ISO 27001 Controls: Overview of all measures from Annex A

ISO 27001 Annex A controls – A detailed guide 

ISO 27001 is a framework of best practices implemented through an information security management system (ISMS). ISO 27001 certification can help businesses improve their information security processes, mitigate risks and build trust among customers and stakeholders.

With the help of this standard, companies protect their information assets and implement effective measures to keep their data safe. It covers every category of risk: technological, organisational, physical and people-related.

To use the standard successfully, companies and managers must identify their own risks and know the proper measures to take. We have compiled a handy overview of all 93 controls and 4 categories of measures to help you get started. Learn more about the most important ways to protect your information.

What is ISO 27001, and why should companies adopt it? 

ISO 27001 is a universal framework for managing information security. It is an international standard that guides your business’s information security management system (ISMS): it provides guidance for establishing, implementing, maintaining and continuously improving the ISMS, which helps organisations protect their information assets. In 2022, the standard was revised for the third time. The current version is ISO 27001:2022.

This framework, ISO 27001, safeguards the confidentiality, integrity and availability of the sensitive consumer information you collect. Compliance with ISO 27001 helps you prevent unauthorised access, breaches and regulatory fines.

Moreover, achieving ISO 27001 certification not only ensures robust information security but also aligns with the requirements of NIS2, the new EU Directive, emphasising its importance in the current digital landscape.


What is the ISO 27001 Annex A? 

A simple way to think of Annex A is as a portfolio of information security controls to choose from: you pick and select the measures among the 93 specified in Annex A that are relevant to your organisation’s scope.

ISO 27001 Annex A is arguably the most well-known annex of all the ISO standards, as it contains the essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen the security of information assets.

ISO 27001 Annex A lists all relevant controls and provides guidance on how to implement the standard measures.

ISO 27001 vs. ISO 27002: What is the difference? 

ISO 27001 is the framework that gives companies a basic understanding of the controls and clauses in Annex A. While it does not go into great depth regarding each control, it does provide you with an idea of what you need to accomplish, but not how to execute it. Each control has a one-line explanation of its aim.

The ISO 27000 family of standards additionally includes elaborations that focus more closely on the respective controls. ISO 27002, therefore, outlines the specific controls organisations can choose to implement to establish a compliant ISMS. While ISO 27001 includes Annex A and briefly discusses the separate controls, ISO 27002 goes into more detail: it covers the objective of each control, explains how it works and elaborates on how companies are expected to achieve compliance successfully.

Learn more about the differences between ISO 27001 and ISO 27002 in this blog article.

ISO 27001:2022 Annex A Controls 

The ISO 27001 framework includes Annex A, which contains the list of controls and measures that can be taken to establish a strong information security framework, depending on the company’s context.

The overall objective of the ISO 27001 framework is to protect the confidentiality, integrity, and availability of information. The implementation enables organisations to:

  • Comply with ever-changing legal requirements through a single framework

  • Demonstrate prioritised information security and gain a competitive advantage

  • Prevent security incidents and avoid costly fines

  • Define processes and job roles and improve organisational structure

But what are the controls, and how do you use them effectively?

ISO 27001:2022: Eleven new controls

Since 2022, eleven new controls have been added to ISO 27001, which are assigned to different categories. Organisations are required to:

  • A.5.7 Threat intelligence: collect and analyse data on potential threats to maintain information security.

  • A.5.23 Information security for the use of cloud services: define and monitor information security for the use of cloud services.

  • A.5.30 ICT readiness for business continuity: create an ICT (information and communications technology) continuity plan to maintain business resilience.

  • A.7.4 Physical security monitoring: implement appropriate monitoring tools to detect and prevent external and internal intrusions.

  • A.8.9 Configuration management: establish policies for documenting, implementing, monitoring and auditing configurations across the network.

  • A.8.10 Information deletion: manage data deletion to comply with laws and regulations.

  • A.8.11 Data masking: use data masking techniques for personally identifiable information (PII) to comply with laws and regulations.

