ISO 27001 Annex A controls

Table of Contents
ISO 27001 Annex A controls comprise 114 individual controls across domains like information security policies, various security policies for the organization, human resources, communication, and many more. It also lists out control frameworks for incident management and continuity management. The following are the controls under Annex A,

Annex A.5 : Information Security Policies #

Annex A.5 highlights the need to have well-written and reviewed policies directing organizations towards a better information security system. The annex has two controls as follow,
  • Annex A.5.1.1 Policies for Information Security #

    This clause defines the need to have business-appropriate information security policies that are well defined, approved, and well-communicated across the organization.
  • Annex A.5.1.2 Review of the policies for information security #

    Creating policies to manage ISMS is not enough; having a regular review and updates is essential.

Annex A.6 : Organisation of Information Security #

This annex primarily deals with having a framework to initiate and control the implementation and operation of information security within the organization. The annex has a total of seven controls divided into two subsections as follows,
  • A.6.1.1 Information Security Roles & Responsibilities #

    Based on the roles and responsibilities of employees in the organization, the information security tasks should also be assigned accordingly.
  • A.6.1.2 Segregation of Duties #

    Segregation of duties is also essential in case of similar tasks and responsibilities which can overlap or undergo unauthorized and un-intentional modification.
  • A.6.1.3 Contact with Authorities #

    Establishing a good network and connections between the stakeholders is required.
  • A.6.1.4 Contact with Special Interest Groups #

    Organizations having connections with special groups, business forums, organizations are counted under this control.
  • A.6.1.5 Information Security in Project Management #

    This control highlights the need for information security in project management. Organizations should ensure detailed planning for information security throughout the life-cycle of a project.
  • A.6.2.1 Mobile Device Policy #

    A well-defined control measure should be in place in case of information access through digital devices like mobile and remote devices. Proper policies should also be there to support ISMS through digital devices.
  • A.6.2.2 Teleworking #

    In case of employees are working remotely and much sensitive information is being accessed remotely, proper security protocol and safety measures should be in place. Well-defined communication and training of such employees should also be done.

Annex A.7 : Human resource security #

To ensure organizations employ and associate with people who understand their responsibilities well. The control measures deal with recruitment specifications, background verification, employment contract, disciplinary and security controls, and termination process. Following are the six different controls listed under this annex,
  • A.7.1.1 Screening #

    This control defines the need for having a human resource security framework in place. Properly screening the potential employees conducting background verification, and creating access control to the sensitive human resource data comes under Annex A.7.1.1.
  • A.7.1.2 Terms & Conditions of Employment #

    This control is about the agreements created for employees and contractors. It instructs organizations to put helpful information related to security information in the contract.
  • A.7.2.1 Management responsibilities #

    According to this annex, employees and contractors should have proper training and information regarding information security policies. They should understand them and help create organization-wide information security compliant culture.
  • A.7.2.2 Information Security Awareness, Education & Training #

    The training of employees regarding information security should be done regularly. The process involves training, evaluation, and continuous monitoring of the information dissemination.
  • A.7.2.3 Disciplinary Process #

    This particular control highlights that having a well-defined disciplinary process to maintain related policies and a way to communicate them is essential.
  • A.7.3.1 Termination or change of employment responsibilities #

    Organizations should have safety measures in place when an employee leaves the organization. All the terms and conditions should be communicated clearly.

Annex A.8 : Asset management #

This annex deals with the need for the organizations to identify the IT assets and define the proper protection system for the same. These controls try to ensure the presence of a mechanism to identify and involve concerned stakeholders in IT assets management. Comprising of ten controls, the annex controls are as follows,
  • A.8.1.1 Inventory of Assets #

    A proper inventory management system for information security assets is essential for the organization. Identifying all the assets and managing them throughout the entire life cycle is needed.
  • A.8.1.2 Ownership of Assets #

    Ownership of all the information security assets should be well-defined.
  • A.8.1.3 Acceptable Use of Assets #

    Assets usage should follow pre-defined rules and regulations. Well documented policy should be in place for the same.
  • A.8.1.4 Return of Assets #

