ISO 27001, the International Standard for information security has 14 control sets featuring more than 114 controls to help every aspect of your business, digital and physical, to keep information safe. But what are these controls?
With increased cyber threats and increasingly stringent legislation to protect personal data and business information, more and more businesses are beginning to understand that a culture of security is key to keeping their information safe for customers, stakeholders and employees.
To help businesses integrate information security throughout their organisation, the ISO (International Organisation for Standardisation) has developed ISO 27001, the Standard for information security management.
ISO 27001 helps businesses to create an information security management system (ISMS) and includes all key processes needed to protect organisations as well as legal, physical and technical risk controls for robust security management.
To create a bespoke ISMS, businesses must apply all relevant controls. This may mean that you implement all 114 controls unless your business activities make them inapplicable. These controls are listed in a section called Annex A.
Annex A is divided into 14 categories.
These categories begin at A5 rather than A1. This may seem a bit odd, but this is because the controls of Annex A correspond with those of ISO 27002, a code of practice for information security controls that provides practical guidance on the 114 controls featured in ISO 27001.
The A1 to A4 categories feature some introductions and explanations, so the controls listed in Annex A of ISO 27001 skip over these to begin at A5.
So, what are these controls? We shall now go through each category of Annex A and describe the controls contained in each section.
Annex A5: Information security policies
Annex A6: Organisation of information security
Annex A7: Human resource security
Annex A11: Physical and environmental security
Annex A12: Operations security
Annex A13: Communications security
Annex A14: System acquisition, development and maintenance
Annex A15: Supplier relationships
Annex A16: Information security incident management
Annex A17: Information security aspects of business continuity management
This section asks you to set out your management support and direction for information security, defining your security policies, communicating them and setting out how you will review them to ensure they remain applicable to identified risks.
Your policies should consider aspects such as your business strategy, current legislation and regulations and the current (as well as potential) level of security threat.
They could therefore include access control, physical security, mobile device use and malware protection, among many others.
Once these have been defined, they need to be approved by management and communicated to the rest of the business. Roles and responsibilities of key people should also be set out.
This control asks for you to review the policies you’ve developed at planned times, or if there is a significant change. A good example of this would be the outbreak of COVID-19.
To do this, you will need to make sure each policy has an owner. They will need to be able to spot opportunities for improvement and manage alterations to information security in response to any changes.
This category asks you to create a framework to implement and control information security within your business.
You need to assign information security responsibilities. You may have an overall manager, but it is likely that individuals will also still need to take ownership.
To prevent changes being made without authorisation, you need to make sure that one lone person cannot make modifications without detection. Roles should therefore be segregated, although this can be trickier in a smaller business. You could consider monitoring and supervision if segregation is difficult.
Sometimes you will need to get in touch with the police, regulatory bodies, utilities, telecomms or other supervisory authorities to report incidents, ensure security continuity and prepare for change. You therefore need to specify who, how and when these key authorities should be contacted.
Special interest groups can help you to improve your knowledge and understanding, or give you access to specialist advice. You may therefore want to think about gaining membership to relevant specialist groups or forums.
Information security should be integrated throughout your business and risks identified and addressed in all projects, not just IT-related ones.
A.6.2 Mobile devices and teleworking
The following controls relate to teleworking and the use of mobile devices such as mobile phones, laptops and tablets.
The following controls relate to teleworking and the use of mobile devices such as mobile phones, laptops and tablets.
Mobile devices that are not correctly protected can open up your business to threats. You should therefore think about policies that restrict the installation of software, the physical security of devices and keeping in-step with security updates, among other things. All of this should be laid out in a mobile device policy.
If your business uses teleworking or has remote workers – you need to set out the conditions for this – as well as any restrictions. You will need to think about its physical security, the use of home networks, malware requirements and the possibility of friends, family, etc. gaining access.
This collection of controls focuses on your staff and contractors so that you can be sure that they understand what they are doing and that they suit their roles.
Applicable background checks should be carried out to help you maintain information security. These should be carried out within the scope of relevant laws and ethics and could include character references, confirmation of qualifications and identity or a review of criminal records.
If the role involves the handling of confidential information, you may want to carry out more detailed screening, including background financial checks.
Contracts with your employees and contractors should include their responsibility for information security. This may include the need for a non-disclosure agreement, their responsibilities for handling information or their legal responsibilities for copyright. All of this should be communicated before employment begins.
