ISO 27001:2013* Controls
Annex A of ISO 27001:2013 comprises 114 controls which are grouped into the following 14 control categories:
- Information Security Policies
- Organisation of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operational Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Below, we take each of the 14 categories in turn and provide a clear explanation of the primary objective or objectives of that category.
In other words, what is the purpose of the different sets of controls in helping you to improve your information security?
*With the publication of ISO/IEC 27001:2022 on 25 October 2022, URM is in the process of producing a control objective blog for the latest version of ISO 27001:2022.
Control Category A.5 – Information Security Policies (1 Objective and 2 Controls)
The objective of this category is to provide management direction and support for information security in line with the organisation’s requirements and relevant legislation and regulations.
This is achieved by documenting a set of information security policies, which must be approved, published, communicated and reviewed, at planned intervals.
Control Category A.6 – Organisation of Information Security (2 Objectives and 7 Controls)
The first objective is to establish a management framework which initiates and controls the implementation and operation of information security.
This includes ensuring that:
- Information security roles and responsibilities are understood and communicated
- Segregation of duties is understood and maintained
- Appropriate contact details are established and maintained with authorities, such as the ICO, and special interest groups, such as ISACA
- Information security in project management is established and managed, regardless of the type of project.
The second objective is to ensure the security of remote working and the use of mobile devices.
This is achieved by adopting and implementing a policy and supporting security measures to manage the risks associated with the use of mobile devices and to protect information accessed, processed or stored remotely.
Control Category A.7 – Human Resource Security (3 Objectives and 6 Controls)
The first objective relates to pre-employment requirements, ensuring that individuals understand their responsibilities and are suitable for the roles they are being considered for.
This is achieved by conducting appropriate background verification checks on all candidates and ensuring that employment contracts state responsibilities in respect of information security.
The second objective is to ensure that individuals are aware of and fulfil their information security responsibilities during their employment.
To achieve this, they are required to apply information security in line with organisational policies and procedures.
The organisation must ensure that individuals receive appropriate training and regular updates.
A formal and communicated disciplinary process must also be implemented in order that action can be taken against any individual who commits an information security breach.
The final objective within this category is to protect an organisation’s interests when individuals change roles or leave the organisation by ensuring any restrictive covenants are defined, communicated and enforced.
Control Category A.8 – Asset management (3 objectives and 10 controls)
The first objective requires the identification of information assets and the definition of appropriate responsibilities to protect them.
This is achieved by implementing an asset inventory, which includes designated asset owners.
Rules for the acceptable use of these assets must be documented and implemented. Assets must also be protected and managed when returned.
The next objective is to ensure that information is appropriately protected.
To achieve this, a classification scheme must be implemented and the assets classified accordingly. As such, both electronic and physical assets need to be labelled, in line with the classification scheme.
Procedures for handling assets also need to be developed and implemented in accordance with the classification scheme.
The last objective relates to the prevention of unauthorised disclosure, modification, removal or destruction of information stored on media.
This can be achieved by implementing procedures to manage removable media. These procedures must include how media is securely disposed of and how media containing information is protected during transportation.
Control Category A.9 – Access control (4 objectives and 14 controls)
The first objective is to limit access to information and information processing facilities.
In part, this is achieved by implementing and following an access control policy and ensuring that users are only provided with access to systems and those areas of the network they need to perform their duties.
The second objective is to ensure authorised user access and to prevent unauthorised access. The following controls are used to achieve this:
- A formal user registration and de-registration process
- A formal user access provisioning process
- The restriction and control of the allocation and use of privileged access rights
- A formal management process, to control the allocation of passwords, PINs, etc.
- The review of access rights
- The removal of access rights when users leave the organisation or change roles.
The third objective focuses on making users accountable for safeguarding their passwords, PINs, tokens, etc.
As such, defined practices surrounding the use of secret authentication information must be followed.
The final objective in this category is to prevent unauthorised access to systems and applications.
