ISO 27001 Controls

ISO 27001 Controls

  • June 01, 2021

ISO 27001 is the most widely respected international certification standard for information security management systems (ISMS). Outside the U.S. (where we recommend a SOC 2 audit instead), it’s the most impressive security certificate you can get.

It’s not easy, though. Annex A of the ISO 27001 document has no fewer than 114 controls, each of which has to be extensively documented before you can pass. Preparing for the audit can be overwhelming, especially for a small company.

To make it easier to understand, ISO 27001 control is divided into 14 categories — but these can make it even more confusing if you’re not prepared. 

What’s the difference between “information security policies” and “organization of information security?” Why isn’t “operations security” the same thing as “physical and environmental security?”

Don’t fret: you can get a handle on it. 

In this article, we’ll walk you through all 14 control categories in ISO 27001. By the time you finish reading, you’ll be that much closer to passing your ISO 27001 audit.

Do I need to meet all 114 controls?

It’s not mandatory to meet all 114 controls in Annex A. In fact, it’s unlikely for an organization to be capable of meeting all of them unless it’s an enormous multinational.

Companies seeking ISO 27001 compliance are required to meet all the main clauses of ISO 27001. By contrast, the controls in Annex A are more of a menu of options. Using your internal risk assessment, pick the ones that apply best to your company.

If you choose not to include any of the controls (and you’ll probably leave out a lot of them), document why you didn’t choose them. Though documentation needs to be extensive for the controls you choose, it’s acceptable to be brief here.

For example, if you chose to pass over A.6.2.2 because none of your employees telework, that’s all you really have to say.

What are the 14 domains of ISO 27001 controls?

1. A.5. Information security policies

The first domain in Annex A asks whether your organization has a clear set of policies about keeping its ISMS secure.

Auditors will be looking for high-level documentation of information security policies, a regular process to review and update those policies, and a clear explanation for how those policies work with the other needs of the business.

While this is a short domain with only two controls, it’s first for a reason. 

A.5 is probably the most important of all 14 domains in Annex A. The strength of your information security policies directly influences every other category. Without clear central leadership, everything else you do to secure your ISMS will be patchwork and inconsistent at best.

2. A.6 Organization of information security

While the policies outlined in A.5 are about central leadership for ISMS security, A.6 is about ensuring that those policies can be implemented throughout the organization.

It’s all well and good for the CTO to put security policies in place, but that’s not sufficient for ISO 27001. Specifically defined security roles at every level of the organization are a must. In each department, there should be no ambiguity whatsoever about who owns ISMS security. There should also be plans for how remote workers fit into the security apparatus if you have any.

Smaller companies often skip A.6. It’s far easier for a single IS professional to implement policies in a smaller office. However, you should still have a plan for organizing data security as the company grows.

3. A.7 Human resources security

Think of A.5 as the set of controls on policy leadership, A.6 as the controls on middle management, and A.7 as the controls on individual contributors. The controls in this section require every employee to be clearly aware of their information security responsibilities.

It’s broken into three sections. 

  1. The first concerns how employees are screened and vetted before being hired and requires employee agreements to clearly describe infosec duties. 
  2. The second section covers how employees receive on-the-job IS training and requires penalties for violations.
  3. The third section covers how to make sure employees don’t compromise your information security after leaving the company. 

This is a crucial set of controls since disgruntled former employees can be a big security risk.

4. A.8 Asset management

An information asset is any unit of data that provides value to your business. Any information asset is a potential security risk — if it’s valuable to you, it’s probably valuable to somebody else.

ISO 27001 certification requires your business to clearly identify information assets, classify them in a useful inventory, and apply different management processes according to their classifications.

For the controls in this domain, you should know how any information asset should be handled, who is authorized to receive and share each asset, how to track an asset’s location, and how to dispose of it if necessary. Controls also cover how to safely store assets on removable media, such as USB drives.

5. A.9 Access control

Despite being one of the largest sections with 14 controls, Annex A.9 is relatively easy to understand. Put simply, employees at your organization should not be able to view information that isn’t relevant to their jobs.

Access control encompasses who receives login credentials and what privileges those credentials come with. It assumes that the more people have access to corporate information, the more infosec liabilities will open up. Essentially, it’s saying that the easiest way to keep a secret is to share it with the smallest number of people possible.

Controls in A.9 address employees keeping their user IDs and passwords secure and controls access to applications.

6. A.10 Cryptography

Cryptography is just one tool in your security arsenal, but ISO 27001 considers it important enough to deserve its own domain. As it’s often misunderstood, encryption is a common weak point in an otherwise robust ISMS.

