The number of ISO 27001 certifications has been steadily increasing since 2006, with 44,499 issued in 2020. That’s a 22% increase from 2019. 

If you’re among the ranks of companies looking to get ISO 27001 certified — or recertified — then it’s essential that your controls are effective so your information security management system meets the ISO 27001 requirements.

To help you establish or improve your ISMS and prepare for an audit, we’ll take a closer look at the ISO 27001 controls below.

What are ISO 27001 Annex A controls?

Information security controls are processes and policies you put in place to minimize information security risks. ISO 27001 requires organizations to implement controls that meet its standards for an information security management system.  

The ISO 27001 standard document includes Annex A, which outlines all ISO 27001 controls and groups them into 14 categories (referred to as control objectives and controls). Annex A outlines each objective and control to help organizations decide which ones they should use. 

The ISO 27002 standard acts as a complementary resource that expands on the ISO 27001 Annex A overview. It goes into more detail, providing information on the purpose of each control, how it works, and how to implement it.

How many Annex A controls does ISO 27001 have?

ISO 27001 Annex A includes 114 controls, divided into 14 categories. Together with the ISO 27001 framework clauses, these controls provide a framework for identifying, assessing, treating, and managing information security risks.

Addressing risk is a core requirement of the ISO 27001 standard (clause 6.1 to be specific). Organizations must meet all the core requirements addressed in clauses 4 through 10 of ISO 27001 to achieve certification:

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

How you satisfy the ISO 27001 clauses will depend on your unique organization. The ISO 27001 standard is written in a way that allows different types of organizations to meet requirements in their own way. 

The decision about which controls to implement should be based on an assessment of the organization’s information security risks. Once these risks have been identified, the organization can select the controls that will help prevent them. Controls may also be selected because of a business objective or need, or a legal or contractual requirement. 

If you choose not to include an Annex A control, explain why within your statement of applicability. For example, if you chose to exclude A.6.2.2 because none of your employees work remotely, your ISO auditor will want to know.

What are the 14 domains of ISO 27001?

What are ISO 27001 Annex A control domains? You can think of them as the broad topics covered by ISO 27001. 

Topics like: how do you treat company security? How do you handle asset management? How do you address physical security? 

Each ISO 27001 domain focuses on general best practices for that area of information security and its control objectives.

ISO 27001 Annex A Control Categories listed in order

1. A.5 Information security policies (2 controls)

The first domain in the ISO 27001 Annex A controls asks whether your organization has a clear set of policies about keeping its information systems secure.

Auditors will be looking for: 

  • High-level documentation of information security policies
  • How the policies are disseminated throughout the organization
  • A regular process to review and update those policies
  • A clear explanation for how those policies work with the other needs of the business

While this is a short domain with only two controls, it’s first for a reason. 

This domain sets the tone in terms of the information security processes in place and how the organization’s personnel are informed of such processes. The strength of your information security policies directly influences every other category. 

Without a clear central tone and leadership, everything else you do to secure your information system could become patchwork and inconsistent.

2. A.6 Organization of information security (7 controls)

This domain is about ensuring that the policies outlined in A.5 can be implemented throughout the organization.

It’s all well and good for the CTO to put security policies in place, but that’s not sufficient for ISO 27001. The roles and responsibilities in the ISMS should be well defined. There should also be plans for how remote workers or vendors fit into the environment, as applicable, ensuring proper security processes are in place.

It’s far easier for a single information security professional to implement policies in a smaller office. However, you should have a plan for organizing information security throughout the organization as your company grows.

3. A.7 Human resources security (6 controls)

Think of A.5 as the set of ISO 27001 security controls for policy leadership and tone. The A.6 domain reflects the controls for middle management. And A.7 domain controls are for individual contributors. 

The controls in this section require every employee to be clearly aware of their information security responsibilities.

It’s broken into multiple sections. 

  • How are employees vetted before being hired? Employee agreements must clearly describe information security duties. 
  • How will employees receive information security awareness training? Ensure employees understand the importance of information security in the organization.
  • What are the consequences for not performing the agreed-upon information security duties? This addresses the risk of employee noncompliance.
  • How will you make sure employees don’t compromise your information security after leaving the company? This is a crucial control since disgruntled former employees can be a big security risk.

4. A.8 Asset management (10 controls)

Any information asset is a potential security risk. If it’s valuable to you, it’s likely valuable to somebody else.

ISO 27001 certification requires your business to identify its information assets, assign ownership, classify them, and apply management processes based on those classifications.

For the controls in this domain, you should know: 

  • What constitutes acceptable use of an information asset
  • Who is authorized to receive and share each asset
  • How to track an asset’s location
  • How to dispose of the asset, if necessary 

Controls also cover media handling in terms of how to securely handle, store, and transfer information.

5. A.9 Access control (14 controls)

Despite being one of the largest sections with 14 controls, Annex A.9 is relatively easy to understand. Put simply, employees at your organization should not be able to access information that isn’t relevant to their job responsibilities.

Access control encompasses who receives authentication information — like login credentials — and what privileges that information comes with. The more people with user access to sensitive information, the more information security risks. The easiest way to keep information secure is to share it with the smallest number of people possible. 

Controls in A.9 address how to keep employee user credentials and passwords secure and limit non-essential access to applications through a formal access management process. These controls should be supported by documented procedures and user responsibilities.

This domain also covers review of user access rights on a periodic basis to ensure only authorized users have access to the information systems per job responsibilities.

6. A.10 Cryptography (2 controls)

Cryptography is just one tool in your security arsenal, but ISO 27001 considers it important enough to deserve its own domain. 

