ISO 27001 Controls Ultimate Guide – Updated for 2022

In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002: 2013 controls and the new and updated ISO 27002: 2022 control list. What controls do you need to implement? Let’s take a deep dive.

ISO 27001 Controls Overview

ISO 27001 is the international standard for information security. It has has a check list of ISO 27001 controls. These controls are set out in the ISO 27001 Annex A. Often referred to as ISO 27002.

The list of controls changed in 2022 and is now referenced as ISO 27002: 2022.

I like the controls because they are standard controls that are easy to implement. I have summarized them in the table of contents for ease of navigation.

ISO 27001 ISMS Controls

ISO 27001 is the standard that you certify against. It is a management framework. Let’s start with a look at the ISO 27001 information security management system controls.

ISO 27001 is divided into clauses which act as domains or groups of related controls.

ISO 27001 Clause 4 Context of Organization

The context of organization controls look at being able to show that you understand the organization and its context.

ISO 27001 Clause 5 Leadership

ISO 27001 wants top down leadership and to be able to evidence leadership commitment. We require Information Security Policies that say what we do. We document the organizational roles and responsibilities.

ISO 27001 Clause 6 Planning

Planning addresses actions to address risks and opportunities. ISO 27001 is a risk based system so risk management is a key part, with risk registers and risk processes in place. We ensure that we have objectives and measure in place for the information security management system.

ISO 27001 Clause 7 Support

Education and awareness is put in place and a culture of security is implemented. A communication plan is created and followed. Resources are allocated and competency of resources is managed and understood. If it isn’t written down it does not exist so standard operating procedures are documented and documents are controlled.

ISO 27001 Clause 8 Operation

Operations are managed and controlled and risk assessments undertaken.

ISO 27001 Clause 9 Performance Evaluation

Monitors and measures as well as the processes of analysis and evaluation are implemented. As part of continual improvement audits are planned and executed, management reviews are undertaken following structured agendas.

ISO 27001 Clause 10 Improvement

Improvement is a foundation of The ISO 27001 standard. The ability to adapt and continually improve. We are going to look at how we manage non conformity and corrective actions and our processes for managing continual improvement.

ISO 27002: 2022 Controls Checklist

ISO 27002 5 Organizational controls

ISO 27002 5.1 Policies for information security

ISO 27002 5.2 Information security roles and responsibilities

ISO 27002 5.3 Segregation of duties

ISO 27002 5.4 Management responsibilities

ISO 27002 5.5 Contact with authorities

ISO 27002 5.6 Contact with special interest groups

ISO 27002 5.7 Threat intelligence – new

ISO 27002 5.8 Information security in project management

ISO 27002 5.9 Inventory of information and other associated assets – change

ISO 27002 5.10 Acceptable use of information and other associated assets – change

ISO 27002 5.11 Return of assets

ISO 27002 5.12 Classification of information

ISO 27002 5.13 Labeling of information

ISO 27002 5.14 Information transfer

ISO 27002 5.15 Access control

ISO 27002 5.16 Identity management

 ISO 27002 5.17 Authentication information – new

ISO 27002 5.18 Access rights – change

ISO 27002 5.19 Information security in supplier relationships

ISO 27002 5.20 Addressing information security within supplier agreements

ISO 27002 5.21 Managing information security in the ICT supply chain – new

ISO 27002 5.22 Monitoring, review and change management of supplier services – change

ISO 27002 5.23 Information security for use of cloud services  new

ISO 27002 5.24 Information security incident management planning and preparation – change

ISO 27002 5.25 Assessment and decision on information security events 

ISO 27002 5.26 Response to information security incidents

ISO 27002 5.27Learning from information security incidents

ISO 27002 5.28 Collection of evidence

ISO 27002 5.29 Information security during disruption – change

ISO 27002 5.30 ICT readiness for business continuity – new

ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27002 5.32 Intellectual property rights

