ISO 27001: The 14 control sets of Annex A explained

NovelVista

Last updated 20/07/2021

---

       

Addition A of ISO 27001 is probably the most well-known extension of all the ISO norms – this is because it gives a basic tool to managing data security chances: a rundown of security controls (or protects) that are to be utilized to improve the security of data resources. 

This article will furnish you with a knowledge of how Annex A is organized, just as its relationship with the principle part of ISO 27001, and with ISO 27002. 

How many domains are there in ISO 27001? 

The ISO 27001 controls rundown can be found in Annex A, and it is sorted out into 14 sections. Despite what one may think, these are not all IT arranged – under you can discover a categorization of what specific segments are centered around: 

• Sections identified with organizational issues: A.5, A.6., A.8, A.15 
• Section identified with HR: A.7 
• IT-related areas: A.9, A.10, A.12, A.13. A.14, A.16, A.17 
• Section identified with physical security: A.11 
• Section identified with legal issues: A.18 

Here's a short description of every one of the 14 sections: 

• A.5 Information security strategies – controls on how the approaches are composed and evaluated 
• A.6 Organization of data security – controls on how the duties are allocated; likewise incorporates the controls for cell phones and teleworking 
• A.7 Human assets security – controls preceding business, during, and after the work 
• A.8 Asset the executives – controls identified with the stock of advantages and adequate use; likewise for data characterization and media taking care of 
• A.9 Access control – controls for the administration of access privileges of clients, frameworks and applications, and the administration of client obligations 
• A.10 Cryptography – controls identified with encryption and key administration 
• A.11 Physical and ecological security – controls characterizing secure zones, passage controls, insurance against dangers, hardware security, secure removal, Clear Desk and Clear Screen Policy, and so on. 
• A.12 Operational security – heaps of controls identified with the administration of IT creation: change the executives, limit the board, malware, reinforcement, logging, observing, establishment, weaknesses, and so on. 
• A.13 Communications security – controls identified with organize security, isolation, arrange administrations, move of data, informing, and so on. 
• A.14 System obtaining, advancement and upkeep – controls characterizing security prerequisites, and security being developed and uphold measures 
• A.15 Supplier connections – controls on what to remember for understandings, and how to screen the providers 
• A.16 Information security occurrence the executives – controls for announcing occasions and shortcomings, characterizing duties, reaction systems, and an assortment of proof 
• A.17 Information security parts of business progression the executives – controls requiring the arranging of business congruity, systems, check and inspecting, and IT excess 
• A.18 Compliance – controls requiring the distinguishing proof of appropriate laws and guidelines, licensed innovation insurance, individual information assurance, and audits of data security 

What many of controls does ISO 27001 have? 

There are 114 ISO 27001 data security controls recorded in its Annex An in the current 2013 correction of the norm (contrasted with 133 from the past 2005 amendment of the norm). Here is a breakdown of what sort of controls are incorporated: 

• Controls identified with authoritative issues: 24 
• Controls identified with HR: 6 
• IT-related controls: 61 
• Controls identified with physical security: 15 
• Controls identified with legitimate issues: 8 

The most ideal approach to comprehend Annex A is to consider it a list of data security controls you can choose from – out of the 114 controls that are recorded in Annex A, you can pick the ones that are material to your organization's degree. Another methodology is to utilize Annex A as an ISO 27001 controls agenda, for an underlying assessment of your association's availability for data security the board cycle. 

Relationship with ISO 27001 fundamental conditions 

Not these ISO 27001:2013 controls are compulsory – associations can decide for themselves which controls they discover relevant, and afterward, it must execute them (as a rule, in any event, 90% of the controls are pertinent); the rest are announced to be non-material. For instance, control A.14.2.7 Outsourced improvement can be set apart as non-material if an organization doesn't redistribute the advancement of programming. The principal standard for choosing the controls is through hazard the board, which is characterized in statements 6 and 8 of the fundamental piece of ISO 27001. Learn more here: ISO 27001 hazard evaluation and treatment – 6 fundamental advances. 

Further, proviso 5 of the fundamental piece of ISO IEC 27001 expects you to characterize duties regarding dealing with those controls, and condition 9 expects you to quantify if the controls have satisfied their motivation. At long last, statement 10 expects you to fix whatever isn't right with those controls, and to ensure that you accomplish data security targets with those controls. 

What is the distinction between ISO 27001 and ISO 27002? 

Truly Annex An of ISO27001 doesn't give a lot of insight concerning each control. There is typically one sentence for each control, which gives you a thought of what you have to accomplish, yet not how to do it. 

This is the reason ISO 27002 was distributed – it has the very same structure as ISO 27001 Annex An: each control from Annex An exists in ISO 27002, however it has significantly more nitty-gritty clarification on the most proficient method to actualize it. Be that as it may, don't fall into the snare of utilizing just ISO 27002 for dealing with your data security dangers – it doesn't give you any signs regarding how to choose which controls to actualize, how to gauge them, how to allocate obligations, and so forth. Learn more here: ISO 27001 versus ISO 27002. 

Ease of use of Annex A 

There are several things I like about Annex A – it gives you an ideal review of which controls you can apply so you remember some that would be significant, and it gives you the adaptability to pick just the ones you discover appropriate to your business so you don't need to squander assets on the ones that are not pertinent to you.

Topic Related Post

Is The Adoption Of ISO 27001 Doing Good To Business and Customers

AI, ML & Future of Six Sigma

How Can You Pass Your Lean Six Sigma Certification Exam In The First Attempt?