Controls to meet this objective must include the restriction of access to information and systems and, where appropriate, secure logon procedures.
The use of any utility programs that are capable of overriding system and application controls, along with access to program source code, must also be restricted.
Password management systems are often used for this function.
Control Category A.10 – Cryptography (1 objective and 2 controls)
The objective of this category is to ensure cryptography is used effectively, to protect the confidentiality, integrity and authenticity of information.
This is achieved by developing and implementing a cryptographic policy, including details on the use, protection and lifetime of cryptographic keys.
Control Category A.11 – Physical and environmental security (2 objectives and 15 controls)
The first objective within this category is to prevent unauthorised physical access, damage and interference to information and information processing facilities.
Controls used to meet these objectives are:
- Defining and using the physical security perimeter
- Ensuring that physical entry controls are in place and used
- Securing offices, rooms and facilities
- Protecting against external and environmental threats
- Establishing and implementing procedures for working in secure areas
- Securing delivery and loading areas, wherever they are.
The second objective is to prevent loss, damage, theft or compromise of assets and interruption to operations.
Controls to meet this objective are:
- Equipment siting and protection, to avoid information being overlooked or equipment being environmentally damaged
- The management and protection of supporting utilities, such as uninterruptible power supply (UPS), electricity, gas and water
- Protecting power and communications cables from accidental or malicious damage
- Maintaining and servicing equipment regularly, including heating, ventilation, and air conditioning (HVAC), where appropriate
- Effectively managing the removal of assets from the organisation’s premises
- Securely protecting assets that are taken off premises
- Disposing of and reusing equipment in a secure manner
- Ensuring users appropriately protect unattended equipment
- Implementing a clear desk and clear screen policy.
Control Category A.12 – Operations security (7 objectives and 14 controls)
Objective one is to ensure that information processing facilities are operated correctly and securely.
To achieve this, operating procedures need to be documented and made available.
These procedures include change management, to control changes to business processes, information processing facilities and systems.
Capacity management also needs to be adopted to monitor and project capacity requirements.
It should also be noted that development, testing and operational environments must be separated, to reduce the risks of unauthorised access or changes to operational environments.
The next objective is to ensure that information and information processing facilities are protected against malware.
This is achieved by implementing anti-malware software to detect, prevent and recover from attack.
Users must be aware of the organisation’s anti-malware software and the rules for its acceptable and unacceptable use.
Objective three is concerned with protecting against loss of data, by ensuring that backups of information, software and systems are conducted and tested regularly, in line with an agreed backup policy.
The next objective relates to recording events and generating evidence.
This is accomplished by producing, retaining, reviewing and protecting logs of user activity (for both administrators and general users), exception reports and logs of information security events.
Clocks on all relevant information processing systems must also be synchronised to a single reference time source, for example by using the Network Time Protocol (NTP).
Objective five is aimed at ensuring the integrity of operational systems. This is achieved by implementing and using control procedures to manage the installation of software on operational systems.
The next objective is to prevent the exploitation of technical vulnerabilities. This objective can be satisfied by obtaining information on technical vulnerabilities, evaluating the risks they may pose and taking actions to address them.
Furthermore, rules governing the installation of software must also be established and implemented.
The final objective in this category is to minimise the impact of audit activities on operational systems.
As such, plans must be agreed regarding the audit requirements and activities involving verification of operational systems, to minimise disruptions.
Control Category A.13 – Communications security (2 objectives and 7 controls)
The second objective is to maintain the security of information transferred both internally and externally.
This can be achieved by implementing formal transfer policies, procedures and controls to protect information being transferred through the use of all types of communication facilities, including electronic messaging through emails, communications platforms and social media.
As such, information transfer agreements must address the secure transfer of business information.
Control Category A.14 – System acquisition, development and maintenance (3 objectives and 13 controls)
The first objective is to ensure that information security is an integral part of information systems across the entire lifecycle, including the requirements for information systems providing services over public networks.
