ISO 27001
A GUIDE TO ANNEX A
ISO 27001:2013 is the international standard which outlines best practice for an Information Security Management System (ISMS).

If you are familiar with our previous implementation guide available here, then you will have already examined the clauses contained within the standard. You will also have learned that this standard follows a risk-based approach to the information security of an organization. This requires the identification of security risks and then the selection of appropriate controls to reduce, eliminate or manage those risks.

The Standard lists the controls available to meet those risk requirements in Annex A. In total there are 114 controls, subdivided into 14 categories. When considering these controls, it is important to note that they are simply possibilities or options. When conducting the risk process, each identified risk should have appropriate controls selected from the list in Annex A.

Not every control can be implemented. For example, if your organization has no remote working practice, then the control for establishing a teleworking policy is not appropriate to use. How the controls are selected is down to the needs of the organization, which will be drawn out from the risk assessment and risk treatment process.
CATEGORIES OF CONTROLS
As mentioned, the Annex contains 14 categories. They are listed as follows:

A.5 Information security policies:
Guidance on how policies are written and reviewed.

A.6 Organization of information security:
How to assign responsibilities for security tasks, including:
• Contact with third parties appropriate to the functionality of the ISMS
• Security considerations for projects
• Mobile and teleworking policy provision

A.7 Human resource security:
Security considerations for recruiting and maintaining a workforce, including security considerations on departure within contracts.

A.8 Asset management:
Securing information assets through inventory and ownership of assets. Includes labelling of information and media.

A.9 Access control:
Controlling access to information within an organization so that there is no unauthorised access to information. Further, only appropriate entities have administrative access, and only where it is necessary.

A.10 Cryptography:
The encryption of sensitive information and the management of encryption keys.

A.11 Physical and environmental security:
The security of premises, equipment and physical copy information.

A.12 Operations security:
Securing information processing facilities; includes technical security considerations such as malware protection, backup procedures, event logging etc.

A.13 Communications security:
Security of networks; includes the use of electronic messaging.

A.14 System acquisition, development and maintenance:
Security in development operations. Ensures that security is considered fully in the development process.

A.15 Supplier relationships:
Agreements to include in contracts with any external entity. All third parties should be subject to scrutiny before information is shared. These controls help to manage that process.

A.16 Information security incident management:
Guidance on how to identify, report and record information security incidents. Provides for the appropriately responsible person to learn from incidents.

A.17 Information security aspects of business continuity management:
Ensuring that your organization is well prepared to survive disruption and that its plans are viable.

A.18 Compliance:
Identify the laws and regulations which will shape your organization, and record any review of your management system or security from an external source.
FURTHER CONSIDERATIONS
Before the certification audit, an organization must have produced a Statement of Applicability (SoA) (please refer to the ISO 27001 guide for additional information – Clause 6). This SoA must contain at least 114 entries, listing each of the categories and controls within Annex A. The list must also include the justification for the inclusion or exclusion of each control as necessary. There must be evidence that consideration has been given to all controls within Annex A, even if this means that they are not included within your system.

Those controls which are selected will likely form part of the risk treatment evidence and should be recorded as such. This can be within a risk register or held as separate documentation. The methodology will vary between organizations, though demonstrating that the controls within Annex A are implemented is a consistent need.

The security provisions of the standard are not something that an organization's IT or security team must adhere to alone. The standard requires that all aspects of the organization be considered when examining risks and their treatment. The best placed individuals to remedy risk issues may not always be in the IT department; the exact composition and siting of risk treatment will vary from one organization to another.
www.nqa.com
FINALLY
Annex A controls are just some of the options available to an organization. Additional security controls not specifically outlined in Annex A can be used to treat an identified risk. So long as the clauses and controls within the Standard are addressed as appropriate, the ISMS will be functioning and provide good levels of information security.

