What are 'Controls' According to ISO 27001?

Written by Sally Wood
Updated over 11 months ago

A core component of ISO 27001 is the use of controls—specific actions, processes, or tools designed to manage risks and enhance the security of information. This detailed article explores what controls are according to ISO 27001, how they are structured within the standard, and how they should be implemented within an organisation.

Definition of Controls in ISO 27001

In the context of ISO 27001, controls are measures that an organisation puts in place to ensure that identified security risks are mitigated effectively. These controls are derived from best practices for securing information and information systems, and they address various aspects of information security, including confidentiality, integrity, and availability of data.

Structure of Controls in ISO 27001

ISO 27001 controls are outlined in Annex A of the standard, which provides a comprehensive list of 114 controls, divided into 14 categories, each addressing different security aspects. Here’s an overview of these categories:

  • A.5 Information Security Policies - Controls that govern the management direction for information security.

  • A.6 Organisation of Information Security - Controls on how responsibilities are assigned; also includes controls on mobile devices and teleworking.

  • A.7 Human Resource Security - Controls that ensure employees, contractors, and third-party users understand their responsibilities and are suitable for the roles they are considered for, and that they are aware of information security threats and concerns.

  • A.8 Asset Management - Controls that help identify information assets and define appropriate protection responsibilities.

  • A.9 Access Control - Controls that limit access to information and information processing facilities.

  • A.10 Cryptography - Controls on the use, protection, and lifetime of cryptographic keys.

  • A.11 Physical and Environmental Security - Controls that prevent unauthorised physical access, damage, and interference to the organisation’s information and information processing facilities.

  • A.12 Operations Security - Controls aimed at ensuring secure operations, including protection from malware, backup, logging and monitoring, control of operational software, and more.

  • A.13 Communications Security - Controls that safeguard information in networks and protect the security of information transferred within and between organisations.

  • A.14 System Acquisition, Development, and Maintenance - Controls that ensure security is a part of information systems and information processing facilities.

  • A.15 Supplier Relationships - Controls to ensure that an organisation’s security requirements are met when dealing with suppliers.

  • A.16 Information Security Incident Management - Controls to manage information security incidents and improvements.

  • A.17 Information Security Aspects of Business Continuity Management - Controls to counteract interruptions to business activities and protect critical business processes from the effects of major failures or disasters.

  • A.18 Compliance - Controls to ensure compliance with legal, statutory, regulatory, and contractual requirements.