    This particular control discusses the obligation of employees and any related person to return all the information security assets as they exit the organization. Well documented process of asset return is expected.
  • A.8.2.1 Classification of Information #

    Information should be classified based on different security measures.
  • A.8.2.2 Labelling of Information #

    Organizations should adequately label all the information to remove any ambiguity. The rationales behind the labeling should be well defined and communicated to the relevant people.
  • A.8.2.3 Handling of Assets #

    This control instructs organizations to have a proper and well-demonstrated process for information asset handling.
  • A.8.3.1 Management of Removable Media #

    Removal of information media should follow the information classification.
  • A.8.3.2 Disposal of Media #

    In case of non-usage of any information, the disposal of the media should follow a proper secure way. Pre-defined written documents for the disposal process should be in place.
  • A.8.3.3 Physical Media Transfer #

    When the information media is transported, the information should be protected from unauthorized access or usage.

Annex A.9 : Access control #

Having a secure information security system is not enough, but having a good measure to safeguard the system is also needed. Access control and managing information dissemination is also an essential aspect of this annex. Following are the individual controls under Annex A.9,
  • A.9.1.1 Access Control Policy #

    In an organization, not everyone should have access to information. Rules and policies should be implemented for information access. Control is equally applicable for both physical and digital information.
  • A.9.1.2 Access to Networks and Network Services #

    The information stored, circulated, and communicated through the network should also be protected.
  • A.9.2.1 User Registration and Deregistration #

    To regulate, the people accessing the information should have conditional access to the data.
  • A.9.2.2 User Access Provisioning #

    The assignment and revocation of the access should be there, preferably automated. User access should always be derived from business needs.
  • A.9.2.3 Management of Privileged Access Rights #

    High-level employees or people in the management often have access to critical and sensitive data and information. Access rights for such information users should be documented and implemented well in the organization.
  • A.9.2.4 Management of Secret Authentication Information of Users #

    Establishing a formal management system to protect user access is essential. In the case of a secret authentication facility, all the related policies should be demonstrated well in a written document.
  • A.9.2.5 Review of User Access Rights #

    Monitoring the user access at a regular interval is required. After a considerable time, all the access rights should be reconsidered, modified, or changed if necessary.
  • A.9.2.6 Removal or Adjustment of Access Rights #

    User access assignment and exit policies should be well-defined.
  • A.9.3.1 Use of Secret Authentication Information #

    This clause obliges the users to follow the rules and policies regarding the information security management system.
  • A.9.4.1 Information Access Restriction #

    Role-based access and defining the level of information access are this control’s central monitoring elements.
  • A.9.4.2 Secure log-on Procedures #

    This control tries to monitor the soundness of the log-in and log-off process of the information access gateways.
  • A.9.4.3 Password Management System #

    Managing a substantial amount of password-protected data is not easy. A well-established system to control and protect the password and log-in credentials are also needed.
  • A.9.4.4 Use of Privileged Utility Programmes #

    Organizations should not share confidential details regarding the information security system. Utility programs that can override the system must be controlled strictly.
  • A.9.4.5 Access Control to Program Source Code #

    Program source codes must have restricted access.

Annex A.10 : Cryptography #

The controls under annex A.10 highlight the need for the data encryption process to maintain confidentiality and provide information security. The two controls are as follows,
  • A.10.1.1 Policy on the use of Cryptographic Controls #

    Well-defined policy to control the cryptographic nformation should be there in the organization.
  • A.10.1.2 Key Management #

    Controling the cryptgraphic keys is the focus point of this control.

