Annex A is a crucial element of ISO 27001. This ‘controls list’ is organised into 14 sections (domains) and contains 114 individual controls. However, not all of these controls are mandatory – organisations must choose and then implement appropriate controls. But, how do you choose?
Read on, as we help understand what controls there are, how to choose and the importance that risk plays.
ISO27001:2013 standard follows a risk-based approach when considering the information security of an organisation. This requires the identification of security risks and then the selection of appropriate controls to reduce, eliminate or manage those risks. We recently composed an overview of ISO27001 here.
The Standard has the controls required to meet those risk requirements at Annex A. In total there are 114 controls sub-divided in to 14 different categories. When considering these controls, it is important to note that they are simply possibilities or options. When conducting the risk process; the risk identified should have appropriate controls which have been selected from the list in Annex A.
Not every control can be implemented. For example; if your organisation does not have organic development capabilities then the control for establishing a secure development policy is not appropriate to use. How the controls are selected are down to the needs of the organisation which will be drawn out from the risk assessment and risk treatment process.
Categories of Controls
As we have discovered in our previous guide to ISO27001 the Annex contains 14 categories. They are listed as follows, with a brief overview of the nature of the controls listed:
A.5 Information security policies: This is about management guidance for information security within an organisation. The objective is to align the policies created with the organisations wider strategic goals whilst ensuring applicable regulation and legislation are fully incorporated.
Policies will form the building blocks needed to construct an effective ISMS; they will be essential if you are seeking certification for the system which is being implemented.
A.6 Organisation of information security: This domain is split in to two distinct areas. The first (A.6.1) will require that internal organisation is outlined. The goal will be to establish a framework against which the operations of information security will be conducted.
The second area (A.6.2) addresses the ever growing requirement to control risks associated with remote working and mobile devices.
A.7 Human resource security: The domain is split in to three areas with controls necessary to ensure information security considerations for the workforce are captured and considered. A.7.1 covers actions before employment; A.7.2 details requirements for employees and contractors during their employment and A.7.3 outlines controls to protect an organisation and its information after an employee or contractor has left or changed roles.
A.8 Asset management: This domain is also separated in to three distinct areas which address the controls for risks associated with information assets which an organisation will use in their day to day operations.
A.8.1 is about responsibility for these assets. This will require an organisation to identify information assets which are in scope and define and assign responsibilities for their security.
A.8.2 sets out how an organisation must consider information classification to ensure all information is assigned protection based on importance or sensitivities.
A.8.3 details media handling controls which prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
A.9 Access control: Within this domain there are a number of different areas which must be considered when organisations permit access to information.
A.9.1 details business requirements of access control. This area sets how to limit access to information and processing infrastructure securely.
A.9.2 provides considerations for user access management. The controls listed ensure users are authorised to access systems, applications and platforms in addition to ensuring that unauthorised access risks are controlled.
A.9.3 covers responsibilities of users. The objective in this segment is to make users responsible for ensuring the security of information required to permit access.
A.9.4 controls are designed to prevent unauthorised access to systems and applications including where programme source code is retained.
A.10 Cryptography: The encryption of sensitive information and the management of encryption keys, where required, will contribute to effective information security. Both considerations are outlined within this domain.
A.11 Physical and environmental security: The security of premises, equipment and physical information are a significant chunk of the overall security posture of an organisation. This includes where facilities are used to house the workforce and where remote working practice is also operationally viable. A list of controls are available to ensure the risks associated with this are controlled.
A.12 Operations security: Securing information processing facilities; includes technical security considerations such as malware protection, back up procedures, retention of log data, monitoring of ICT systems and security of operational software. Almost all organisations will have these controls implemented in some form, selection of the right controls for the risks identified will be different depending upon a number of variables.
A.13 Communications security: 13.1 is about network security management; the aim being to protect information in networks and its supporting infrastructure. The other sub-domain area, A.13.2 addresses where information is exchanged such as via e-mail or in person during a meeting.
A.14 System acquisition, development and maintenance: Security in development operations is a key consideration for any development entity and required risk controls are found within this domain. Further, where systems have been acquired off the shelf or via a partner the controls associated with ongoing maintenance are likewise listed within A.14.
A.15 Supplier relationships: Agreements to include in contracts with any external entity. All third parties should be subject to scrutiny before information is shared. These controls help to manage that process and ensure a review of previously engaged suppliers is periodically undertaken.
A.16 Information security incident management: Guide on how to identify, report and record information incidents. Provides functionality to allow appropriately responsible person to learn from incidents.
A.17 Information security aspects of business continuity management: Ensuring that your organisation is well prepared to survive disruption and ensure plans are viable through routinely testing and adjusting the plans created.
A.18 Compliance: Identify laws and regulations which will shape your organisation and record any review of your management system or security from an external source.
For additional guidance it may be beneficial to refer to ISO27002. This standard (ISO27002) provides best practice recommendations on information security controls and enhances the detail provided within ISO27001 Annex A.
Knowing which controls to implement is a crucial building block for a successful ISMS.
Before any certification audit, an organisation must have produced a Statement of Applicability (SoA). This SoA must contain at least 114 entries with each of the Categories and Controls within listed. This list must also include justification for inclusion and exclusion as necessary. There must be evidence that consideration has been given to all controls within Annex A; even if this means that they are not included within your system.
Those controls which are selected will likely form part of the risk treatment evidence and should be recorded as such. This can be within a risk register or held as separate documentation. The methodology will vary between different organisations, though demonstrating that the controls within Annex A are implemented is a consistent need.
The security provisions of the standard are not something that an organisations IT or Security team must adhere to alone. The standard requires that all aspects of the organisation be considered when examining the risks and treatment of risk. The best placed individuals to remedy and risk issues may not always be in the IT Department; the exact composition and siting of risk treatment will vary from one organisation to the other.
Annex A controls are just some of the options available to an organisation. Additional security controls not specifically outlined in Annex A can be used to provide treatment to an identified risk. So long as the Clauses and Controls within the Standard are addressed as appropriate, the ISMS will be functioning and provide good levels of Information Security.
We hope that you found this useful in demystifying some of the functions of Annex A in ISO27001. Please get in touch with us to speak about any implementation goals you have and how we may be able to assist you in reaching them. We would be delighted to talk with you informally to map out how ISO implementation would work. We have plenty of experience when it comes to achieving success for our customers, let us add to your success.
You can reach out to via firstname.lastname@example.org, LinkedIn Messenger, our contact number 03301332617 or via the form below.