Summary: In this article, we’ll cover the 14 specific categories of the ISO 27001 Annex A controls. You'll learn how to decide which ISO 27001 framework controls to implement and who should be involved in the implementation process. By the end of this article, you'll have a basic understanding of ISO 27001 Annex A controls and how to implement them in your organization.
What Are ISO 27001 Annex A Controls?
Set by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 Annex A defines the 114 information security controls an organization can address to receive and maintain its ISO 27001 certification.
ISO 27001 defines and audits these controls during stage two of the ISO 27001 certification process. An external accredited certification body runs a series of evidentiary audits that confirm the organization's technology and processes are correctly deployed and working properly. The auditors also confirm the implemented solutions align with the controls that the organization declared to be in use during stage one, the documentation review stage of the certification process.
Since industry compliance requirements, technology needs, and scope of operations are unique for each organization, the ISO 27001 Annex A control list serves as a framework, rather than a checklist of requirements. For the certification, however, each firm must draft a Statement of Applicability (SoA), defining the specific Annex A controls based on the company’s identified risks, legal and contractual requirements, and overall business needs.
How Many Annex A Controls Are in ISO 27001?
ISO/IEC 27001 identifies 114 unique Annex A controls or safeguards in its framework. These cover the technology, processes, and policies an organization utilizes to oversee its information security management system (ISMS) and maintain its security posture for personnel and third-party stakeholders.
The 14 Categories of ISO 27001 Annex A Controls
Because a business can deploy many combinations of security controls to cover various risks and objectives, ISO divides the Annex A controls into 14 unique ISO 27001 categories. ISO segments each category based on its scope and the business needs it supports.
These are the 14 categories of ISO 27001 Annex A controls:
1. Information Security Policies
Annex A.5 of ISO/IEC 27001, Information Security Policies, describes how leadership can provide direction and support an organization’s information security, specifically through governance. Companies can implement policies that employees, contractors, and other external stakeholders need to follow to maintain a strong security posture, promote their security vision, and comply with laws and regulations.
Besides outlining the processes for writing and communicating information security policies to personnel, Annex A.5 requires organizations to conduct periodic reviews to ensure those policies are still relevant based on the organization's current risks and regulatory requirements.
2. Organization of Information Security
Annex A.6 establishes the framework for an organization’s information security processes, both for traditional and teleworking operations. It comprises multiple focus areas, which include defining roles and responsibilities for information security activities while segregating duties to reduce risk.
Technology, processes, and policies must be in place to maintain adequate contact with authorities and special interest groups, such as associations, industry groups, or specialty security organizations. Additionally, organizations must have systems and policies for maintaining information security for special projects outside of normal day-to-day operations, while using mobile devices, and during teleworking operations.
3. Human Resources Security
Annex A.7 comprises the information security controls that relate to human resources management before, during, and following employment. For example, these controls include screening and running background checks on prospective employees and implementing the terms of employment agreements.
Organizations use these policies to control how managers oversee employees and contractors and to establish procedures for providing security awareness education and training. Finally, ISO 27001 A.7 cites formal processes and responsibilities for handling employee terminations and disciplinary actions.
4. Asset Management
Annex A.8 dives into identifying and protecting a firm's technology and data assets. ISO 27001 lists specific asset management controls that govern the systems for taking inventory of assets, assigning the responsibility of ownership for each asset, outlining and enforcing acceptable use of company assets, and requiring employees to return assets to the firm after use.
Annex A.8 also requires organizations to have policies and mechanisms for classifying and labeling all managed data based on its sensitivity, value, or legal requirements. In addition, companies need processes that outline how personnel must handle certain assets based on how an asset is classified. Organizations also need a system that enables the secure management, disposal, and transfer of physical or removable media.
5. Access Control
Annex A.9 is one of the largest categories on the list, with plenty of controls relating to the management of user data access and system privileges. For example, businesses need to establish control policies that enforce the principle of least privilege for network and resource access. Organizations must have a comprehensive system for registering, deregistering, and provisioning users and for managing user rights for both standard and privileged accounts.
