ISO 27001 Controls Explained: A Detailed Guide

ISO 27001 Controls Explained: A Detailed Guide

  • January 11, 2022

What are ISO 27001 controls?

Information security controls are processes and policies you put in place to minimize risk. ISO 27001 requires organizations to implement controls that meet its standards for an information security management system. 

The ISO 27001 standard document includes Annex A, which outlines all ISO 27001 controls and groups them into 14 categories (referred to as control objectives and controls). Annex A outlines each objective and control to help organizations decide which ones they should use. 

The ISO 27002 standard acts as a complementary resource. It goes into more detail, providing a full page of information on the purpose of each control, how it works, and how to implement it. 

How many controls are there in ISO 27001?

ISO 27001 includes 114 controls, divided into 14 categories. 

In addition to meeting Annex A control requirements, organizations must meet the requirements from clauses 4-10 of ISO 27001 to achieve certification:

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

How you satisfy the ISO 27001 clauses and Annex A controls will depend on your unique organization. The ISO 27001 standard is written in a way that allows different types of organizations to meet the requirements in their own way. 

If you choose not to include an Annex A control, explain why within your statement of applicability. Using your internal ISO 27001 risk assessment as a guide, select the controls that are applicable to your organization.

For example, if you chose to exclude A.6.2.2 because none of your employees work remotely, your certification auditor will want to know.

What are the 14 domains of ISO 27001?

What are ISO 27001 domains? You can think of them as the broad topics covered by ISO 27001. 

Topics like: how do you treat company security? How do you handle asset management? How do you address physical security? 

Each domain focuses on general best practices for that area of information security and its control objectives. 

1. A.5. Information security policies (2 controls)

The first domain in the ISO 27001 Annex A controls asks whether your organization has a clear set of policies about keeping its ISMS secure.

Auditors will be looking for: 

  • High-level documentation of information security policies
  • A regular process to review and update those policies
  • A clear explanation for how those policies work with the other needs of the business

While this is a short domain with only two controls, it’s first for a reason. 

A.5 is probably the most important of all 14 domains in Annex A. The strength of your information security policies directly influences every other category. 

Without clear central leadership, everything else you do to secure your ISMS will be patchwork and inconsistent.

2. A.6 Organization of information security (7 controls)

A.6 is about ensuring that the policies outlined in A.5 can be implemented throughout the organization.

It’s all well and good for the CTO to put security policies in place, but that’s not sufficient for ISO 27001. Specifically defined security roles at every level of the organization are a must. 

In each department, there should be zero ambiguity about who owns ISMS security. There should also be plans for how remote workers or vendors fit into the environment as applicable.

It’s far easier for a single IS professional to implement policies in a smaller office. However, you should still have a plan for organizing data security as your company grows.

3. A.7 Human resources security (6 controls)

Think of A.5 as the set of ISO 27001 security controls for policy leadership. A.6 are the controls for middle management. And A.7 are the controls for individual contributors. 

The controls in this section require every employee to be clearly aware of their information security responsibilities.

It’s broken into three sections. 

  1. How are employees vetted before being hired? Employee agreements must clearly describe infosec duties. 
  2. How will employees receive on-the-job information security training? This control requires set penalties for violations.
  3. How will you make sure employees don’t compromise your information security after leaving the company? This is a crucial set of controls since disgruntled former employees can be a big security risk.

4. A.8 Asset management (10 controls)

Any information asset is a potential security risk — if it’s valuable to you, it’s probably valuable to somebody else.

ISO 27001 certification requires your business to identify its information assets, classify them, and apply management processes based on those classifications.

For the controls in this domain, you should know: 

  • How an information asset should be handled
  • Who is authorized to receive and share each asset
  • How to track an asset’s location
  • How to dispose of the asset, if necessary 

Controls also cover how to safely store assets on removable media, such as USB drives.

5. A.9 Access control (14 controls)

Despite being one of the largest sections with 14 controls, Annex A.9 is relatively easy to understand. Put simply, employees at your organization should not be able to view information that isn’t relevant to their jobs.

Access control encompasses who receives login credentials and what privileges those credentials come with. The more people with access to corporate information, the more infosec liabilities. The easiest way to keep a secret is to share it with the smallest number of people possible.

Controls in A.9 address how to keep employee user IDs and passwords secure and limit non-essential access to applications.