This means that information security requirements must be included in specified requirements for any new information systems or enhancements to existing ones.
Another control to help meet this objective is to protect information involved in application services passing over public networks.
Information involved in application service transactions must also be protected to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay.
The next objective relates directly to design and development activities, to ensure that information security is designed and implemented within the development lifecycle.
The following controls can help to meet this objective:
- Rules for the development of software and systems must be established and applied
- Changes to systems within the development lifecycle must be controlled using formal change control procedures
- When operating platforms are changed, business critical applications must be reviewed and tested for adverse impacts on operations and security.
- Modifications to software packages must be discouraged. If required, they must be limited to necessary changes, which will be strictly controlled
- Secure system engineering principles must be established, documented, maintained and applied to any information system implementation efforts
- Secure development environments must be established and appropriately protected
- If any development activities are outsourced, they must be supervised and monitored
- Testing of security functionality must be conducted during development
- System acceptance testing programs and related criteria must be established for new information systems, upgrades and new versions.
The final objective relates to ensuring the protection of data used for testing by carefully selecting data, protecting it by anonymisation or other techniques and controlling it by only allowing authorised personnel access to it.
Control Category A.15 – Supplier relationships (2 objectives and 5 controls)
The first objective in this category is to protect assets that can be accessed by suppliers. To accomplish this, information security requirements to mitigate the risks linked to suppliers having access to assets must be fully documented in a supplier management policy.
As such, formal agreements must also be established and implemented with each supplier, including all relevant requirements, as noted in the supplier management policy.
These formal agreements must include addressing the information security risks associated with information and communications technology services and the supply chain.
The second objective is to maintain an agreed level of information security and service delivery, in line with supplier agreements.
To achieve this, suppliers must be regularly monitored, reviewed and in some cases audited.
Changes to supplier services also need to be managed, including maintaining and improving existing information security policies, procedures and controls, taking into account the criticality of the business information, systems and processes involved and the re-assessment of risks.
Control Category A.16 – Information security incident management (1 objective and 7 controls)
There is only one objective in this category and that is to ensure a consistent and effective approach to the management of information security incidents, including communications regarding security events and weaknesses.
The following controls can help to meet this objective:
- Management responsibilities and procedures must be established and implemented for a quick, effective and orderly response to information security incidents.
- Information security events must be reported through appropriate management channels in a timely manner
- Employees and contractors must report any observed or suspected information security weaknesses
- Information security events must be assessed appropriately, to establish whether they are classified as events, weaknesses or incidents
- Information security incidents must be responded to in line with documented procedures.
- Knowledge gained from analysing and resolving information security incidents must be used to reduce the likelihood or impact of future incidents
- The identification, collection, acquisition and preservation of information, which can be used as evidence must be documented in defined and implemented procedures.
Control Category A.17 – Information security aspects of business continuity management (2 objectives and 4 controls)
The first objective in the category is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
To meet this objective, requirements for information security and the continuity of information security management in adverse situations must be determined.
Following on from this, processes, procedures and controls must be established, documented, implemented and maintained.
Once in place, these arrangements must be verified and tested regularly to ensure that they are effective.
The second objective is to ensure availability of information processing facilities.
This is accomplished by implementing information processing facilities with appropriate redundancies, to meet availability requirements.
Control Category A.18 – Compliance (2 objectives and 8 controls)
This category’s first objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
Controls which can help satisfy this objective include:
- Identifying and documenting relevant legislative, statutory, regulatory and contractual requirements and the approach to meeting them.
- Implementing appropriate procedures to ensure compliance with legislative, statutory, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products
- Protecting records against loss, destruction, falsification, unauthorised access and unauthorised release, in line with legislative, statutory, regulatory, contractual and business requirements
- Ensuring the privacy and protection of personally identifiable information, as required in relevant legislation and regulations.