ISO 27002 5.33 Protection of records

ISO 27002 5.34 Privacy and protection of PII

ISO 27002 5.35 Independent review of information security

ISO 27002 5.36 Compliance with policies and standards for information security

ISO 27002 5.37 Documented operating procedures

ISO 27002 6 People controls

ISO 27002 6.1 Screening

ISO 27002 6.2 Terms and conditions of employment

ISO 27002 6.3 Information security awareness, education and training

ISO 27002 6.4 Disciplinary process

ISO 27002 6.5 Responsibilities after termination or change of employment

ISO 27002 6.6Confidentiality or non-disclosure agreements

ISO 27002 6.7 Remote working – new

ISO 27002 6.8 Information security event reporting 

ISO 27002 7 Physical controls

ISO 27002 7.1 Physical security perimeter

ISO 27002 7.2 Physical entry controls

ISO 27002 7.3Securing offices, rooms and facilities

ISO 27002 7.4 Physical security monitoring

ISO 27002 7.5 Protecting against physical and environmental threats

ISO 27002 7.6 Working in secure areas

ISO 27002 7.7 Clear desk and clear screen

ISO 27002 7.8 Equipment siting and protection

ISO 27002 7.9 Security of assets off-premises

ISO 27002 7.10 Storage media – new

ISO 27002 7.11 Supporting utilities

ISO 27002 7.12 Cabling security

ISO 27002 7.13Equipment maintenance

ISO 27002 7.14 Secure disposal or re-use of equipment

ISO 27002 8 Technological controls

ISO 27002 8.1 User endpoint devices  – new

ISO 27002 8.2 Privileged access rights

ISO 27002 8.3Information access restriction

ISO 27002 8.4 Access to source code

ISO 27002 8.5 Secure authentication

ISO 27002 8.6 Capacity management

ISO 27002 8.7 Protection against malware

ISO 27002 8.8 Management of technical vulnerabilities

ISO 27002 8.9 Configuration management

ISO 27002 8.10 Information deletion – new

ISO 27002 8.11 Data masking  – new

ISO 27002 8.12 Data leakage prevention  – new

ISO 27002 8.13 Information backup

ISO 27002 8.14 Redundancy of information processing facilities

ISO 27002 8.15 Logging

ISO 27002 8.16 Monitoring activities

ISO 27002 8.17 Clock synchronization

ISO 27002 8.18 Use of privileged utility programs

ISO 27002 8.19 Installation of software on operational systems

ISO 27002 8.20 Network controls

ISO 27002 8.21 Security of network services

ISO 27002 8.22 Web filtering – new

ISO 27002 8.23 Segregation in networks

ISO 27002 8.24 Use of cryptography

ISO 27002 8.25 Secure development lifecycle

ISO 27002 8.26 Application security requirements – new

ISO 27002 8.27 Secure system architecture and engineering principles – new

ISO 27002 8.29 Security testing in development and acceptance

ISO 27002 8.30 Outsourced development

ISO 27002 8.31 Separation of development, test and production environments

ISO 27002 8.32 Change management

ISO 27002 8.33 Test information

ISO 27002 8.34 Protection of information systems during audit and testing – new

ISO 27002: 2013 Controls Checklist

ISO 27002: 2013 is the old version of the Annex A controls and was replaced and updated in 2022. As business is still being assessed and certified against ISO 27002: 2013 we will do a deep dive into those controls.

There are 114 controls in the 2013 version of the control list. Lets break them down. Helpfully the controls start at number 5.

ISO 27002 2013 – 5 Information Security Policies

| 2 controls

ISO 27001 Policies are your foundation. They say what you do. Not necessarily how you do it. There are 2 controls in Annex A.5 being The Management Setting the direction of Information Security in the organization through having policies for information security and those policies being reviewed.

ISO 27002 2013 – 6 Organization of Information Security

| 7 controls

A management frame work for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove those conflicts of interest and segregate out those duties. Contact with authorities, that usually means local regulators and law enforcement is established as is contact with special interest groups. Special interest groups could be forums, trade or regulatory associations. As we likely have project management we ensure that information security is included in the lifecycle. Weirdly this annex shoe horns in both remote working and mobile devices for which it expects policies.

ISO 27002 2013 – 7 Human resource security

| 6 controls

Ah, where would we be without HR? Here we have 6 controls relating to Human Resources. Taking care of per-employment, screening and background checking, terms and conditions of employment, what happens during employment and information security training. Management responsibilities are included as are the disciplinary process to tie it to security breaches, termination of employment and of responsibilities. The last one we summarize as the starter, leaver, mover process.

ISO 27002 2013 – 8 Asset management 

| 10 controls

You cannot protect what you do not know so a whopping 10 controls that cover asset management. Nothing earth shattering of new here. We are in the territory of physical asset registers and data asset registers.The asset management policy looks at ownership of assets, acceptable use, return of assets. There are controls on information classification and labeling of information but nothing strenuous. Handling assets and media is covered, the likes of removable media, getting rid or disposing of it properly and physical media transfer it that is still something you do.