These controls lay out the responsibilities of employees and staff while they are employed by your organisation.
This control lays out the responsibilities of management and stipulates that managers need to ensure that all employees and contractors follow the organisation’s information security policies.
Managers can do this by providing briefings, raising awareness and offering training and a method of reporting violations.
This control builds on the previous one and highlights the importance of providing training to raise awareness.
This ensures that employees and contractors know and understand your organisation’s information security policies, that they know how to report the incidents and take personal accountability for their actions.
Training can be carried out in any form, such as via eLearning, but must be planned and carried out regularly to ensure awareness remains up to date.
Breaches of information security policies require a disciplinary process, which should take into account factors such as the significance of the breach, the impact on business and the employee’s training.
The below control focuses on the process of changing or ending employment.
It is sometimes necessary for information security duties to remain in place, even after employment has ended. As a result, you should ensure that these are clearly communicated and identified in your staff’s contracts. This ensures that the information security risks linked with a member of staff are minimised.
The controls that fall within this group highlight your organisation’s assets and how they are to be protected.
In this control you must identify all of your assets that are linked to information or information processes. List these in an inventory and make sure it is updated if anything is added or removed.
Everything you have listed in the inventory for A.8.1.1 needs to have someone to ‘own’ it. In other words, take responsibility for it. This means that they need to be sure that their asset is protected, inventoried correctly, handled properly and that access to it is regularly reviewed.
This control highlights the importance of employees or other users being aware of your business’ information security requirements and understanding how to correctly use your information assets.
This control helps you to ensure that any assets are returned to your business if an employee or contractor leaves. This includes physical equipment such as laptops, as well as intellectual property.
The following controls focus on the categorisation of information to ensure that an appropriate level of protection is put in place.
To classify information correctly, you need to think about it in terms of value, relevant legal requirements, its sensitivity and how critical it is to your organisation. Remember that the sensitivity or importance of information can change over time, so this needs to be taken into account.
A key part of information sharing is having accurate labelling of classified information. You therefore need to develop a system of labelling that reflects your classification scheme. Make sure this labelling system is known by your staff and contractors.
To ensure that assets are handled correctly, you need to develop processes for your organisation to follow. These should cover the collection, handling, processing, storage and communication of information.
Depending on how the information is classified, you will need to think about whether they need access restrictions, how you will protect any temporary copies and the specifications set out by manufacturers on how their equipment should be stored and used.
We now store lots of information on different media – these controls therefore seek to prevent any information stored on media from being changed, removed or destroyed without approval.
This control focuses on removable media, such as USB sticks, and how they should be managed. This means you need to think about how they are stored, if information requires encrypting, back-ups, and how they should have their contents removed if no longer needed.
Safely disposing of all media, including paper, is a key part of information security. You therefore need processes in place for shredding, incineration and erasure, and the arrangement of any collection or disposal services. A log of what you dispose of should be kept too so that you have a clear audit trail.
This control ensures that information is protected during transportation. To fulfil this, you need to think about the reputation of any couriers that you use, processes to confirm their identity and the packaging used. Make sure you keep a log of the content being transported, the transfer times and delivery receipts.
Access control basically acts to limit access to information or the facilities used to process it. The following controls therefore develop a relevant policy to control this.
To create a detailed policy, you will want to think about information sharing and authorisation, relevant legislation, the segregation of access roles, archiving and any roles that require privileged access. When developing your policy, think about principles such as ‘need to know’ and ‘need to use’ to help you define what should be accessed and by whom.
This control asks you to set out a process so that users of your network and network services only have access to those that they are authorised to use. This is critical as public Wi-Fi or other poor network connections can affect your whole business.
Think about the networks you need to allow access to, what controls you can implement to protect access, monitoring of the networks and how they will be accessed (VPN, Wi-Fi, etc.).
The following controls build on your access control with processes to prevent unauthorised access to your systems.
To help you assign the correct access rights, you need a process that governs a user’s registration – and the removal of this registration.
This process should include the provision of unique user IDs and procedures so that they can be immediately disabled when the user leaves your business. Make sure you also have a process for reviewing user IDs so that old or redundant ones can be removed.
This control builds on 9.2.1 and creates a provisioning process for giving or disabling access rights.