Next, Annex A.9 requires organizations to utilize secure controls for storing authentication information, such as user credentials, and to establish policies that specify which users may access credential data. User access rights should be reviewed on an ongoing basis, and periodic adjustments should be made based on those reviews. Lastly, firms should create secure login procedures and password management systems and establish access control processes for internal software.
6. Cryptography
A short but essential category within the ISO control framework, Annex A.10 covers how an organization manages encryption and cryptographic controls to secure its sensitive data. The first control covers setting and enforcing organizational policies that require users to deploy encryption under specific circumstances and setting minimum cryptographic standards. Companies also need a procedure for managing cryptographic keys and their life cycles.
7. Physical and Environmental Security
The largest of the categories, Annex A.11 outlines controls to protect organizational assets from unauthorized access or physical damage. This category requires establishing a physical security perimeter with entry controls to secure all offices, rooms, and facilities from internal and external threats. It also emphasizes protecting physical assets from non-digital risks, such as natural disasters or unauthorized entry.
Organizations must identify and manage risk for secured areas and delivery locations. Systems should be in place for the secure installation, protection, maintenance, removal, disposal, and reuse of equipment and assets—even those located off-premises or unattended by users. Firms must establish clear desk policies for employees and have mechanisms to secure telecommunications cabling and protect equipment from utility failures.
8. Operational Security
Annex A.12 describes the secure management of data-processing operations. ISO 27001 A.12 requires systems for documenting operating procedures; overseeing change management; and managing operational capacity for data storage, processing power, and communications. Organizations need controls to separate their development, testing, and operating environments; back up their data; protect against malware; and log user and network activity.
Companies must secure their log information, keep system administrators’ activity data separate from the activity data for regular users, and track all system events in a single time zone. Also, to maintain the integrity of their operating systems, organizations need to institute:
- Policies that allow or restrict software installation
- Procedures for managing system vulnerabilities
- Mechanisms for auditing information system controls
9. Communications Security
With a focus on managing network security, Annex A.13 looks to ensure businesses protect information both inside and outside their networks. Firms must implement a system that identifies, monitors, segregates, and controls access to digital resources, including applications, data, and other systems within the network.
ISO 27001 A.13 also specifically addresses the management of information security when communicating with external sources, such as customers, suppliers, and other stakeholders. Organizations need policies and procedures for external information transfers, confidentiality agreements between the organization and outside users, and protection mechanisms for electronic messaging.
10. System Acquisition, Development, and Maintenance
Annex A.14 addresses security across all systems and life cycles, including development, support, and test stages. Organizations must determine information security requirements, create a method for securing applications on public networks, and protect application service transactions. Companies must have policies for secure software development, change control procedures, and technical reviews of applications when changes are made to operating platforms.
ISO 27001 A.14 requires teams to restrict the changes employees can make to software packages purchased from an outside vendor and limit the customization of open-source code. Firms should also establish and enforce secure system engineering principles. They must utilize secure development environments, properly manage outsourced development, and have processes for security and acceptance testing while protecting test data.
11. Supplier Relationships
Annex A.15 discusses the control areas used to secure any assets that are accessible to third-party suppliers or partners. Organizations need policies to manage supplier relationships and address security within their service agreements.
They must also consider and address the risks associated with supply chains for managed technology systems. When using data hosting centers or infrastructure-as-a-service (IaaS) providers, for instance, organizations have minimal control over decisions or events that could compromise data and applications that are managed elsewhere. Finally, organizations should continuously monitor supplier services for delivery and be prepared to handle service changes.
12. Information Security Incident Management
Annex A.16 explains how an organization manages a cybersecurity or breach incident. Companies must establish responsibilities and incident response procedures. They also need a process for reporting information security events and system vulnerabilities.
Annex A.16 requires firms to set criteria for what qualifies as an incident, create mechanisms to learn from incidents, and implement technology that helps collect evidence of an incident.
13. Information Security Aspects of Business Continuity Management
Annex A.17 addresses the process of keeping operations running following an incident. A business should have documented and implemented business continuity plans in place. These plans explain the procedures for keeping data and resources available if the primary environments are shut down. The procedures must be verified for effectiveness and regularly tested for organizational readiness.
