ISO 27001 Controls

ISO 27001 Controls: A Definitive Guide

ByAndrew Lugsden
ISO 27001 Controls

ISO 27001:2022 Information security, cybersecurity, and privacy protection

ISO 27001 is an international standard for an Information Security Management System (ISMS) and uses the ISO 27001 Controls and Clauses to define the requirements that an ISMS must meet.

The standard is designed for all companies regardless of size or industry and defines the information security controls to establish, implement, maintain, and continually improve an ISMS.

Table of Contents

    The information security controls outline the practices your business will follow, and how you will ensure three key aspects of security:

    Confidentiality, Integrity, Availability

    Confidentiality

    Ensuring you have suitable data access protection in place and that your data remains your data.

    This aims to protect your confidential data from unauthorized access, and so requires the categorization of your data into multiple types, such as Public, Private, Confidential, and Restricted.

    Integrity

    Maintaining the accuracy, reliability, and trustworthiness of your data and systems and that no unauthorized changes have been made.

    This aims to protect your data over time, both while in storage, and also while in transit and so requires suitable data protection systems to be put in place such as secure backups and communications security.

    Availability

    Making sure the required data and systems are available to those who need it when they need it.

    This aims to ensure the accessibility of your data for those authorized to access it, which can require considerations for secure login procedures, business continuity management, redundancy solutions, and backup systems.

    The ISO 27001 Clauses

    ISO 27001 Clauses

    The ISO 27001 documentation defines Clauses 1-10. However, Clauses 1 to 3 outline the Scope, References, and Terms and Definitions for the standard.

    The relevant Clauses that detail what is required for an organization to comply with the ISO 27001 standard are then outlined within Clauses 4 to 10.

    4. Context of the Organisation

    • 4.1 Understanding the Organisation and its Context
    • 4.2 Understanding the Needs and Expectations of Interested Parties
    • 4.3 Determining the Scope of the Information Security Management System
    • 4.4 Information Security Management System

    5. Leadership

    • 5.1 Leadership and Commitment
    • 5.2 Policy
    • 5.3 Organisational Roles, Responsibilities and Authorities

    6. Planning

    • 6.1 Actions to Address Risks and Opportunities
    • 6.2 Information Security Objectives and Planning to Achieve Them
    • 6.3 Planning of Changes

    7. Support

    • 7.1 Resources
    • 7.2 Competence
    • 7.3 Awareness
    • 7.4 Communication
    • 7.5 Documented Information

    8. Operation

    • 8.1 Operational Planning and Control
    • 8.2 Information Security Risk Assessment
    • 8.3 Information Security Risk Treatment

    9. Performance Evaluation

    • 9.1 Monitoring, Measurement, Analysis and Evaluation
    • 9.2 Internal Audit
    • 9.3 Management Review

    10. Improvement

    • 10.1 Continual Improvement
    • 10.2 Nonconformity and Corrective Action
    ISO 27001 Clauses and Controls

    Additional requirements are also outlined within the ISO 27001 controls which are split into four main categories numbered 5 to 8:

    • 5. Organisational Controls
    • 6 People Controls
    • 7. Physical Controls
    • 8 Technological Controls

    Documentation for the ISO 27001 Clauses

    ISO 27001 Clauses Documentation

    The ISO 27001 clauses define a broad set of requirements for the ISMS as well as a specific set of requirements for necessary documented information, including:

    • Documenting the Scope of the ISMS
    • Documenting the Information Security Policy
    • Documenting the Information Security Risk Assessment Process
    • Documenting the Information Security Risk Treatment Process
    • Documenting the Information Security Objectives
    • Documented Information as Evidence of Competence
    • Documented Information considered necessary for the effectiveness of the ISMS
    • Documented Information to provide confidence processes are carried out as planned
    • Documented Information for the results of the risk assessment
    • Documented Information for the results of the risk treatment
    • Documented Information as evidence from Monitoring, Measurement, Analysis and Evaluation
    • Documented Information to evidence the Audit Programme
    • Documented Information to evidence the Management Reviews
    • Documented Information to evidence nonconformities and corrective actions

    Based upon these documentation requirements and the requirements outlined within the ISO 27001 controls, several documents are recommended to be prepared for most organizations.

    Information Security Management System

    Information Security Management System

    A dedicated ISMS document is recommended which details your scope, each of the ISO 27001 Clauses and how they are managed, through documents, policies, and processes.

    Statement of Applicability

    Statement of Applicability

    The Statement of Applicability will list each of the ISO 27001 Controls and should define if it is applicable, how it has been implemented, and any useful information related to its implementation.