Your company should have a documented policy for managing encryption. It should provide evidence that you’ve thought about the best type of encryption for your business needs. 

Make sure to pay special attention to how you manage cryptographic keys throughout their entire lifecycle. There should also be a plan for what to do if a key becomes compromised.

7. A.11 Physical and environmental security (15 controls)

This is the largest domain in Annex A and perhaps the most unique. It includes 15 controls to protect your information against real-world risks.

Your organization should be protecting any physical location where it stores sensitive data. That includes offices, data centers, customer-facing premises, and anywhere else that could compromise your information security if breached.

Security is more than just locks and guards. It demands that you think about access rights, asking questions like, “How do you determine who can enter a secure area like a server room?” 

This domain also includes controls for employees who work remotely. Someone leaving their laptop or mobile device behind in a cafe can be even worse than getting hacked. Remote as well as in-office workers should adopt a clear desk and clear screen policy. This helps prevent an unauthorized person from being able to access, see, or take information.

Other controls in Annex A.11 cover the risk of equipment damage or equipment operational loss. For example, if your data center is impacted by a hurricane, how will you ensure the server equipment remains secure and operational?

8. A.12 Operations security (14 controls)

This domain requires your company to secure the information processing facilities and systems that make up its ISMS.

There are a lot of subdomains in this domain. Annex A.12.1 covers documentation of ISMS operating procedures, including change management and review procedures. Other subdomains cover malware protection, logging and monitoring, data backups, technical vulnerability management such as penetration testing, and more.

If your company is tech-heavy, you’ll also need to prove that your development and testing environments are secure.

9. A.13 Communications security (7 controls)

Information is especially vulnerable while it’s on the move. This can include any transit of information from one node of your network to another. 

This domain is split into two sections. 

  1. Controls that prevent attackers from accessing sensitive information by exploiting flaws and vulnerabilities in your network security. 
  2. Controls for information transfer, including how you exchange information, how you protect it when using electronic messaging, and how you use non-disclosure agreements.

Firewalls, access control lists, logical or virtual segregation, and intrusion detection systems are all examples of technical controls that help protect information within an organization’s systems and applications.

10. A.14 System acquisition, development, and maintenance (13 controls)

This domain is interested in how your organization manages information system changes over time. 

Whenever you introduce a new information security system or make changes to one you already use, information security should be at the forefront of your mind.

To meet the controls in A.14, you’ll need to hold any new system or changes to an existing information system to specific security requirements. Ensure that software development processes integrate the organization’s security requirements and that change management processes are in place for any change of information systems.

11. A.15 Supplier relationships (5 controls)

Most companies are dependent on outside partnerships or vendors to some degree. When seeking ISO 27001 certification, businesses often focus on internal operations and operational systems and overlook vendor risk management.

It’s harder to implement controls here because you can’t control how someone else operates. You can present the auditor with proof that you hold all third-party vendors to a rigorous information security standard, ensuring your organization performs due diligence on the information security posture of any critical vendors.

This domain also covers ensuring that appropriate vendor agreements are in place with respect to information security requirements.

12. A.16 Information security incident management (7 controls)

This domain covers security incident management. If your organization is impacted by a security threat or security incident, it should have an incident management process in place to report, assess, respond to, and learn from these threats or incidents. 

If there’s a large-scale breach, who gets informed first? Who has the power to make decisions? What will you do to minimize the impact? The controls of this domain that you implement should cover these types of rhetorical questions. 

This domain applies to security events and weaknesses as well. Employees and other interested parties should be aware of what each is and know the process for reporting them, since they can lead to or become security incidents.

13. A.17 Information security aspects of business continuity management (4 controls)

This domain acknowledges that when business is significantly disrupted, information security can fall by the wayside. So its objective is to ensure that organizations have the required level of continuity for information security during a crisis or disaster. 

Does your company have a plan to protect sensitive data during a serious operational upheaval, for example?

Disruption can be anything from a natural disaster to a ransomware attack or political upheaval in the business’s home country. It can also be internal, like an acquisition or the ouster of a CEO.

Redundancy measures — including maintaining an inventory of spare parts and duplicate hardware and software — can help maintain business continuity and smooth operations during times of disruption.

14. A.18 Compliance (8 controls)

The final section details how your organization complies with information security laws.

To start, organizations must be able to identify which legal and contractual requirements apply to them. This can be especially challenging for organizations operating in multiple countries. 

Under laws like the EU’s General Data Protection Regulation (GDPR), businesses that target or collect data from EU citizens or residents can face heavy fines for information security failures. ISO 27001 auditors want to see that you have a plan for mitigating compliance risk.

Who is responsible for implementing ISO 27001 controls?    

There’s a common misconception that IT should be solely responsible for implementing the ISO 27001 controls that are applicable to an organization. However, only some of these controls are technological. The rest are related to organizational issues, physical security, human resources, and legal protection. 

So implementing Annex A controls must be the responsibility of multiple stakeholders and departments within an organization. Who those individuals are exactly will depend on the size, complexity, and security posture of that organization. 

Understanding ISO 27001 controls

Like everything else about the ISO 27000 family of standards and ISO 27001 in particular, the Annex A controls seem complicated at first. But once you dig a little deeper, the ISO 27001 control framework is fairly straightforward. 

The better you understand your information security risk landscape, the easier it will be to figure out which controls apply to you.

That said, we don’t blame you if the ISO 27001 certification process still feels daunting.

That’s why we built Secureframe. 

Our compliance automation platform makes it easier and faster to get ISO 27001 certified — and maintain it. With powerful automation features and a team of ISO 27001 experts, we'll help you build a compliant ISMS, manage vendor risk, complete a gap analysis, and get you 100% audit-ready.