ISO27001 CONTROLS

What Are ISO 27001 Controls?

Improving the security of information assets is an intensely complex process that varies according to organizational need, industry, and risk level. Therefore, the ISO 27001 controls list that a specific company focuses upon is tailored to its digital configuration, regulatory requirements, and similar factors. The controls outlined in the standard are safeguards that a business can implement to protect its digital assets.

The complete ISO 27001 controls list can be found in Annex A of the standard and is organized into a series of 14 domains. These include sections on the following:

  • Organizational issues
  • Human resources
  • Physical security
  • Information technology
  • Legal issues

Annex A contains a total of 114 information security controls distributed throughout the 14 domains. In effect, it is a catalog of the most effective safeguards that a company can use to protect its digital security. Businesses can either utilize the annex as an ISO 27001 controls checklist to assess their overall risk profile or select the measures that are compatible with their organization’s scope.

After doing so, they must comply with additional clauses in the main part of ISO/IEC 27001 that require them to define the responsibilities for managing these controls, measure their effectiveness, and correct any issues that arise so that security objectives can be attained.

ISO 27001 Controls List

ISO 27001 comprises two parts: the information security management system (ISMS) and the 114 Annex A controls that are sometimes referred to as ISO 27002. Organizations must provide a Statement of Applicability explaining which controls will be audited and which will not, along with documentation that explains why. The ISO 27001:2013 controls include the following:

  • Information security: management direction and all aspects of information security policies including definition, publication, communication, and review procedures.
  • Organization of information security: internal procedures, roles and responsibilities, segregation of duties, contact with authorities and special interest groups, project management, mobile devices, and teleworking.
  • Human resources: onboarding employees, screening, terms and conditions of employment, information security awareness and training, disciplinary processes, and termination or change of employment.
  • Asset management: responsibility, inventory, ownership, acceptable use and return of assets, classification and labeling of information, handling of assets, and management, disposal, and transfer of removable media.
  • Access control: policies and procedures describing who can access information and facilities, user registration, user access provisioning, management of privileged access rights and secret authentication information, regular review of rights, termination or transfer of rights, system and application access control, access restrictions, logon and password procedures, use of privileged utility programs, and access to source code.
  • Cryptography: policy and management of cryptographic keys and procedures.
  • Physical and environmental security: security of perimeter, entrances, offices, and all internal spaces; also procedures in place to protect against environmental disasters and physical attack, security for on- and off-site equipment and a clear screen and clear desk policy.
  • Operations security: documented operating procedures, change management, capacity management, separation of development, testing and operational environments, protecting against malware, backup procedures, logging and monitoring, operator logs, clock synchronization, integrity of operational software, technical vulnerabilities, and information systems audits.
  • Communications security: network controls, network security, network segregation, transfer policies and agreements, messaging, and confidentiality.
  • System acquisition, development, and maintenance: applications on public networks, system change controls, technical review, secure development environment, and testing.
  • Supplier relationships: vendor security policies, information and communication technology used with and between vendors, monitoring and review, and change management.
  • Information security incident management: responsibilities and procedures, reporting, assessment, response, learning from events, and collection of evidence.
  • Information security aspects of business continuity management: planning for and implementing information security during crises and identifying redundancies.
  • Compliance with legal and contractual requirements: identification of applicable requirements, intellectual property, contractual compliance, protection of records and personally identifiable information, cryptographic controls, and information security reviews.

How Do I Get ISO 27001 Certified?

Many organizations of all sizes are certified to the ISO 27001 standard. This means they have chosen the ISO 27001:2013 controls that pertain to their unique digital situation. When a company is certified, this internationally recognized stamp of approval signifies that the business takes its digital security seriously.

Self-assessments, completing an ISO 27001 controls checklist, and attestations of compliance are not enough. A company must hire a third-party auditor to thoroughly review all aspects of the ISMS before certification is granted.

It is important to entrust the examination of an entire ISMS to an objective service provider who is not only experienced in the field but also willing to take the business’s unique security priorities and systems into consideration to pinpoint the ISO 27001:2013 controls on which to focus.

What Are the ISO 27001 Requirements?

For some industries, ISO 27001 certification is required; for others, it is not mandatory but serves as a way to assure customers and investors of a company’s ongoing commitment to security.

Although each organization can customize the ISO 27001:2013 controls it wishes to focus on during an audit, each business must walk through the following general steps:

  • Examine the organization and the context within which it operates.
  • Establish an information security policy that specifies authorities, roles, and responsibilities in all areas of information security.
  • Describe steps taken to assess risk and protect the confidentiality, integrity, and availability of information.
  • Delegate tasks, document progress, and utilize resources in such a way as to promote security, awareness, and strong communications.
  • Provide evidence that steps have been taken for operational planning and control.
  • Monitor how well the security measures protecting the ISMS are working via documentation, internal audits, and managerial review, taking corrective action where necessary.

How Do My Firewalls Relate to the ISO 27001 Control Checklist?

The loss of data confidentiality, integrity, and availability can be devastating for any organization. Firewalls are just one tool in your security arsenal, but they manage the connections among your various internal and external networks.

Firewalls can accept, reject, or filter traffic, thereby providing a higher level of protection and functioning as an integral part of an ISMS. As such, the existence and use of firewalls should be documented in your ISMS policies.

It might be a good idea to draft a separate document strictly for your firewalls, covering the ISO 27001 areas that concern networks, event logs, and configuration, including the parameters of each connection: the rules applied and the mode of operation.

With a robust firewall system in place, you can safeguard the internal and external network traffic that, when left unmonitored, can endanger your sensitive data and other assets.

Furthermore, documenting your use of this and other security systems can help to minimize your risk exposure. As you strive for ISO 27001 certification, this can be a positive factor in your favor.
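The following script is an added example, not code from the page or from any ISO 27001 publication. It shows one way to turn a firewall rule set into the kind of documented record described above: each rule carries an owner, a business justification, and a last-review date alongside its traffic parameters, and the script records the operation mode and the event-log destination while flagging the findings an auditor would ask about (a catch-all allow, a missing owner or justification, an overdue review, or no default-deny at the end of the inbound chain). The rule inventory, the 365-day review interval, the dates, the addresses, and the log destination are all constructed values, and the field layout is an assumption, not any vendor's export format.

```python
"""Build a firewall evidence record for an ISMS (added example, not from the page)."""
from dataclasses import dataclass, asdict
from datetime import date
import json


@dataclass(frozen=True)
class Rule:
    """One firewall rule plus the metadata an ISMS record should carry (assumed layout)."""
    rule_id: str
    action: str          # "allow" or "deny"
    direction: str       # "inbound" or "outbound"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    service: str         # "tcp/443", "udp/53", or "any"
    owner: str           # team accountable for the rule
    justification: str   # business reason recorded for the rule
    last_reviewed: date  # when the rule was last confirmed as still needed


# Constructed inventory for illustration; not a real firewall export.
TODAY = date(2024, 1, 15)
CONSTRUCTED_RULES = [
    Rule("FW-001", "allow", "inbound", "any", "10.0.1.10/32", "tcp/443",
         "web-team", "Public web front end", date(2023, 12, 1)),
    Rule("FW-002", "allow", "inbound", "any", "any", "any",
         "", "", date(2022, 6, 1)),
    Rule("FW-003", "allow", "outbound", "10.0.0.0/8", "10.0.2.5/32", "udp/53",
         "network-team", "Internal DNS resolver", date(2023, 11, 20)),
    Rule("FW-004", "deny", "inbound", "any", "any", "any",
         "network-team", "Default deny for unmatched inbound traffic", date(2024, 1, 2)),
]


def is_catch_all(rule):
    """A rule that matches every source, destination and service."""
    return rule.src == "any" and rule.dst == "any" and rule.service == "any"


def has_default_deny(rules, direction="inbound"):
    """True if the last rule in the given direction is a catch-all deny."""
    chain = [r for r in rules if r.direction == direction]
    return bool(chain) and chain[-1].action == "deny" and is_catch_all(chain[-1])


def check_rules(rules, today=TODAY, review_days=365):
    """Return (rule_id, issue) pairs that belong in the findings section of the record."""
    findings = []
    for r in rules:
        if r.action == "allow" and is_catch_all(r):
            findings.append((r.rule_id, "allow-any-any"))
        if not r.owner.strip():
            findings.append((r.rule_id, "missing-owner"))
        if not r.justification.strip():
            findings.append((r.rule_id, "missing-justification"))
        if (today - r.last_reviewed).days > review_days:
            findings.append((r.rule_id, "review-overdue"))
    if not has_default_deny(rules, "inbound"):
        findings.append(("*", "no-default-deny-inbound"))
    return findings


def build_record(rules, operation_mode, log_destination, today=TODAY):
    """Assemble the documentation record: configuration, rules, logging and findings."""
    rows = []
    for r in rules:
        row = asdict(r)
        row["last_reviewed"] = r.last_reviewed.isoformat()  # keep the record JSON-serialisable
        rows.append(row)
    return {
        "generated": today.isoformat(),
        "operation_mode": operation_mode,
        "event_log_destination": log_destination,
        "rule_count": len(rules),
        "rules": rows,
        "findings": [{"rule": rid, "issue": issue} for rid, issue in check_rules(rules, today)],
    }


if __name__ == "__main__":
    # Operation mode and log destination are constructed placeholders.
    record = build_record(CONSTRUCTED_RULES, "stateful, routed", "syslog://10.0.3.1:514")
    print(json.dumps(record, indent=2))
```

Running the script on the constructed inventory produces a JSON record in which FW-002 is flagged four times (catch-all allow, no owner, no justification, review overdue), while the default-deny check passes because FW-004 closes the inbound chain. Storing such a record with each change gives the auditor a dated artifact that ties the firewall configuration to the network, logging and change-management controls the text refers to.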