ISO 27001 Controls

ISO 27001 is the internationally recognised Standard for information security. The ISO 27001 framework offers your business an effective Information Security Management System (ISMS), with key processes to help protect your organisation from cyber threats and remain compliant with stringent legislation. 

With ISO 27001, you’ll be able to implement organisational and technical risk controls to help maintain robust security management. But, it’s not just about IT! It helps secure data security across all areas of your business – whether it’s online or offline. The Standard is suitable for businesses of all sizes, from startups to larger organisations.

The eight controls contained within the people theme help your business regulate human activity regarding all of your information security. These controls outline how working personnel interact with data and each other. Areas covered in this theme include: 

• HR management
• Personnel security
• Staff awareness
• Training procedures

The organisational theme has the most controls of the new ISO 27001 structure, with 37 in total. For your business to function and meet the ISO 27001 Standard effectively, you must be able to demonstrate organisational controls that meet the legal regulations and measures regarding data protection. Controls in this theme include: 

• Policies
• Rules
• Processes
• Procedures
• Organisational structures

The technological controls have been designed so that your organisation can adopt a set of digital regulations that help preserve a compliant IT infrastructure. This means safeguarding your business with valuable secure technology at the heart of your business, such as protection from data leaks, encryption and authentication. 

The new technological controls include: 

• Data masking 
• Configuration management 
• Information deletion 
• Data leakage prevention 
• Monitoring activities 
• Web filtering 
• Secure coding

In order to protect confidential information, physical safeguards are measures employed to ensure the security of tangible assets including: 

• Guest access protocols
• Asset disposal processes
• Storage medium measures
• Clear desk policies
• Entry and exit systems

The ISO 27001 controls have been merged, meaning the structure of the controls has been changed slightly as part of the new ISO 27001:2022. Let’s explore what these changes mean in a little more detail…

• 5.7 Threat Intelligence – Collect and analyse any information relating to information security threats to produce intelligence in response to this. 
• 5.23 Information security for use of cloud services – Offers protection over the use of cloud services by a business, ensuring no risks are posed to the confidentiality, integrity and availability of information. 
• 5.30 ICT readiness for business continuity – This control ensures that an organisation’s IT systems are not compromised in the event of disruption or a crisis. 
• 7.4 Physical security monitoring – The continuous monitoring of physical security measures to protect assets and people. 
• 8.9 Configuration management – Managing and controlling the configuration of information systems and IT infrastructure. 
• 8.10 Information deletion – Deletion of any information stored in information systems that are surplus to requirements. 
• 8.11 Data masking – Protecting sensitive or financial data by modifying this with fictitious data to maintain usability for testing. 
• 8.12 Data leakage prevention – Applying prevention measures to systems, networks and any devices that process or store sensitive information. 
• 8.16 Monitoring activities – Tracking and analysing activities to detect and react to any violations of security policies. 
• 8.23 Web filtering – This control looks at filtering employee access to websites that may cause malware infection.
• 8.28 Secure coding – The implementation of coding principles that offer maximum security of the software code.

ISO 27002:2022 is the supporting standard that offers guidance on how information security controls should be implemented. The changes in the control set published in ISO 27002:2022 are reflected in Annex A of ISO 27001:2022. 

Annex A is a brief overview, but to actively apply each control, more detail is required. And that’s exactly what ISO 27002 offers, a supplementary standard with a detailed overview of each control, providing a breakdown of how the control works and what is required to implement it.