What are the Annex A controls?
Below are the 14 categories and a brief description of what each collection of controls aims to achieve.
Annex A.5 – Information Security Policies
- Annex A.5.1 covers the need for information security policies, which are effectively sets of rules that govern the way in which information security is implemented within the organization. These need to be published and reviewed regularly.
Annex A.6 – Organisation of Information Security
- Annex A.6.1 is concerned with the management framework used to achieve information security and the roles and responsibilities within it. It also covers issues such as segregation of duties and relationships with external authorities (such as regulators) and special groups such as professional bodies.
- Annex A.6.2 requires that a mobile device policy be established and implemented to manage the risks associated with laptops, mobile phones and the like. A policy for teleworking (perhaps now more commonly known as remote working, something which will be addressed in the new ISO27002 controls) is also needed.
Annex A.7 – Human Resource Security
- Annex A.7.1 is about controls that apply prior to employment. The objective in this area is to ensure that employees and contractors undergo some kind of security screening and background checks and that, when they join, they understand their responsibilities in information security-related areas.
- Annex A.7.2 covers information security responsibilities during employment. One of the most common ways to achieve this is through induction training and ongoing security briefings.
- Annex A.7.3 talks about termination and change of employment. The goal is to ensure that the duties a person carries out are reviewed, and their impact determined, when employees leave the company or move into a new job role.
Annex A.8 – Asset Management
- Annex A.8.1 is about establishing what information assets exist and defining responsibility for those assets. These controls also define what employees are and are not allowed to do with assets that are assigned to them, typically through an “acceptable use policy”, and what process is to be followed for the return of assets.
- Annex A.8.2 describes the need for information classification. This is needed to ensure that information is classified and labelled appropriately so that it is protected by the correct level of controls.
- Annex A.8.3 covers the way in which removable media (such as USB memory devices and SD cards) are managed, including when they are disposed of or transported.
Annex A.9 – Access Control
- Annex A.9.1 says that an access control policy should be created and that users should only be able to access networks and services that they need to use as part of their roles.
- Annex A.9.2 describes the controls needed around the creation of user accounts and the permissions they are given, including admin accounts and password rules.
- Annex A.9.3 is a single control section that says that users must manage their authentication information, such as passwords, according to the rules.
- Annex A.9.4 requires that the systems that are put in place must be able to comply with the policy in areas such as logons, passwords and access to application functions.
Annex A.10 – Cryptography
- Annex A.10.1 is about Cryptographic controls. Cryptography is about encryption approaches, so the objective of this area is to ensure that the right type of encryption is applied in the right places to protect information. It requires policy on where it is used and the control of cryptographic key management.
Annex A.11 – Physical & Environmental Security
- Annex A.11.1 is concerned with the design and implementation of physical controls, for example within a building. This may involve provisioning security via entry controls and alarms and, in more general access areas, ensuring that controls prevent unauthorized access to buildings and information systems.
- Annex A.11.2 covers the various ways in which equipment and other assets (and the utilities that support them) must be protected, including when they are offsite or unattended. Screens and desks must be kept clear too.
Annex A.12 – Operations Security
- Annex A.12.1 proposes the need for operating procedures to be documented, changes and capacity to be managed, and the various environments (such as development and testing) to be separated.
- Annex A.12.2 is about protection from malware. Malware protection covers the detection of malware and the preventive and recovery controls in the event of being impacted by malware.
- Annex A.12.3 is concerned with backup. The objective is to protect against data being lost and to be able to recover it in the event of an incident such as a ransomware attack.
- Annex A.12.4 is about logging and monitoring. The objective in this area is to ensure that events are captured and logs processed to identify faults as well as exceptions to normal events that could indicate deliberate attempts to breach IT controls by internal and external threats.
- Annex A.12.5 relates to control over who has the appropriate privileges and methods for installing software on systems.
- Annex A.12.6 covers technical vulnerability management. The objective of this control is to prevent bugs in software being exploited, usually through patching and upgrading of software or hardware.
- Annex A.12.7 requires that audits of operational systems should be planned to minimise their impact on those systems and their use.
Annex A.13 – Communications Security
- Annex A.13.1 brings up network security management, including the segregation of networks using facilities such as VLANs. There are also controls covering the situation where networks or services are provided by external parties.
- Annex A.13.2 is about information transfer and requires appropriate policies and procedures to be in place, depending on the nature of the transfers involved. One of the biggest areas is potentially email transfer as well as data transfer between systems.
Annex A.14 – System Acquisition, Development & Maintenance
- Annex A.14.1 requires that information security requirements be identified and “baked in” to new systems and services. The first part of this is concerned with in-house development, where appropriate. However, some of these aspects also apply when considering the procurement of systems and deploying them in the organization.
Annex A.15 – Supplier Relationships
- Annex A.15.1 wants you to establish a policy for managing the security aspects of supplier relationships, and to address security in the contract. If you have a lot of suppliers, then it is key to understand the sensitivity of data needed by suppliers in fulfilling their contractual requirements for you.
- Annex A.15.2 covers the management of supplier services, including when suppliers change them. A key aspect of this is measuring whether those suppliers are achieving quality and performance requirements.
Annex A.16 – Information Security Incident Management
- Annex A.16.1 sets out methods for identifying and managing incidents, including who will do it and how. The controls require a defined incident process and evidence that incidents are recorded, assessed and responded to, and improvements made where appropriate.
Annex A.17 – Information Security Aspects of Business Continuity Management
- Annex A.17.1 asks that information security is considered when planning for adverse situations so that controls don’t become inoperative when the worst happens. Measures need to be tested and verified too.
- Annex A.17.2 covers the failover facilities that may be put in place to cope with failures of hardware, software or other aspects.
Annex A.18 – Compliance
- Annex A.18.1 requires that the organization understands the laws and regulations that apply to it and that it meets its obligations in areas such as privacy, intellectual property and cryptography. Another key aspect of this is to perform information security reviews and to assess that the ISMS and systems remain compliant with policies, standards, and other requirements.
It’s important to note that organizations don’t need to meet all 114 controls if they’re not relevant, and they’re there as a list of opportunities based on the requirements of your organization. This will become clearer as you complete gap assessments and risk assessments as part of your ISMS compliance.