ISO 27001 Annex A: An Overview of the 14 Primary Controls

Posted on June 23, 2021 - by Sarah Berthiaume - in Building Your InfoSec Program

If you’re trying to get your business compliant with ISO 27001, you may find yourself asking a lot of questions about Annex A, the section of security controls that functions like a checklist of requirements.

Before we dig more into what you need to know about Annex A, let’s first cover some background about ISO 27001. The International Organization for Standardization and the International Electrotechnical Commission are organizations that develop international standards. They partnered to create ISO 27001 (formally ISO/IEC 27001), a set of standards developed to handle information security, encouraging businesses to create an Information Security Management System (ISMS) in order to protect data. The standard gives companies a great deal of educational information on data protection, and it also lets them certify that they do in fact protect data themselves, as proof for customers and business partners alike.

ISO 27001 helps organizations create an ISMS by providing a framework for managing information and making information assets more secure. The framework provides guidance on the handling of security risks and threats and also the design and implementation of the ISMS itself. It also provides modes for monitoring and continuous improvement of the ISMS. 

An ISMS is a set of policies and procedures for the management of information aimed at minimizing security breaches. An effective ISMS will identify your customer and stakeholder expectations with regard to information security and how it will meet those expectations. It will address specific concerns and risks that are expected to occur to particular data assets as well as provide specific safeguards and mitigation measures. Your ISMS will provide guidance on task management and employee responsibility as it relates to security and it will consider every step of the business continuity process. 

ISO 27001 is separated into two sections. The first section contains 11 clauses; the first four provide general details on information security as well as scope, terms and definitions. The last seven clauses are mandatory for certification and are the most heavily audited. They outline the following:

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance Evaluation
  • Improvement

The second section of ISO 27001, Annex A, operates as a risk-based audit compliance checklist for an organization’s information security management system and offers 14 categories to follow.

The Annex A 14 Primary Controls for ISO 27001

Although we list only the 14 primary controls here, the full 114-item checklist of the ISO 27001 controls and requirements is built right into the Securicy platform to make sure you don’t miss a thing (goodbye Excel spreadsheets and PDFs!). This overview will give you a good sense of what you’ll need to do.

  1. Information Security Policies

Under this heading, policies are written to match the information security practices of the organization. It covers how policies are stored and organized for review by auditors, while procedure considers how the company executes the policies in place. There are two controls under this heading.

  2. Organization of Information Security

This has seven controls under its heading and is separated into two sections. The first section handles the management of information security practices within the organization according to what tasks an organization should be responsible for. The second section deals with best practices associated with remote working conditions and proper handling of mobile devices.

  3. Human Resource Security

There are six controls divided into three sections within this heading that ensure employees and contractors are aware of their responsibilities with regard to cybersecurity and information security before they are taken on by the organization, during employment, and after termination.

  4. Asset Management

This holds ten controls under its heading, divided into three sections. It deals with identifying and securing data assets (any devices running applications for business function) that are in scope for management systems, with classifying information for appropriate protection, and with the handling of stored information to ensure that there is no unauthorized access, disclosure, or destruction of asset information.

  5. Access Control

There are fourteen controls under this heading, in four sections, which maintain physical and virtual role-based access to ensure that employees can only access information that is relevant to them. There is a requirement for limiting access, managing authorized users, safeguarding information based on user responsibility, and preventing unauthorized access to systems and applications.

  6. Cryptography

This holds two controls and ensures that proper data encryption is used to protect the confidentiality and integrity of data. The focus here is on the policy and on how keys are managed.

  7. Physical and Environmental Security

There are fifteen controls divided into two sections for this annex. It is the largest within Annex A and focuses on preventing unauthorized access to physical facilities. The aim of the first section is to prevent any damage or interference to sensitive data that might occur in the event of such access. The second section deals with preventing loss or theft of equipment, files, or containers that are stored at physical premises.

  8. Operations Security

There are fourteen controls divided into seven sections which guide the secure collection and storage of data. Correct procedures and operations must be followed when collecting and storing data, proper defensive measures must be taken to mitigate any risk associated with malware, all systems must have backup and must be monitored and logged, and there must be a system for vulnerability management in place. The final control ensures minimal disruption during audit activities.

  9. Communications Security

Seven controls are divided into two sections that detail network security management and the protection of information in processing facilities. The first section deals with maintaining confidentiality, integrity and availability of that information, while the second section handles information as it is transmitted from one place to another, whether it be within the organization or to a third party or otherwise.

  10. System Acquisition, Development and Maintenance

This ensures that information security remains an integral part of the organization’s information systems across the entire lifecycle. It includes thirteen controls which address security requirements for internal systems and for services over public networks.

  11. Supplier Relationships

This has five controls divided into two sections which detail interactions between organizations and third parties. The first section considers what asset information is available to third parties and what information needs special protections. The second section handles service level and information security such that enough information is available to suppliers in order to maintain service delivery in line with supplier agreements.

  12. Information Security Incident Management

This holds seven controls and handles delegating task responsibilities for the management of information security incident response to employees.

  13. Business Continuity Management

There are four controls divided into two sections which cover maintaining information security business processes in the event of disruption, ensuring continued productivity and availability of systems.

  14. Compliance

This annex ensures that organizations are following the standards set forth by legal and contractual requirements in order to uphold security requirements and remain compliant with regulations. It holds eight controls.

Get Compliant with Securicy

Securicy helps organizations gain control over all their data protection and information security practices. If you need to demonstrate compliance with ISO 27001, Securicy can help by developing policies, evaluating your gaps, and implementing the necessary controls quickly. We also provide expert hands-on guidance, allow you to generate new policies in minutes, and help you delegate the related tasks to different teams and individuals in your organization. To discuss your ISO 27001 compliance needs with a team of experts, book a demo with us today.

About the author

Sarah Berthiaume is an intern Cyber Security Analyst and content provider for Securicy’s blog. She enjoys volunteering in her community and making a difference in social service. Her true passions are her family, technology, writing, and art. She hails from Sydney, Nova Scotia with her two beautiful children and her adorable cats.