14. Compliance
Finally, Annex A.18 describes the management of legal and contractual obligations. Businesses must identify the applicable compliance requirements for information security, understand their intellectual property rights, and have systems that protect records that fall under a compliance umbrella. There should be solid controls to safeguard personally identifiable information (PII) and deployed cryptographic technology that follows contractual and regulatory requirements across all territories.
The compliance and information security evaluation component of Annex A.18 outlines that firms should obtain independent, third-party reviews of their information security risks and controls and of their adherence to compliance requirements. Organizations must also perform internal evaluations to ensure compliance with their own security policies and procedures, as well as conduct technical reviews of internal software, security technology, and other information systems.
How to Decide Which ISO 27001 Controls to Implement
Deciding which Annex A controls to implement is a crucial step that determines whether an organization becomes ISO 27001 certified. To assess their SoA for implementing controls, firms must consider various factors, such as their industry, operations model, IT environment, organizational size, technology stack, and information-security risks.
For example, if a healthcare facility is seeking compliance certification for the Health Insurance Portability and Accountability Act (HIPAA) through the Health Information Trust Alliance (HITRUST), the organization will need a comprehensive system for each control area defined in the Compliance category.
The Supplier Relationships category will be relevant only to organizations that work with suppliers. Likewise, the Physical and Environmental Security category will be irrelevant to a business that works remotely and relies solely on cloud-based applications; however, that organization will need to implement comprehensive controls in the Access Control and Communications Security categories.
Who Should Implement ISO 27001 Controls?
Because the ISO 27001 control categories cover a wide range of business functions, personnel from different areas of the organization will need to collaborate during the ISO implementation process. If ISO 27001 is to be implemented by an in-house team, a dedicated ISO 27001 lead must oversee the entire operation.
Specific ISO 27001 control categories require certain roles to provide input and complete specific tasks. For example:
- A human resources director will manage some of the Human Resources Security activities, such as running background checks on candidates.
- An in-house attorney will draft specific organizational policies across the various Annex A categories.
- An IT manager will install software to protect network assets and endpoints relevant to the categories that require software controls to improve security.
Alternatively, companies can opt to invest in outside consultants who will help implement the ISO 27001 controls list. While individual departments within the organization will still need to be involved, a dedicated contractor with ISO 27001 experience can bring skills, resources, and an outside perspective that an in-house lead often lacks.
How to Implement ISO 27001 Controls
The checklist for implementing ISO 27001 controls starts with assigning and coordinating with all the personnel involved in the process, including human resources, legal, supplier relations, IT management, DevOps, and cybersecurity department representatives. The next step is to establish the organization’s SoA by running risk assessments and thoroughly reviewing the 114 ISO 27001 security controls to determine which areas apply to the business's operational, technology, and compliance needs.
Once those control requirements are determined, firms should run a gap analysis to compare the controls necessary for the organization to those already implemented in their current ISMS. Based on the gaps, they can implement the new controls by updating company policies, hiring personnel, developing new processes, and purchasing new technology to upgrade the ISMS.
After implementing the new security systems, organizations must train personnel in the operations of the new controls. Finally, once everything is in place, they start the ISO 27001 certification process by conducting an internal audit.
How StrongDM Can Help with ISO 27001 Controls
StrongDM’s People-first Access Platform fulfills many ISO 27001 control requirements. For instance, organizations can manage Access Control (Annex A.9) through StrongDM's all-in-one access and authentication management system. The capabilities include automated user provisioning, least-privileged access deployment, one-click user onboarding, and tools for securely storing user credentials.
StrongDM helps businesses maintain visibility in their IT environments by providing a robust system for collecting activity data across all applications, databases, and networks. Additionally, StrongDM assists with Annex A.12, Operational Security, by allowing system administrators to collect and view activity logs to enforce compliance with their access policies and prepare for their next audit.
Start Your Journey to ISO 27001 Compliance with StrongDM
ISO 27001 Annex A includes 114 security controls an organization can use to deploy the technology, processes, and personnel needed to create a holistic ISMS that meets ISO 27001 compliance requirements. StrongDM offers an easy-to-use and robust platform for adhering to various essential Annex A controls categories, including Access Control and Operational Security Management.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.