ISO 27001 – Annex A Controls

What they are and how we can help you with them


Please be aware that on 25 October 2022 ISO 27001:2013 was revised and published as ISO 27001:2022. The revised Annex A restructures the 2013 control set into 93 controls grouped under four themes (organisational, people, physical and technological); the 14 categories and 114 controls described below are those of the 2013 edition. See the revised ISO 27001:2022 Annex A controls page for the most up-to-date information.

Introducing Annex A Controls

There are 114 Annex A controls, divided into 14 categories (A.5 to A.18). How you implement each of them as you build your ISMS depends on the specifics of your organisation.

A useful way to understand Annex A is to think of it as a catalogue of security controls. Based on your risk assessment and risk treatment plan, you select the controls that are applicable to your organisation. Note that the standard does not let you ignore the catalogue: clause 6.1.3 requires you to compare your chosen controls against Annex A and to record, in a Statement of Applicability, every control together with the justification for including or excluding it and whether it is implemented. Auditors will expect an exclusion to be justified by the risk assessment, not by convenience.


What Are The Annex A Controls?

The Annex A controls in ISO 27001:2013 are divided into 14 categories. That may sound overwhelming, but help is at hand. The ISMS.online platform is structured in the same way as the ISO 27001 standard, making it easy for you to follow and understand what you need to do. It also includes the Assured Results Method, a clear path to getting ISO 27001 certified first time (everyone who has followed this path has achieved first-time certification, and you can too). Let’s take a look at the Annex A controls in more detail.

Annex A.5 – Information Security Policies

Annex A.5.1 is about management direction for information security. The objective of this Annex A area is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Annex A.6 – Organisation of Information Security

Annex A.6.1 is about internal organisation. The objective in this Annex A area is to establish a management framework to initiate and control the implementation and operation of information security within the organisation.

Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is to ensure the security of teleworking and the use of mobile devices.

Annex A.7 – Human Resource Security

Annex A.7.1 is about prior to employment. The objective in this Annex A area is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

Annex A.7.2 is about during employment. The objective in this Annex A area is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.

Annex A.7.3 is about termination and change of employment. The objective in this Annex is to protect the organisation’s interests as part of the process of changing and terminating employment.

Annex A.8 – Asset Management

Annex A.8.1 is about responsibility for assets. The objective in this Annex A area is to identify the organisation’s information assets in scope for the management system and define appropriate protection responsibilities.

Annex A.8.2 is about information classification. The objective in this Annex is to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation (and interested parties such as customers).

Annex A.8.3 is about media handling. The objective in this Annex is to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Annex A.9 – Access Control

Annex A.9.1 is about the business requirements of access control. The objective in this Annex is to limit access to information and information processing facilities.

Annex A.9.2 is about user access management. The objective in this Annex A area is to ensure authorised user access to systems and services and to prevent unauthorised access.

Annex A.9.3 is about user responsibilities. The objective of this Annex A control is to make users accountable for safeguarding their authentication information.

Annex A.9.4 is about system and application access control. The objective in this Annex is to prevent unauthorised access to systems and applications.


Annex A.10 – Cryptography

Annex A.10.1 is about Cryptographic controls. The objective of this Annex is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Annex A.11 – Physical & Environmental Security

Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of this Annex is to prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.

Annex A.11.2 is about equipment. The objective in this Annex A area is to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

Annex A.12 – Operations Security

Annex A.12.1 is about operational procedures and responsibilities. The objective of this Annex A area is to ensure correct and secure operations of information processing facilities.

Annex A.12.2 is about protection from malware. The objective here is to ensure that information and information processing facilities are protected against malware.

Annex A.12.3 is about backup. The objective here is to protect against loss of data.

Annex A.12.4 is about logging and monitoring. The objective in this Annex A area is to record events and generate evidence.

Annex A.12.5 is about control of operational software. The objective in this Annex A area is to ensure the integrity of operational systems.

Annex A.12.6 is about technical vulnerability management. The objective in this Annex A control is to prevent exploitation of technical vulnerabilities.

Annex A.12.7 is about information systems and audit considerations. The objective in this Annex A area is to minimise the impact of audit activities on operational systems.

Annex A.13 – Communications Security

Annex A.13.1 is about network security management. The objective in this Annex is to ensure the protection of information in networks and its supporting information processing facilities.

Annex A.13.2 is about information transfer. The objective in this Annex is to maintain the security of information transferred within the organisation and with any external entity, e.g. a customer, supplier or other interested party.

Annex A.14 – System Acquisition, Development & Maintenance

Annex A.14.1 is about security requirements of information systems. The objective in this Annex A area is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

Annex A.14.2 is about security in development and support processes. The objective in this Annex A area is to ensure that information security is designed and implemented within the development lifecycle of information systems.

Annex A.14.3 is about test data. The objective in this Annex A area is to ensure the protection of data used for testing.

Annex A.15 – Supplier Relationships

Annex A.15.1 is about information security in supplier relationships. The objective here is protection of the organisation’s valuable assets that are accessible to or affected by suppliers.

Annex A.15.2 is about supplier service delivery management. The objective in this Annex A area is to ensure that an agreed level of information security and service delivery is maintained in line with supplier agreements.

Annex A.16 – Information Security Incident Management

Annex A.16.1 is about management of information security incidents, events and weaknesses. The objective in this Annex area is to ensure a consistent and effective approach to the lifecycle of incidents, events and weaknesses.

Annex A.17 – Information Security Aspects of Business Continuity Management

Annex A.17.1 is about information security continuity. The objective in this Annex A control is that information security continuity shall be embedded in the organisation’s business continuity management systems.

Annex A.17.2 is about redundancies. The objective in this Annex A control is to ensure availability of information processing facilities.

Annex A.18 – Compliance

Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

Annex A.18.2 is about information security reviews. The objective in this Annex A area is to ensure that information security is implemented and operated in accordance with the organisation’s policies and procedures.

Whatever your level, we’re here to help you

New to it all

We have everything you need for easy compliance with a wide range of standards and regulations.

Improving your systems

Join hundreds of customers and migrate seamlessly to ISMS.online. You’ll save yourself time, admin and cost.

Focus your expertise

Our platform puts you in control. Supercharge your compliance with our powerful management system.

The proven path to ISO 27001 success

Built with everything you need to succeed with ease, and ready to use straight out of the box – no training required!

Perfect Policies & Controls

Easily collaborate, create and show you are on top of your documentation at all times.

Simple Risk Management

Effortlessly address threats and opportunities and dynamically report on performance.

Measurement & Automated Reporting

Make better decisions and show you are in control with dashboards, KPIs and related reporting.

Audits, Actions & Reviews

Make light work of corrective actions, improvements, audits and management reviews.

Mapping & Linking Work

Shine a light on critical relationships and link areas such as assets, risks, controls and suppliers.

Easy Asset Management

Select assets from the Asset Bank and create your Asset Inventory with ease.

Fast, Seamless Integration

Out-of-the-box integrations with your other key business systems to simplify your compliance.

Other Standards & Regulations

Neatly add in other areas of compliance affecting your organisation to achieve even more.

Staff Compliance Assurance

Engage staff, suppliers and others with dynamic end-to-end compliance at all times.

Supply Chain Management

Manage due diligence, contracts, contacts and relationships over their lifecycle.

Interested Party Management

Visually map and manage interested parties to ensure their needs are clearly addressed.

Strong Privacy & Security

Strong privacy by design and security controls to match your needs and expectations.