ISO 27001 Controls

What are the 114 controls of ISO 27001?

Keeping information safe

ISO 2700 1 is the internationally recognised Standard for information security. The ISO 27001 framework offers your business an effective Information Security Management System (ISMS), with key processes to help protect your organisation from cyber threats and remain compliant with stringent legislation. 

With ISO 27001 Accreditation, you’ll be able to implement organisational and technical risk controls to help maintain robust security management. But, it’s not just about IT! It helps secure data security across all areas of your business – whether it’s online or offline. The Standard is suitable for businesses of all sizes, from startups to larger organisations.

What are the changes to ISO 27001?

In October 2022, the ISO 27001 Standard was updated with several changes to the structure. ISO 27001:2022 is the latest version of the Standard, which replaced the previous version – ISO 27001:2013. 

In the previous version, Annex A was divided into 14 categories, which correspond with the guidance of ISO 27002. The ISO 27001 controls were made up of 14 clauses, containing 114 different controls. There are now 93 controls, grouped into four themes: 

  • People (8 controls – ISO 27001 6.1-6.8)
  • Organisational (37 controls – ISO 27001 5.1-5.37)
  • Technological (34 controls – ISO 27001 8.1-8.34)
  • Physical (14 controls – ISO 27001 7.1-7.13) 

The changes reflect a modernised approach to managing and dealing with information security risks. For a little more background information about the new controls, check out the section below!

Glasses, phone, pencil case, notepad and laptop on desk

ISO 27001 - People Controls

The eight controls contained within the people theme help your business regulate human activity regarding all of your information security. These controls outline how working personnel interact with data and each other. Areas covered in this theme include: 

  • HR management
  • Personnel security
  • Staff awareness
  • Training procedures

ISO 27001 - Organisational Controls

The organisational theme has the most controls of the new ISO 27001 structure, with 37 in total. For your business to function and meet the ISO 27001 Standard effectively, you must be able to demonstrate organisational controls that meet the legal regulations and measures regarding data protection. Controls in this theme include: 

  • Policies
  • Rules
  • Processes
  • Procedures
  • Organisational structures

ISO 27001 - Technological Controls

The technological controls have been designed so that your organisation can adopt a set of digital regulations that help preserve a compliant IT infrastructure. This means safeguarding your business with valuable secure technology at the heart of your business, such as protection from data leaks, encryption and authentication. 

The new technological controls include: 

  • Data masking 
  • Configuration management 
  • Information deletion 
  • Data leakage prevention 
  • Monitoring activities 
  • Web filtering 
  • Secure coding

ISO 27001 - Physical Controls

In order to protect confidential information, physical safeguards are measures employed to ensure the security of tangible assets including: 

  • Guest access protocols
  • Asset disposal processes
  • Storage medium measures
  • Clear desk policies
  • Entry and exit systems

What are the 11 new controls in ISO 27001?

The ISO 27001 controls have been merged, meaning the structure of the controls has been changed slightly as part of the new ISO 27001:2022. Let’s explore what these changes mean in a little more detail…

  • 5.7 Threat Intelligence – Collect and analyse any information relating to information security threats to produce intelligence in response to this. 
  • 5.23 Information security for use of cloud services – Offers protection over the use of cloud services by a business, ensuring no risks are posed to the confidentiality, integrity and availability of information. 
  • 5.30 ICT readiness for business continuity – This control ensures that an organisation’s IT systems are not compromised in the event of disruption or a crisis. 
  • 7.4 Physical security monitoring – The continuous monitoring of physical security measures to protect assets and people. 
  • 8.9 Configuration management – Managing and controlling the configuration of information systems and IT infrastructure. 
  • 8.10 Information deletion – Deletion of any information stored in information systems that are surplus to requirements. 
  • 8.11 Data masking – Protecting sensitive or financial data by modifying this with fictitious data to maintain usability for testing. 
  • 8.12 Data leakage prevention – Applying prevention measures to systems, networks and any devices that process or store sensitive information. 
  • 8.16 Monitoring activities – Tracking and analysing activities to detect and react to any violations of security policies. 
  • 8.23 Web filtering – This control looks at filtering employee access to websites that may cause malware infection.
  • 8.28 Secure coding – The implementation of coding principles that offer maximum security of the software code.


What’s the difference between ISO 27001 and ISO 27002?

ISO 27002:2022 is the supporting standard that offers guidance on how information security controls should be implemented. The changes in the control set published in ISO 27002:2022 are reflected in Annex A of ISO 27001:2022. 

Annex A is a brief overview, but to actively apply each control, more detail is required. And that’s exactly what ISO 27002 offers, a supplementary standard with a detailed overview of each control, providing a breakdown of how the control works and what is required to implement it.

Check out our ISO 27001 services

Stay ahead of cyber criminals and new emerging threats by partnering with us. We now offer ISO 27001:2022 certification, meaning you can put all the necessary controls in place to protect and safeguard information security for your business. 

Our ISO 27001 auditors can test your information security management system, offering you advice and guidance to improve ISO 27001 requirements and processes within your business. 

Find out more information about what ISO 27001 is here, and discover the many benefits the Standard provides by visiting our dedicated ISO 27001 Benefits page.

Code on a computer screen

QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only