Annex A.11 : Physical and environmental security #

The aim of annex A.11 is to establish a secure access management system for organization-wide information. The control parameters for preventing unauthorized access to information and preventing damage to the ISMS are framed in this section. The fifteen controls listed below are part of annex A.11,
  • A.11.1.1 Physical Security Perimeter #

    The physical perimeter of the space where information assets are placed and maintained should also be protected. This must include the physical access restriction maintenance of the safety measures.
  • A.11.1.1 Physical Security Perimeter #

    The physical perimeter of the space where information assets are placed and maintained should also be protected. This must include the physical access restriction maintenance of the safety measures.
  • A.11.1.3 Securing Offices, Rooms, and Facilities #

    Along with the security of information assets, the safety of the physical office buildings, rooms, and other assets. Tracking people going in and out of the office or establishment is also required.
  • A.11.1.4 Protecting against External & Environmental Threats #

    Organizations are subject to various external threats that might be unprecedented. One should have planned to protect the ISMS from such anomalies.
  • A.11.1.5 Working in Secure Areas #

    Secure areas should be well defined. Everyone having access to enter or restricted to enter must understand the boundaries and rationales behind so. Proper monitoring must be practiced.
  • A.11.1.6 Delivery & Loading Areas #

    Delivery points and loading areas have high chances of infiltration by external people; hence, such physical points should be controlled well.
  • A.11.2.1 Equipment Siting & Protection #

    Equipments used for the information security system must be protected. The monitoring and protection process should be present for on-site and remote workers.
  • A.11.2.2 Supporting Utilities #

    This control tries to protect equipments from different system failures like mechanical errors in machine power failures and many others.
  • A.11.2.3 Cabling Security #

    In cases where cables carry information, proper maintenance and security measure should be implemented.
  • A.11.2.4 Equipment Maintenance #

    Equipments must be maintained regularly.
  • A.11.2.5 Removal of Assets #

    Proper management planning is needed when any information system asset is removed or mobilized from a place.
  • A.11.2.6 Security of Equipment & Assets Off-Premises #

    In the case of off-side equipments, proper identification and analysis of all possible threats and suitable measures to manage those are essential.
  • A.11.2.7 Secure Disposal or Re-use of Equipment #

    The disposal method for equipment should be done following a pre-defined process. Deletion of sensitive information or over-writing the data should be done before disposal.
  • A.11.2.8 Unattended User Equipment #

    Unattended equipment must be protected using passwords or physical restrictions.
  • A.11.2.9 Clear Desk & Screen Policy #

    According to the clear desk and screen policy, no information asset or system should remain unattended or unprotected.

Annex A.12 : Operations security #

Annex A.12 is all about gaining operational security across the organization. It tries to ensure secure operations of information processing facilities through fourteen different control measures as discussed below,
  • A.12.1.1 Documented Operating Procedures #

    Documenting the operating procedure and communicating them to the concerned stakeholders is essential. This control describes the need for creating and maintaining written documents for oprtaion
  • A.12.1.2 Change Management #

    Change is inevitable in any organization; hence, changes in the ISMS are also expected. Every organization must ensure a well-defined change management process for the same.
  • A.12.1.3 Capacity Management #

    Defining the capacity for the information security system is essential. Monitoring the capacity usage and proactive measure to manage it is needed.
  • A.12.1.4 Separation of Development, Testing & Operational Environments #

  • A.12.2.1 Controls Against Malware #

    Protecting the system against any malware is expected.
  • A.12.3.1 Information Backup #

    A sound data backup system is required to reduce the risk of data destruction and gain the ability to re-generate the information.
  • A.12.4.1 Event Logging #

    Logging all the events of loging in and information usage is also important spect of the ISMS.
  • A.12.4.2 Protection of Log Information #

    The information generated through log-ins must be protected.
  • A.12.4.3 Administrator & Operator Logs #

    System logs by administrators and operators must be monitored reviewed at regular intervals.
  • A.12.4.4 Clock Synchronisation #

    The clock must be synchronized for all the information processing systems within the organization.
  • A.12.5.1 Installation of Software on Operational Systems #

    It is good to outline a proper installation guideline for software in the operational system.
  • A.12.6.1 Management of Technical Vulnerabilities #

    Identifying the technical vulnerabilities that the system might undergo must be reviewed at regular intervals, and appropriate measures should be in place.
  • A.12.6.2 Restrictions on Software Installation #

    The proper rule must be outlined to restrict the software installation. The authorities must define what type of software is allowed to be installed how the access must be controlled.
  • A.12.7.1 Information Systems Audit Controls #

    Auditing of the information system must be considered for business contunuation. Audit planning and activity reporting are a must.

