This information has been shared freely by Mark E.S. Bernard. If you find it useful, please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program, please contact Mark @ 604-349-6557 or email@example.com
The CyberSecurity Framework based on ISO/IEC 27001:2013 has two sets of controls. The first, considered mandatory and outlined in Table “A”, provides the overarching management system. The second set of controls can be risk-justified in or out of scope for the CyberSecurity Program; these controls are shown in Table “B” below. Table “B” is based on the control objectives documented in Annex ‘A’. More detail describing these control points is available in supplementary standards such as ISO/IEC 27002:2013.
Below I have provided a high-level summary of each section in a table format known in Quality Management as the Conformity Matrix. This document is very similar to a gap assessment. During the implementation and adoption of ISO 27001 I identify business process owners and walk through each control with them to clarify accountability and the location of evidence, if any. This table helps to clarify governance and sets the stage for the next step, the risk assessment.
Table “A” Mandatory ISO 27001 Control Points
There are 148 control points. Failure to meet any single control point is considered a major nonconformity and grounds for decertification, and during adoption any organization missing any one of these control points will not be recommended for registration/certification.
Table “B” Discretionary ISO 27001 Annex “A” Control Objectives
Conformity with the following control objectives will need to be documented for scoping and integration purposes. These controls are not mandatory and can be risk-justified in or out of scope, but the selected control objectives must cover the information handling described in the scope statement and the business reasons for adopting ISO 27001.