Understanding ISO 27001:2022 Annex A Controls (Security Measures for Data Protection)

ISO 27001 is the worldwide standard for information security. Under its framework, organizations must assess their information security risks and select appropriate controls to treat them.

The Standard’s clauses 4 to 10 set out the general requirements for an ISMS (information security management system), but they do not specify individual controls.

How does Annex A work?

Annex A of ISO/IEC 27001:2022 is the part of the standard that lists the control objectives and controls for an information security management system (ISMS). It provides an extensive list of security measures that organisations may implement to address their various information security needs and threats. These controls are divided into 14 domains, each of which focuses on a specific aspect of information security.

For organizations looking to establish, implement, maintain and continually improve an ISMS in line with ISO/IEC 27001, the controls listed in Annex A provide a frame of reference. By putting the controls outlined in Annex A into practice, organizations can manage information security risks, safeguard sensitive information assets, and demonstrate compliance with relevant legal, regulatory and contractual obligations.

Annex A contains a list of 93 security controls, grouped into 4 themes:

  1. Organizational
  2. People
  3. Physical
  4. Technological

What are the Annex A controls?

1. Organisational controls (37 controls)

Organizational controls are the formal procedures and guidelines a company uses to manage its information security. These controls, described in the standard’s Annex A, cover a range of information security management topics, such as establishing roles and responsibilities within the company and creating policies and procedures.

By following the organizational controls, organisations can build a strong framework for protecting their information assets, reducing risks, and maintaining the confidentiality, integrity and availability of sensitive data.

The organizational controls in ISO/IEC 27001:2022 are listed below:

Annex ref. / Control / Description

5.1 Policies for information security: Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
5.2 Information security roles and responsibilities: Information security roles and responsibilities should be defined and allocated according to the organization’s needs.
5.3 Segregation of duties: Conflicting duties and conflicting areas of responsibility should be segregated.
5.4 Management responsibilities: Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
5.5 Contact with authorities: The organization should establish and maintain contact with relevant authorities.
5.6 Contact with special interest groups: The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.
5.7 Threat intelligence: Information relating to information security threats should be collected and analysed to produce threat intelligence.
5.8 Information security in project management: Information security should be integrated into project management.
5.9 Inventory of information and other associated assets: An inventory of information and other associated assets, including owners, should be developed and maintained.
5.10 Acceptable use of information and other associated assets: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
5.11 Return of assets: Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
5.12 Classification of information: Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
5.13 Labelling of information: An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
5.14 Information transfer: Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.
5.15 Access control: Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
5.16 Identity management: The full life cycle of identities should be managed.
5.17 Authentication information: Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
5.18 Access rights: Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
5.19 Information security in supplier relationships: Processes and procedures should be defined and implemented to manage the information security risks associated with the use of suppliers’ products or services.
5.20 Addressing information security within supplier agreements: Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.
5.21 Managing information security in the ICT supply chain: Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
5.22 Monitoring, review and change management of supplier services: The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
5.23 Information security for use of cloud services: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.
5.24 Information security incident management planning and preparation: The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
5.25 Assessment and decision on information security events: The organization should assess information security events and decide if they are to be categorized as information security incidents.
5.26 Response to information security incidents: Information security incidents should be responded to in accordance with the documented procedures.
5.27 Learning from information security incidents: Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.
5.28 Collection of evidence: The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
5.29 Information security during disruption: The organization should plan how to maintain information security at an appropriate level during disruption.
5.30 ICT readiness for business continuity: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
5.31 Legal, statutory, regulatory and contractual requirements: Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.
5.32 Intellectual property rights: The organization should implement appropriate procedures to protect intellectual property rights.
5.33 Protection of records: Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
5.34 Privacy and protection of PII: The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
5.35 Independent review of information security: The organization’s approach to managing information security and its implementation, including people, processes and technologies, should be reviewed independently at planned intervals, or when significant changes occur.
5.36 Compliance with policies, rules and standards for information security: Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.
5.37 Documented operating procedures: Operating procedures for information processing facilities should be documented and made available to personnel who need them.

2. People controls (8 controls)

Annex ref. / Control / Description

6.1 Screening: Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
6.2 Terms and conditions of employment: The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.
6.3 Information security awareness, education and training: Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
6.4 Disciplinary process: A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
6.5 Responsibilities after termination or change of employment: Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.
6.6 Confidentiality or non-disclosure agreements: Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
6.7 Remote working: Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
6.8 Information security event reporting: The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

3. Physical controls (14 controls)

Annex ref. / Control / Description

7.1 Physical security perimeters: Security perimeters should be defined and used to protect areas that contain information and other associated assets.
7.2 Physical entry: Secure areas should be protected by appropriate entry controls and access points.
7.3 Securing offices, rooms and facilities: Physical security for offices, rooms and facilities should be designed and implemented.
7.4 Physical security monitoring: Premises should be continuously monitored for unauthorized physical access.
7.5 Protecting against physical and environmental threats: Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, should be designed and implemented.
7.6 Working in secure areas: Security measures for working in secure areas should be designed and implemented.
7.7 Clear desk and clear screen: Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.
7.8 Equipment siting and protection: Equipment should be sited securely and protected.
7.9 Security of assets off-premises: Off-site assets should be protected.
7.10 Storage media: Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
7.11 Supporting utilities: Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.
7.12 Cabling security: Cables carrying power, data or supporting information services should be protected from interception, interference or damage.
7.13 Equipment maintenance: Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.
7.14 Secure disposal or re-use of equipment: Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

4. Technological controls (34 controls)

Annex ref. / Control / Description

8.1 User endpoint devices: Information stored on, processed by or accessible via user endpoint devices should be protected.
8.2 Privileged access rights: The allocation and use of privileged access rights should be restricted and managed.
8.3 Information access restriction: Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.
8.4 Access to source code: Read and write access to source code, development tools and software libraries should be appropriately managed.
8.5 Secure authentication: Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.
8.6 Capacity management: The use of resources should be monitored and adjusted in line with current and expected capacity requirements.
8.7 Protection against malware: Protection against malware should be implemented and supported by appropriate user awareness.
8.8 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.
8.9 Configuration management: Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
8.10 Information deletion: Information stored in information systems, devices or in any other storage media should be deleted when no longer required.
8.11 Data masking: Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
8.12 Data leakage prevention: Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
8.13 Information backup: Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
8.14 Redundancy of information processing facilities: Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.
8.15 Logging: Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.
8.16 Monitoring activities: Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
8.17 Clock synchronization: The clocks of information processing systems used by the organization should be synchronized to approved time sources.
8.18 Use of privileged utility programs: The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.
8.19 Installation of software on operational systems: Procedures and measures should be implemented to securely manage software installation on operational systems.
8.20 Networks security: Networks and network devices should be secured, managed and controlled to protect information in systems and applications.
8.21 Security of network services: Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.
8.22 Segregation of networks: Groups of information services, users and information systems should be segregated in the organization’s networks.
8.23 Web filtering: Access to external websites should be managed to reduce exposure to malicious content.
8.24 Use of cryptography: Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.
8.25 Secure development life cycle: Rules for the secure development of software and systems should be established and applied.
8.26 Application security requirements: Information security requirements should be identified, specified and approved when developing or acquiring applications.
8.27 Secure system architecture and engineering principles: Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.
8.28 Secure coding: Secure coding principles should be applied to software development.
8.29 Security testing in development and acceptance: Security testing processes should be defined and implemented in the development life cycle.
8.30 Outsourced development: The organization should direct, monitor and review the activities related to outsourced system development.
8.31 Separation of development, test and production environments: Development, testing and production environments should be separated and secured.
8.32 Change management: Changes to information processing facilities and information systems should be subject to change management procedures.
8.33 Test information: Test information should be appropriately selected, protected and managed.
8.34 Protection of information systems during audit testing: Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

How do you select controls from Annex A?

Although they serve as a foundation for an effective ISMS, the controls in Annex A should not be treated as a mandatory checklist to be applied verbatim.

Your risk assessment determines which information security controls you choose. You then compare your selection against Annex A to make sure that no identified risk has been left untreated.

Annex A controls that are not relevant to your organisation may be excluded. Nonetheless, every exclusion must be justified in your SoA (Statement of Applicability).

What is the Statement of Applicability?

The Statement of Applicability (SoA) in ISO/IEC 27001 is the key document that describes the information security controls an organization has chosen to treat the risks identified in its Information Security Management System (ISMS).

It outlines the ISMS’s scope, lists the controls selected from Annex A of the standard, explains why those controls were chosen, and links each control to specific information security risks.

The Statement of Applicability thus serves as a thorough guide for interested parties, demonstrating the organization’s commitment to effective information security management and its adherence to the ISO/IEC 27001 requirements.
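The reconciliation described in the two sections above (risk assessment first, then a check against Annex A, with every exclusion justified in the SoA) can be performed mechanically. The following is an added example, not code from the page or from ISO: the control identifiers come from the tables above, while the risks, the SoA rows and the data model are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed subset of Annex A, keyed by Annex reference (titles taken from the tables above).
ANNEX_A = {
    "5.7": "Threat intelligence", "5.23": "Information security for use of cloud services",
    "7.4": "Physical security monitoring", "8.12": "Data leakage prevention",
    "8.15": "Logging", "8.23": "Web filtering", "8.24": "Use of cryptography",
}

@dataclass
class Risk:  # one risk from the risk assessment and the Annex A controls chosen to treat it
    risk_id: str
    description: str
    treated_by: list = field(default_factory=list)

@dataclass
class SoaEntry:  # one SoA row: applicable or excluded, plus the justification for an exclusion
    control_id: str
    applicable: bool
    justification: str = ""

def check_soa(risks, soa):
    """Reconcile the SoA against the risk assessment; returns only the non-empty findings."""
    keys = ("missing_from_soa", "unknown_control", "applied_without_risk",
            "unjustified_exclusion", "excluded_but_needed", "risk_without_control")
    findings = {k: [] for k in keys}
    entries = {e.control_id for e in soa}
    used = {c for r in risks for c in r.treated_by}  # controls that some risk relies on
    findings["missing_from_soa"] = [c for c in ANNEX_A if c not in entries]  # every control needs a decision
    for e in soa:
        if e.control_id not in ANNEX_A:
            findings["unknown_control"].append(e.control_id)  # not an Annex A reference
        elif e.applicable and e.control_id not in used:
            findings["applied_without_risk"].append(e.control_id)  # selected, but no risk motivates it
        elif not e.applicable:
            if not e.justification.strip():
                findings["unjustified_exclusion"].append(e.control_id)  # exclusions must be justified
            if e.control_id in used:
                findings["excluded_but_needed"].append(e.control_id)  # a risk is treated by an excluded control
    findings["risk_without_control"] = [r.risk_id for r in risks if not r.treated_by]
    return {k: v for k, v in findings.items() if v}

# Constructed sample input: three risks and a deliberately inconsistent SoA.
RISKS = [
    Risk("R1", "Customer data exfiltrated from the SaaS tenant", ["5.23", "8.12", "8.15"]),
    Risk("R2", "Vendor security advisories go unnoticed", ["5.7"]),
    Risk("R3", "Tailgating into the server room", []),
]
SOA = [
    SoaEntry("5.7", True), SoaEntry("5.23", True), SoaEntry("8.15", True),
    SoaEntry("7.4", False),                                         # excluded with no justification
    SoaEntry("8.12", False, "No sensitive data leaves the tenant"),  # excluded, yet R1 relies on it
    SoaEntry("8.24", True),                                         # applied, but no risk needs it
]

def demo():
    return check_soa(RISKS, SOA)
```

Each finding maps to a question an auditor will ask about the SoA: why is this control applied, why is that one excluded, and which control treats this risk.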