    Information Security Policy

    Information Security Policy

    The Information Security Policy can outline your overall objectives for data security the company’s responsibility about the Confidentiality, Integrity, and Availability of data, and the scope of data to be protected.

    The policy can outline how the business will accomplish these tasks and how the policy will be regularly reviewed.

    Risk Assessment and Risk Treatment Plan

    Risk Assessment and Risk Treatment

    The risk assessment can outline all potential risks against your business, assets, and people, including information security risks and physical and environmental security risks.

    For your defined risks there should also be a grading system that applies to each risk allowing for repetition and consistency of risk scoring.

    Each risk can also list an action plan and method for risk management, describing how the risk will be addressed, how long this is expected to take, and the reduced risk score once the mitigation is in place.

    The risk documentation can also be updated as tasks are completed to verify that mitigation strategies are in place and that risks have been reduced as expected.

    Staff Skills List

    ISO 27001 Staff Skills List

    When looking to document the evidence of competence for your staff, you can use a combination of data.

    A checklist of tasks to complete for each new starter can ensure they have the necessary user access rights and equipment they need, as well as a foundation of knowledge for your business and its security processes, such as not leaving unattended user equipment.

    Documentation can also be provided to each new starter to ensure they are aware of the business and their own responsibilities for maintaining ISO 27001 compliance.

    Where your staff needs additional qualifications, skills, or training, these can also be listed with each being signed off and approved by an authorized individual within your business.

    Monitoring and Evaluation

    ISO 27001 Monitoring and Evaluation

    For each of your processes and policies, it is recommended to define what is considered to be confirmation of a task or action being completed as intended.

    You can then assign a responsible person to regularly review parts of your business to ensure it is operating as intended and document the results.

    This can help to outline areas for further staff training, improvement of operational procedures, or to raise a potential security incident or non-conformity.

    Audit Programme Reports

    ISO 27001 Audit Programme Reports

    The entire implementation of your ISO 27001 Controls and Clauses, needs to be regularly reviewed to ensure the appropriate controls are working as intended. This information can be captured within Audit Reports.

    The Audit reports should detail every point of the Clauses and Controls and describe how each point has been met, providing reference to specific documentation to verify each point.

    Where certain points are recognized to not be implemented as intended or showing signs that they can be improved, this can also be detailed within the report, and become a task to complete to demonstrate the business works towards continuous improvement.

    Non-Conformities and Incidents

    ISO 27001 NonConformity and Incidents

    Where Audits or other means, identify areas where the policies and processes are not implemented as intended, a nonconformity should be documented, and where security breaches occur, this should also be documented.

    Each of these issues can then be reviewed to determine the underlying cause, and how actions can be taken or new procedures put in place to prevent this type of issue from reoccurring.

    Management Reviews

    Management Review

    A management review meeting should be regularly held and a report discussing the status of the ISMS completed, providing evidence of the intended management direction of the business and the continued work towards improvement.

    The report can include an overview of actions and issues discussed at previous management meetings, and how these actions have affected the business.

    A review of topics and their impact on the business should also be conducted for:

    • New issues, risks, and opportunities that have been raised since the previous meeting.
    • A review of any complaints or suggestions for improvement
    • A review of the current objectives and goals for the company and whether they have been met, are still applicable, or if there are any new goals and objectives.
    • A review of all the ISO 27001 policies and documentation to determine if any changes or improvements are required, or how previous changes have impacted the business.

    Other Relevant Documentation

    ISO 27001 Documentation

    This can include evidence required to verify that a process or policy is carried out, or can be a specific documented policy or process to ensure your staff has the necessary training, or can clearly define your teams roles and responsibilities and how they are assigned within the business.

    For example, to verify access control, it may be necessary to document your existing accounts, and their permission level, and to implement controls to authorize the creation of new accounts or permissions.

    To ensure the return of assets when someone leaves the business, there can be a staff leavers checklist, and a documented asset management list that defines who has been assigned which asset within the organization, confirming physical assets and sensitive data are both returned upon leaving.

    The ISO 27001 Controls List

    ISO 27001 Controls List

    Do all the ISO 27001 Controls apply to my business?

    Within each of the control categories is the list of specific controls that should be reviewed to determine if they apply to your organization.

    There are 93 security controls in total, defined within the Annex A Controls, and these are spread across the four control categories.

    Not all controls will necessarily apply and for each control, it is useful to define a reason and justification for why it does or doesn’t apply.

    To understand how many controls may apply to your business, your organization should first determine and document several important factors.