  • A.8.12 Data leakage prevention: take technical measures to identify and prevent the disclosure and/or extraction of information.

  • A.8.16 Monitoring activities: improve network monitoring activities to detect anomalous behaviour and respond to security events and incidents.

  • A.8.23 Web filtering: enforce access controls and measures to restrict and control access to external websites.

  • A.8.28 Secure coding: implement proven principles of secure coding to prevent vulnerabilities that could be caused by inadequate coding methods.

ISO 27001: 4 Control sets

To make things easier, the controls in Annex A are categorised into different groups. This grouping reflects both the context in which a control operates and the domain of the risks it addresses. But what are the relevant categories, and where do they apply?

There are 93 ISO 27001 Annex A controls that cover multiple areas of an organisation, and these controls are segmented into four different categories (domains).

These control sets can be selectively applied to your organisation based on the risk assessment results.

Each category can be attributed to a particular focus area within your organisation. Contrary to popular belief, they are not all IT-related.

Grouping the controls into four themes helps organisations decide who is responsible for implementing the measures and which measures apply to their respective organisation. For example, technical controls can be carried out by the IT department, while organisational controls can be carried out by your system operations team.

To achieve a better overview, here is a list of the four different categories of controls:

Organisational Controls: Measures for organisational safety

Organisational controls typically cover everything that does not fall under the topics of people, technology, or physical security. This includes things like identity management, responsibilities, and evidence collection.

New organisational controls include:

  • 5.7: Threat Intelligence

  • 5.23: Information security for use of cloud services

  • 5.30: ICT readiness for business continuity

Threat Intelligence in particular is an exciting innovation in this area, as this measure goes beyond detecting malicious domain names. Threat intelligence helps organisations better understand how they can be attacked.

People controls: Staff-related measures to protect staff.

The people controls section comprises only eight controls. It focuses on how employees handle sensitive information during their daily work. This includes topics like remote work, nondisclosure agreements and screenings. Onboarding and offboarding processes, as well as responsibilities for reporting incidents, are also relevant.

Physical Controls: Physical measures for the physical protection of the organisation.

Physical controls include security monitoring, maintenance, facility security and storage media. This category is about how you protect against physical and environmental threats such as theft, natural disasters, and deliberate destruction.

The new physical controls include: 7.4: Physical security monitoring.

Technological Controls: Technological measures for technical security.

Technological controls cover the areas of authentication, encryption, and data leakage prevention. Technology must be properly secured to protect data. Various approaches, such as access rights, network security and data masking, help to achieve this.

New technology controls include:

  • 8.9: Configuration management

  • 8.10: Information deletion

  • 8.11: Data masking

  • 8.12: Data leakage prevention

  • 8.16: Monitoring activities

  • 8.23: Web filtering

  • 8.28: Secure coding

In this area, one innovation is particularly important: data leakage prevention. However, web filtering is also noteworthy. This control describes how organisations should filter online traffic to prevent users from visiting potentially harmful websites.


93 Controls in ISO 27001: An overview 

How many ISO 27001 controls are there?

The full version of ISO 27001:2022 contains 93 controls, which are assigned to four categories: organisational, people, physical and technological. This allows responsibilities and areas to be divided according to company division.

To strengthen your company's information security, it is helpful to have an overview of the individual controls. Below is a list of all 93 controls in Annex A and their respective areas.

