Annex A controls: Understanding the ISO 27001 Part 8

Annex A of ISO 27001 lists 93 controls grouped into 4 themes:

1. Organizational controls

2. People controls

3. Physical controls

4. Technological controls

In ISO 27001:2013, Annex A contained 114 controls in 14 domains; ISO 27001:2022 has 93 controls in 4 domains.

Organizational controls (37 controls)

Organizational controls concentrate on the policies, procedures, roles, responsibilities, and other organizational-level measures necessary for maintaining a strong information security posture. They include:

  • Information security policy and other core policies
  • Contact with special interest groups and authorities
  • Identity and access control
  • Legal and compliance
  • Threat intelligence and monitoring
  • Defined responsibilities for top management and the people responsible for managing the ISMS
  • Asset management: classifying, transferring, and labeling information

People controls (8 controls)

Information security revolves around people, processes, and technology. People, especially employees, are the weakest link, and they play a crucial part in the information security equation.

These controls include:

  • Pre-employment screening
  • Staff awareness and training
  • Non-disclosure agreements (NDA)
  • Remote working
  • Reporting security events
  • Contracts

Physical Controls (14 controls)

Physical controls focus on the physical environment of the ISMS. The physical environment is as important as the technological or digital environment for ensuring information security. These controls relate to the following:

  • Security perimeters
  • Working in secure areas
  • Supporting utilities
  • Secure cabling
  • Equipment maintenance

Technological controls (34 controls)

Technological controls are controls implemented through technology to protect the security of information. This section includes:

  • Malware protection
  • Backups
  • Secure coding
  • Test and production environment segregation
  • Segregation of duties
  • Network security
  • Development practices, among others

The 2022 revision introduced eleven new Annex A controls, which are:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for the use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

Why is Annex A important?

  1. Annex A affords organizations a straightforward guide through which they can craft a well-structured information security plan that suits their environment and particular needs.
  2. Annex A also serves as a time- and resource-saving tool for first-time certification and surveillance audits, and can serve as the basis for strategic planning. It lays out a formal approach to information security.

Thanks for reading so far.

Chris Etwaroo MBA, FICB, CIA, CFA, CISP, CSTE, PPM

IT Auditor-Consultant at CP CAN. Consulting

7 months

Excellent, thanks for sharing, Adewale

Dr Iretioluwa Akerele

PhD|| UN Women UK Participant for CSW68|| Multi-Award winning Cybersecurity Professional || Teacher|| Keynote Speaker|| Cybersecurity Career Coach and Mentor|| Cyblack||

7 months

Well done
