Last updated 20/07/2021
Addition A of ISO 27001 is probably the most well-known extension of all the ISO norms – this is because it gives a basic tool to managing data security chances: a rundown of security controls (or protects) that are to be utilized to improve the security of data resources.
This article will furnish you with a knowledge of how Annex A is organized, just as its relationship with the principle part of ISO 27001, and with ISO 27002.
The ISO 27001 controls rundown can be found in Annex A, and it is sorted out into 14 sections. Despite what one may think, these are not all IT arranged – under you can discover a categorization of what specific segments are centered around:
There are 114 ISO 27001 data security controls recorded in its Annex An in the current 2013 correction of the norm (contrasted with 133 from the past 2005 amendment of the norm). Here is a breakdown of what sort of controls are incorporated:
The most ideal approach to comprehend Annex A is to consider it a list of data security controls you can choose from – out of the 114 controls that are recorded in Annex A, you can pick the ones that are material to your organization's degree. Another methodology is to utilize Annex A as an ISO 27001 controls agenda, for an underlying assessment of your association's availability for data security the board cycle.
Not these ISO 27001:2013 controls are compulsory – associations can decide for themselves which controls they discover relevant, and afterward, it must execute them (as a rule, in any event, 90% of the controls are pertinent); the rest are announced to be non-material. For instance, control A.14.2.7 Outsourced improvement can be set apart as non-material if an organization doesn't redistribute the advancement of programming. The principal standard for choosing the controls is through hazard the board, which is characterized in statements 6 and 8 of the fundamental piece of ISO 27001. Learn more here: ISO 27001 hazard evaluation and treatment – 6 fundamental advances.
Further, proviso 5 of the fundamental piece of ISO IEC 27001 expects you to characterize duties regarding dealing with those controls, and condition 9 expects you to quantify if the controls have satisfied their motivation. At long last, statement 10 expects you to fix whatever isn't right with those controls, and to ensure that you accomplish data security targets with those controls.
Truly Annex An of ISO27001 doesn't give a lot of insight concerning each control. There is typically one sentence for each control, which gives you a thought of what you have to accomplish, yet not how to do it.
This is the reason ISO 27002 was distributed – it has the very same structure as ISO 27001 Annex An: each control from Annex An exists in ISO 27002, however it has significantly more nitty-gritty clarification on the most proficient method to actualize it. Be that as it may, don't fall into the snare of utilizing just ISO 27002 for dealing with your data security dangers – it doesn't give you any signs regarding how to choose which controls to actualize, how to gauge them, how to allocate obligations, and so forth. Learn more here: ISO 27001 versus ISO 27002.
There are several things I like about Annex A – it gives you an ideal review of which controls you can apply so you remember some that would be significant, and it gives you the adaptability to pick just the ones you discover appropriate to your business so you don't need to squander assets on the ones that are not pertinent to you.
NovelVista Learning Solutions is a professionally managed training organization with specialization in certification courses. The core management team consists of highly qualified professionals with vast industry experience. NovelVista is an Accredited Training Organization (ATO) to conduct all levels of ITIL Courses. We also conduct training on DevOps, AWS Solution Architect associate, Prince2, MSP, CSM, Cloud Computing, Apache Hadoop, Six Sigma, ISO 20000/27000 & Agile Methodologies.
* Your personal details are for internal use only and will remain confidential.
![]() |
ITILEvery Weekend |
---|---|
![]() |
AWSEvery Weekend |
![]() |
DevOpsEvery Weekend |
![]() |
PRINCE2Every Weekend |