In this ultimate guide to the ISO 27001 controls we are going to explore the security control requirements. We will go through the ISO 27001 controls, the old version of the ISO 27002: 2013 controls and the new and updated ISO 27002: 2022 control list. What controls do you need to implement? Let’s take a deep dive.
ISO 27001 Controls Overview
ISO 27001 is the international standard for information security. It has has a check list of ISO 27001 controls. These controls are set out in the ISO 27001 Annex A. Often referred to as ISO 27002.
The list of controls changed in 2022 and is now referenced as ISO 27002: 2022.
I like the controls because they are standard controls that are easy to implement. I have summarized them in the table of contents for ease of navigation.
ISO 27001 ISMS Controls
ISO 27001 is the standard that you certify against. It is a management framework. Let’s start with a look at the ISO 27001 information security management system controls.
ISO 27001 is divided into clauses which act as domains or groups of related controls.
ISO 27001 Clause 4 Context of Organization
The context of organization controls look at being able to show that you understand the organization and its context.
ISO 27001 Clause 5 Leadership
ISO 27001 wants top down leadership and to be able to evidence leadership commitment. We require Information Security Policies that say what we do. We document the organizational roles and responsibilities.
ISO 27001 Clause 6 Planning
Planning addresses actions to address risks and opportunities. ISO 27001 is a risk based system so risk management is a key part, with risk registers and risk processes in place. We ensure that we have objectives and measure in place for the information security management system.
ISO 27001 Clause 7 Support
Education and awareness is put in place and a culture of security is implemented. A communication plan is created and followed. Resources are allocated and competency of resources is managed and understood. If it isn’t written down it does not exist so standard operating procedures are documented and documents are controlled.
ISO 27001 Clause 8 Operation
Operations are managed and controlled and risk assessments undertaken.
ISO 27001 Clause 9 Performance Evaluation
Monitors and measures as well as the processes of analysis and evaluation are implemented. As part of continual improvement audits are planned and executed, management reviews are undertaken following structured agendas.
ISO 27001 Clause 10 Improvement
Improvement is a foundation of The ISO 27001 standard. The ability to adapt and continually improve. We are going to look at how we manage non conformity and corrective actions and our processes for managing continual improvement.
ISO 27002: 2022 Controls Checklist
ISO 27002 5 Organizational controls
ISO 27002 5.1 Policies for information security
ISO 27002 5.2 Information security roles and responsibilities
ISO 27002 5.3 Segregation of duties
ISO 27002 5.4 Management responsibilities
ISO 27002 5.5 Contact with authorities
ISO 27002 5.6 Contact with special interest groups
ISO 27002 5.7 Threat intelligence – new
ISO 27002 5.8 Information security in project management
ISO 27002 5.9 Inventory of information and other associated assets – change
ISO 27002 5.10 Acceptable use of information and other associated assets – change
ISO 27002 5.11 Return of assets
ISO 27002 5.12 Classification of information
ISO 27002 5.13 Labeling of information
ISO 27002 5.14 Information transfer
ISO 27002 5.15 Access control
ISO 27002 5.16 Identity management
ISO 27002 5.17 Authentication information – new
ISO 27002 5.18 Access rights – change
ISO 27002 5.19 Information security in supplier relationships
ISO 27002 5.20 Addressing information security within supplier agreements
ISO 27002 5.21 Managing information security in the ICT supply chain – new
ISO 27002 5.22 Monitoring, review and change management of supplier services – change
ISO 27002 5.23 Information security for use of cloud services – new
ISO 27002 5.24 Information security incident management planning and preparation – change
ISO 27002 5.25 Assessment and decision on information security events
ISO 27002 5.26 Response to information security incidents
ISO 27002 5.27Learning from information security incidents
ISO 27002 5.28 Collection of evidence
ISO 27002 5.29 Information security during disruption – change
ISO 27002 5.30 ICT readiness for business continuity – new
ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements
ISO 27002 5.32 Intellectual property rights
ISO 27002 5.33 Protection of records
ISO 27002 5.34 Privacy and protection of PII
ISO 27002 5.35 Independent review of information security
ISO 27002 5.36 Compliance with policies and standards for information security
ISO 27002 5.37 Documented operating procedures
ISO 27002 6 People controls
ISO 27002 6.1 Screening
ISO 27002 6.2 Terms and conditions of employment