Privileged access rights need to be carefully controlled using an authorised process. This means you will need to consider the privileged access rights linked to each system, how they are allocated and how you will record them, among other things.
This control asks you to create processes that ensure information is kept secret (with a confidentiality agreement, for instance), as well as processes that govern the use and provision of temporary secret authentication.
To maintain secure user access, you will need to regularly review your users’ access rights. This is because members of your team may leave, get promoted or demoted, or change job role within your organisation. Due to their higher sensitivity, those with privileged access rights should be reviewed even more regularly.
To help keep your information safe, access rights need to be removed as soon as an employee or contractor leaves your organisation. You therefore need to establish a process that ensures this happens immediately. You may also need to consider reducing or removing these rights before employment is ended.
This control focuses on making users accountable for safeguarding their authentication information.
This control ensures that you set out requirements to ensure your users follow your practices when it comes to secret authentication information. For instance, you need to stipulate that the information is kept confidential, that strong passwords are used, and that the information is not shared.
The next set of controls can be implemented if you need to prevent unauthorised access to your business’ systems and applications.
Access to information should be restricted in line with your access control policy. This means that you may want to consider controlling what data can be seen by what users, providing menus to control access to system functions and providing physical or other access controls for sensitive data or systems. Remember, the minimum amount of access should be provided for your business purposes at all times.
If your access control policy requires it, you will need to develop a secure log-on procedure. A strong and secure log-on process will generally hide the password being entered, log unsuccessful entries and terminate inactive sessions after a set period, among other things.
This control ensures that you introduce interactive password management systems that ensure quality passwords. For instance, this system should force users to change their passwords when they log in for the first time, create passwords from three random words and keep a record of previous passwords to prevent them being re-used.
Utility programs may be capable of overriding application and system controls – for this reason, they should be carefully controlled. To do this, you may need to develop identification and authorisation procedures, limit the availability of any programs and log their use.
This control focuses on the restriction of program source coding, which helps to prevent the introduction of unauthorised changes and functionality. This means that they should be managed according to established procedures, that support staff should have restricted access and that any updates should only be allowed after authorisation.
The controls within this section seek to implement effective cryptography to keep information confidential.
This control asks you to create a policy for the use of cryptography. You may want to think about the role of risk assessments, the use of removable media, and the roles and responsibilities of your employees when developing this policy to help you identify whether cryptography is appropriate.
This control focuses on the development of a policy for the use, protection and lifetime of cryptographic keys. To make a strong policy, you need to think about requirements for the generation, storage, retrieval, archiving, distribution and destruction of keys.
This next set of controls focus on protecting the organisation’s information from unauthorised damage, physical access and interference.
Information security isn’t just about digital protection – sometimes a physical defence is necessary. This control therefore asks you to set up physical protection for sensitive information or information processing facilities. This could be as simple as locked doors, but you may also have to think about reception areas to control access, physical barriers, alarms, CCTV and monitors, or detection systems.
This control focuses on the use of entry controls to protect secure areas. This means you need to think about how entry will be logged, how authorisation will be confirmed and what identification will be necessary (such as an ID badge).
For this control you need to think about how to physically secure offices and rooms by preventing easy access by the public and giving minimal evidence of their function (e.g., by reducing signage).
External and environmental threats can include flooding, fire, earthquakes, social unrest and terrorism. To find out what threats may be relevant to your organisation, it is best to seek specialist guidance.
This measure is designed to give you control over employees and external parties working in secure areas of your organisation. This means you will need to put in place processes to prevent unsupervised work, prohibit the use of recording equipment and limit knowledge to a ‘need to know’ basis.
Delivery and loading areas are potentially vulnerable for a business as they allow external parties into, or near, your organisation. This control therefore gives you the processes you need to control these areas and restrict unauthorised access.
The following controls focus on your organisation’s assets and what you can do to prevent loss, damage or theft to them.
This control helps to ensure that you position and protect your business assets so that the risk of environmental threats, such as lightning strikes, are reduced (for example by installing a lightning rod). It also helps you to reduce the risk of unauthorised access.
A failure by a supporting utility, such as an electricity company, telecommunications, water supplier or gas provider, can make your equipment vulnerable. This control ensures you consider these risks and, where necessary, put measures in place to minimise them, such as emergency lighting and communications. It also ensures you hold regular inspections and create alarms for when things go wrong.
