What are the ISO 27001 Controls? - Assent Risk Management

PLEASE NOTE: ISO 27001:2013 was revised in 2022. The new standard has 93 controls, 11 of which are new.

Read more about the new ISO 27001:2022 Standard:

What Has Changed in ISO 27002:2022?

ISO 27001:2022 Consultants.

Unlike other management system standards, ISO 27001 for Information Security, provides a lengthy annex of 114 controls and control objectives.

It is mandatory to address the controls within Annex A of the standard, and while you aren’t required to implement EVERY control, you do need to justify their inclusion or exclusion from your management system.

Usually justification for inclusion falls within one of several categories including:

to treat a risk
it is a legal requirement
it is a contractual requirement
it’s best practice

While justifying the exclusion of controls must be for a valid reason, for example excluding the control for ‘Outsourced Software Development’ because you do not outsource your software development.

What Are the Controls?

The controls fall into 14 categories. We won’t address every control here but the broad headings are:

A5 Information Security Policies

A6 Organisation of Information Security

A7 Human Resources Security

A8 Asset Management

A9 Access Control

A10 Cryptography

A11 Physical & Environmental Security

A12 Operational Security

A13 Communications Security

A14 System Acquisition, Development & Maintenance

A15 Supplier Relationships

A16 Incident Management

A17 Information Security in Business Continuity Management

A18 Compliance

As you can see, the controls cover wide ranging aspects of the organisation and should not ordinarily be the sole responsibility of the I.T department.

Why do the ISO 27001 Controls Start at A5?

It may seem odd that the controls in Annex A start at A5 rather than A1. This is because the controls of Annex A correspond directly to those in another standard from the ISO 27000 Family, ISO 27002.

In ISO 27002 there are some introductory and explanatory sections 1-4, so the controls begin at section 5.

During an ISO 27001 Certification audit, you will be audited against the control text within ISO 27001 only. However, there are many benefits to reading the extended guidance on each control within ISO 27002.

What is a Statement of Applicability (SOA)?

As described above, it is a mandatory requirement to justify either the reason for including a control in your management system, or the reason for excluding it.

This justification should go into a document called the Statement of Applicability (SOA), which tells interested parties which controls you have applied.

The SOA should be kept under review, as things change and you may find you need to bring different controls in/out of scope.

The SOA Version number is also printed on your ISO Certificate as evidence of the scope that has been audited. If you change your SOA version you may require additional audits or at least a new certificate.

Is a Policy Needed for Every Control?

NO.

It is tempting to produce a document for every control in the standard, and in some very complex organisations that may be appropriate.

However, there are drawbacks to this approach including:

Too much documentation will not be read or understood by stakeholders.
Over time, there may be contradictions between policies as your management system evolves.
It can be difficult to keep documents up-to-date.
Reviewing large amounts of documents can be time consuming.
Raising awareness of large amounts of documentation can be difficult.

There are some controls where there is an obvious mandate for a policy, for example the Access Control Policy.

However, you should take a control-by-control approach to Annex A ensuring you can evidence each control.

What if a control is not Applicable to us?

You may exclude a control if it can be justified that the control does not apply to you.

You should write the reason for the exclusion in your SOA document.

However, the vast majority of the controls will apply, with the number of exclusions usually in single figures.

I don’t really understand what the control means.

This is perfectly understandable. The standard has been produced over time, last updated in 2013, and includes contributions from national standards bodies across the world.

The text in ISO 27001 only includes one or two lines of explanation per control.

If you are stuck on the meaning or intention of a particular control, refer to that control within ISO 27002. Here you will find a much longer explanation of the requirement with some examples.

ISO 27002 can be downloaded here.

Get Started with ISO 27001.

This blog is part of a series exploring ISO 27001 implementation and certification.

Assent Risk Management are experienced ISO 27001 Consultants who can support you in a variety of ways including:

– ISO 27001 Gap Analysis,

– ISO 27001 Implementation Project,

– ISO 27001 Internal Audits

We also have a Gap, App & Wrap scheme utilising our online project management system.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.