Join 4,000+ companies who are driving their security and compliance objectives with DataGuard
ISO 27001 is a framework of best practices implemented through an information security management system (ISMS). ISO 27001 certification can help businesses improve their information security processes, mitigate risks, and build trust among customers and stakeholders.
With the help of this standard, companies protect their information assets and implement effective measures to keep their data safe against a variety of risks: technological, organizational, physical, and people.
To use the standard successfully, companies and managers must identify their own risks and know the proper measures to take. We have put together a handy overview of all 93 controls and 4 categories of measures to help you get started.
Learn more about the most important ways to protect your information.
ISO 27001 is a universal framework for managing information security. The certification is considered an international standard and guides your business’s information security management system (ISMS). It provides guidance for establishing, implementing, maintaining, and continuously improving a company’s ISMS, which helps organizations protect their information assets.
In 2022, the standard was revised for the third time. The current version of the standard is ISO 27001:2022.
A simple approach to think of Annex A is as a portfolio of information security controls that you can choose from. From 93 measures specified in Annex A, you can select the ones that are relevant to your organization’s scope.
ISO 27001 Annex A is arguably the most well-known annexes of all the ISO standards because it contains the essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen your information assets' security.
ISO 27001 is the framework that gives companies a basic understanding of the controls and clauses in Annex A. While it does not go into great depth regarding each control, it does provide an idea of what you need to accomplish. Each control has a one-line explanation of its objective.
The ISO 27000 family of standards includes more detailed explanations that focus more closely on the respective controls. ISO 27002, as an example, includes additional information about the specific controls organizations can implement to establish a compliant ISMS.
Learn more about the differences between ISO 27001 and ISO 27002 in this blog article.
There are 93 ISO 27001 Annex A controls that cover multiple areas of operations. These controls are organized into four different categories (domains).
Each category can be attributed to a particular focus area within your organization. Contrary to popular belief, they are not all IT-related.
Grouping the controls into four themes helps decide who is responsible for implementing the measures and which measures even apply to your organization in the first place.
For example, technical controls can be carried out by the IT department, while organizational controls can be carried out by your System Operations team.
As an overview, here is a list of the four different categories of controls:
Organizational controls typically cover everything that does not fall under the topics of people, technology, or physical security. This includes things like identity management, responsibilities, and evidence collection.
New organizational controls from ISO 27001:2022 include:
The People controls section has only eight controls. It focuses on how employees handle sensitive information during their daily work.
This includes topics like remote work, nondisclosure agreements, and screenings. Onboarding and offboarding processes, as well as responsibilities for reporting incidents, are also relevant.
Physical controls include security monitoring, maintenance, facility security, and storage media.
This category is about how you protect against physical and environmental threats such as theft, natural disasters, and deliberate destruction.
The new physical controls include: 7.4: Physical security monitoring.
Technological controls cover the areas of authentication, encryption, and data leakage prevention. Various approaches, such as access rights, network security, and data masking, help to achieve stronger data protection.
New technological controls in ISO 27001:2022 include:
In this area, one innovation is particularly important, which is data leakage prevention. However, web filtering is also noteworthy: this control describes how organizations should filter online traffic to prevent users from visiting potentially harmful websites.
|
Organizational controls |
Annex A 5.1 |
Policies for Information Security |
|
Organizational controls |
Annex A 5.2 |
Information Security Roles and Responsibilities |
|
Organizational controls |
Annex A 5.3 |
Segregation of Duties |
|
Organizational controls |
Annex A 5.4 |
Management Responsibilities |
|
Organizational controls |
Annex A 5.5 |
Contact with Authorities |
|
Organizational controls |
Annex A 5.6 |
Contact with Special Interest Groups |
|
Organizational controls |
Annex A 5.7 |
Threat Intelligence |
|
Organizational controls |
Annex A 5.8 |
Information Security in Project Management |
|
Organizational controls |
Annex A 5.9 |
Inventory of Information and Other Associated Assets |
|
Organizational controls |
Annex A 5.10 |
Acceptable Use of Information and Other Associated Assets |
|
Organizational controls |
Annex A 5.11 |
Return of Assets |
|
Organizational controls |
Annex A 5.12 |
Classification of Information |
|
Organizational controls |
Annex A 5.13 |
Labelling of Information |
|
Organizational controls |
Annex A 5.14 |
Information Transfer |
|
Organizational controls |
Annex A 5.15 |
Access Control |
|
Organizational controls |
Annex A 5.16 |
Identity Management |
|
Organizational controls |
Annex A 5.17 |
Authentication Information |
|
Organizational controls |
Annex A 5.18 |
Access Rights |