Power and telecoms cabling are vulnerable to damage and interference. This control therefore focuses on providing protection for this cabling.
Malfunctioning equipment can reduce its availability and integrity, putting your organisation at risk. Implementing this control ensures that you maintain your equipment correctly, keep records of inspections, employ trained personnel to fix issues or have appropriate support contracts in place.
This control ensures that assets are not taken off site without proper authorisation. This may mean that you have to set time limits for removal, create a log to track assets and a way of documenting who has taken assets and when they were replaced.
It’s important that information security is maintained off-site too. This means that you need to consider the protection of off-site equipment, such as laptops, mobile phones, smart cards and paper documentation. When developing appropriate controls, you should also take into account the unique risks associated with different locations and equipment, which may require further controls, such as encryption.
Before equipment is disposed of or re-used, you need to ensure that any sensitive information is removed from it. With this control, you can create processes that ensure secure disk erasure or over-writing, as well as risk assessments that can help you decide if physical destruction would be a safer option.
Unattended equipment can be protected by ensuring your users terminate sessions after use, log-off from applications and that equipment is locked while not in use.
Developing this kind of policy reduces the risk of unauthorised access, damage or loss of key information. Secure storage also reduces the risks associated with environmental or external damage.
The next set of controls help your organisation to ensure that your information processing facilities are kept secure.
Documented operating procedures are needed for activities that are linked to the facilities that process and communicate information. For example, this could be a back-up process or media handling. An operating procedure should therefore cover all the specific operational instructions linked to that activity, from installation to recovery.
System or security failures can often be linked to poor control of changes to information processing facilities or systems. This control therefore seeks to reduce this risk with a formal control process.
This control focuses on the use of resources, which must be monitored and tuned. Projections also need to be made for future capacity requirements to maintain optimum performance. Make sure you pay particular attention to any resources that have long procurement times or high costs.
By separating these elements, this control seeks to reduce the risks of unauthorised access or changes to the operational environments. Failing to do so can introduce unwanted modifications or even result in system failure.
The next control focuses on ensuring that information and information processing facilities are protected from malware.
This control ensures that you introduce processes to detect, prevent and recover from malware attacks.
The following control helps to protect against the loss of data.
This control introduces processes that ensure back-ups are made of information, software and systems and that these are tested regularly. This ensures disaster does not follow if there is a media failure. Make sure your archiving requirements are taken into consideration too.
The next controls feature the processes required to record events and create evidence.
Event logs should be kept and regularly reviewed and should cover user activity, faults and any significant information security events. As these can produce personally identifiable information, you will also need to think about additional privacy security measures.
This control asks you to create processes that protect log information from being changed or accessed.
This control introduces a log of system administrator and system operator activities, which must then be protected and regularly checked.
Ensuring that clocks are set correctly is key for maintaining the accuracy of audit logs, which could be used as evidence in legal disputes. Introducing a control that governs this can ensure everything remains in sync.
The next control is focused on maintaining the integrity of operational systems.
For this control you need to develop the processes that govern the installation of software. This means you need procedures that determine who can make the installations, how these will be logged and how previous versions will be stored in case a roll-back is necessary, among other things.
For this section, the focus shifts to the prevention of exploitation of any technical vulnerabilities.
To reduce risk, this control focuses on the timely obtainment and application of measures to protect against any technical vulnerabilities, such as ‘patches’. You will therefore need to think about how to assess the risk, how to test patches and define a timeline for spotting and addressing the problem.
This control asks you to define and then enforce a policy that governs the types of software that your users can install. This reduces the risk of introduced vulnerabilities or information loss.
The objective of the following control looks to reduce the impact of audit activities on your operational systems.
Audits are a necessary part of a business, but this control ensures that these are planned to reduce the risk of disruption.
The following controls will help you to ensure that information in networks is kept safe.
To keep your information safe, you need to control your networks. This control therefore seeks to ensure that security is maintained by defining responsibilities for managing network equipment, creating controls to protect data being passed via public networks and creating appropriate logs and monitoring tools.
To maintain your network security, you need to ensure that your network service agreement identifies the necessary security measures (such as encryption), expected service levels and management needs. This service should then be regularly monitored, and you should ensure that you gain the right to audit the service too.