More Related Content

What's hot

Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness trainingSAROJ BEHERA
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2Tanmay Shinde
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001technakama
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.pptHasnolAhmad2
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromMart Rovers
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overviewJulia Urbina-Pineda
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMSBusiness Beam
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNA Putra
 

What's hot (20)

Isms awareness training
Isms awareness trainingIsms awareness training
Isms awareness training
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
Isms
IsmsIsms
Isms
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
 

Similar to NQA ISO 27001 A Guide to Annex A

A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Fameworklneut03
 
Guide on ISO 27001 Controls
Guide on ISO 27001 ControlsGuide on ISO 27001 Controls
Guide on ISO 27001 ControlsVISTA InfoSec
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdfkarthikvcyber
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practiceparves kamal
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfalokkesh
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docxdurantheseldine
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxKinetic Potential
 
Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...
Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...
Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...Under Controls
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesLearningwithRayYT
 
Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1sharing notes123
 

Similar to NQA ISO 27001 A Guide to Annex A (20)

A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
 
Guide on ISO 27001 Controls
Guide on ISO 27001 ControlsGuide on ISO 27001 Controls
Guide on ISO 27001 Controls
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdf
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practice
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptx
 
HIPAA Security Risk Assessment
HIPAA Security Risk Assessment HIPAA Security Risk Assessment
HIPAA Security Risk Assessment
 
Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...
Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...
Stay Ahead of Data Security Risks_ How ISO 27001 Compliance Software Can Help...
 
800-37.pptx
800-37.pptx800-37.pptx
800-37.pptx
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework Types
 
Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1
 
Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1
 
SDET UNIT 5.pptx
SDET UNIT 5.pptxSDET UNIT 5.pptx
SDET UNIT 5.pptx
 

More from NA Putra

NQA ISO 50001:2018 Implementation Guide
NQA ISO 50001:2018 Implementation GuideNQA ISO 50001:2018 Implementation Guide
NQA ISO 50001:2018 Implementation GuideNA Putra
 
NQA Migration OHSAS to ISO 45001
NQA Migration OHSAS to ISO 45001NQA Migration OHSAS to ISO 45001
NQA Migration OHSAS to ISO 45001NA Putra
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNA Putra
 
NQA ISO 22000:2018 Implementation Guide
NQA ISO 22000:2018 Implementation GuideNQA ISO 22000:2018 Implementation Guide
NQA ISO 22000:2018 Implementation GuideNA Putra
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NA Putra
 
NQA ISO 27701:2019 - PIM
NQA ISO 27701:2019 - PIMNQA ISO 27701:2019 - PIM
NQA ISO 27701:2019 - PIMNA Putra
 
NQA ISO 22000:2018 Transition Gap Guide
NQA ISO 22000:2018 Transition Gap GuideNQA ISO 22000:2018 Transition Gap Guide
NQA ISO 22000:2018 Transition Gap GuideNA Putra
 
NQA ISO 50001:2018 energy management gap guide
NQA ISO 50001:2018 energy management gap guideNQA ISO 50001:2018 energy management gap guide
NQA ISO 50001:2018 energy management gap guideNA Putra
 
NQA - ISO 13485 Transition Checklist
NQA - ISO 13485 Transition ChecklistNQA - ISO 13485 Transition Checklist
NQA - ISO 13485 Transition ChecklistNA Putra
 
NQA - Aerospace transition strategy key changes final
NQA - Aerospace transition strategy key changes finalNQA - Aerospace transition strategy key changes final
NQA - Aerospace transition strategy key changes finalNA Putra
 
NQA - 10 Steps to IMS Guide
NQA - 10 Steps to IMS GuideNQA - 10 Steps to IMS Guide
NQA - 10 Steps to IMS GuideNA Putra
 
6 Tips for ISO
6 Tips for ISO6 Tips for ISO
6 Tips for ISONA Putra
 
NQA Brochure 2018
NQA Brochure 2018NQA Brochure 2018
NQA Brochure 2018NA Putra
 
NQA - Guide to transferring certification
NQA - Guide to transferring certificationNQA - Guide to transferring certification
NQA - Guide to transferring certificationNA Putra
 
NQA - Information security best practice guide
NQA - Information security best practice guideNQA - Information security best practice guide
NQA - Information security best practice guideNA Putra
 
NQA - ISO 13485 Gap Guide
NQA - ISO 13485 Gap GuideNQA - ISO 13485 Gap Guide
NQA - ISO 13485 Gap GuideNA Putra
 
NQA - ISO 45001 Implementation Guide
NQA - ISO 45001 Implementation GuideNQA - ISO 45001 Implementation Guide
NQA - ISO 45001 Implementation GuideNA Putra
 
