Building redundancy into systems. Organizations need spare capacity to store data or restore IT systems. They may need access to spare parts or additional personnel that are only required during emergencies.

Compliance

The final domain in the ISO 27001:2013 framework includes eight controls to meet regulatory compliance goals. This section includes policies to identify compliance needs. Organizations should be aware of relevant laws or regulations and plan to meet regulatory requirements.

Organizations must also create plans to mitigate compliance risks. This helps them avoid compliance violations and regulatory fines.

Are Annex A controls required?

The list of ISO 27001 controls may seem excessive at first glance. But very few companies apply all of the recommended controls. Companies can choose controls that apply to their information security systems.

Whether a company implements an ISO 27001 control depends on its risk profile. For example, companies without remote workers won't need to worry about securing remote devices.

However, organizations must apply controls when risk assessments recommend it. ISO 27001 is a risk-based security framework. Companies that fail to act on identified security risks will likely fail their certification audits.

Deciding which ISO 27001 controls to implement

Determining the scope of ISO 27001 implementation is critically important. As a rule, the ISMS should be as simple as possible. Controls should only apply when they mitigate serious risks. The core challenge is deciding which risks apply and classifying those risks to determine relevant controls.

The context of the organization is all-important. For example, healthcare companies face critical risks around patient privacy, data portability, cybersecurity, and vendor relationships. Companies that want to achieve HIPAA compliance must apply many ISO 27001 controls.

The risks differ for eCommerce businesses that handle financial data and little else. A cloud-based online seller may need to apply network security controls, access management, and personnel management. However, other areas of the ISO 27001 framework are less relevant.

The risk assessment determines the mix of controls for each situation. Assess your business operations. Compare your information security systems against ISO controls, and apply controls that help to protect your sensitive data.

Who is responsible for the implementation of ISO 27001 controls?

ISO 27001 implementation is usually executed by a separate team within the organization. Companies typically do not use their security team for this task. Project teams must be independent of ISMS operators, although drawing on internal technical expertise is essential.

Organizations should start by appointing a dedicated ISO 27001 lead. This individual should then bring together project officers from different parts of the organization. Specific areas of expertise to recruit include:

  • Legal or compliance officers. To draft compliant policies relating to ISO 27001 controls.
  • HR officers. To implement training, candidate vetting, and enforce staff responsibilities.
  • IT technicians. To advise on technological controls and implement recommendations arising from the ISO 27001 process.

The ISO 27001 implementation team should also have backing at the executive level. Board members should participate in the process and assist the project team at every stage.

If necessary, companies can bring in external contractors to manage the process. External expertise helps to deal with internal skill gaps and brings a fresh perspective to reforming information security systems.

Implementing ISO 27001 controls

The implementation process for achieving ISO 27001 compliance varies. But generally, the implementation process has the following components:

  1. Start by inventorying existing information security policies, procedures, and controls.
  2. Execute risk assessments for information processing systems. Identify security risks and classify risks according to probability and severity.
  3. Compare ISO 27001 controls to the risk assessment. Which controls are needed to mitigate risks and create a secure Information Security Management System?
  4. Create an ISO 27001 implementation plan informed by the risk assessment. Ensure that the risk treatment plan covers every applicable ISO 27001 control.
  5. Carry out an internal audit to verify that ISO 27001 controls are in place. Ensure that corrective actions fix any gaps.

Implement the right ISO 27001 controls

This article has explored the role of ISO 27001 controls in building secure information processing systems. ISO 27001 Annex A is a comprehensive framework with many sub-annexes and recommended controls. However, companies can adopt these controls to suit their security needs.

Use risk-based analysis to identify ISO 27001 controls that will strengthen your information processing operation. Implement technical controls, policies, and procedures to protect critical data and enable ISO certification.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.