There are 14 “domains” in Annex A of ISO 27001. They are divided into sections A.5-18. These sections contain the following:
A.5. Information security Policies: These controls describe how to deal with information security policies.
A.6. Organization of information security: These controls provide the fundamental framework for the operation and implementation of information security by defining the organization’s internal structure (e.g., roles and responsibilities) and by addressing organizational aspects of information security such as project management, the use of mobile devices, and teleworking.
A.7. Human resources security: This section addresses the issues of human resource security and disciplinary action.
A.8. Asset management: This section provides controls to ensure that information assets (e.g. data, storage devices, processing devices, etc.) are properly managed: they are identified, assigned an owner responsible for their security, and handled according to predefined levels.
A.9. Access control: These controls limit access to information according to business requirements. These controls apply to both physical as well as logical access.
A.10. Cryptography: This section provides the guidelines for using encryption solutions to protect information’s confidentiality, authenticity, integrity, and/or privacy.
A.11. Security and protection of the environment and equipment: These controls prevent unauthorized access to areas and protect facilities and equipment from being damaged by natural or human intervention.
A.12. In addition, this section requires that controls record and generate evidence and that systems be periodically checked for vulnerabilities.
A.13. Communications security: These controls protect both the network infrastructures and services as they transmit information.
A.14. System purchase, development, and maintenance: The controls in this section ensure information security when upgrading or purchasing new information systems.
A.15. Supplier relationships: These controls ensure that partners and suppliers use the appropriate information security controls. They also describe how to monitor third parties’ security performance.
A.16. Information security incident management: These controls provide a framework that ensures the timely resolution of security events and incidents. They also describe how to preserve evidence and how to learn from incidents to prevent them from happening again.
A.17. Information security aspects of business continuity management: The controls in this section assure the continuity of information security during disruptions and the availability of information systems.
A.18. Compliance: The controls described in this section are designed to ensure compliance and prevent legal, regulatory, and contractual violations.
This shows that managing information security goes beyond IT security (e.g. anti-virus, firewalls, etc.): it also covers the management of processes, legal protection, the management of human resources, and so forth.
What are the ISO 27001 controls?
The ISO 27001 controls (also called safeguards) are practices that should be followed to reduce risks to acceptable levels. Controls can come in many forms: legal, administrative, physical, and human.
How many controls are in ISO 27001?
ISO 27001 Annex A lists all 114 controls that are organized in the 14 sections A.5-18 listed above.
How are ISO 27001 controls implemented?
Technical controls are implemented primarily within information systems, including software, hardware, and firmware components. E.g. backups, antivirus, etc.
Organizational controls can be implemented by setting rules that must be followed and defining expected behavior from equipment, users, and other systems. E.g. Access Control Policy, BYOD Policy, etc.
Legal controls are implemented to ensure that rules, expected behaviors, and contracts are observed and enforced according to the laws, regulations, and similar legal instruments that the company must follow. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.
Physical controls are implemented primarily using equipment and devices that physically interact with people or objects. E.g. CCTV cameras, alarm systems, locks, etc.
Human resource controls are implemented by giving people the knowledge, education, or experience they need to carry out their activities in a safe and secure manner. E.g. security awareness training, ISO 27001 Internal Auditor training, etc.
ISO 27001 specifies a minimum set of policies, procedures, plans, and records that are required for compliance.
ISO 27001 requires that the following documents be prepared:
Scope and purpose of the ISMS (clause 4.3)
Information Security Policy and Objectives (clauses 5.2 and 6.2)
Risk Assessment Methodology and Risk Treatment Methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk Treatment Plan (clauses 6.1.3 e and 6.2)
Risk Assessment Report (clause 9.2)
Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
Inventory of Assets
Acceptable Use Of Assets (control A.8.1.3)
Access Control Policy (control A.9.1.1)
Operating Procedures for IT Management (control A.12.1.1)
Secure System Engineering Principles (control A.14.2.5)
Supplier Security Policy (control A.15.1.1)
Incident Management Procedure (control A.16.1.5)
Business Continuity (control A.17.1.2).
Statutory, regulatory, and contractual requirements (control A.18.1.1)
The following records are mandatory:
Records of training, skills, experience, and qualifications (clause 7.2)
Monitoring and measurement results (clause 9).
Internal Audit Program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management assessment (clause 8.3)
Results of corrective measures (clause 10.1)
Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)
A company may add further security documents if it finds them necessary.
What is ISO 27001 certification?
A company can seek ISO 27001 certification by inviting an accredited certification body to audit it. The audit determines whether the company qualifies for the ISO 27001 certificate, which demonstrates that the company complies with the ISO 27001 standard.
Individuals can also obtain an ISO 27001 certificate by completing ISO 27001 training; this certificate signifies that the student has acquired the relevant skills during the course.