    Interested parties should be defined, as they may have legal and contractual requirements that dictate how your business needs to operate, which in turn may impact your operational security and applicable ISO 27001 controls.

    Your organisation should also understand the scope and extent of the ISMS as this can also impact the controls that are relevant to your company.

    Documenting the ISO 27001 Controls

    Documenting ISO 27001:2022 Controls

    Each of the controls should be documented and defined within a Statement of Applicability document.

    This document will detail each of the controls, if they are relevant to your business, and justification for why they may have been excluded.

    Where a control is applicable, it should describe which document or process has been used to define how it is implemented within the business.

    For example, where access controls need to be considered, you may have several documents in place that describe how accounts and permissions are created and assigned, how access is managed as part of the new starters process, and how access is removed for any leavers.

    In addition, there may be other policies in place related to access, such as access to physically restricted areas of your business, or how guests and third parties are provided with access where required. Each of these relevant policies or processes should be outlined within the Statement of Applicability.

    It can also be useful to detail whether you have currently implemented a control or it is something that still needs to be worked on within your information security system, as well as how each control has been implemented, and who has implemented the control.

    ISO 27001:2022 Organisational Controls

    Organisational Controls

    Who The Organisational Controls Apply To

    The Organisational controls will largely apply to most companies as they define control objectives for the management of multiple different policies including assets, and the transfer and identification of information.

    Implementing The Organisational Controls

    These controls are implemented by creating policies and processes for how you govern your information, people, assets, third parties, security incidents, and more.

    The Organisational Controls List

    • 5.1 Policies For Information Security
    • 5.2 Information Security Roles and Responsibilities
    • 5.3 Segregation Of Duties
    • 5.4 Management Responsibilities
    • 5.5 Contact With Authorities
    • 5.6 Contact With Special Interest Groups
    • 5.7 Threat Intelligence
    • 5.8 Information Security In Project Management
    • 5.9 Inventory Of Information And Other Associated Assets
    • 5.10 Acceptable Use Of Information And Other Associated Assets
    • 5.11 Return Of Assets
    • 5.12 Classification of Information
    • 5.13 Labelling of Information
    • 5.14 Information Transfer
    • 5.15 Access Control
    • 5.16 Identity Management
    • 5.17 Authentication Information
    • 5.18 Access Rights
    • 5.19 Information Security In Supplier Relationships
    • 5.20 Addressing Information Security Within Supplier Agreements
    • 5.21 Managing Information Security In The Information And Communication Technology (ICT) Supply Chain
    • 5.22 Monitoring, Review, And Change Management Of Supplier Services
    • 5.23 Information Security For Use Of Cloud Services
    • 5.24 Information Security Incident Management Planning And Preparation
    • 5.25 Assessment And Decision On Information Security Events
    • 5.26 Response To Information Security Incidents
    • 5.27 Learning From Information Security Incidents
    • 5.28 Collection Of Evidence
    • 5.29 Information Security During Disruption
    • 5.30 ICT Readiness For Business Continuity
    • 5.31 Legal, Statutory, Regulatory And Contractual Requirements
    • 5.32 Intellectual Property Rights
    • 5.33 Protection Of Records
    • 5.34 Privacy Of Records
    • 5.35 Independent Review Of Information Security
    • 5.36 Compliance With Policies, Rules, And Standards For Information Security
    • 5.37 Documented Operating Procedures

    ISO 27001:2022 People Controls

    People Controls

    Who The People Controls Apply To

    The People controls will also largely apply to most companies as they intend to outline the requirements for employees of the company and aim to ensure their familiarity with the requirements of the ISO 27001 controls.

    Implementing The Organisational Controls

    These controls are implemented by ensuring the experience, training, education, and skills of your staff, so that they may carry out their roles and responsibilities as intended and in line with your documented policies and procedures.

    This may include conducting background checks, assigning appropriate protection responsibilities, and implementing operations security for your staff.

    The People Controls List

    • 6.1 Screening
    • 6.2 Terms And Conditions Of Employment
    • 6.3 Information Security Awareness, Education And Training
    • 6.4 Disciplinary Process
    • 6.5 Responsibilities After Termination Or Change Of Employment
    • 6.6 Confidentiality Or Non-Disclosure Agreements
    • 6.7 Remote Working
    • 6.8 Information Security Event Reporting

    ISO 27001:2022 Physical Controls

    Physical Controls

    Who The Physical Controls Apply To

    Many of the Physical controls will also apply to most businesses, as it is important to take steps to protect the physical security perimeter of your offices and assets.