- Using cryptographic controls in compliance with all relevant international and domestic agreements, legislation and regulations.
The second objective is to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
This is achieved by having independent reviews of the approach to managing information security and its implementation at planned intervals or when significant changes occur.
Managers must also regularly review the compliance of information processing and procedures within their areas of responsibility.
Finally, information systems must be regularly reviewed for compliance, which can be achieved through penetration tests.
Who is Responsible for Implementing Annex A Controls?
There are two important points to consider in answering this question:
- Less than 40% of controls in Annex A of ISO 27001 are technology-based
- Typically, information security issues occur due to human behaviour.
As such, IT cannot and should not be the only solution, contrary to what is often believed.
The fact of the matter is that information security is about building a set of robust controls, which mature over time.
In the current Annex A framework, the following percentages apply to where controls fall within an organisation:
- 37% – Technology
- 36% – Organisational/documentation
- 13% – Physical security
- 5% – Suppliers and buyers
- 5% – Human resource management
- 4% – Legal protection
Therefore, implementing the controls documented in Annex A is, and must always be, the responsibility of a number of individuals and departments within an organisation, dependent naturally on its size and complexity.
Using the Controls of ISO 27001
The controls found in Annex A of ISO 27001 are a fundamental element of risk treatment and must be selected following a thorough assessment of an organisation’s information security risks.
Typically, selected controls must be justified by a:
- Risk assessment
- Business need or best practice
- Legal or contractual requirement
Once controls have been selected, organisations are required to produce a Statement of Applicability (SoA), which must include, as a minimum, all 114 controls documented in Annex A of ISO 27001, along with the justifications for inclusions and ideally, brief explanations of how they have been implemented.
The SoA then serves as a mechanism for top management to have accurate information on the level of risk their organisations are exposed to and the status of the risk treatment activities.
Identifying ISO 27001 Controls You Should Implement
The identification of which controls should be implemented can only follow a robust assessment of an organisation’s inherent information security risks.
Once the risks are understood, controls can be selected to treat them. Arguably, the more controls selected the more likely it is that the organisation can prevent or, at least, minimise exposure to identified risks.
However, controls from Annex A can be excluded if it is believed they are not relevant. An example of this is where an organisation does not develop any software.
Clearly, there would be no need for a secure development policy.
If a control is to be excluded, a full justification must be documented in the SoA.
And What About ISO 27001:2022?
In Q4 2022, an updated version of ISO 27001 is due to be published. Whilst it is anticipated that there will not be substantive changes to the mandatory main clauses (4 to 10) of the Standard, there will be significant changes in Annex A, which will reflect the controls that were introduced by ISO 27002:2022 in February 2022. URM has produced a blog on the changes introduced by ISO 27002, but here are the main headlines.
The previous 114 controls have been reduced to 93, but don’t be deceived, this reduction is mainly due to the merging of 57 controls into 24. 58 of the previous controls have been updated, with 11 new controls being introduced, to reflect the need to address emerging threats etc.
Those of you familiar with the Annex A from ISO 27001:2013 will be familiar with the 14 clauses. These have been replaced with 4 ‘themes’, in order to group controls into the common categories of Organisational (37 controls), People (8 controls), Physical (14 controls) and Technological (34 controls).
One of the most noteworthy changes with ISO 27002:2022 was the introduction of attributes, where you can assign hashtags to controls to enable you to filter, sort, or present controls in different ways, e.g., by information security properties so you can sort and prioritise those controls that relate to confidentiality, integrity or availability. The Standard refers to 5 attributes and you can also include attributes relevant to your organisation. Using attributes can help reduce your compliance burden and better integrate your security processes, thereby making your information security management system (ISMS) easier to implement and manage.
For those organisations looking to transition from ISO 27001:2013 to ISO 27001:2022, URM will be delivering a number of transition courses where we will provide clear guidance on how to best meet the updated clauses, new control requirements and take advantage of the attributes feature.