One of the ways of maintaining security in larger networks is to separate them into different network domains. Each one needs a clear perimeter with access between them being controlled with gateways, which should be appropriate for the level of risk associated with the domain and your access control policy.
The following controls are designed to help you maintain the security of any information that is passed within your organisation or with someone external.
For this control you need to put in place policies and processes that protect the transfer of information. This means you need to think of ways to protect it from interception, copying and destruction, as well as ways of protecting it from malware. Cryptography, personnel training and disposal guidelines should all be considered, among other suitable methods.
This control addresses the transfer of business information between you and other external parties with the creation of an agreement. This can include procedures on traceability, courier identification methods, cryptography, access control and escrow agreements.
Electronic messaging can be a weak point for businesses and must therefore be protected. This includes email, electronic data interchanges and any business social networking. Try thinking about how to ensure messages are addressed to the correct recipients, how they can be defended against unauthorised access and the reliability of your messaging services.
Sometimes information requires a non-disclosure agreement or additional confidentiality protection which external parties must agree to. These agreements protect your organisation’s information and lay out requirements that govern how information should be protected, used, disclosed and disposed of. They should be regularly reviewed to make sure they fit your organisation’s needs and should also comply with applicable laws and regulations.
This next set of controls develop information security so that it becomes an integrated part of your business. It also has requirements that focus on information systems that offer services over any public networks.
This control focuses on the inclusion of information security requirements in the requirements for new or enhanced information systems. These should reflect the business value of the information and any possible negative impacts if security is compromised. This means that risk analysis will also be necessary.
Applications that can be accessed through public networks are particularly vulnerable to network-related threats, such as fraudulent activity. To protect against this, you need to carry out detailed risk assessments, which help you to create relevant controls. These controls will probably include some element of cryptography.
To prevent or minimise the risk of incomplete transactions, unauthorised access or mis-routing, this control develops relevant protections. The controls should equate to the level of risk involved and should comply with any legal or regulatory obligations.
This next set of controls ensure that you develop your information security in line with the lifecycle of information systems.
This control focuses upon the creation of rules for the development of software and systems. This asks you to examine the security of the development environment, what security requirements need to be in place for the design phase and how developers will find and fix any vulnerabilities, among other things.
Any changes to systems within the development lifecycle need to be controlled, ideally with a change control procedure. This is because changes can affect the operational environment. Establishing good practice is therefore key, with any new systems, software or changes following a process of documentation, testing, quality control and careful implementation.
When operating platforms, including operating systems and databases, are changed, this control ensures that any business-critical applications are tested to uncover any adverse effects.
To keep vulnerabilities to a minimum, this control ensures that software changes are controlled and kept to those that are strictly necessary.
This control develops principles for secure system engineering, which should then be documented, maintained and applied to any information system implementation. They should be regularly reviewed to ensure that they stay in-step with threats and that they are still positively contributing to enhanced security.
A secure development environment includes any processes, technology and people that are linked to system development. To protect system developments, this control helps organisations to develop an environment that is secure and based on risk assessments.
With this control, organisations can ensure that any outsourced development is supervised and monitored. This means you should consider things such as licencing arrangements, evidence of sufficient testing and any contractual requirements for secure coding and design.
Systems under development need to be tested to ensure their security functionality. This control lays out a schedule and the processes for testing to ensure that the system works as expected.
This control introduces acceptance testing for new information systems as well as any new updates or versions. This testing should include security requirements and should take place in a realistic setting.
This control helps an organisation to ensure that data used for testing remains protected.
To maintain information security, this control ensures that test data is selected carefully and is then protected and controlled. This is because system and acceptance testing can involve large amounts of test data that closely resemble operational data. Test data must therefore not be ‘live’ or contain any personally identifiable information.
The next set of controls focus on keeping safe organisational assets that are accessible by suppliers.
If your suppliers have inadequate information security, they can put your information at risk. Creating controls for any supplier with access to your information or information processing facilities is therefore key. This means you may need to think about the use of non-disclosure agreements and controls to safely govern the transfer and access of information.
This control focuses on the information security requirements that need to be agreed upon with each supplier that may have access or other contact with your business’ information. These agreements should be comprehensive and ensure that there can be no misunderstandings when it comes to the suppliers’ responsibilities. They should also be based on your organisation’s unique risks.