Organisational Controls

  • Annex A 5.1: Policies for Information Security
  • Annex A 5.2: Information Security Roles and Responsibilities
  • Annex A 5.3: Segregation of Duties
  • Annex A 5.4: Management Responsibilities
  • Annex A 5.5: Contact with Authorities
  • Annex A 5.6: Contact with Special Interest Groups
  • Annex A 5.7: Threat Intelligence
  • Annex A 5.8: Information Security in Project Management
  • Annex A 5.9: Inventory of Information and Other Associated Assets
  • Annex A 5.10: Acceptable Use of Information and Other Associated Assets
  • Annex A 5.11: Return of Assets
  • Annex A 5.12: Classification of Information
  • Annex A 5.13: Labelling of Information
  • Annex A 5.14: Information Transfer
  • Annex A 5.15: Access Control
  • Annex A 5.16: Identity Management
  • Annex A 5.17: Authentication Information
  • Annex A 5.18: Access Rights
  • Annex A 5.19: Information Security in Supplier Relationships
  • Annex A 5.20: Addressing Information Security within Supplier Agreements
  • Annex A 5.21: Managing Information Security in the ICT Supply Chain
  • Annex A 5.22: Monitoring, Review and Change Management of Supplier Services
  • Annex A 5.23: Information Security for Use of Cloud Services
  • Annex A 5.24: Information Security Incident Management Planning and Preparation
  • Annex A 5.25: Assessment and Decision on Information Security Events
  • Annex A 5.26: Response to Information Security Incidents
  • Annex A 5.27: Learning From Information Security Incidents
  • Annex A 5.28: Collection of Evidence
  • Annex A 5.29: Information Security During Disruption
  • Annex A 5.30: ICT Readiness for Business Continuity
  • Annex A 5.31: Legal, Statutory, Regulatory and Contractual Requirements
  • Annex A 5.32: Intellectual Property Rights
  • Annex A 5.33: Protection of Records
  • Annex A 5.34: Privacy and Protection of PII
  • Annex A 5.35: Independent Review of Information Security
  • Annex A 5.36: Compliance With Policies, Rules and Standards for Information Security
  • Annex A 5.37: Documented Operating Procedures

People Controls

  • Annex A 6.1: Screening
  • Annex A 6.2: Terms and Conditions of Employment
  • Annex A 6.3: Information Security Awareness, Education and Training
  • Annex A 6.4: Disciplinary Process
  • Annex A 6.5: Responsibilities After Termination or Change of Employment
  • Annex A 6.6: Confidentiality or Non-Disclosure Agreements
  • Annex A 6.7: Remote Working
  • Annex A 6.8: Information Security Event Reporting

Physical Controls

  • Annex A 7.1: Physical Security Perimeters
  • Annex A 7.2: Physical Entry
  • Annex A 7.3: Securing Offices, Rooms and Facilities
  • Annex A 7.4: Physical Security Monitoring
  • Annex A 7.5: Protecting Against Physical and Environmental Threats
  • Annex A 7.6: Working In Secure Areas
  • Annex A 7.7: Clear Desk and Clear Screen
  • Annex A 7.8: Equipment Siting and Protection
  • Annex A 7.9: Security of Assets Off-Premises
  • Annex A 7.10: Storage Media
  • Annex A 7.11: Supporting Utilities
  • Annex A 7.12: Cabling Security
  • Annex A 7.13: Equipment Maintenance
  • Annex A 7.14: Secure Disposal or Re-Use of Equipment

Technological Controls

  • Annex A 8.1: User Endpoint Devices
  • Annex A 8.2: Privileged Access Rights
  • Annex A 8.3: Information Access Restriction
  • Annex A 8.4: Access to Source Code
  • Annex A 8.5: Secure Authentication
  • Annex A 8.6: Capacity Management
  • Annex A 8.7: Protection Against Malware
  • Annex A 8.8: Management of Technical Vulnerabilities
  • Annex A 8.9: Configuration Management
  • Annex A 8.10: Information Deletion
  • Annex A 8.11: Data Masking
  • Annex A 8.12: Data Leakage Prevention
  • Annex A 8.13: Information Backup
  • Annex A 8.14: Redundancy of Information Processing Facilities
  • Annex A 8.15: Logging
  • Annex A 8.16: Monitoring Activities
  • Annex A 8.17: Clock Synchronization
  • Annex A 8.18: Use of Privileged Utility Programs
  • Annex A 8.19: Installation of Software on Operational Systems
  • Annex A 8.20: Networks Security
  • Annex A 8.21: Security of Network Services
  • Annex A 8.22: Segregation of Networks
  • Annex A 8.23: Web Filtering
  • Annex A 8.24: Use of Cryptography
  • Annex A 8.25: Secure Development Life Cycle
  • Annex A 8.26: Application Security Requirements
  • Annex A 8.27: Secure System Architecture and Engineering Principles
  • Annex A 8.28: Secure Coding
  • Annex A 8.29: Security Testing in Development and Acceptance
  • Annex A 8.30: Outsourced Development
  • Annex A 8.31: Separation of Development, Test and Production Environments
  • Annex A 8.32: Change Management
  • Annex A 8.33: Test Information
  • Annex A 8.34: Protection of Information Systems During Audit Testing