|
Organizational controls |
Annex A 5.19 |
Information Security in Supplier Relationships |
|
Organizational controls |
Annex A 5.20 |
Addressing Information Security within Supplier Agreements |
|
Organizational controls |
Annex A 5.21 |
Managing Information Security in the ICT Supply Chain |
|
Organizational controls |
Annex A 5.22 |
Monitoring, Review, and Change Management of Supplier Services |
|
Organizational controls |
Annex A 5.23 |
Information Security for Use of Cloud Services |
|
Organizational controls |
Annex A 5.24 |
Information Security Incident Management Planning and Preparation |
|
Organizational controls |
Annex A 5.25 |
Assessment and Decision on Information Security Events |
|
Organizational controls |
Annex A 5.26 |
Response to Information Security Incidents |
|
Organizational controls |
Annex A 5.27 |
Learning From Information Security Incidents |
|
Organizational controls |
Annex A 5.28 |
Collection of Evidence |
|
Organizational controls |
Annex A 5.29 |
Information Security During Disruption |
|
Organizational controls |
Annex A 5.30 |
ICT Readiness for Business Continuity |
|
Organizational controls |
Annex A 5.31 |
Legal, Statutory, Regulatory, and Contractual Requirements |
|
Organizational controls |
Annex A 5.32 |
Intellectual Property Rights |
|
Organizational controls |
Annex A 5.33 |
Protection of Records |
|
Organizational controls |
Annex A 5.34 |
Privacy and Protection of PII |
|
Organisational controls |
Annex A 5.35 |
Independent Review of Information Security |
|
Organizational controls |
Annex A 5.36 |
Compliance With Policies, Rules and Standards for Information Security |
|
Organizational controls |
Annex A 5.37 |
Documented Operating Procedures Standards for Information Security |
|
People controls |
Annex A 6.1 |
Screening |
|
People controls |
Annex A 6.2 |
Terms and Conditions of Employment |
|
People controls |
Annex A 6.3 |
Information Security Awareness, Education and Training |
|
People controls |
Annex A 6.4 |
Disciplinary Process |
|
People controls |
Annex A 6.5 |
Responsibilities After Termination or Change of Employment |
|
People controls |
Annex A 6.6 |
Confidentiality or Non-Disclosure Agreements |
|
People controls |
Annex A 6.7 |
Remote Working |
|
People controls |
Annex A 6.8 |
Information Security Event Reporting |
|
Physical controls |
Annex A 7.1 |
Physical Security Perimeters |
|
Physical controls |
Annex A 7.2 |
Physical Entry |
|
Physical controls |
Annex A 7.3 |
Securing Offices, Rooms, and Facilities |
|
Physical controls |
Annex A 7.4 |
Physical Security Monitoring |
|
Physical controls |
Annex A 7.5 |
Protecting Against Physical and Environmental Threats |
|
Physical controls |
Annex A 7.6 |
Working In Secure Areas |
|
Physical controls |
Annex A 7.7 |
Clear Desk and Clear Screen |
|
Physical controls |
Annex A 7.8 |
Equipment Siting and Protection |
|
Physical controls |
Annex A 7.9 |
Security of Assets Off-Premises |
|
Physical controls |
Annex A 7.10 |
Storage Media |
|
Physical controls |
Annex A 7.11 |
Supporting Utilities |
|
Physical controls |
Annex A 7.12 |
Cabling Security |
|
Physical controls |
Annex A 7.13 |
Equipment Maintenance |
|
Physical controls |
Annex A 7.14 |
Secure Disposal or Re-Use of Equipment |
|
Technological controls |
Annex A 8.1 |
User Endpoint Devices |
|
Technological controls |
Annex A 8.2 |
Privileged Access Rights |
|
Technological controls |
Annex A 8.3 |
Information Access Restriction |
|
Technological controls |
Annex A 8.4 |
Access to Source Code |
|
Technological controls |
Annex A 8.5 |
Secure Authentication |
|
Technological controls |
Annex A 8.6 |
Capacity Management |
|
Technological controls |
Annex A 8.7 |
Protection Against Malware |
|
Technological controls |
Annex A 8.8 |
Management of Technical Vulnerabilities |
|
Technological controls |
Annex A 8.9 |
Configuration Management |
|
Technological controls |
Annex A 8.10 |
Information Deletion |
|
Technological controls |
Annex A 8.11 |
Data Masking |
|
Technological controls |
Annex A 8.12 |
Data Leakage Prevention |
|
Technological controls |
Annex A 8.13 |
Information Backup |
|
Technological controls |
Annex A 8.14 |
Redundancy of Information Processing Facilities |
|
Technological controls |
Annex A 8.15 |
Logging |
|
Technological controls |
Annex A 8.16 |
Monitoring Activities |
|
Technological controls |
Annex A 8.17 |
Clock Synchronization |
|
Technological controls |
Annex A 8.18 |
Use of Privileged Utility Programs |
|
Technological controls |
Annex A 8.19 |
Installation of Software on Operational Systems |
|
Technological controls |
Annex A 8.20 |
Networks Security |
|
Technological controls |
Annex A 8.21 |
Security of Network Services |
|
Technological controls |
Annex A 8.22 |
Segregation of Networks |
|
Technological controls |
Annex A 8.23 |
Web filtering |
|
Technological controls |
Annex A 8.24 |
Use of Cryptography |
|
Technological controls |
Annex A 8.25 |
Secure Development Life Cycle |
|
Technological controls |
Annex A 8.26 |
Application Security Requirements |
|
Technological controls |
Annex A 8.27 |
Secure System Architecture and Engineering Principles |
|
Technological controls |
Annex A 8.28 |
Secure Coding |
|
Technological controls |
Annex A 8.29 |
Security Testing in Development and Acceptance |
|
Technological controls |
Annex A 8.30 |
Outsourced Development |
|
Technological controls |
Annex A 8.31 |
Separation of Development, Test and Production Environments |
|
Technological controls |
Annex A 8.32 |
Change Management |
|
Technological controls |
Annex A 8.33 |
Test Information |
|
Technological controls |
Annex A 8.34 |
Protection of Information Systems During Audit Testing |
Since 2022, eleven new controls have been added to ISO 27001, which are assigned to different categories. These are:
A.5.7 Threat intelligence: Collect and analyze data on potential threats to maintain information security.