ISO 27002 6.3 Information security awareness, education and training
ISO 27002 6.4 Disciplinary process
ISO 27002 6.5 Responsibilities after termination or change of employment
ISO 27002 6.6Confidentiality or non-disclosure agreements
ISO 27002 6.7 Remote working – new
ISO 27002 6.8 Information security event reporting
ISO 27002 7 Physical controls
ISO 27002 7.1 Physical security perimeter
ISO 27002 7.2 Physical entry controls
ISO 27002 7.3Securing offices, rooms and facilities
ISO 27002 7.4 Physical security monitoring
ISO 27002 7.5 Protecting against physical and environmental threats
ISO 27002 7.6 Working in secure areas
ISO 27002 7.7 Clear desk and clear screen
ISO 27002 7.8 Equipment siting and protection
ISO 27002 7.9 Security of assets off-premises
ISO 27002 7.10 Storage media – new
ISO 27002 7.11 Supporting utilities
ISO 27002 7.12 Cabling security
ISO 27002 7.13Equipment maintenance
ISO 27002 7.14 Secure disposal or re-use of equipment
ISO 27002 8 Technological controls
ISO 27002 8.1 User endpoint devices – new
ISO 27002 8.2 Privileged access rights
ISO 27002 8.3Information access restriction
ISO 27002 8.4 Access to source code
ISO 27002 8.5 Secure authentication
ISO 27002 8.6 Capacity management
ISO 27002 8.7 Protection against malware
ISO 27002 8.8 Management of technical vulnerabilities
ISO 27002 8.9 Configuration management
ISO 27002 8.10 Information deletion – new
ISO 27002 8.11 Data masking – new
ISO 27002 8.12 Data leakage prevention – new
ISO 27002 8.13 Information backup
ISO 27002 8.14 Redundancy of information processing facilities
ISO 27002 8.15 Logging
ISO 27002 8.16 Monitoring activities
ISO 27002 8.17 Clock synchronization
ISO 27002 8.18 Use of privileged utility programs
ISO 27002 8.19 Installation of software on operational systems
ISO 27002 8.20 Network controls
ISO 27002 8.21 Security of network services
ISO 27002 8.22 Web filtering – new
ISO 27002 8.23 Segregation in networks
ISO 27002 8.24 Use of cryptography
ISO 27002 8.25 Secure development lifecycle
ISO 27002 8.26 Application security requirements – new
ISO 27002 8.27 Secure system architecture and engineering principles – new
ISO 27002 8.29 Security testing in development and acceptance
ISO 27002 8.30 Outsourced development
ISO 27002 8.31 Separation of development, test and production environments
ISO 27002 8.32 Change management
ISO 27002 8.33 Test information
ISO 27002 8.34 Protection of information systems during audit and testing – new
ISO 27002: 2013 Controls Checklist
ISO 27002: 2013 is the old version of the Annex A controls and was replaced and updated in 2022. As business is still being assessed and certified against ISO 27002: 2013 we will do a deep dive into those controls.
There are 114 controls in the 2013 version of the control list. Lets break them down. Helpfully the controls start at number 5.
ISO 27002 2013 – 5 Information Security Policies
| 2 controls
ISO 27001 Policies are your foundation. They say what you do. Not necessarily how you do it. There are 2 controls in Annex A.5 being The Management Setting the direction of Information Security in the organization through having policies for information security and those policies being reviewed.
ISO 27002 2013 – 6 Organization of Information Security
| 7 controls
A management frame work for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove those conflicts of interest and segregate out those duties. Contact with authorities, that usually means local regulators and law enforcement is established as is contact with special interest groups. Special interest groups could be forums, trade or regulatory associations. As we likely have project management we ensure that information security is included in the lifecycle. Weirdly this annex shoe horns in both remote working and mobile devices for which it expects policies.
ISO 27002 2013 – 7 Human resource security
| 6 controls
Ah, where would we be without HR? Here we have 6 controls relating to Human Resources. Taking care of per-employment, screening and background checking, terms and conditions of employment, what happens during employment and information security training. Management responsibilities are included as are the disciplinary process to tie it to security breaches, termination of employment and of responsibilities. The last one we summarize as the starter, leaver, mover process.
ISO 27002 2013 – 8 Asset management
| 10 controls
You cannot protect what you do not know so a whopping 10 controls that cover asset management. Nothing earth shattering of new here. We are in the territory of physical asset registers and data asset registers.The asset management policy looks at ownership of assets, acceptable use, return of assets. There are controls on information classification and labeling of information but nothing strenuous. Handling assets and media is covered, the likes of removable media, getting rid or disposing of it properly and physical media transfer it that is still something you do.