Annex A.13 : Communications security #

Information network security and guidance on protecting information are guided through annex A.13 controls. Below is the list of controls,
  • A.13.1.1 Network Controls #

    Protecting the network through which the information security assets are connected, and information flows must be protected.
  • A.13.1.2 Security of Network Services #

    Security of network services must be integrated into the process.
  • A.13.1.3 Segregation in Networks #

    Organizations managing a massive volume of data must have a process to segregate them and make a more efficient network management system. The method for doing the same must be well-formated and communicated.
  • A.13.2.1 Information Transfer Policies & Procedures #

    In the case of information transfer, proper policy and rules must be implemented.
  • A.13.2.2 Agreements on Information Transfer #

    Concerned parties involved in the process of information transfer should consider having an agreement for the same. This ensures the creation of a secure network for information dissemination.
  • A.13.2.3 Electronic Messaging #

    Any information being shared through electronic messaging method must be safeguarded.
  • A.13.2.4 Confidentiality or Non-Disclosure Agreements #

    Another aspect of protecting information is to create confidentiality agreements and non-disclosure agreements between the organization and employees/users.

Annex A.14 : System acquisition, development and maintenance #

Annex A.14 controls ensure that information security remains an integral part of the organization throughout the entire life-cycle.Below are the controls for the same,
  • A.14.1.1 Information Security Requirements Analysis & Specification #

    Information security requirements must be identified as per the business compliance requirements.
  • A.14.1.2 Securing Application Services on Public Networks #

    Information going out in the public network must be protected from all sorts of fraudulent activities. Confidentiality and integrity must always be protected.
  • A.14.1.3 Protecting Application Services Transactions #

    Information involved in the application of the application service should be protected to prevent incomplete transfers, inaccuracies, unauthorized message modifications, unauthorized disclosures, duplicate messages or playback.
  • A.14.2.1 Secure Development Policy #

    Software development programs should be developed and applied within the organization. Secure upgrades are required for building a secure service, architecture, software, and system.
  • A.14.2.2 System Change Control Procedures #

    Formal change management procedures should be documented and enforced to ensure the system’s integrity, applications, and products. Systematic change management procedures are designed to reduce the risk of accidental or deliberate vulnerability in ISMS.
  • A.14.2.3 Technical Review of Applications After Operating Platform Changes #

    When operating platforms are changed, critical applications in the business must be reviewed and tested for compatibility with the changes.
  • A.14.2.4 Restrictions on Changes to Software Packages #

    Modification of software packages should be discouraged, limited to required changes and all changes should be strictly controlled.
  • A.14.2.5 Secure System Engineering Principles #

    Secure information system engineering systems based on security engineering principles should be developed, documented, and applied to the engineering functions of the internal information system.
  • A.14.2.6 Secure Development Environment #

    The organization must develop an environment to protect information systems from any malicious incident.
  • A.14.2.7 Outsourced Development #

    In the case of outsourced system development, proper supervision and monitoring must be implemented.
  • A.14.2.8 System Security Testing #

    Regular testing of all the security measures must be carried out.
  • A.14.2.9 System Acceptance Testing #

    The acceptance must be tested when implementing a new program or updating the existing one.
  • A.14.3.1 Protection of Test Data #

    All the data and insights must be protected from any unauthorized use.

Annex A.15 : Supplier relationships #

Annex A.15 lists out the controls to measure the information security in supplier relationships. It helps protect the organizations’ information that a supplier has access to. This annex contains five controls, namely,
  • A.15.1.1 Information Security Policy for Supplier Relationships #

    A reasonable policy frame should be there to mitigate the risk associated with suppliers.
  • A.15.1.2 Addressing Security Within Supplier Agreements #

    All relevant information security requirements must be established and agreed upon with each supplier who can access, process, store, communicate with, or provide IT components of the organization’s information infrastructure.
  • A.15.1.3 Information & Communication Technology Supply Chain #

    The control necessitates describing the guidelines and information related to the information security in the supplier agreement.
  • A.15.2.1 Monitoring & Review of Supplier Services #

    Organizations must have the evaluation process and parameters for the suppliers.
  • A.15.2.2 Managing Changes to Supplier Services #

    Changes in provider service delivery, including the maintenance and improvement of information security policies, procedures, and controls, should be managed, taking into account the business information, systems, processes and procedures involved and risk assessments.