6. A.10 Cryptography (2 controls)

Cryptography is just one tool in your security arsenal, but ISO 27001 considers it important enough to deserve its own domain. 

Your company should have a documented policy for managing encryption, with evidence that you’ve thought about the best type of encryption for your business needs. 

Make sure to pay special attention to how you manage cryptographic keys throughout their entire lifecycle, including a plan for what to do if a key becomes compromised.

7. A.11 Physical and environmental security (15 controls)

A.11 is the largest domain in Annex A and perhaps the most unique. It includes 15 controls to protect your information against real-world attacks.

Your organization should be protecting any physical location where it stores sensitive data. That means offices, data centers, customer-facing premises, and anywhere else that could compromise your information security if breached.

Security is more than just locks and guards. It demands that you think about access, asking questions like, “how do you determine who can enter a secure server room?” 

A.11 also includes controls for employees who work remotely. Someone leaving their laptop behind in a cafe can be even worse than getting hacked.

Other controls in Annex A.11 cover the risk of natural disasters. If your data center is damaged by a flood or earthquake, how will you ensure it remains protected against forced entry? If you can’t ensure that, what else will you do to protect your sensitive data?

8. A.12 Operations security (14 controls)

A.12 requires your company to secure the applications and systems that make up its ISMS.

There are a lot of subdomains in this one. A.12.1 covers documentation of ISMS operating procedures. Later subdomains cover malware protection, data backups, penetration testing, and more.

If your company is tech-heavy, you’ll also need to prove that your development and testing environments are secure.

9. A.13 Communications security (7 controls)

Information is especially vulnerable while it’s on the move. ISO 27001 broadly defines communication as any transit of information from one node of your network to another. 

A.13 is split into two sections. 

  1. Controls that prevent attackers from accessing sensitive information by exploiting flaws in your network security. 
  2. Controls for information transfer, including how you exchange information, how you protect emails, and how you use non-disclosure agreements.

10. A.14 System acquisition, development, and maintenance (13 controls)

This domain is interested in how your ISMS evolves over time. 

Whenever you introduce a new information security system or make changes to one you already use, information security should be at the forefront of your mind.

To meet the controls in A.14, you’ll need to hold any new system to specific security requirements, rejecting any changes that don’t meet your specifications. 

11. A.15 Supplier relationships (5 controls)

Most companies are dependent on outside partnerships to some degree. When seeking ISO 27001 certification, businesses often focus on internal operations and can easily overlook vendor risk management.

It’s harder to implement controls here because you can’t control how someone else operates. Present the auditor with proof that you hold all third-party vendors to a rigorous standard. You should also refuse to work with anyone who won’t meet those standards.

12. A.16 Information security incident management (7 controls)

You won’t be able to evade every security threat, regardless of how prepared you might be. This domain covers how your company will respond to security incidents.

If there’s a large-scale breach, who gets informed first? Who has the power to make decisions? What will you do to minimize the impact?

A.16 also accounts for what you do after the crisis has passed. How will you learn from the incident?

13. A.17 Information security aspects of business continuity management (4 controls)

A.17 acknowledges that when business is significantly disrupted, information security can fall by the wayside. 

Does your company have a plan to protect sensitive data during a serious operational upheaval?

Disruption can be anything from a natural disaster to a ransomware attack or political upheaval in the business’s home country. It can also be internal, like an acquisition or the ouster of a CEO.

14. A.18 Compliance (8 controls)

The final section details how your organization complies with information security laws. 

Under laws like the EU’s General Data Protection Regulation (GDPR), businesses can face heavy fines for infosec failures. ISO 27001 auditors want to see that you have a plan for mitigating compliance risk.

Understanding ISO 27001 controls

Like everything else about ISO 27001, the Annex A controls seem complicated at first. But once you dig a little deeper, the ISO 27001 control framework is fairly straightforward. 

The better you understand your risk landscape, the easier it will be to figure out which controls apply to you.

That said, we don’t blame you if the ISO 27001 certification process still feels daunting.

That’s why we built Secureframe. 

Our compliance automation platform makes it easier and faster to get ISO 27001 certified. With powerful automation features and a team of ISO 27001 experts, we'll help you build a compliant ISMS, manage vendor risk, complete a gap analysis, and get you 100% audit-ready.

Become a security expert

Get the latest articles on startup security and compliance best practices delivered straight to your inbox.

Get a Secureframe demo
subscription-logo