NQA - ISO 14001 Implementation Guide
NQA - ISO 14001 Implementation GuideNQA - ISO 14001 Implementation Guide
NQA - ISO 14001 Implementation GuideNA Putra
 
NQA - ISO 9001 Implementation Guide
NQA - ISO 9001 Implementation GuideNQA - ISO 9001 Implementation Guide
NQA - ISO 9001 Implementation GuideNA Putra
 
NQA - Start Your Journey with NQA
NQA - Start Your Journey with NQANQA - Start Your Journey with NQA
NQA - Start Your Journey with NQANA Putra
 

More from NA Putra (20)

NQA ISO 50001:2018 Implementation Guide
NQA ISO 50001:2018 Implementation GuideNQA ISO 50001:2018 Implementation Guide
NQA ISO 50001:2018 Implementation Guide
 
NQA Migration OHSAS to ISO 45001
NQA Migration OHSAS to ISO 45001NQA Migration OHSAS to ISO 45001
NQA Migration OHSAS to ISO 45001
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
 
NQA ISO 22000:2018 Implementation Guide
NQA ISO 22000:2018 Implementation GuideNQA ISO 22000:2018 Implementation Guide
NQA ISO 22000:2018 Implementation Guide
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
 
NQA ISO 27701:2019 - PIM
NQA ISO 27701:2019 - PIMNQA ISO 27701:2019 - PIM
NQA ISO 27701:2019 - PIM
 
NQA ISO 22000:2018 Transition Gap Guide
NQA ISO 22000:2018 Transition Gap GuideNQA ISO 22000:2018 Transition Gap Guide
NQA ISO 22000:2018 Transition Gap Guide
 
NQA ISO 50001:2018 energy management gap guide
NQA ISO 50001:2018 energy management gap guideNQA ISO 50001:2018 energy management gap guide
NQA ISO 50001:2018 energy management gap guide
 
NQA - ISO 13485 Transition Checklist
NQA - ISO 13485 Transition ChecklistNQA - ISO 13485 Transition Checklist
NQA - ISO 13485 Transition Checklist
 
NQA - Aerospace transition strategy key changes final
NQA - Aerospace transition strategy key changes finalNQA - Aerospace transition strategy key changes final
NQA - Aerospace transition strategy key changes final
 
NQA - 10 Steps to IMS Guide
NQA - 10 Steps to IMS GuideNQA - 10 Steps to IMS Guide
NQA - 10 Steps to IMS Guide
 
6 Tips for ISO
6 Tips for ISO6 Tips for ISO
6 Tips for ISO
 
NQA Brochure 2018
NQA Brochure 2018NQA Brochure 2018
NQA Brochure 2018
 
NQA - Guide to transferring certification
NQA - Guide to transferring certificationNQA - Guide to transferring certification
NQA - Guide to transferring certification
 
NQA - Information security best practice guide
NQA - Information security best practice guideNQA - Information security best practice guide
NQA - Information security best practice guide
 
NQA - ISO 13485 Gap Guide
NQA - ISO 13485 Gap GuideNQA - ISO 13485 Gap Guide
NQA - ISO 13485 Gap Guide
 
NQA - ISO 45001 Implementation Guide
NQA - ISO 45001 Implementation GuideNQA - ISO 45001 Implementation Guide
NQA - ISO 45001 Implementation Guide
 
NQA - ISO 14001 Implementation Guide
NQA - ISO 14001 Implementation GuideNQA - ISO 14001 Implementation Guide
NQA - ISO 14001 Implementation Guide
 
NQA - ISO 9001 Implementation Guide
NQA - ISO 9001 Implementation GuideNQA - ISO 9001 Implementation Guide
NQA - ISO 9001 Implementation Guide
 
NQA - Start Your Journey with NQA
NQA - Start Your Journey with NQANQA - Start Your Journey with NQA
NQA - Start Your Journey with NQA
 

Recently uploaded

一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样Fi
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfe-Market Hub
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookVarun Mithran
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...mikehavy0
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样ayvbos
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书c6eb683559b3
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)Obat Cytotec
 
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec JeddahAbortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddahmarufhussain782445
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理SS
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理AS
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowIdeoholics
 

Recently uploaded (20)