ISO 27002 2013 – 9 Access control

| 14 controls

Still with me? Good good. Access control as you would expect is included. Another large control section but not to be intimated. There are no surprises here. User management with registering and de registering users, provisioning accounts, managing those privilege and admin accounts, password management and of course reviewing the user access rights. Having a secure logon, which is pretty basic, and if applicable restricting those utility programs and applications and proper access to source code.

ISO 27002 2013 – 10 Cryptography

| 2 controls

2 controls, so how hard can this be. A policy on cryptographic controls and a key management process.

ISO 27002 2013 – 11 Physical and environmental security

|15 controls

You are going to manage this mainly by having the right scope and probably out sourcing what is in scope to someone that has ISO 27001 certification and covers this for you. Still, lets take a look at the physical controls. For this you are in to secure perimeters, physical entry controls to secure those offices and server rooms. Protecting against environmental threats like floods and earthquakes, working in areas that need to be more secure, considering loading bays if you have them, making sure equipment is installed properly, looking at your power supplies and utilities. We have more policy on clear desk and clear screen, unattended user equipment and what needs to happen for equipment of site.

ISO 27002 2013 – 12 Operations security

| 14 controls

If it isn’t written down it doesn’t exist is a good rule to live life by when it comes to ISO 27001. All that good stuff you no doubt do, needs writing down. Change management, capacity management, anti virus, back ups. All this stuff you do, that you just do, well it needs documenting. Logging and monitoring, clock synchronization, installs of software, managing vulnerabilities and patching. Who can install what. All to write down and document.

ISO 27002 2013 – 13 Communications security 

| 7 controls

Network security time. There is nothing more that network people like doing than documenting stuff. Wait till you ask them and see how pleased they are. Network diagrams, segregation in networks, information transfer, polices, procedures, documentation. Confidentiality agreements, managing those network suppliers. You have this covered.

ISO 27002 2013 – 14 System acquisition, development and maintenance

| 13 controls

You do software development as a company. I feel for you. 13 controls for your delight. From documenting requirements in the specifications, securing over networks, protecting service transactions, having and software development lifecycle written down that includes information security requirements. A policy, a system change control, technical reviews, secure engineering principles. Dev, test, live. Testing. Test data. Outsourced development. All to document.

ISO 27002 2013 – 15 Supplier relationships 

| 5 controls

I am a big fan of this section. Outsource what you can, where you can and make it someone else’s problem. When you do you need controls around supplier registers, selecting suppliers, vetting them, monitoring, measuring them and the associated legal documentation. Have a third party supplier policy and a third party supplier register.

ISO 27002 2013 – 16 Information security incident management

| 7 controls

What happens and what do you do when things go wrong. Controls here on roles and responsibilities, reporting, assessing, responding, and learning from incidents. An incident and corrective action log is a must.

ISO 27002 2013 – 17 Information security aspects of business continuity management 

| 4 controls

Having a plan, testing it, proving you tested it and having it all written down is the order of the day here. Business Continuity will keep you going when things go wrong.

ISO 27002 2013 – 18 Compliance 

| 8 controls

You made it to the last of the ISO 27001 Annex A controls. Compliance is compliance. What legal and regulatory compliance applies? If you document it make sure you can show you meet it. Intellectual property, protecting records, data protection ( GDPR ), regulations on encryption, compliance with all these controls and the standard and then independent reviews by someone who should know what they are doing.

ISO 27001 Controls FAQ

Do I need all 114 controls in Annex A?

Yes. Or a good reason why you don’t. In reality they are not mandatory so don’t have them for the sake of it. If you don’t have them or need them just document why. Remember this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don’t do software development of course.

Are the ISO 27001 controls documentation heavy?

Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.

How do I document the ISO 27001 controls?

Using a word processor and a spreadsheet. You can consider a portal or web based application but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.

Are there ISO 27001 controls for cloud?

Yes, the ISO 27001 controls apply to cloud as well as on premise.

Are the ISO 27001 controls referred to as Annex A?

Yes. They are an Annex to the ISO 27001 standard. On their own they are referred to as ISO 27002.

What is ISO 27002?

ISO 27002 is another name for the list of the 114 ISO 27001 controls.

How many controls ISO 27001 controls are there?

There are 114 controls in ISO 27001.

How many controls are there in ISO 27002?

There are 114 controls in ISO 27002.

About Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2