The document summarizes the structure and controls outlined in ISO 27001:2013. It lists the 14 control categories (A.5 to A.18) of Annex A, which together hold 114 controls, with a brief description of what each category covers. These categories span information security policies, organization of information security, human resources, asset management, access control, cryptography, physical and environmental security, operations, communications, system acquisition and development, supplier relationships, incident management, business continuity, and compliance. The document notes that while ISO 27001 is often seen as computer-centric, it actually involves many other aspects of the organization. The Annex A controls are an essential part of an ISO 27001 implementation, and an organization determines which controls apply on the basis of its risk assessment.
Controls (Annex A)
• A.5: Information security policies – Controls on how policies are written, approved, published and reviewed
• A.6: Organization of information security – Controls on how responsibilities are assigned (roles, segregation of duties, contact with authorities, security in project management); also covers mobile devices and teleworking
• A.7: Human resource security – Controls prior to employment (screening, terms of employment), during employment (awareness and training, disciplinary process) and on termination or change of employment
• A.8: Asset management – Asset inventory, ownership, acceptable use and return of assets; information classification and labelling; media handling (removable media, disposal, transfer)
• A.9: Access control – Access control policy, user access management (provisioning, privileged access, review and removal of rights), user responsibilities, and system and application access control (secure log-on, password management, privileged utilities, source code)
• A.10: Cryptography – Policy on the use of cryptographic controls and key management
• A.11: Physical and environmental security – Controls defining secure areas, physical entry controls, protection against external and environmental threats, security of equipment (siting, cabling, maintenance, removal of assets, secure disposal or re-use), clear desk and clear screen policy, etc.
• A.12: Operations security – Operating procedures and responsibilities (change management, capacity management, separation of development, test and production), malware protection, backup, logging and monitoring, control of operational software, technical vulnerability management, audit considerations, etc.
• A.13: Communications security – Network security management (network controls, network services, segregation) and information transfer (transfer policies and agreements, electronic messaging, confidentiality agreements)
• A.14: System acquisition, development and maintenance – Controls defining security requirements (including for services on public networks) and security in the development and support processes (secure development policy, change control, security testing, test data)
• A.15: Supplier relationships – Controls on what to include in supplier agreements and how to monitor and review supplier service delivery
• A.16: Information security incident management – Controls to report events and weaknesses, define responsibilities and procedures, assess events, respond to and learn from incidents, and collect evidence
• A.17: Information security aspects of business continuity management – Controls on planning, implementing, verifying and reviewing information security continuity, plus redundancy of information processing facilities
• A.18: Compliance – Controls requiring the identification of applicable legislation and contractual requirements, protection of intellectual property rights and records, privacy and protection of personally identifiable information, and regulation of cryptographic controls; also independent review of information security and checks of compliance with policies and technical standards
One of the biggest myths about ISO 27001 implementation is that it is computer-centric. On the contrary, it involves the various organizational, physical and legal aspects listed above in Annex A.
The controls in Annex A are an essential part of an ISO 27001 implementation. Based on its risk assessment, an organization decides which controls are applicable and records the decision, with the rationale for including or excluding each control, in its Statement of Applicability.