Guide on ISO 27001 Controls
ISO 27001 or ISO/IEC 27001:2013 is an international standard created to help organizations manage the security processes of
their information assets. This standard provides a solid framework for implementing an Information Security Management
System also known as an ISMS. This framework facilitates the Confidentiality, Integrity and Availability of all essential
corporate data through its secure and streamlined management processes.
ISO 27001 is one of the most recognized and internationally certified Information Security Standards. We have already
discussed everything you need to know about the ISO 27001 standard in our previous blog, which you can refer to for
more details. Today's article, however, takes a closer look at ISO 27001 Audit Controls. It explains in detail what the
ISO 27001 Audit Controls are and how they help strengthen the Cyber Security systems of your organization.
What are ISO 27001 Audit controls?
The ISO 27001 Audit Control Standards can be divided into two parts. The first part, which is the mandatory part, consists of 11
clauses, numbered 0 to 10. The second part, termed Annex A, provides a guideline for 114 control objectives and
controls. Clauses 0 to 3 cover the Introduction, Scope, Normative references and the Terms and Definitions of the ISO 27001
standard.
Clauses 4 to 10 provide ISO 27001 requirements that are mandatory for any organization that wishes to be compliant with the
Standard. Annex A is a part of the Standard which exists to support these clauses and their requirements with a list of controls
that are not mandatory, but are selected as part of the Risk Management process. The 114 ISO 27001 Annex A controls can be
divided into 14 categories which we will be covering below.
ISO 27001 Information Security Management Standard – Clauses 0 – 10
1. Clause 0.1: Introduction – The ISO 27001 Standard gives you the information required to set up an efficient Information
Security Management System. This system summarizes how the standard implementation protects your data from
unauthorized users, follows various domestic and international compliance standards and also gives confidence to
stakeholders and customers as a trusted company.
2. Clause 1: Scope – This Clause states that the requirements specified in the ISO 27001 standard are to be applied within the context of
your organization. Therefore, determining your organizational context is very important, so that you don’t over-engineer your
system and start trying to meet something you don’t need to achieve. The clause repeats that you need to use Risk
Management processes for your ISMS. It also shows how this standard applies to organizations of all sizes.
3. Clause 2: Normative references – This Clause exists to signify that ISO 27000 is indispensable to the application of ISO
27001. Therefore, you must read, understand and apply ISO 27000 requirements and use them while building your ISMS.
4. Clause 3: Terms and Definitions – This Clause is another important reason for you to first understand ISO 27000, as all the
terms and definitions given in that Standard also apply to ISO 27001.
5. Clause 4: Context of the organization – This Clause requires the organization to determine all internal and external issues
that may be relevant to its business purposes and to the achievement of the objectives of the ISMS itself.
6. Clause 5: Leadership – This Clause requires that top management responsibilities be defined, setting the roles and
responsibilities, and contents of the top-level Information Security Policy to facilitate the smooth setup of the ISMS.
7. Clause 6: Planning – Clause no. 6 seeks to cover the “preventive action” stated in the old ISO 27001:2005. It clearly defines
requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and how these integrate with
and facilitate setting up the ISMS.
8. Clause 7: Support – The next Clause states that resources required by the ISMS to achieve the stated objectives and show
continual improvement must be defined and made available by the organization to the team implementing the system. It
seeks to define the requirements for the availability of resources, competencies, awareness, communication, and control of
documents and records.
9. Clause 8: Operation – This Clause seeks to ensure that risks and opportunities are treated properly, security objectives are
achieved, and information security requirements are met. It defines the implementation of risk assessment as well as other
processes needed to achieve information security objectives.
10. Clause 9: Performance evaluation – This Clause deals with the constant monitoring, measurement, analysis and performance
evaluation of the ISMS. Therefore, this Clause seeks to define requirements for monitoring, measurement, analysis, evaluation,
internal audit, and management review of the organization, thus establishing clear measurement metrics.
11. Clause 10: Improvement – This clause defines the requirements for nonconformities, corrections, corrective actions, and
continual improvement.
What are the 14 domains of ISO 27001?
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:
1. Annex A.5. Information Security Policies:
Annex A.5 is about providing management with the right direction for information security policies. The objective in this Annex is to
manage direction and support for information security in accordance with the organization’s requirements and in line with the relevant
laws and regulations. The Annex includes two controls –
A.5.1.1 Policies for Information Security – Annex A.5.1.1 states that a set of policies for information security must be
defined, approved by management, published and communicated to employees and relevant external parties.
A.5.1.2 Review of the Policies for Information Security – Annex A.5.1.2 states that the policies for information security need
to be reviewed at planned intervals, or if significant changes occur, so that their continuing functionality remains stable,
adequate and effective.
2. Annex A.6. Organization of Information Security:
a. Annex A.6.1 is about the internal organization of information security. The objective of this Annex is to establish a
management framework that initiates and controls the implementation and operation of information security. It contains 7
controls.
b. Annex A.6.1.1 Information Security Roles & Responsibilities states that all information security responsibilities must be
defined and allocated. Information security responsibilities can be general (e.g. protecting information) and/or specific (e.g. the
responsibility for granting a particular permission).
3. Annex A.7. Human Resource Security:
a. Annex A.7.1 is about employment and is concerned directly with human resources. The objective here is to ensure that
employees understand their responsibilities and are properly trained and suited for their roles. This Annex also covers what
happens when people leave or change roles. The Annex is made up of 6 controls.
This covers background verification and competence checks on all candidates for employment. The contractual agreement
signed by employees and contractors must explicitly state the responsibilities the employee and the company will both
undertake for proper information security hygiene. The objective is to ensure that employees and contractors are aware of and
fulfil their information security responsibilities during employment.
