ISO/IEC 27001:2013 Controls List: the 14 control sets of Annex A

Annex A.5 – Information security policies (2 controls)

This annex requires management to define, approve, publish and communicate a set of information security policies, and to review them at planned intervals or when significant changes occur, so that they stay aligned with business requirements and the organisation’s overall direction for information security.

Annex A.6 – Organisation of information security (7 controls)

This annex covers how information security is organised internally (who is responsible for what, how duties are segregated, and how the organisation deals with authorities, special-interest groups and security in project management) and how mobile devices and teleworking are governed.

  • Annex A.6.1 – Internal organisation: establishes a management framework for initiating, controlling and maintaining information security within the organisation, including roles and responsibilities, segregation of duties, contact with authorities and special-interest groups, and information security in project management.
  • Annex A.6.2 – Mobile devices and teleworking: sets the policy and supporting measures for mobile devices and for anyone working outside the office.

Annex A.7 – Human resource security (6 controls)

This annex covers the security responsibilities of employees and contractors before, during and at the end of employment.

  • Annex A.7.1 – Prior to employment: screening of candidates and the security terms and conditions written into employment contracts.
  • Annex A.7.2 – During employment: management responsibilities, information security awareness, education and training, and the disciplinary process.
  • Annex A.7.3 – Termination and change of employment: the responsibilities that remain in force when individuals leave the organisation or change role.

Annex A.8 – Asset management (10 controls)

This annex concerns how information assets are identified and protected.

  • Annex A.8.1 – Responsibility for assets: maintains an inventory of information assets within the scope of the ISMS, assigns an owner to each, defines rules for their acceptable use, and requires their return at the end of employment or contract.
  • Annex A.8.2 – Information classification: classifies, labels and handles information according to its value, legal requirements, sensitivity and criticality, so that each class receives an appropriate level of protection.
  • Annex A.8.3 – Media handling: manages removable media, disposes of media securely and protects physical media in transit, to prevent unauthorised disclosure, modification, removal or destruction of information.

Annex A.9 – Access control (14 controls)

This annex limits access to information and information processing facilities to what users are authorised to have, in line with business requirements and the need-to-know principle. It addresses the business requirements of access control, user access management (registration and de-registration, provisioning, privileged access, secret authentication information, periodic review and removal of access rights), user responsibilities for their authentication information, and system and application access control.

Annex A.10 – Cryptography (2 controls)

This annex consists of a policy on the use of cryptographic controls and the management of cryptographic keys through their whole lifecycle, to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information.

Annex A.11 – Physical and environmental security (15 controls)

This annex covers secure areas and the protection of equipment.

  • Annex A.11.1 – Secure areas: prevents unauthorised physical access, damage and interference to the organisation’s information and information processing facilities, through physical security perimeters, entry controls, protection against environmental threats, rules for working in secure areas, and controlled delivery and loading areas.
  • Annex A.11.2 – Equipment: prevents loss, damage, theft or compromise of assets and interruption to operations, covering equipment siting and protection, supporting utilities, cabling security, maintenance, removal and off-site use of assets, secure disposal or re-use, unattended equipment, and clear desk and clear screen rules.

Annex A.12 – Operations security (14 controls)

This annex ensures the correct and secure operation of information processing facilities. It covers operational procedures and responsibilities (documented procedures, change management, capacity management, and separation of development, test and production environments), protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management, and information systems audit considerations.

Annex A.13 – Communications security (7 controls)

This annex concerns the protection of information in networks.

  • Annex A.13.1 – Network security management: protects information in networks and their supporting information processing facilities through network controls, security of network services and segregation in networks.
  • Annex A.13.2 – Information transfer: maintains the security of information transferred within the organisation and with external parties, through transfer policies and procedures, transfer agreements, rules for electronic messaging, and confidentiality or non-disclosure agreements.

Annex A.14 – System acquisition, development and maintenance (13 controls)

This annex ensures that information security is an integral part of information systems across the entire lifecycle. It covers security requirements for information systems (including services provided over public networks and the protection of application service transactions), security in development and support processes (secure development policy, change control, secure engineering principles, secure development environments, outsourced development, and security and acceptance testing), and the protection of test data.

Annex A.15 – Supplier relationships (5 controls)

This annex concerns the protection of the organisation’s assets that are accessible to suppliers, and the contractual agreements and ongoing monitoring that support it.

  • Annex A.15.1 – Information security in supplier relationships: protects assets that are accessible to, or affected by, suppliers, through a supplier security policy, security requirements in supplier agreements, and attention to the ICT supply chain.
  • Annex A.15.2 – Supplier service delivery management: ensures that both parties maintain the agreed level of information security and service delivery by monitoring and reviewing supplier services and managing changes to them.

Annex A.16 – Information security incident management (7 controls)

This annex covers the management and reporting of information security events, weaknesses and incidents, to ensure a consistent and effective approach across the incident lifecycle: assigning responsibilities and procedures, reporting, assessment and decision, response, learning from incidents, and collection of evidence.

Annex A.17 – Information security aspects of business continuity management (4 controls)

This annex ensures that information security continuity is embedded in the organisation’s business continuity management, so that security requirements continue to be met during adverse situations.

  • Annex A.17.1 – Information security continuity: plans, implements and regularly verifies the continuity of information security.
  • Annex A.17.2 – Redundancies: ensures the availability of information processing facilities through sufficient redundancy.

Annex A.18 – Compliance (8 controls)

This annex covers compliance with legal and contractual requirements (identifying applicable legislation and contractual obligations, intellectual property rights, protection of records, privacy and protection of personally identifiable information, and regulation of cryptographic controls) and information security reviews (independent review of information security, compliance with security policies and standards, and technical compliance review), reducing the risk of non-compliance and the penalties that come with it.

ISO/IEC 27001 Controls List: Annex A implementation documentation:

  • Acceptable Use of Assets Policy
  • Access Control Policy
  • Backup Policy
  • Bring Your Own Device Policy
  • Change Management Policy
  • Clear Desk and Clear Screen Policy
  • Configuration Management Policy
  • Cryptographic Controls Policy
  • Disaster Recovery and Business Continuity Policy
  • Information Classification Policy
  • Password Policy
  • Removable Media Policy
  • Retention, Destruction, Deletion and Decommissioning Policy
  • Secure Development Policy
  • Supplier Security Policy
  • Teleworking Policy
