If you are about to start a project for implementing the ISO 27001 security framework, you want to know which controls you need to cover. This is one of the first questions you always get as a consultant, and it is one of the most important, because the scope determines the time and budget you need to successfully implement this security standard. Here I want to give a quick overview of the ISO 27001 Annex A controls you need to introduce for a successful certification.
The list of topics, measures or requirements you need to cover for implementing the ISO 27001 framework is based on ISO/IEC 27001:2013, which is still the current standard. There might be some country-specific updates to the norm. In Germany, for example, the standard is called ISO 27001:2017, but it is still based on the 2013 core and no changes were made to it (just some country-specific comments). In ISO 27001, Annex A describes what controls have to be introduced, whereas ISO 27002 further explains how to implement them.
If you want to find out more, you can visit the official ISO page.
So here is the list of each topic, area or domain you need to cover and implement. You will also find a short description of the requirements you have to fulfil:
List of the ISO 27001 Controls
Here you can find a comprehensive list of all controls according to Annex A of the ISO 27001 (and ISO 27002) framework. Only the main controls are listed, not the sub-controls (for copyright reasons).
A.5 Information Security Policies
This is one of the key points of ISO 27001 and especially for building your ISMS. You need to have security policies in place that cover all topics, business requirements and all relevant laws and regulations. These policies have to be approved and signed by upper management. They have to be published and made available within your organization and to relevant external partners. They also have to be reviewed, and updated if necessary, on a regular basis.
A.6 Organisation of Information Security
The goal here is to describe the organisation and implementation of your security framework. You have to define the roles and responsibilities for all employees in your organisation who have to deal with information security. You also need to maintain a list of contacts to pertinent groups that can advise you, such as authorities, associations, experts or consultants. Another big part is the integration of security into project management, not only for IT-relevant topics but also for projects across your whole organisation. What is a little bit odd is the fact that you need to describe the measures you have implemented for remote work and for using mobile devices here. In my opinion that would fit better into other sections.
A.7 Human Resource Security
This section covers how you have to handle human resource security with regard to contractual requirements and the employee lifecycle. This initially includes the security screening of new employees before hiring. Furthermore, it must be ensured that the employment contract includes clauses that oblige the employee to comply with the security policies, and that state the disciplinary measures that apply if they do not. It should also be stated what obligations the employee has after the employment ends.
A.8 Asset Management
This is one of the most important sections. Here you define how you identify the assets that need to be protected, how you protect them and who is responsible for each asset. You have to describe the lifecycle process of your assets and how you classify them. Another part is that you have to show how you deal with data carriers or removable media.
A.9 Access Control
Another major part is about managing access to your assets, especially user management, your user lifecycle process and your authorization concept, but also how you restrict, secure and monitor access. In other words, everything that has to do with authentication, authorization and accounting.
A.10 Cryptography
Here you have to describe how you have implemented cryptographic mechanisms to protect the confidentiality, integrity and authenticity of your information. In particular, how and for what purposes cryptography may be used, and also your key lifecycle process and the measures that protect the keys.
A.11 Physical and Environmental Security
This area is focused on how to protect your physical building(s), campus(es) or offices against unauthorized access in order to protect devices or resources from loss, damage, theft or unavailability. You should define security perimeters and how physical access is controlled. Beyond that, you also have to show how you protect your environment against environmental threats such as natural disasters, malicious attacks or accidents.
A.12 Operations Security
This includes all measures concerning IT security and IT operations/production. You have to document all IT processes, especially change management and capacity management, and how you have segregated your test, development and production environments. You also have to deliver procedures on how you have implemented security measures for malware protection, backup and recovery, logging, vulnerability management and software deployment, and how you audit your IT systems.
A.13 Communication Security
This is the network security part. You have to demonstrate suitable segmentation of your network and segregation of your network services. You also have to make sure that the transfer of data and information is secure according to your policies, not only inside but also outside of your organization.
A.14 System Acquisition, Development & Maintenance
In other words, the software or hardware development lifecycle. This topic is described very confusingly because it mixes up a lot of things. Firstly, you have to make sure that all security requirements are met for newly acquired systems or software as well as for existing ones. You also have to check that all information processed by publicly available systems is securely transferred and protected from disclosure and modification.
Secondly, you have to ensure you have a process covering secure development for information systems and demonstrate how you check the security quality of the system.
A.15 Supplier Relationships
More or less, you have to define contractual clauses on what your suppliers have to fulfil in terms of information security. This also includes contracts with providers or contractors.
A.16 Information Security Incident Management
You have to explain the process of how to deal with security events and incidents, mainly the definition of procedures for identifying and detecting events and for containing, eradicating and recovering from incidents. You also have to describe who is responsible for which tasks and who has to be informed, as an escalation and reporting chain.
A.17 Information Security Aspects of Business Continuity Management
In case of a business crisis you need to make sure that all aspects of information security can be maintained. This is mainly focused on the redundancy and availability of IT systems.
A.18 Compliance
You have to prove that you comply with regulations, laws, self-imposed and contractual obligations. This includes the protection of personal data. But you also have to implement a control plan to validate and audit compliance with your security guidelines and procedures.
So there are 14 major domains with a total of 35 sub-categories and 114 controls you need to implement. In comparison, the NIST Cybersecurity Framework has over 23 categories with 108 sub-categories (source: Wikipedia).