ISO 27001, sometimes referred to as ISO/IEC 27001, is an international standard that addresses organizational information security.
Issued in 2005 and revised in 2013, the ISO 27001 standard describes the requirements for an Information Security Management System (ISMS): the global controls and safeguards meant to preserve data privacy, protect sensitive information, strengthen the organization's cybersecurity posture, and reduce business risk across all vital areas.
The document comprises two parts. The main part, which contains clauses one through eleven, sets out the organizational requirements for adopting ISO 27001, defines roles and responsibilities, and outlines the overall framework.
The second part of the standard, also called Annex A or the ISO 27001 controls, describes the guidelines for implementing the 114 controls and objectives of the ISO/IEC 27001 standard. In this article, we are going to tackle sections A5 through A18 of Annex A and discuss scopes, objectives, adoption challenges, and more. Enjoy!
Navigating Annex A of ISO 27001
Annex A of the standard contains 114 controls, which are divided into 14 areas or domains. Each domain contains an objective (i.e., scope), several controls (i.e., safeguards), and the guidelines for implementing the safeguards.
For instance, clause A.5 (i.e., Security policy) of Annex A has the objective of providing direction and support for any information security endeavor, within the confines of relevant laws and regulations and in accordance with the organization’s requirements.
Clause A.5 contains 3 controls (i.e., Information security policy, Information security policy document, and Review of the information security policy) and instructions on how these safeguards should be implemented.
For example, in order to enforce sub-clause A.5.1.1, the owner (i.e., a member of staff charged with information security tasks) must produce an information security policy document and subsequently circulate it to management. If management approves, the document is made available to all employees and relevant external parties, in written or digital form.
For ease of navigation, we have outlined Annex A’s domains and controls.
Domains
Clause | Description |
---|---|
A5 | Security policy. |
A6 | Organization of information security. |
A7 | Human resource security. |
A8 | Asset Management. |
A9 | Access Control. |
A10 | Cryptography. |
A11 | Physical and environmental security. |
A12 | Operations security. |
A13 | Communications security. |
A14 | System acquisition, development, and maintenance. |
A15 | Supplier relationships. |
A16 | Information security incident management. |
A17 | Information security aspects of business continuity management. |
A18 | Compliance. |
Controls
Main clause and sub-clause | Control description |
---|---|
6.1 | Internal organization |
6.1.1 | Information security roles and responsibilities |
6.1.2 | Segregation of duties |
6.1.3 | Contact with authorities |
6.1.4 | Contact with special interest groups |
6.1.5 | Information security in project management |
6.2 | Mobile devices and teleworking |
6.2.1 | Mobile device policy |
6.2.2 | Teleworking |
7 | Human resource security |
7.1 | Prior to employment |
7.1.1 | Screening |
7.1.2 | Terms and conditions of employment |
7.2 | During employment |
7.2.1 | Management responsibilities |
7.2.2 | Information security awareness, education and training |
7.2.3 | Disciplinary process |
7.3 | Termination and change of employment |
7.3.1 | Termination or change of employment responsibilities |
8 | Asset management |
8.1 | Responsibility for assets |
8.1.1 | Inventory of assets |
8.1.2 | Ownership of assets |
8.1.3 | Acceptable use of assets |
8.1.4 | Return of assets |
8.2 | Information classification |
8.2.1 | Classification of information |
8.2.2 | Labelling of information |
8.2.3 | Handling of assets |
8.3 | Media handling |
8.3.1 | Management of removable media |
8.3.2 | Disposal of media |
8.3.3 | Physical media transfer |
9 | Access control |
9.1 | Business requirements of access control |
9.1.1 | Access control policy |
9.1.2 | Access to networks and network services |
9.2 | User access management |
9.2.1 | User registration and de-registration |
9.2.2 | User access provisioning |
9.2.3 | Management of privileged access rights |
9.2.4 | Management of secret authentication information of users |
9.2.5 | Review of user access rights |
9.2.6 | Removal or adjustment of access rights |
9.3 | User Responsibilities |
9.3.1 | Use of secret authentication information |
9.4 | System and application access control |
9.4.1 | Information access restriction |
9.4.2 | Secure log-on procedures |
9.4.3 | Password management system |
9.4.4 | Use of privileged utility programs |
9.4.5 | Access control to program source code |
10 | Cryptography |
10.1 | Cryptographic controls |
10.1.1 | Policy on the use of cryptographic controls |
10.1.2 | Key management |
11 | Physical and environmental security |
11.1 | Secure areas |
11.1.1 | Physical security perimeter |
11.1.2 | Physical entry controls |
11.1.3 | Securing offices, rooms and facilities |
11.1.4 | Protecting against external and environmental threats |
11.1.5 | Working in secure areas |
11.1.6 | Delivery and loading areas |
11.2 | Equipment |
11.2.1 | Equipment siting and protection |
11.2.2 | Supporting utilities |
11.2.3 | Cabling security |
11.2.4 | Equipment maintenance |
11.2.5 | Removal of assets |
11.2.6 | Security of equipment and assets off-premises |
11.2.7 | Secure disposal or reuse of equipment |
11.2.8 | Unattended user equipment |
11.2.9 | Clear desk and clear screen policy |
12 | Operations security |
12.1 | Operational procedures and responsibilities |
12.1.1 | Documented operating procedures |
12.1.2 | Change management |
12.1.3 | Capacity management |
12.1.4 | Separation of development, testing and operational environments |
12.2 | Protection from malware |
12.2.1 | Controls against malware |
12.3 | Backup |
12.3.1 | Information backup |
12.4 | Logging and monitoring |
12.4.1 | Event logging |
12.4.2 | Protection of log information |
12.4.3 | Administrator and operator logs |
12.4.4 | Clock synchronization |
12.5 | Control of operational software |
12.5.1 | Installation of software on operational systems |
12.6 | Technical vulnerability management |
12.6.1 | Management of technical vulnerabilities |
12.6.2 | Restrictions on software installation |
12.7 | Information systems audit considerations |
12.7.1 | Information systems audit controls |
13 | Communications security |
13.1 | Network security management facilities |
13.1.1 | Network controls |
13.1.2 | Security of network services |
13.1.3 | Segregation in networks |
13.2 | Information transfer |
13.2.1 | Information transfer policies and procedures |
13.2.2 | Agreements on information transfer |
13.2.3 | Electronic messaging |
13.2.4 | Confidentiality or nondisclosure agreements |
14 | System acquisition, development and maintenance |
14.1 | Security requirements of information systems |
14.1.1 | Information security requirements analysis and specification |
14.1.2 | Securing application services on public networks |
14.1.3 | Protecting application services transactions |
14.2 | Security in development and support processes |
14.2.1 | Secure development policy |
14.2.2 | System change control procedures |
14.2.3 | Technical review of applications after operating platform changes |
14.2.4 | Restrictions on changes to software packages |
14.2.5 | Secure system engineering principles |
14.2.6 | Secure development environment |
14.2.7 | Outsourced development |
14.2.8 | System security testing |
14.2.9 | System acceptance testing |
14.3 | Test data |
14.3.1 | Protection of test data |
15 | Supplier relationships |
15.1 | Information security in supplier relationships |
15.1.1 | Information security policy for supplier relationships |
15.1.2 | Addressing security within supplier agreements |
15.1.3 | Information and communication technology supply chain |
15.2 | Supplier service delivery management |
15.2.1 | Monitoring and review of supplier services |
15.2.2 | Managing changes to supplier services |
16 | Information security incident management |
16.1 | Management of information security incidents and improvements |
16.1.1 | Responsibilities and procedures |
16.1.2 | Reporting information security events |
16.1.3 | Reporting information security weaknesses |
16.1.4 | Assessment of and decision on information security events |
16.1.5 | Response to information security incidents |
16.1.6 | Learning from information security incidents |
16.1.7 | Collection of evidence |
17 | Information security aspects of business continuity management |
17.1 | Information security continuity |
17.1.1 | Planning information security continuity |
17.1.2 | Implementing information security continuity |
17.1.3 | Verify, review and evaluate information security continuity |
17.2 | Redundancies |
17.2.1 | Availability of information processing facilities |
18 | Compliance |
18.1 | Compliance with legal and contractual requirements |
18.1.1 | Identification of applicable legislation and contractual requirements |
18.1.2 | Intellectual property rights |
18.1.3 | Protection of records |
18.1.4 | Privacy and protection of personally identifiable information |
18.1.5 | Regulation of cryptographic controls |
18.2 | Information security reviews |
18.2.1 | Independent review of information security |
18.2.2 | Compliance with security policies and standards |
18.2.3 | Technical compliance review |
Benefits of Adopting ISO 27001 Controls
Adopting ISO 27001 controls offers a multitude of advantages for organizations. Firstly, it enhances data security by providing a systematic framework for identifying, managing, and mitigating information risks.
This not only safeguards sensitive data but also builds trust with customers and stakeholders. ISO 27001 promotes operational efficiency through clearly defined processes, reducing the likelihood of security breaches and downtime.
Additionally, it aids in compliance with legal and regulatory requirements, preventing costly fines and legal issues. The certification also bolsters an organization’s competitive edge, as it demonstrates a commitment to data security and can be a differentiator in the marketplace.
Furthermore, ISO 27001’s continuous improvement approach ensures that security measures remain up-to-date and effective, thus contributing to a more resilient, secure, and trustworthy business environment.
ISO 27001 Controls Explained
Below, you can find all controls encompassed in the ISO 27001 standard.
A.5 Security Policy
A.5.1 Information Security Policy
Objective: This section aims to establish management guidance and endorsement for information security, aligning it with business needs and applicable laws and regulations.
A.5.1.1 Documenting the Information Security Policy
Control
The information security policy document must receive approval from management, be made accessible to all employees and relevant external parties, and be effectively communicated to them.
A.5.1.2 Periodic Review of the Information Security Policy
Control
The information security policy should undergo regular assessments at planned intervals or when significant changes arise to ensure its continued appropriateness, sufficiency, and effectiveness.
A.6 Organization of information security
A.6.1 Internal Organization
Objective: Ensure effective management of information security within the organization.
A.6.1.1 Commitment of Management to Information Security
Control
Management must actively endorse and support security within the organization by providing clear guidance, demonstrating their commitment, explicitly assigning roles, and acknowledging information security responsibilities.
A.6.1.2 Coordination of Information Security
Control
Information security activities should be coordinated by representatives from various parts of the organization who hold relevant roles and job functions.
A.6.1.3 Allocation of Information Security Responsibilities
Control
All information security responsibilities must have well-defined and clear descriptions.
A.6.1.4 Authorization Process for Information Processing Facilities
Control
An established management authorization process for new information processing facilities must be defined and put into practice.
A.6.1.5 Confidentiality Agreements
Control
Requirements for confidentiality or non-disclosure agreements that align with the organization’s information protection needs should be identified and regularly reviewed.
A.6.1.6 Communication with Authorities
Control
Appropriate communication channels with relevant authorities must be maintained.
A.6.1.7 Engagement with Special Interest Groups
Control
Appropriate connections with special interest groups and other specialized security forums and professional associations should be upheld.
A.6.1.8 Independent Review of Information Security
Control
The organization’s approach to managing information security, including control objectives, controls, policies, processes, and procedures, must be independently reviewed at planned intervals or when significant changes to the security implementation occur.
A.6.2 External Parties
Objective: Safeguard the organization’s information and information processing facilities accessed, processed, communicated to, or managed by external parties.
A.6.2.1 Identification of Risks Related to External Parties
Control
Identify risks to the organization’s information and information processing facilities arising from business processes involving external parties, and implement appropriate controls before granting access.
A.6.2.2 Addressing Security when Dealing with Customers
Control
Address all identified security requirements before providing customers access to the organization’s information or assets.
A.6.2.3 Addressing Security in Third-Party Agreements
Control
Ensure that agreements with third parties involving access, processing, communication, or management of the organization’s information or information processing facilities, or the addition of products or services to information processing facilities, cover all relevant security requirements.
A.7 Asset management
A.7.1 Responsibility for Assets
Objective: To establish and maintain the appropriate protection for organizational assets.
A.7.1.1 Asset Inventory
Control
All assets must be clearly identified, and a comprehensive inventory of significant assets should be created and kept up-to-date.
A.7.1.2 Ownership of Assets
Control
Information and assets associated with information processing facilities should be under the ownership of a designated department within the organization.
A.7.1.3 Acceptable Use of Assets
Control
Regulations governing the acceptable use of information and assets linked to information processing facilities need to be identified, documented, and put into practice.
A.7.2 Information Classification
Objective: Ensure that information receives the appropriate level of protection.
A.7.2.1 Classification Guidelines
Control
Information should be classified based on its value, legal requirements, sensitivity, and criticality to the organization.
A.7.2.2 Information Labeling and Handling
Control
A suitable set of procedures for labeling and handling information should be developed and implemented in alignment with the organization’s chosen classification scheme.
A.8 Human Resources Security
A.8.1 Prior to Employment
Objective: Ensure that employees, contractors, and third-party users comprehend their responsibilities, are suited for their roles, and minimize the risk of theft, fraud, or facility misuse.
A.8.1.1 Roles and Responsibilities
Control
Clearly define and document the security roles and responsibilities of employees, contractors, and third-party users in accordance with the organization’s information security policy.
A.8.1.2 Screening
Control
Conduct background checks on all job candidates, contractors, and third-party users in compliance with relevant laws, regulations, ethics, and commensurate with business requirements, the information access classification, and perceived risks.
A.8.1.3 Terms and Conditions of Employment
Control
As part of their employment contract, employees, contractors, and third-party users should agree to and sign the terms and conditions, outlining their and the organization’s responsibilities for information security.
A.8.2 During Employment
Objective: Ensure that all employees, contractors, and third-party users are aware of information security threats, their responsibilities, and liabilities, and are equipped to uphold the organization’s security policy in their regular work, reducing the risk of human error.
A.8.2.1 Management Responsibilities
Control
Management should require employees, contractors, and third-party users to adhere to security practices as per the organization’s established policies and procedures.
A.8.2.2 Information Security Awareness, Education, and Training
Control
All organization employees, and where applicable, contractors and third-party users, should receive relevant awareness training and regular updates on organizational policies and procedures tailored to their job function.
A.8.2.3 Disciplinary Process
Control
A formal disciplinary process should be in place for employees who breach security regulations.
A.8.3 Termination or Change of Employment
Objective: Ensure that employees, contractors, and third-party users depart from the organization or change their employment status in an orderly manner.
A.8.3.1 Termination Responsibilities
Control
Responsibilities for handling employment termination or employment changes should be clearly defined and assigned.
A.8.3.2 Return of Assets
Control
Upon the termination of their employment, contract, or agreement, all employees, contractors, and third-party users should return all of the organization’s assets in their possession.
A.8.3.3 Removal of Access Rights
Control
Access rights to information and information processing facilities should be revoked upon the termination of employment, contract, or agreement or adjusted in the event of a change.
A.9 Physical and environmental security
A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.
A.9.1 Physical Security
Objective: To safeguard organizational assets appropriately.
A.9.1.1 Physical Security Perimeter
Control
Security perimeters, including walls, card-controlled entry gates, or manned reception desks, should be deployed to protect areas housing information and information processing facilities.
A.9.1.2 Physical Entry Controls
Control
Secure areas must have effective entry controls in place to ensure only authorized personnel gain access.
A.9.1.3 Securing Offices, Rooms, and Facilities
Control
Physical security measures for offices, rooms, and facilities need to be designed and implemented.
A.9.1.4 Protection Against External and Environmental Threats
Control
Physical safeguards against threats like fire, flood, earthquakes, explosions, civil unrest, and other natural or man-made disasters should be planned and implemented.
A.9.1.5 Working in Secure Areas
Control
Guidelines and physical protections for working in secure areas should be established and put into practice.
A.9.1.6 Public Access, Delivery, and Loading Areas
Control
Access points like delivery and loading areas, where unauthorized individuals could potentially enter the premises, should be controlled and, if feasible, separated from information processing facilities to prevent unauthorized access.
A.9.2 Equipment Security
Objective: To prevent loss, damage, theft, or compromise of assets and minimize disruptions to organizational activities.
A.9.2.1 Equipment Siting and Protection
Control
Equipment should be appropriately placed or protected to mitigate environmental risks and unauthorized access.
A.9.2.2 Supporting Utilities
Control
Equipment must be safeguarded against power failures and disruptions caused by utility failures.
A.9.2.3 Cabling Security
Control
Protect power and telecommunications cabling used for data or information services to prevent interception or damage.
A.9.2.4 Equipment Maintenance
Control
Ensure equipment is regularly maintained to guarantee its continued availability and integrity.
A.9.2.5 Security of Off-Site Equipment
Control
Apply security measures to off-site equipment while considering the unique risks of working outside the organization’s premises.
A.9.2.6 Secure Disposal or Reuse of Equipment
Control
All equipment with storage media should be checked to ensure sensitive data and licensed software are removed or securely overwritten before disposal.
A.9.2.7 Removal of Property
Control
Equipment, information, or software should not be taken off-site without prior authorization.
A.10 Communications and Operations Management
A.10.1 Operational Procedures and Responsibilities
Objective: To ensure correct and secure operation of information processing facilities.
A.10.1.1 Documented Operating Procedures
Control
Document, maintain, and provide operating procedures to all users who require them.
A.10.1.2 Change Management
Control
Manage changes to information processing facilities and systems effectively.
A.10.1.3 Segregation of Duties
Control
Separate duties and areas of responsibility to minimize opportunities for unauthorized or unintentional modification or misuse of organizational assets.
A.10.1.4 Separation of Development, Test, and Operational Facilities
Control
Keep development, test, and operational facilities separate to reduce the risk of unauthorized access or changes to the operational system.
A.10.2 Third-Party Service Delivery Management
Objective: Implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements.
A.10.2.1 Service Delivery
Control
Ensure that the security controls, service definitions, and delivery levels outlined in third-party service delivery agreements are effectively implemented, operated, and maintained by the third party.
A.10.2.2 Monitoring and Review of Third-Party Services
Control
Regularly monitor and review the services, reports, and records provided by third parties, and conduct regular audits.
A.10.2.3 Managing Changes to Third-Party Services
Control
Manage changes to service provision, including the maintenance and enhancement of existing information security policies, procedures, and controls. Consider the criticality of business systems and processes and reassess risks.
A.10.3 System Planning and Acceptance
Objective: Minimize the risk of system failures.
A.10.3.1 Capacity Management
Control
Monitor resource utilization, tune systems, and project future capacity requirements to ensure required system performance.
A.10.3.2 System Acceptance
Control
Establish acceptance criteria for new information systems, upgrades, and new versions, and conduct suitable tests during development and prior to acceptance.
A.10.4 Protection Against Malicious and Mobile Code
Objective: Protect the integrity of software and information.
A.10.4.1 Controls Against Malicious Code
Control
Implement detection, prevention, and recovery controls to safeguard against malicious code, along with appropriate user awareness procedures.
A.10.4.2 Controls Against Mobile Code
Control
Configure authorized mobile code to operate according to a clearly defined security policy and prevent unauthorized mobile code from executing.
A.10.5 Backup
Objective: Maintain the integrity and availability of information and information processing facilities.
A.10.5.1 Information Backup
Control
Regularly create backup copies of information and software following the agreed backup policy and test them for reliability.
A.10.6 Network Security Management
Objective: Ensure information in networks and the supporting infrastructure is protected.
A.10.6.1 Network Controls
Control
Properly manage and control networks to protect against threats and maintain security for systems and applications using the network, including information in transit.
A.10.6.2 Security of Network Services
Control
Identify the security features, service levels, and management requirements for all network services, whether in-house or outsourced, and include them in network services agreements.
A.10.7 Media Handling
Objective: Prevent unauthorized disclosure, modification, removal, or destruction of assets and business interruptions.
A.10.7.1 Management of Removable Media
Control
Establish procedures for managing removable media.
A.10.7.2 Disposal of Media
Control
Dispose of media securely and safely when no longer needed, following formal procedures.
A.10.7.3 Information Handling Procedures
Control
Establish procedures for handling and storing information to protect it from unauthorized disclosure or misuse.
A.10.7.4 Security of System Documentation
Control
Protect system documentation against unauthorized access.
A.10.8 Exchange of Information
Objective: Maintain the security of information and software exchanged within the organization and with external entities.
A.10.8.1 Information Exchange Policies and Procedures
Control
Implement formal policies, procedures, and controls to protect the exchange of information using various communication facilities.
A.10.8.2 Exchange Agreements
Control
Establish agreements for the exchange of information and software between the organization and external parties.
A.10.8.3 Physical Media in Transit
Control
Protect media containing information from unauthorized access, misuse, or corruption during transportation beyond the organization’s physical boundaries.
A.10.8.4 Electronic Messaging
Control
Ensure the security of information involved in electronic messaging.
A.10.8.5 Business Information Systems
Control
Develop and implement policies and procedures to protect information related to interconnected business information systems.
A.10.9 Electronic Commerce Services
Objective: Ensure the security of electronic commerce services and their secure use.
A.10.9.1 Electronic Commerce
Control
Protect information involved in electronic commerce when transmitted over public networks from fraudulent activity, contract disputes, unauthorized disclosure, and modification.
A.10.9.2 On-line Transactions
Control
Secure information involved in online transactions to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay.
A.10.9.3 Publicly Available Information
Control
Protect the integrity of information made available on publicly accessible systems to prevent unauthorized modification.
A.10.10 Monitoring
Objective: Detect unauthorized information processing activities.
A.10.10.1 Audit Logging
Control
Generate and maintain audit logs recording user activities, exceptions, and information security events for an agreed period to aid future investigations and access control monitoring.
A.10.10.2 Monitoring System Use
Control
Establish procedures for monitoring the use of information processing facilities and regularly review the results.
A.10.10.3 Protection of Log Information
Control
Safeguard logging facilities and log information from tampering and unauthorized access.
A.10.10.4 Administrator and Operator Logs
Control
Log the activities of system administrators and operators.
A.10.10.5 Fault Logging
Control
Log faults, analyze them, and take appropriate action.
A.10.10.6 Clock Synchronization
Control
Synchronize the clocks of all relevant information processing systems within an organization or security domain with a reliable time source.
A.11 Access Control
Objective: To manage access to information.
A.11.1 Business Requirement for Access Control
Control
Establish, document, and periodically review an access control policy based on business and security requirements.
A.11.2 User Access Management
Objective: To ensure authorized user access and prevent unauthorized access to information systems.
A.11.2.1 User Registration
Control
Implement a formal procedure for user registration and de-registration to grant and revoke access to information systems and services.
A.11.2.2 Privilege Management
Control
Restrict and control the allocation and use of privileges.
A.11.2.3 User Password Management
Control
Control password allocation through a formal management process.
A.11.2.4 Review of User Access Rights
Control
Conduct regular management reviews of users’ access rights using a formal process.
A.11.3 User Responsibilities
Objective: To prevent unauthorized user access and protect information and facilities.
A.11.3.1 Password Use
Control
Ensure users adhere to good security practices when selecting and using passwords.
A.11.3.2 Unattended User Equipment
Control
Ensure unattended equipment has adequate protection.
A.11.3.3 Clear Desk and Clear Screen Policy
Control
Adopt clear desk and clear screen policies for papers, removable storage media, and information processing facilities.
A.11.4 Network Access Control
Objective: To prevent unauthorized access to networked services.
A.11.4.1 Policy on Use of Network Services
Control
Provide users access only to services they are specifically authorized to use.
A.11.4.2 User Authentication for External Connections
Control
Use appropriate authentication methods to control remote user access.
A.11.4.3 Equipment Identification in Networks
Control
Consider automatic equipment identification to authenticate connections from specific locations and equipment.
A.11.4.4 Remote Diagnostic and Configuration Port Protection
Control
Control physical and logical access to diagnostic and configuration ports.
A.11.4.5 Segregation in Networks
Control
Segregate groups of information services, users, and information systems on networks.
A.11.4.6 Network Connection Control
Control
Restrict users’ ability to connect to the network on shared networks, especially those extending across organizational boundaries, in alignment with the access control policy and business application requirements.
A.11.4.7 Network Routing Control
Control
Implement routing controls on networks to ensure that computer connections and information flows comply with the business application’s access control policy.
A.11.5 Operating System Access Control
Objective: To prevent unauthorized access to operating systems.
A.11.5.1 Secure Log-On Procedures
Control
Control access to operating systems through secure log-on procedures.
A.11.5.2 User Identification and Authentication
Control
Assign all users unique identifiers (user IDs) for personal use, and choose suitable authentication methods to confirm a user’s claimed identity.
A.11.5.3 Password Management System
Control
Implement interactive password management systems that ensure high-quality passwords.
A.11.5.4 Use of System Utilities
Control
Restrict and tightly control the use of utility programs that could potentially override system and application controls.
A.11.5.5 Session Time-Out
Control
Automatically shut down inactive sessions after a defined period of inactivity.
A.11.5.6 Limitation of Connection Time
Control
Use connection time restrictions to enhance security for high-risk applications.
A.11.6 Application and Information Access Control
Objective: To prevent unauthorized access to information in application systems.
A.11.6.1 Information Access Restriction
Control
Restrict access to information and application system functions in accordance with the defined access control policy.
A.11.6.2 Sensitive System Isolation
Control
Dedicate isolated computing environments to sensitive systems.
A.11.7 Mobile Computing and Teleworking
Objective: Ensure information security when using mobile computing and teleworking facilities.
A.11.7.1 Mobile Computing and Communications
Control
Establish a formal policy and adopt security measures to protect against the risks of using mobile computing and communication facilities.
A.11.7.2 Teleworking
Control
Develop and implement policies, operational plans, and procedures for teleworking activities.
A.12 Information Systems Acquisition, Development, and Maintenance
A.12.1 Security Requirements of Information Systems
Objective: Ensure security is an integral part of information systems.
A.12.1.1 Security Requirements Analysis and Specification
Control
State the requirements for security controls in the business requirements for new information systems, or for enhancements to existing information systems.
A.12.2 Correct Processing in Applications
Objective: Prevent errors, loss, unauthorized modification, or misuse of information in applications.
A.12.2.1 Input Data Validation
Control
Validate data input to applications to ensure correctness and appropriateness.
A.12.2.2 Control of Internal Processing
Control
Incorporate validation checks into applications to detect information corruption due to processing errors or deliberate actions.
A.12.2.3 Message Integrity
Control
Identify requirements for ensuring message authenticity and integrity in applications, and implement appropriate controls.
A.12.2.4 Output Data Validation
Control
Validate data output from applications to ensure processing of stored information is correct and appropriate to the circumstances.
A.12.3 Cryptographic Controls
Objective: Protect the confidentiality, authenticity, or integrity of information through cryptographic means.
A.12.3.1 Policy on Use of Cryptographic Controls
Control
Develop and implement a policy for the use of cryptographic controls to protect information.
A.12.3.2 Key Management
Control
Establish key management practices to support the organization’s use of cryptographic techniques.
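Controls A.12.2.1 to A.12.2.4 and A.12.3.2 say what an application must do, not how. The example below is added here and is not code from the standard or from any particular product. It processes a constructed payment-transfer message: the message is authenticated with an HMAC-SHA256 tag before it is interpreted (A.12.2.3), the input is checked against a strict schema (A.12.2.1), the transfer is applied to a copy of a ledger and released only if the accounting invariants still hold (A.12.2.2 and A.12.2.4), and keys are referenced by id from a small key ring so that a retired key can still verify messages signed before rotation but can no longer sign, while a revoked key is refused outright (A.12.3.2). The key ring, account numbers, business limits and currencies are assumptions for the example; real keys come from a KMS or HSM, never from a literal string. The A.12.2 controls belong to the 2005 edition of Annex A, whose numbering this article follows; the 2013 revision dropped them as separate controls, but the practice itself is unchanged.

```python
import hashlib
import hmac
import json

# Constructed key ring for the example: real secrets come from a KMS/HSM, never from a
# literal. Statuses model rotation: active signs and verifies, retired only verifies
# messages signed before rotation, revoked is refused for both.
KEY_RING = {
    "k2023": {"secret": hashlib.sha256(b"placeholder k2023").digest(), "status": "retired"},
    "k2024": {"secret": hashlib.sha256(b"placeholder k2024").digest(), "status": "active"},
    "k2019": {"secret": hashlib.sha256(b"placeholder k2019").digest(), "status": "revoked"},
}
ACTIVE_KEY_ID = "k2024"
ALLOWED_CURRENCIES = {"EUR", "USD", "GBP"}   # constructed business rule
MAX_AMOUNT_CENTS = 100_000_00                 # constructed business limit
REQUIRED_FIELDS = {"from_account": str, "to_account": str, "amount_cents": int, "currency": str}

def validate_input(msg: dict) -> dict:
    """A.12.2.1: accept only the exact shape and value ranges the application expects."""
    extra = set(msg) - set(REQUIRED_FIELDS)
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    for name, typ in REQUIRED_FIELDS.items():
        # type() not isinstance(): bool is a subclass of int and must not pass as an amount
        if name not in msg or type(msg[name]) is not typ:
            raise ValueError(f"field {name!r} missing or wrong type")
    if not 0 < msg["amount_cents"] <= MAX_AMOUNT_CENTS:
        raise ValueError("amount out of range")
    if msg["currency"] not in ALLOWED_CURRENCIES:
        raise ValueError("unsupported currency")
    accounts = (msg["from_account"], msg["to_account"])
    if not all(a.isdigit() and len(a) == 10 for a in accounts):
        raise ValueError("account ids must be exactly 10 digits")
    if accounts[0] == accounts[1]:
        raise ValueError("source and destination must differ")
    return msg

def canonical(msg: dict) -> bytes:
    # Deterministic encoding so the tag does not depend on key order or whitespace.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign(msg: dict, key_id: str = ACTIVE_KEY_ID) -> dict:
    """A.12.2.3 / A.12.3.2: tag the canonical message; only the active key may sign."""
    entry = KEY_RING[key_id]
    if entry["status"] != "active":
        raise PermissionError(f"key {key_id} is {entry['status']}, not active")
    tag = hmac.new(entry["secret"], canonical(msg), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "body": msg, "tag": tag}

def verify(envelope: dict) -> dict:
    """Constant-time tag check; retired keys still verify, revoked keys do not."""
    entry = KEY_RING.get(envelope.get("key_id"))
    if entry is None or entry["status"] == "revoked":
        raise PermissionError("unknown or revoked key id")
    expected = hmac.new(entry["secret"], canonical(envelope["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        raise ValueError("message integrity check failed")
    return envelope["body"]

def apply_transfer(ledger: dict, msg: dict) -> dict:
    """A.12.2.2 / A.12.2.4: work on a copy and check invariants before releasing the result."""
    new = dict(ledger)
    new[msg["from_account"]] = new.get(msg["from_account"], 0) - msg["amount_cents"]
    new[msg["to_account"]] = new.get(msg["to_account"], 0) + msg["amount_cents"]
    if sum(new.values()) != sum(ledger.values()):   # money is neither created nor destroyed
        raise RuntimeError("ledger total changed: processing error")
    if min(new.values()) < 0:                        # output validation: no negative balance
        raise ValueError("insufficient funds")
    return new

def process(envelope: dict, ledger: dict) -> dict:
    body = verify(envelope)   # integrity first: never interpret data that may be forged
    return apply_transfer(ledger, validate_input(body))

def rejects(fn, exc) -> bool:
    try:
        fn()
    except exc:
        return True
    return False

def demo() -> dict:
    ledger = {"1234567890": 50_000, "0987654321": 10_000}
    msg = {"from_account": "1234567890", "to_account": "0987654321",
           "amount_cents": 2_500, "currency": "EUR"}
    tampered = sign(msg)
    tampered["body"] = dict(msg, amount_cents=25_000)    # altered after signing
    old_tag = hmac.new(KEY_RING["k2023"]["secret"], canonical(msg), hashlib.sha256).hexdigest()
    signed_before_rotation = {"key_id": "k2023", "body": msg, "tag": old_tag}
    return {
        "ledger_after": process(sign(msg), ledger),
        "tamper_rejected": rejects(lambda: process(tampered, ledger), ValueError),
        "retired_key_cannot_sign": rejects(lambda: sign(msg, "k2023"), PermissionError),
        "retired_key_still_verifies": verify(signed_before_rotation) == msg,
        "revoked_key_rejected": rejects(lambda: verify(dict(signed_before_rotation, key_id="k2019")), PermissionError),
        "bool_amount_rejected": rejects(lambda: validate_input(dict(msg, amount_cents=True)), ValueError),
        "overdraft_rejected": rejects(lambda: process(sign(dict(msg, amount_cents=60_000)), ledger), ValueError),
    }
```

Two design choices matter here: the tag is verified before the body is parsed or validated, so forged input never reaches application logic, and the key id travels with the message so that rotation does not invalidate messages signed under the previous key while still blocking any further use of it for signing.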
A.12.4 Security of System Files
Objective: Ensure the security of system files.
A.12.4.1 Control of Operational Software
Control
Implement procedures to control the installation of software on operational systems.
A.12.4.2 Protection of System Test Data
Control
Carefully select, protect, and control test data.
A.12.4.3 Access Control to Program Source Code
Control
Restrict access to program source code.
A.12.5 Security in Development and Support Processes
Objective: Maintain the security of application system software and information.
A.12.5.1 Change Control Procedures
Control
Control the implementation of changes using formal change control procedures.
A.12.5.2 Technical Review of Applications After Operating System Changes
Control
Review and test critical business applications when operating systems change to ensure no adverse impact on operations or security.
A.12.5.3 Restrictions on Changes to Software Packages
Control
Discourage and strictly control modifications to software packages, limiting changes to what is necessary.
A.12.5.4 Information Leakage
Control
Prevent opportunities for information leakage.
A.12.5.5 Outsourced Software Development
Control
Supervise and monitor outsourced software development.
A.12.6 Technical Vulnerability Management
Objective: Reduce risks from exploitation of known technical vulnerabilities.
A.12.6.1 Control of Technical Vulnerabilities
Control
Obtain timely information about technical vulnerabilities in used information systems, assess the organization’s exposure to such vulnerabilities, and take appropriate measures to address associated risks.
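A.12.6.1 has three parts: obtain vulnerability information, assess exposure, and act within a defined time. The script below is an added example, not the standard's text, that shows the middle step: it matches a constructed package inventory (in the shape of `dpkg-query -W` output) against a constructed advisory feed, skips packages that are not installed or are already at the fixed version, ranks the rest by severity and attaches a remediation due date derived from an assumed per-severity patching deadline. The advisory identifiers, versions, dates and deadlines are all invented for the illustration, and the version comparison is deliberately simplified (dotted numeric versions only); a production check should let the package manager compare versions, because dpkg and rpm have their own ordering rules, epochs and suffixes.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # fictitious identifiers, not real CVE or vendor ids
    package: str
    fixed_in: str        # first version that contains the fix
    severity: str
    published: date


# Constructed inventory in the shape of `dpkg-query -W -f='${Package} ${Version}\n'` output;
# the versions are invented for the example.
INVENTORY = """\
openssl 3.0.5
curl 7.68.0
nginx 1.18.0
sudo 1.8.31
"""

# Constructed advisory feed; ids, versions and dates are invented.
ADVISORIES = [
    Advisory("ADV-2024-001", "openssl", "3.0.7", "critical", date(2024, 3, 1)),
    Advisory("ADV-2024-002", "curl", "7.78.0", "high", date(2024, 2, 20)),
    Advisory("ADV-2024-003", "nginx", "1.18.0", "medium", date(2024, 1, 5)),    # already at fixed version
    Advisory("ADV-2024-004", "sudo", "1.9.5", "high", date(2024, 3, 4)),
    Advisory("ADV-2024-005", "libxml2", "2.9.14", "critical", date(2024, 3, 2)),  # not installed
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Assumed remediation deadlines in days after publication; an organizational choice, not a standard value.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(v: str) -> tuple:
    """Compare dotted numeric versions. Assumption: no epochs or letter suffixes. Real package
    managers (dpkg, rpm) have their own ordering rules and should do the comparison in production."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def assess_exposure(inventory: str, advisories, today: date) -> list:
    """A.12.6.1: match advisories to installed versions, rank by severity, attach a due date."""
    installed = dict(line.split(maxsplit=1) for line in inventory.splitlines() if line.strip())
    findings = []
    for adv in advisories:
        current = installed.get(adv.package)
        if current is None:
            continue                                   # not installed: no exposure
        if parse_version(current) >= parse_version(adv.fixed_in):
            continue                                   # already patched
        due = adv.published + timedelta(days=PATCH_SLA_DAYS[adv.severity])
        findings.append({
            "advisory_id": adv.advisory_id,
            "package": adv.package,
            "installed": current,
            "fixed_in": adv.fixed_in,
            "severity": adv.severity,
            "due": due,
            "overdue": today > due,
        })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["due"]))


def demo(today: date = date(2024, 3, 15)) -> list:
    return assess_exposure(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The "overdue" flag is what turns the assessment into the third part of the control: an auditor will ask not only whether exposure was identified but whether it was remediated inside the organization's own deadline.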
A.13 Information Security Incident Management
A.13.1 Reporting Information Security Events and Weaknesses
Objective: Ensure timely communication of information security events and weaknesses.
A.13.1.1 Reporting Information Security Events
Control
Promptly report information security events through appropriate management channels.
A.13.1.2 Reporting Security Weaknesses
Control
Require employees, contractors, and third-party users to report observed or suspected security weaknesses in systems or services.
A.13.2 Management of Information Security Incidents and Improvements
Objective: Apply a consistent and effective approach to manage information security incidents.
A.13.2.1 Responsibilities and Procedures
Control
Establish management responsibilities and procedures for quick, effective responses to information security incidents.
A.13.2.2 Learning from Information Security Incidents
Control
Implement mechanisms to quantify and monitor the types, volumes, and costs of information security incidents.
A.13.2.3 Collection of Evidence
Control
When pursuing legal actions against individuals or organizations after an information security incident, collect, retain, and present evidence in compliance with relevant jurisdictional rules for evidence.
A.14 Business Continuity Management
A.14.1 Information Security Aspects of Business Continuity Management
Objective: Counteract interruptions to business activities and protect critical processes from major information system failures or disasters.
A.14.1.1 Including Information Security in the Business Continuity Management Process
Control
Develop and maintain an organization-wide managed process for business continuity that addresses the information security requirements needed for the business to continue.
A.14.1.2 Business Continuity and Risk Assessment
Control
Identify events that can interrupt business processes, assess the probability and impact of such interruptions, and consider their consequences for information security.
A.14.1.3 Developing and Implementing Continuity Plans, Including Information Security
Control
Develop and implement plans to maintain or restore operations and ensure information availability at required levels and within specified timeframes after interruptions or critical business process failures.
A.14.1.4 Business Continuity Planning Framework
Control
Maintain a unified framework for business continuity plans to ensure consistency, address information security requirements, and identify priorities for testing and maintenance.
A.14.1.5 Testing, Maintaining, and Reassessing Business Continuity Plans
Control
Regularly test and update business continuity plans to keep them current and effective.
A.15 Compliance
A.15.1 Compliance with Legal Requirements
Objective: Avoid breaches of legal, regulatory, and contractual obligations, as well as security requirements.
A.15.1.1 Identification of Applicable Legislation
Control
Explicitly define, document, and update all relevant statutory, regulatory, and contractual requirements, as well as the organization’s approach to meeting these requirements for each information system and the organization.
A.15.1.2 Intellectual Property Rights (IPR)
Control
Implement appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements regarding the use of materials subject to intellectual property rights and proprietary software products.
A.15.1.3 Protection of Organizational Records
Control
Protect important records from loss, destruction, and falsification in compliance with statutory, regulatory, contractual, and business requirements.
A.15.1.4 Data Protection and Privacy of Personal Information
Control
Ensure data protection and privacy in accordance with relevant legislation, regulations, and contractual clauses, if applicable.
A.15.1.5 Prevention of Misuse of Information Processing Facilities
Control
Dissuade users from using information processing facilities for unauthorized purposes.
A.15.1.6 Regulation of Cryptographic Controls
Control
Apply cryptographic controls in compliance with all relevant agreements, laws, and regulations.
A.15.2 Compliance with Security Policies and Standards, and Technical Compliance
Objective: Ensure systems comply with organizational security policies and standards.
A.15.2.1 Compliance with Security Policies and Standards
Control
Ensure that managers correctly implement all security procedures within their areas of responsibility to achieve compliance with security policies and standards.
A.15.2.2 Technical Compliance Checking
Control
Regularly check information systems for compliance with security implementation standards.
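Technical compliance checking means comparing what a system actually does against the organization's hardening standard, and doing so on a schedule. The following example is added here and is not from the standard: it parses a constructed sshd_config the way sshd itself reads the file (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after a Match line are conditional rather than global) and reports each baseline item as pass, fail or missing. A missing keyword is reported on its own because sshd then applies its built-in default, and that default is not always the secure value (PasswordAuthentication defaults to yes). The baseline values are assumptions in the style of a hardening benchmark, not ISO 27001 requirements.

```python
import re

# Constructed baseline: keyword -> acceptable values. In practice this comes from the
# organization's hardening standard (e.g. a CIS-style benchmark); values here are illustrative.
SSHD_BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
    "PermitEmptyPasswords": {"no"},
}

# Constructed sample of an /etc/ssh/sshd_config; not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective global value per keyword, the way sshd reads the file:
    keywords are case-insensitive, comments are ignored, the FIRST occurrence of a keyword
    wins, and everything after the first Match line is conditional, so it is not global."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)                    # first obtained value is used
    return effective


def check_compliance(config: dict, baseline: dict) -> list:
    """A.15.2.2: compare the effective configuration against the baseline.
    'missing' is reported separately from 'fail' because sshd then applies its built-in
    default, which for PasswordAuthentication is 'yes'."""
    findings = []
    for key, allowed in baseline.items():
        actual = config.get(key.lower())
        if actual is None:
            status = "missing"
        elif actual in allowed:
            status = "pass"
        else:
            status = "fail"
        findings.append({"key": key, "expected": sorted(allowed), "actual": actual, "status": status})
    return findings


def demo() -> dict:
    results = check_compliance(parse_sshd_config(SAMPLE_SSHD_CONFIG), SSHD_BASELINE)
    return {f["key"]: f["status"] for f in results}


if __name__ == "__main__":
    for f in check_compliance(parse_sshd_config(SAMPLE_SSHD_CONFIG), SSHD_BASELINE):
        print(f"{f['status']:8} {f['key']} = {f['actual']!r} (expected {f['expected']})")
```

Note that the duplicate MaxAuthTries line is a fail, not a pass: sshd keeps the first value (6), so a check that reads the last occurrence would report the host as compliant when it is not. For PermitEmptyPasswords the default is already no, so "missing" there is informational; whether a missing keyword is acceptable is a per-keyword decision the baseline should record.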
A.15.3 Information Systems Audit Considerations
Objective: Maximize the effectiveness of information systems audits and minimize interference.
A.15.3.1 Information Systems Audit Controls
Control
Plan and agree audit requirements and activities that involve checks on operational systems with the relevant system owners in advance, so that the risk of disruption to business processes is minimized.
A.15.3.2 Protection of Information Systems Audit Tools
Control
Protect access to information systems audit tools to prevent misuse or compromise.
ISO 27001 Controls FAQ (Frequently Asked Questions)
Q: What are the key components of an ISO 27001 Information Security Management System (ISMS)?
A: An ISO 27001 ISMS is built from the elements the main clauses require: a defined scope and context, leadership commitment and an information security policy, a risk assessment and risk treatment process whose result is recorded in the Statement of Applicability, measurable security objectives, the Annex A controls selected to treat the identified risks together with the procedures and records that show they operate, competence and awareness of staff, performance monitoring with internal audits and management reviews, and a continual improvement cycle driven by corrective actions.
Q: How does ISO 27001 define the scope of an ISMS, and what documentation is required?
A: The scope is not defined by the Statement of Applicability. The standard requires the organization to determine and document the boundaries and applicability of the ISMS as a separate piece of documented information (which sites, business units, systems and external interfaces are covered); the SoA then lists which Annex A controls apply within that scope. Other required documentation includes the information security policy, the risk assessment and risk treatment methodology and their results, the risk treatment plan, the security objectives, evidence of competence, and the procedures, records and work instructions needed to show that the controls operate as described.
Q: Can you explain the significance of ISO 27001 controls in mitigating information security risks?
A: ISO 27001 controls play a crucial role in mitigating information security risks by providing technical and administrative safeguards to protect sensitive data and systems, reducing vulnerabilities, and enforcing security measures.
Q: What’s the role of the Statement of Applicability (SoA) in ISO 27001, and how is it prepared?
A: The SoA is the document that ties the risk assessment to Annex A. It lists every Annex A control and states, for each one, whether it is applicable, the justification for including it (typically the risk it treats, or a legal or contractual obligation) or for excluding it, and whether it has been implemented. It is prepared from the risk treatment results, reviewed with the control owners and kept current as risks and the environment change; auditors use it as the map of which controls they will test.
Q: In the context of ISO 27001, how is risk assessed, and what methodologies can be employed?
A: ISO 27001 requires a documented, repeatable risk assessment process that identifies risks to the confidentiality, integrity and availability of information, analyses their likelihood and impact, and evaluates them against defined acceptance criteria, but it does not prescribe a particular methodology. ISO/IEC 27005 provides guidance on information security risk management; commonly used approaches include qualitative and quantitative analysis and frameworks such as OCTAVE or FAIR.
Q: What are the specific technical controls and safeguards outlined in ISO 27001, such as encryption or access control?
A: The Annex A controls that are technical in nature include access control (A.11, covering network, operating system and application access, authentication, password management and session controls), correct processing in applications (A.12.2: input and output validation and message integrity), cryptographic controls and key management (A.12.3), control of operational software, test data and source code (A.12.4), technical vulnerability management (A.12.6) and technical compliance checking (A.15.2.2). The standard states what each control must achieve; the choice of specific mechanisms, such as encryption algorithms or monitoring tools, is left to the organization and recorded in its own policies and procedures.
Q: How does ISO 27001 address the concept of business continuity and disaster recovery?
A: ISO 27001 does not prescribe particular disaster recovery technology. It requires a managed business continuity process that includes information security (A.14.1.1), an assessment of the events that could interrupt business processes and their likelihood and impact (A.14.1.2), plans to maintain or restore operations and information availability within defined timeframes (A.14.1.3), a common planning framework (A.14.1.4) and regular testing and maintenance of those plans (A.14.1.5). Redundant data centers, backups and failover procedures are typical ways of meeting the recovery objectives those plans define.
Q: What is the relationship between ISO 27001 and other security standards like ISO 27002 or NIST SP 800-53?
A: ISO 27001 is harmonized with ISO 27002, which provides detailed guidelines on information security controls. Organizations often map ISO 27001 controls to other security standards, such as NIST SP 800-53, to ensure compliance with various requirements.
Q: Can you elaborate on the auditing and certification process for ISO 27001 compliance, including stages and criteria?
A: Certification is performed by an accredited certification body in two stages. Stage 1 is a documentation and readiness review: the auditor checks that the ISMS scope, policies, risk assessment, Statement of Applicability and mandatory records exist and are fit for audit. Stage 2 is the implementation audit, usually on site, in which the auditor samples evidence that the controls in the SoA operate as described and that the ISMS itself is running (internal audits, management review, corrective actions). Nonconformities must be corrected, or have an accepted corrective action plan, before the certificate is issued. The certificate is normally valid for three years, with surveillance audits in between and a full recertification audit at the end of the cycle.
Q: How does ISO 27001 promote continual improvement, and what are the technical aspects involved in this process?
A: ISO 27001 promotes continual improvement through regular reviews and updates of the ISMS. Technical aspects involve monitoring security controls, conducting vulnerability assessments, and addressing any weaknesses or gaps to enhance the overall security posture. This process is vital for adapting to evolving threats and technologies.
Conclusion
Adopting ISO 27001 is paramount for organizations in today’s data-driven landscape. It ensures robust data security, legal compliance, operational efficiency, and competitive advantage.
The benefits of ISO 27001, including enhanced trust, resilience, and continuous improvement, underscore its vital role in safeguarding sensitive information and fostering long-term success in an increasingly interconnected world.