The ISO27001 international standard for information security was updated in 2022 and is commonly accepted as a leading framework around which an organization can base its cybersecurity defences. One of the aspects of this standard that is often mentioned is the ISO 27001 controls of Annex A. But what are the controls, and how do they relate to the rest of the standard?
ISO27001 is a requirements standard, which means it’s possible for an organization to become certified to it, and then advertise this fact to any interested parties who will listen. But in some ways it’s unlike some of the other common requirements standards, such as ISO9001 (quality management) and ISO14001 (environmental management) in that it is effectively split into two parts:
The first of these is very similar to other standards, largely because ISO has deliberately made them the same over the last ten years or so, with its “Harmonized Structure”. So if you read the management system requirements for ISO27001 you’ll see that the headings and much of the wording are the same.
But the second part, Annex A, is unusual. This is not to say that other standards don’t have annexes; they do. But generally they are informative, or they offer guidance to supplement the requirements. Annex A of ISO27001 is different in that it forms part of the requirements and is a list of ISO 27001 controls.
What is a control and why do we need them? To understand this, we need to step back into the management system part of ISO27001 and look at the idea of risk.
In Clause 6 (Planning), ISO27001 requires an organization to determine the risks that need to be addressed to prevent, or reduce, undesired effects (amongst other things), and then to plan actions to address these risks. In essence, a risk is something that could go wrong in the future, and the actions are intended to make it less likely to happen, or to have less of an impact if it does.
And helpfully, ISO27001 provides a standard list of these actions in the form of the Annex A controls.
For example, if you believe that your organization is at risk of recruiting people who may steal your information then you may like to adopt control A.6.1 Screening, which requires background verification checks on all candidates to become personnel.
Or if you think there is a risk of your information being uploaded into the cloud without consideration or authorisation, then control A.5.23 Information security for use of cloud services will probably help to reduce that risk.
Within Annex A there are a total of ninety-three controls, grouped into four themes:
A.5 Organizational controls
A.6 People controls
A.7 Physical controls
A.8 Technological controls
So Annex A is a list of “reference” controls that can be used to reduce risk. But depending on what your organization does and how it does it, you may not need all ninety-three of them. Accordingly, the standard requires you to define a “Statement of Applicability” which says whether or not each control applies to you, and whether you have implemented it.
If you like, Annex A is a menu of good ideas to help you reduce your organization’s risk.
Annex A of ISO27001 doesn’t go into much detail about the controls, but if you want the full story about what they mean, there is a separate document, ISO27002, which gives chapter and verse on their interpretation.
But remember that ISO27002 is only guidance, so you don’t have to do everything it says in order to become certified to the ISO27001 standard.
The ISO 27001 controls of Annex A are a great list of sensible ideas to help prevent your organization from falling victim to a cyber incident. Allied to the management system parts, they provide an effective framework around which to build your information security defences.
For more information on the ISO 27001 controls and the standard, download our free comprehensive ISO27001 Implementation Guide.
Written by Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.