A.5.23 Information security for the use of cloud services: Define and monitor information security for the use of cloud services.
A.5.30 ICT readiness for business continuity: Create an ICT (information and communications technology) continuity plan to maintain business resilience.
A.7.4 Physical security monitoring: Implement appropriate monitoring tools to detect and prevent external and internal intrusions.
A.8.9 Configuration management: Establish policies for documenting, implementing, monitoring, and auditing configurations across their network.
A.8.10 Information deletion: Manage data deletion to comply with laws and regulations.
A.8.11 Data masking: Use data-masking techniques for personally identifiable information (PII) to comply with laws and regulations.
A.8.12 Data leakage prevention: Take technical measures to identify and prevent the disclosure and/or extraction of information.
A.8.16 Monitoring activities: Improve network monitoring activities to detect anomalous behavior and respond to security events and incidents.
A.8.23 Web filtering: Enforce access controls and measures to restrict and control access to external websites.
A.8.28 Secure coding: Implement proven principles of secure coding to prevent vulnerabilities that could be caused by inadequate coding methods.
Organizations are not required to implement all 93 controls but are expected to identify and apply the ones most suited tof their needs.
The process of selecting applicable controls begins with a risk assessment and subsequent treatment. After risk treatment, you must measure how successful the controls were in strengthening your information security.
Information security is all about putting in place a set of strong rules that will mature over time. As a result, implementing the controls outlined in Annex A is and must always be the responsibility of a number of people.
The process of gathering all required documentation and becoming ISO 27001 compliant can be challenging, which is why you and your organization may benefit from the expertise of an ISO 27001 consultant.
Identifying and addressing security risks is beneficial to any organization. The ISO 27001 controls help to clearly categorize potential risks. But what are the tangible benefits of mitigating risks?
ISO 27001 compliance demonstrates to stakeholders (such as customers and shareholders) that an organization has prioritized the implementation of information security best practices. This can lead to the following benefits:
In short, an ISO 27001 certification makes it easier to satisfy regulatory obligations, demonstrates your reliability to partners, and shows your dedication to maintaining the highest standards of information security.
Even if you're not looking for official certification, there is always the option to voluntarily comply with ISO 27001 requirements. Here are some best practices you can implement:
Gain practical insights from our work with FRÄNKISCHE, where we guided them through their internal audit, paving the way for successful third-party certification.
External Content: YouTube Video
In order to be able to play the desired video, you agree that a connection to the servers of YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA is established. This transmits personal data (device and browser information (in particular the IP address and operating system) to the operator of the portal for usage analysis.
You can find more information about the handling of your personal data in our privacy policy.
An ISO 27001 certification makes it easier to comply with broader legal requirements, demonstrates your organization's reliability to business partners, and shows your commitment to meeting the highest information security standards.
Check out our ISO 27001 checklist to find out what measures you need to implement to achieve ISO 27001.
Need help with information security or in preparing for a certification audit? Contact our experts today.
This ISO 27001 framework safeguards the confidentiality, integrity, and availability of the sensitive consumer information you collect. Compliance with ISO 27001 helps you prevent unauthorized access, breaches, and regulatory fines.
Achieving ISO 27001 certification not only ensures robust information security but also aligns with many of the requirements of NIS2, the new EU Directive, emphasizing its importance in the current digital landscape.
While ISO 27001 includes Annex A and briefly discusses separate controls, ISO 27002 goes into more detail. It covers the objective for each control, explains how it works, and elaborates on how companies are expected to achieve compliance successfully.
The ISO 27001 framework includes Annex A, which is the list of controls and measurements that can be taken to establish a strong information security framework depending on the company’s context.
The full version of ISO 27001:2022 contains 93 controls, which are assigned to four categories: organizational, people, physical, and technological. This allows responsibilities and areas to be divided according to company division.
To strengthen your company's information security, it is helpful to have an overview of the individual controls. We have provided you with a list of all 93 controls and their respective areas in the Annex A.
_EasiestSetup_EaseOfSetup.svg?width=100&height=100&name=ConsentManagementPlatform%28CMP%29_EasiestSetup_EaseOfSetup.svg)
TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide Software-as-a-Service and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.