ISO 27002 2013 – 9 Access control
| 14 controls
Still with me? Good good. Access control as you would expect is included. Another large control section but not to be intimated. There are no surprises here. User management with registering and de registering users, provisioning accounts, managing those privilege and admin accounts, password management and of course reviewing the user access rights. Having a secure logon, which is pretty basic, and if applicable restricting those utility programs and applications and proper access to source code.
ISO 27002 2013 – 10 Cryptography
| 2 controls
2 controls, so how hard can this be. A policy on cryptographic controls and a key management process.
ISO 27002 2013 – 11 Physical and environmental security
You are going to manage this mainly by having the right scope and probably out sourcing what is in scope to someone that has ISO 27001 certification and covers this for you. Still, lets take a look at the physical controls. For this you are in to secure perimeters, physical entry controls to secure those offices and server rooms. Protecting against environmental threats like floods and earthquakes, working in areas that need to be more secure, considering loading bays if you have them, making sure equipment is installed properly, looking at your power supplies and utilities. We have more policy on clear desk and clear screen, unattended user equipment and what needs to happen for equipment of site.
ISO 27002 2013 – 12 Operations security
| 14 controls
If it isn’t written down it doesn’t exist is a good rule to live life by when it comes to ISO 27001. All that good stuff you no doubt do, needs writing down. Change management, capacity management, anti virus, back ups. All this stuff you do, that you just do, well it needs documenting. Logging and monitoring, clock synchronization, installs of software, managing vulnerabilities and patching. Who can install what. All to write down and document.
ISO 27002 2013 – 13 Communications security
| 7 controls
Network security time. There is nothing more that network people like doing than documenting stuff. Wait till you ask them and see how pleased they are. Network diagrams, segregation in networks, information transfer, polices, procedures, documentation. Confidentiality agreements, managing those network suppliers. You have this covered.
ISO 27002 2013 – 14 System acquisition, development and maintenance
| 13 controls
You do software development as a company. I feel for you. 13 controls for your delight. From documenting requirements in the specifications, securing over networks, protecting service transactions, having and software development lifecycle written down that includes information security requirements. A policy, a system change control, technical reviews, secure engineering principles. Dev, test, live. Testing. Test data. Outsourced development. All to document.
ISO 27002 2013 – 15 Supplier relationships
| 5 controls
I am a big fan of this section. Outsource what you can, where you can and make it someone else’s problem. When you do you need controls around supplier registers, selecting suppliers, vetting them, monitoring, measuring them and the associated legal documentation. Have a third party supplier policy and a third party supplier register.
ISO 27002 2013 – 16 Information security incident management
| 7 controls
What happens and what do you do when things go wrong. Controls here on roles and responsibilities, reporting, assessing, responding, and learning from incidents. An incident and corrective action log is a must.
ISO 27002 2013 – 17 Information security aspects of business continuity management
| 4 controls
Having a plan, testing it, proving you tested it and having it all written down is the order of the day here. Business Continuity will keep you going when things go wrong.
ISO 27002 2013 – 18 Compliance
| 8 controls
You made it to the last of the ISO 27001 Annex A controls. Compliance is compliance. What legal and regulatory compliance applies? If you document it make sure you can show you meet it. Intellectual property, protecting records, data protection ( GDPR ), regulations on encryption, compliance with all these controls and the standard and then independent reviews by someone who should know what they are doing.
ISO 27001 Controls FAQ
Do I need all 114 controls in Annex A?
Yes. Or a good reason why you don’t. In reality they are not mandatory so don’t have them for the sake of it. If you don’t have them or need them just document why. Remember this is an international standard based on best practice and years of refinement. We find software development is usually the one that gets left out, for those that don’t do software development of course.
Are the ISO 27001 controls documentation heavy?
Yes. If it is not written down it does not exist. Even though you are doing great things you will have to document what you do and be able to provide evidence that you do it. Sorry.
How do I document the ISO 27001 controls?
Using a word processor and a spreadsheet. You can consider a portal or web based application but the cheapest, simplest, fastest and most flexible approach for an SME business is basic office applications. You already know how to use them and you already own them.
Are there ISO 27001 controls for cloud?
Yes, the ISO 27001 controls apply to cloud as well as on premise.
Are the ISO 27001 controls referred to as Annex A?
Yes. They are an Annex to the ISO 27001 standard. On their own they are referred to as ISO 27002.
What is ISO 27002?
ISO 27002 is another name for the list of the 114 ISO 27001 controls.
How many controls ISO 27001 controls are there?
There are 114 controls in ISO 27001.
How many controls are there in ISO 27002?
There are 114 controls in ISO 27002.