一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
@OBAT ABORSI 3 BULAN@ OBAT PENGGUGUR KANDUNGAN 3 BULAN (087776558899)
 
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec JeddahAbortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
Abortion Pills In Jeddah+966572737505 & Get cytotec Jeddah
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download NowHUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
HUMANIZE YOUR BRAND - FREE E-WORKBOOK Download Now
 

NQA ISO 27001 A Guide to Annex A

  • 1. ISO 27001 A GUIDE TO ANNEX A 50,000 GLOBALLY CERTIFICATES 90TRANSPARENT The Standard has the controls required to meet those risk requirements at Annex A. In total there are 114 controls sub-divided in to 14 different categories. When considering these controls, it is important to note that they are simply possibilities or options. When conducting the risk process; the risk identified should have appropriate controls which have been selected from the list in Annex A. Not every control can be implemented. For example; if your organization does not have remote working practice then the control for establishing a teleworking policy is not appropriate to use. How the controls are selected are down to the needs of the organization which will be drawn out from the risk assessment and risk treatment process. ISO 27001:2013 is the international standard which outlines best practice for an Information Security Management System (ISMS). If you are familiar with our previous implementation guide available here, then you will have already examined the clauses contained within the standard. You would have also learned that this standard follows a risk-based approach when considering the information security of an organization. This requires the identification of security risks and then the selection of appropriate controls to reduce, eliminate or manage those risks.
CATEGORIES OF CONTROLS
As mentioned, the Annex contains 14 categories. They are listed as follows:

A.5 Information security policies:
Guidance on how policies are written and reviewed.

A.6 Organization of information security:
How to assign responsibilities for security tasks including:
• Contact with third parties appropriate to the functionality of the ISMS
• Security considerations for projects
• Mobile and teleworking policy provision

A.7 Human resource security:
Security considerations for recruiting and maintaining a workforce, including security considerations on departure within contracts.

A.8 Asset management:
Securing information assets through inventory and ownership of assets. Includes labelling of information and media.

A.9 Access control:
Controlling access to information within an organization so that there is no unauthorised access to information. Further, only appropriate entities have administrative access, and only where it is necessary.

A.10 Cryptography:
The encryption of sensitive information and the management of encryption keys.

A.11 Physical and environmental security:
The security of premises, equipment and physical-copy information.

A.12 Operations security:
Securing information processing facilities; includes technical security considerations such as malware protection, backup procedures, event capture, etc.

A.13 Communications security:
Security of networks; includes the use of electronic messaging.

A.14 System acquisition, development and maintenance:
Security in development operations. Ensures that security is considered fully in the development process.

A.15 Supplier relationships:
Agreements to include in contracts with any external entity. All third parties should be subject to scrutiny before information is shared. These controls help to manage that process.

A.16 Information security incident management:
Guidance on how to identify, report and record information security incidents. Provides for the appropriately responsible person to learn from incidents.

A.17 Information security aspects of business continuity management:
Ensuring that your organization is well prepared to survive disruption and that its plans are viable.

A.18 Compliance:
Identifying the laws and regulations which will shape your organization, and recording any review of your management system or security from an external source.

FURTHER CONSIDERATIONS
Before the certification audit, an organization must have produced a Statement of Applicability (please refer to the ISO 27001 guide for additional information – Clause 6). This SoA must contain at least 114 entries, with each of the categories and controls within it listed. This list must also include justification for inclusion and exclusion as necessary. There must be evidence that consideration has been given to all controls within Annex A, even if this means that they are not included within your system.

Those controls which are selected will likely form part of the risk treatment evidence and should be recorded as such. This can be within a risk register or held as separate documentation. The methodology will vary between different organizations, though demonstrating that the controls within Annex A are implemented is a consistent need.

The security provisions of the standard are not something that an organization's IT or security team must adhere to alone. The standard requires that all aspects of the organization be considered when examining the risks and the treatment of risk. The best-placed individuals to remedy any risk issues may not always be in the IT department; the exact composition and siting of risk treatment will vary from one organization to another.

FINALLY
Annex A controls are just some of the options available to an organization. Additional security controls not specifically outlined in Annex A can be used to provide treatment for an identified risk. So long as the clauses and controls within the Standard are addressed as appropriate, the ISMS will be functioning and provide good levels of information security.

www.nqa.com