This control ensures that your agreements with suppliers also include requirements that are put in place to address the security risks linked with the provision of communication and information technology services.
The following controls help you to ensure that your organisation receives an expected level of service and information security, as laid out in your supplier agreements.
This control ensures that you have a process to regularly monitor, audit and review the delivery service of your suppliers. This gives you the opportunity to check that your suppliers are keeping to information security agreements and that issues are being handled correctly.
This control ensures that any changes made by suppliers to their service are carefully managed. These changes could include the use of new technology, a change of supplier or enhancement to services. This means that risks are re-assessed and information security policies, procedures and controls are maintained or improved.
This next set of controls help to ensure that there is a consistent approach to information security, including communication on security events and any weaknesses.
To ensure that your organisation is able to respond quickly and promptly to an information security incident, you need to have the right procedures in place. This control helps you to develop these processes, including procedures for incident response planning and reporting on information security events.
This control sets out the processes you need to report an information security incident and to do so quickly. This includes making your employees aware of their responsibility to make incident reports and how they should do so.
To ensure incidents are quickly dealt with, they need to be reported at the earliest opportunity. Staff and contractors using your systems and services therefore need to know how to spot and report anything suspicious.
To decide if something is an information security incident, they need to be assessed and then classified using an incident classification scale.
This control lays out how information security incidents should be reacted to. This includes gathering evidence, the logging of responses and dealing with any identified weaknesses.
Using your learnings from an information security incident can help you to avoid or reduce the risk of a repeat incident. This control therefore highlights the importance of evaluating incidents for future training and responses.
This control calls for your organisation to define and create processes for the identification, acquisition, collection and storage of information. This is so that it can be kept as evidence should it ever be needed in court or other legal or disciplinary action.
This next set of controls looks at how information security management can be integrated into your organisation’s business continuity strategies.
In order to develop an information security continuity plan, you must first define your requirements with regards to information security. This means you may like to carry out a business impact analysis to see if your information security needs change at all during a business disruption or if they remain the same.
Once you have established your requirements, this control asks you to create, document, implement and maintain the processes your organisation needs to maintain information continuity.
This control then asks for you to verify your continuity controls regularly to ensure that they remain the best fit for your organisation. Verification is a little different to general security testing and shouldn’t be done while you’re testing any changes. Instead, try to time them with wider business continuity or disaster recovery tests.
This next control is designed to help you ensure that your information processing facilities always remain available.
In order to meet your availability needs, this control asks you to implement appropriate redundancies. This means you have to first establish your needs and then investigate if any redundant components or architectures are needed if availability cannot be guaranteed.
This group of controls is designed to help you avoid legal/regulatory, contractual or statutory breaches relating to your information security.
This control asks you to identify any legislation or contractual obligations which your organisation must abide by when it comes to information security. These could be specific to your industry or more wide-ranging, such as UK GDPR (General Data Protection Regulation). Once you’ve identified them, you must document them and ensure these documents stay up to date.
When it comes to intellectual property rights, your organisation needs to ensure it stays compliant by creating processes to protect this kind of material, which could include design rights, software code, apps, trademarks or patents.
It’s important to keep records safe from damage, destruction, alteration and unauthorised access. These records could be key for demonstrating that your business has remained compliant. Classification of information and careful consideration of its storage is therefore key.
This control requires your organisation to ensure that the confidentiality of personally identifiable information (PII) is maintained. This means you need to develop your data policy for privacy and create an appropriate control and management structure.
This control sets out the use of cryptographic controls, which should be used as laid out in agreements, legislation and relevant regulations.
The objective of this final set of controls is to ensure that your information security measures are implemented in line with your policies and procedures.
To ensure that your information security measures are being rolled out in accordance with your organisation’s policies, an independent review is needed. This should be carried out at set intervals or if there is a significant change within your organisation.
To maintain compliance, this control ensures that managers regularly review the compliance of the organisation’s information procedures and methods of processing. This should be checked against the relevant security policies, standards and any other key requirements.
Technical compliance reviews can include penetration testing and vulnerability assessments, as well as a review of operational systems. This helps to ensure continued compliance with your policies and standards.
If you want to know more about ISO 27001 generally, take a look at our dedicated webpage.
Alternatively, you can get in touch with us on 0333 344 3646 or by emailing us at [email protected].