Annex A.16 : Information security incident management #

Tracking, managing, and reporting incidents are controlled under Annex A.16.This control framework aims to establish a transparent incident and vulnerability management process.
  • A.16.1.1 Responsibilities & Procedures #

    It deals with how the management can establish procedures to ensure a quick, effective and orderly response to address weaknesses, events and security incidents.
  • A.16.1.2 Reporting Information Security Events #

    It requires that information security incidents can be reported via suitable management channels as soon as possible.
  • A.16.1.3 Reporting Information Security Weaknesses #

    It includes that incidents and event once reported might be treated differently.
  • A.16.1.4 Assessment of & Decision on Information Security Events #

    It calls for information security events to be assessed and then only it can be decided if they should be classified as information security incidents or events of weaknesses.
  • A.16.1.5 Response to Information Security Incidents #

    It requires assigning owners, and be clear on actions and retain information for audit purposes.
  • A.16.1.6 Learning from Information Security Incidents #

    It requires the policy needs to demonstrate that the knowledge gained from analysing and resolving information security incidents will be used to help reduce the likelihood or impact of any future incidents.
  • A.16.1.7 Collection of Evidence #

    It requires organizations to apply controls to identify, collect, acquire and preserve informations.

Annex A.17 : Information security aspects of business continuity management #

Integration of ISMS with the organizations’ continuity planning is the focus of the controls listed under Annex A.17. Below is the list of all the relevant controls,
  • A.17.1.1 Planning Information Security Continuity #

    It requires organizations to determine its requirements for information security in adverse situations.
  • A.17.1.2 Implementing Information Security Continuity #

    It require organizations to set, implement, maintain and processes. This is required to ensure a required level of information security continuity.
  • A.17.1.3 Verify, Review & Evaluate Information Security Continuity #

    It requires organizations to verify the information security continuity controls that has already been established and implemented in order to ensure that they are valid and effective during these situations.
  • A.17.2.1 Availability of Information Processing Facilities #

    It describes how information processing facilities should be implemented to meet requirements.

Annex A.18 : Compliance #

Annex A.18 helps to ensure that organizations identify relevant laws and regulations and understand their legal and contractual requirements. It helps understand organizations’ risks associated with non-compliance and associated penalties. The following are the controls under this annex,
  • A.18.1.1 Identification of Applicable Legislation & Contractual Requirements #

    It requires organizations to ensure that it is staying up to date with legislation and regulation that can affect business objectives and ISMS outcome.
  • A.18.1.2 Intellectual Property Rights #

    It requires organizations to implement appropriateprocess and procedures which will ensure it complies with all its requirements.
  • A.18.1.3 Protection of Records #

    It includes how records should be protected from loss, destruction, unauthorised access and unauthorised release.
  • A.18.1.4 Privacy & Protection of Personally Identifiable Information #

    It involves how privacy and protection of PII is assured for relevant legislation and regulation.
  • A.18.1.5 Regulation of Cryptographic Controls #

    It defines how cryptographic controls are to be used in compliance with relevant regulations.
  • A.18.2.1 Independent Review of Information Security #

    It deals with an organization’s approach to managing and implementation of information security.
  • A.18.2.2 Compliance with Security Policies & Standards #

    It requires managers to review the information processing and procedures regulrly.
  • A.18.2.3 Technical Compliance Review #

    It requires organizations to regularly review their information systems with their information security policies and standards.

Powered by BetterDocs

Ready to get Started?

Experience our Award-winning GRC platform!

Drive efficiency and value across your business with VComply’s user-friendly platform.
Product Enquiry
For any product enquiries, get in touch with a product specialist today!
Help Desk
Find your answers in our expansive knowledge base.
Start for Free
Speak to Our Compliance Expert
Get Case Study
Get Case Study
Get Case Study
Get Case Study
Get Case Study
Start a Free Trial