    Implementing The Organisational Controls

    The physical controls are implemented through your physical assets. Ensuring you have documentation of each asset your business owns, where it is located, and who has access to it.

    Proactive steps should also be made to confirm that all equipment is well maintained, never left in an insecure environment, and is recorded as being collected and disposed of where necessary.

    The Physical Controls List

    • 7.1 Physical Security Perimeters
    • 7.2 Physical Entry
    • 7.3 Securing Offices, Rooms And Facilities
    • 7.4 Physical Security Monitoring
    • 7.5 Protecting Against Physical And Environmental Threats
    • 7.6 Working In Secure Areas
    • 7.7 Clear Desk And Clear Screen
    • 7.8 Equipment Siting And Protection
    • 7.9 Security Of Assets Off-Premises
    • 7.10 Storage Media
    • 7.11 Supporting Utilities
    • 7.12 Cabling Security
    • 7.13 Equipment Maintenance
    • 7.14 Secure Disposal Or Reuse Of Equipment

    ISO 27001:2022 Technological Controls

    Tecnological Controls

    Who The Technological Controls Apply To

    Although many of the Technological controls will also apply, if your organisation does not work on code and software development, it is likely that many sections in this control category will not apply to your business.

    Implementing The Technological Controls

    Your Technological controls are implemented through the software, hardware, and firmware of your devices, as well as your user management for these devices.

    It is important to ensure only necessary accounts are created with only the necessary permissions and access controls assigned, that you have secure password management systems, and that these accounts are used to carry out approved tasks.

    Those with the relevant authority and account permissions can also be assigned roles and responsibilities to configure your technology to ensure adherence to the technical controls.

    The Technological Controls List

    • 8.1 User End Point Devices
    • 8.2 Privileged Access Rights
    • 8.3 Information Access Restriction
    • 8.4 Access To Source Code
    • 8.5 Secure Authentication
    • 8.6 Capacity Management
    • 8.7 Protection Against Malware
    • 8.8 Management Of Technical Vulnerabilities
    • 8.9 Configuration Management
    • 8.10 Information Deletion
    • 8.11 Data Masking
    • 8.12 Data Leakage Prevention
    • 8.13 Information Backup
    • 8.14 Redundancy Of Information Processing Facilities
    • 8.15 Logging
    • 8.16 Monitoring Activities
    • 8.17 Clock Synchronisation
    • 8.18 Use Of Privileged Utility Programs
    • 8.19 Installation Of Software On Operational Systems
    • 8.20 Networks Security
    • 8.21 Security Of Network Services
    • 8.22 Segregation Of Networks
    • 8.23 Web Filtering
    • 8.24 Use Of Cryptography
    • 8.25 Secure Development Life Cycle
    • 8.26 Application Security Requirements
    • 8.27 Secure System Architecture And Engineering Principles
    • 8.28 Secure Coding
    • 8.29 Security Testing In Development And Acceptance
    • 8.30 Outsourced Development
    • 8.31 Separation Of Development, Test And Production Environments
    • 8.32 Change Management
    • 8.33 Test Information
    • 8.34 Protection Of Information Systems During Audit Testing

    In addition to defining how you will manage each of these aspects of your business, you should also outline how you will ensure the policies and procedures are carried out as defined.

    It is important to outline how often you will conduct reviews to ensure everything is operating as intended and assign responsibilities to people within your organisation to confirm this.

    Conclusion

    ISO 27001 Controls Conclusion

    The ISO 27001 standard aims to improve your organization’s overall security, through implementing best practices for your people, processes, and technology.

    The ISO 27001 Controls outline the core of your Information Security Management System, detailing how you will manage and control all aspects of your business and ensure business continuity.

    ISO 27001 also works to raise your awareness of the security of your business as a whole, by completing tasks to consider your potential risks and security incidents in advance and proactively mitigating these risks.

    The standard also requires a level of technical vulnerability management, with cyber security testing included in the Development cycle and also for businesses to actively identify security requirements.

    These security requirements should be identified for applications, network services, hardware and software best practice security configurations, and the identification of vulnerabilities, as well as the remediation of vulnerabilities, introduced into your systems to ensure information security continuity.

    The process of implementing ISO 27001 can be an in-depth and time-consuming process that can require small changes to several aspects of your business as well as major overhauls to your current processes.

    However, the benefits of implementing the ISO 27001 controls are considered worthwhile for any company working to improve its security controls, and will often benefit your organization in the long run when working on establishing supplier relationships and improving operational security.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.

    Contact Us Today

    Similar Posts