What are 'controls' according to ISO 27001?
A core component of ISO 27001 is the use of controls: specific actions, processes, or tools designed to manage risks and enhance the security of information. This detailed article explores what controls are according to ISO 27001, how they are structured within the standard, and how they should be implemented within an organisation.

Controls are measures that an organisation puts in place to ensure that identified security risks are mitigated effectively. These controls are derived from best practices for securing information and information systems, and they address various aspects of information security, including the confidentiality, integrity, and availability of data.
Structure of Controls in ISO 27001
ISO 27001 controls are outlined in Annex A of the standard (in its 2022 revision), which provides a comprehensive list of 93 controls divided into 4 categories, each addressing different security aspects. Here is an overview of the controls in that list.
- Information security roles and responsibilities
- Segregation of duties
- Contact with authorities
- Contact with special interest groups
- Information security in project management
- Inventory of information and other associated assets
- Acceptable use of information and other associated assets
- Return of assets
- Classification of information
- Labelling of information
- Information transfer
- Access control
- Identity management
- Authentication information
- Access rights
- Information security in supplier relationships
- Addressing information security within supplier agreements
- Management of information security incidents and improvements
- Information security during disruption
- ICT readiness for business continuity
- Information security for the use of cloud services
- Legal, statutory, regulatory and contractual requirements
- Intellectual property rights
- Protection of records
- Privacy and protection of PII (personally identifiable information)
- Independent review of information security
- Compliance with policies, rules and standards for information security
- Information security in the relationships with suppliers and third parties
- Information security training and awareness
- Secure development lifecycle
- Application security requirements
- Secure system architecture and engineering principles
- Secure coding
- Security testing in development and acceptance
- Outsourced development
- Screening
- Terms and conditions of employment
- Information security awareness, education and training
- Disciplinary process
- Responsibilities after termination or change of employment
- Confidentiality or non-disclosure agreements
- Remote working
- Information security event reporting
- Physical security perimeter
- Physical entry controls
- Securing offices, rooms and facilities
- Physical security monitoring
- Protection against physical and environmental threats
- Working in secure areas
- Clear desk and clear screen policy
- Equipment siting and protection
- Security of assets off-premises
- Storage media
- Supporting utilities
- Cabling security
- Equipment maintenance
- Secure disposal or re-use of equipment
- User endpoint devices
- Privileged access rights
- Information access restriction
- Access to source code
- Secure authentication
- Capacity management
- Protection against malware
- Management of technical vulnerabilities
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Information backup
- Use of cryptography
- Key management
- Network security
- Security of network services
- Segregation of networks
- Web filtering
- Use of mobile devices
- Application control
- Logging
- Monitoring activities
- Clock synchronisation
- Installation of software
- Software updates
- Event logging and correlation
- Anomaly detection
- Prevention of misuse
- Security of email and messaging
- Intrusion prevention and detection
- Remote access
- Secure development tools