Your company should have a documented policy for managing encryption, with evidence that you’ve thought about the best type of encryption for your business needs. Make sure to pay special attention to how you manage cryptographic keys throughout their entire lifecycle, including a plan for what to do if a key becomes compromised.

7. A.11 Physical and environmental security

A.11 is the largest domain in Annex A and perhaps the most unique. Since an ISMS can be penetrated physically even if it’s digitally invincible, A.11 includes 15 controls to protect your information against real-world attacks.

Your organization should be protecting any physical location where it stores sensitive data. That means offices, data centers, customer-facing premises, and anywhere else that could compromise your information security if breached.

Security is more than just locks and guards. It demands that you think about access, asking questions like, “how do you determine who can be trusted to enter a secure server room?” 

A.11 also includes controls on employees who work remotely — someone leaving their tablet behind in a bar can be even worse than getting hacked.

Later controls in Annex A.11 cover the risk of natural disasters. If your data center is damaged by a flood or earthquake, how will you ensure it remains protected against forced entry? If you can’t ensure that, what else will you do to protect your sensitive data?

8. A.12 Operations security

Following our consideration of hardware in A.11, we’re now turning our attention to software. A.12 requires your company to secure the applications and systems that make up its ISMS.

There are a lot of subdomains in this one. A.12.1 covers documentation of ISMS operating procedures. Subsequent subdomains cover malware protection, data backups, controls on information processing software, penetration testing, and your processes for logging potential security faults.

If your company is tech-heavy, you’ll also need to prove that your development and testing environments are secure.

9. A.13 Communications security

ISO 27001 broadly defines communication as any transit of information from one node of your network to another. Information is especially vulnerable while it’s on the move, so if you have any sort of company network, think twice before ignoring this domain.

A.13 is split into two sections. 

  1. The first covers controls that prevent attackers from accessing sensitive information by exploiting flaws in your network security. 
  2. The second concerns itself with information transfer, including how you exchange information, how you protect emails, and how you use non-disclosure agreements.

10. A.14 System acquisition, development, and maintenance (90 words)

This domain is interested in how your ISMS evolves over time. Whenever you introduce a new information security system or make changes to one you already use, information security should be at the forefront of your mind.

To meet the controls in A.14, you’ll need to hold any new system to specific security requirements, rejecting any changes that don’t meet your specifications. 

This is even more important if you’re developing security systems of your own. Though if you’re not, there are several controls here you can skip.

11. A.15 Supplier relationships

Most companies are dependent on outside partnerships to some degree. When seeking ISO 27001 certification, business owners often tightly secure internal operations while forgetting the security implications of their external relationships.

It’s harder to implement controls here because you can’t control how someone else operates. Present the auditor with proof that you hold all third-party supplies to a rigorous standard. You should also refuse to work with anyone who won’t meet it.

12. A.16 Information security incident management

As much as we’d like it if things never went wrong, there are always unknowns. You won’t be able to predict every security threat, regardless of how prepared you might be. This domain covers how your company responds to security incidents.

If there’s a large-scale breach, who gets informed immediately? Who has the power to make decisions? What will you do to minimize the impact, and who is responsible for it?

A.16 also accounts for what you do after the crisis has passed. How will you learn from it to ensure nothing like this ever happens again?

13. A.17 Information security aspects of business continuity management

The wording of Annex A.17 is complex, but the underlying concept is not. Basically, it’s an acknowledgment which states that when business is significantly disrupted, information security can fall by the wayside. 

Does your company have a plan to protect sensitive data during serious operational upheavals?

Disruption can be anything from a natural disaster to a ransomware attack or political upheaval in the business’s home country. It can also be internal, like an acquisition or the ouster of a CEO.

14. A.18 Compliance

The final section details how your organization complies with information security laws. 

Under laws like the EU’s General Data Protection Regulation (GDPR), businesses can face heavy fines for infosec failures. ISO 27001 auditors want to see that you have a plan for mitigating compliance risk.


Like everything else about ISO 27001, the controls of Annex A seem complicated at first. Once you understand them, though, they’re mostly common sense. The better you understand your company, the easier it’ll be to figure out which controls apply to you and how you can best meet them.

Once you can do that, you’re on your way to a clear understanding of Annex A and ISO 27001 certification before long.

With all that said, we don’t blame you if ISO 27001 still feels daunting. Running a business is hard enough without ruthlessly documenting everything you do.

That’s why we built Secureframe to speed up the audit compliance process. If your company manages customer information and you’re seeking an ISO 27001 audit, Secureframe’s real-time support and automated security audits are the fastest way to get the certification. Schedule a free demo today.

Never miss a post. Subscribe!