How to implement the Annex A controls? 

What is most useful when implementing new structures? Right: a checklist.

ISO 27001 serves as the perfect checklist of ISO controls. Organisations are not required to implement all 93 controls but are expected to identify and apply the most suitable controls for their needs. The process of selecting applicable controls begins with risk assessment and treatment. After the treatment of risks, you must measure how successful the controls were in achieving information security.

Information security is all about putting in place a set of strong rules that will mature over time. As a result, implementing the controls outlined in Annex A is and must always be the responsibility of a number of people.

The process of gathering all required documentation and becoming ISO 27001 compliant can be challenging, which is why you and your organisation may benefit from the expertise of an ISO 27001 consultant.

Benefits of ISO 27001: Why should companies adopt ISO 27001?  

Identifying and addressing security risks is beneficial to any organisation. The ISO 27001 controls help to clearly categorise potential risks. But what are the tangible benefits of mitigating risks?

Not all organisations choose to adopt ISO 27001 certification, but many use it as a framework to keep their ISMS safe from the risk of information security breaches.

ISO 27001 compliance demonstrates to stakeholders (such as customers and shareholders) that an organisation has prioritised the implementation of information security best practices. This can lead to the following benefits:

  • Improved competitiveness

  • Reduced risks of fines and losses due to data protection breaches

  • Improved brand perception

  • Compliance with relevant business, legal, economic and statutory requirements

  • Improved structure and focus

  • Reduced number of required audits

  • Unbiased assessment of the organisation’s security posture

In short, ISO 27001 certification makes it easier to satisfy regulatory obligations, demonstrates your organisation’s reliability to partners, and shows your dedication to maintaining the highest standards of information security. It also increases the value of your brand, resulting in a win-win situation.

Our checklist: How to achieve ISO 27001 compliance   

Even organisations that are not seeking official certification can pursue compliance with the ISO 27001 requirements. The following list shows the best practices you can implement to achieve this, and it works well as a checklist:

  • Talk to your stakeholders to understand their information security expectations.

  • Define the scope of your ISMS and the information security measures you will implement.

  • Define a clear security policy.

  • Conduct a risk assessment to identify any existing and potential risks to your information security.

  • Implement measures and risk management methods that set clear objectives.

  • Regularly evaluate the effectiveness of your information security practices and conduct risk assessments.

Gain practical insights from our work with FRÄNKISCHE, where we guided them through their internal audit, paving the way for successful external certification.


ISO 27001: Enhanced security with the right controls      

ISO 27001 certification makes it easier to comply with legal requirements, demonstrates your organisation's reliability to business partners and shows your commitment to meeting the highest information security standards.

Check out our ISO 27001 checklist to find out what measures you need to implement to achieve ISO 27001.

Need help with information security or in preparing for a certification audit? Contact our experts today.


Save Money with ISO 27001

up to 50%

Cheaper than external consultants

Reduce Risks with ISO 27001

up to 50%

Reduce up to half of your company’s biggest risks

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate

100%

First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

up to 75%

Less workload compared to doing it manually

ISO 27001 Certification creates trust

A ton of big-name brands trust us

P I C

p

PRIVACY

External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts

i

INFOSEC

Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit

c

COMPLIANCE

Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses
Templates