4. Annex A.8. Asset management:
a. Annex A.8.1 is about responsibility for assets. The objective of this Annex is to identify and define information assets in scope
for the management system. Appropriate protection responsibilities must also be assigned to them. The Annex consists of 10
controls. All assets associated with information processing facilities must be identified and managed under this Annex. There
should be a compiled inventory of assets that shows how the assets are managed and controlled in detail.
5. Annex A.9. Access Control:
a. Annex A.9.1 is about the business requirements of access control. The objective of this Annex control is to limit access to
information and information processing facilities. This Annex is made up of 14 controls. Under this Annex an access control
policy must be established, documented and reviewed regularly while keeping the business requirements for the assets in
scope. Users should only get access to the network and network services they need to use or know about for their job. A
process must be implemented to assign or revoke access rights for all user types to all systems and services.
6. Annex A.10. Cryptography:
a. Annex A.10.1 is about Cryptographic controls. The objective here is to ensure proper and effective use of cryptography to
protect the confidentiality, authenticity and/or integrity of information. This Annex contains 2 controls. Under the requirements
of this Annex a policy should be established on the use and protection of Cryptographic Keys. This policy should be
implemented throughout the lifecycle of the keys. There should also be a process in place for the creation, distribution,
changes, backup and storage of cryptographic key material through to its end of life and destruction.
7. Annex A.11. Physical and environmental Security:
a. Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of this Annex is to prevent
unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
It consists of 15 internal controls. This Annex should contain a detailed description of the security perimeters and boundaries
for areas that contain either sensitive or critical information. This also includes areas with information processing facilities such
as computers, laptops etc. Secure areas need to be secured with appropriate entry controls to ensure only authorized
personnel are allowed access. This Annex also covers loss, damage, theft or compromise of assets and interruption to the
organization’s operations.
8. Annex A.12. Operations security:
a. Annex A.12.1 is about Operational Procedures and Responsibilities. The objective of this Annex is to ensure correct and
secure operations of information processing facilities. It is made up of 14 controls. Under this Annex operating procedures
must be documented and then made available to all users who need them. Operating procedures documented in such a manner
ensure consistent operation of systems even in the case of new staff or changing resources, and can often
be critical for disaster recovery, business continuity and for when staff availability is compromised. This Annex also covers
protection from malware. The objective is to ensure that information and information processing facilities are protected
against malware.
9. Annex A.13. Communications security:
a. Annex A.13.1 is about Network Security Management. The objective of this Annex is to ensure the protection of
information in networks and its supporting information processing facilities. This Annex is made up of 7 controls. Networks
must be managed and controlled to protect information within systems and applications. This means that the organization
should use methods that ensure that the information within its systems and applications is protected.
b. Annex A.13.2 is about information transfer. The objective of this Annex is to maintain the security of information transferred
within the organization and with any external entity e.g. a customer, supplier or other interested parties.
10. Annex A.14. System Acquisition, Development and Maintenance:
a. Annex A.14.1 is about security requirements of information systems. The objective is to ensure that healthy information
security practices remain an integral part of information systems across their entire lifecycle. This includes requirements for
information systems that provide services over public networks. This Annex consists of 13 controls. Information security-related
requirements must be included in any requirements for new information systems or enhancements to the existing information
systems.
b. Annex A.14.2 is about security in development and support processes. The objective of this Annex is to ensure that
information security is designed and implemented within the development lifecycle of information systems.
11. Annex A.15. Supplier Relationships:
a. Annex A.15.1 is about Information Security in supplier relationships. The objective is to protect the organization’s valuable
assets that are accessible to or affected by suppliers. Other key relationships such as business partners should also be covered
here. This Annex contains 5 controls.
b. Annex A.15.2 is about Supplier Service Delivery Management. The objective of this Annex is to ensure that an agreed
level of Information Security and service delivery is maintained in line with supplier agreements.
12. Annex A.16. Information Security Incident Management:
a. Annex A.16.1 is about management of Information Security Incidents, events and weaknesses. The objective is to ensure a
consistent and effective approach to the lifecycle of incidents, events and weaknesses. This Annex is made up of 7 controls.
These controls describe how management must establish responsibilities and procedures to ensure a quick, effective and
orderly response to weaknesses, events and security incidents.
13. Annex A.17. Information Security Aspects of Business Continuity Management:
a. Annex A.17.1 is about Information Security Continuity. The objective is to embed Information Security Continuity into the
organization’s Business Continuity Management Systems. This Annex contains 4 controls. The organization must determine its
unique requirements for Information Security and take into account the continuity of Information Security Management in
adverse situations, e.g. during a crisis or disaster.
14. Annex A.18. Compliance:
a. Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory,
regulatory or contractual obligations related to information security and of any security requirements. This Annex contains 8
controls.
b. Annex A.18.2 is about Information Security reviews. The objective is to ensure that Information Security is implemented and
operated in accordance with the organizational policies and procedures.
Using the 14 domains of ISO 27001
All of this might seem like too much information, which is where experienced cyber security firms such as VISTA InfoSec can
step in and help make the process easier. As we discussed earlier, organizations are not required to implement all 114 of ISO
27001’s controls.
It is simply a list of requirements to be met based on your organization’s risk assessment. The standard works
as a guide for you and your management team for establishing, implementing, maintaining and continually improving an
efficient Information Security Management System. With the necessary controls from the list above in place, you will
establish a seamless process that helps your organization identify and mitigate potential risks in time.
facebook.com/vistainfosec/ | in.linkedin.com/company/vistainfosec | twitter.com/VISTAINFOSEC
Do write to us with your feedback, comments and queries, or if you have any requirements:
info@vistainfosec.com
You can reach us on:
USA: +1-415-513 5261
INDIA: +91 73045 57744