A Brief Explanation of ISO 27001 Controls

ISO 27001 is a globally accepted standard for effectively managing information security systems (ISMS). It offers a structured approach for businesses to evaluate, analyse, and control their information security threats. To get ISO 27001 Certification, it is crucial to implement ISO 27001 controls which form the core of ISO 27001. Organisations must implement these controls to achieve compliance with the standard. This blog will explain what   ISO 27001 Controls are and how to implement them. 

Table of Contents  

1. What are ISO 27001 Controls?  

1. How to Implement ISO 27001 Controls  

1. Benefits of ISO 27001 Certification  

1. Conclusion  

What are ISO 27001 Controls?  

ISO 27001 controls are the specific measures that organisations must take to protect their information assets including supply nation certified controls. These controls are grouped into 14 control categories, as explained below. Under each annex, there are multiple controls that the organisation needs to implement.  

Information security policies  

The organisation must have a set of policies in place that define its information security requirements. Controls under this include:  

• A5.1: Information security policy  
• A5.2: Information security procedures  
• A5.3: Information security awareness, training, and education  

Organisation of information security  

The organisation must have a defined structure for managing its information security. This includes roles, responsibilities, and authorities.  

• A6.1: Information security organisation  
• A6.2: Roles, responsibilities, and authorities  
• A6.3: Communication and coordination  
• A6.4: Management of information security changes  

Human resources security  

The organisation must have measures in place to protect its information assets from unauthorised access, use, disclosure, modification, or destruction by its employees.  

• A7.1: Employment screening  
• A7.2: Disciplinary procedures  
• A7.3: Termination of employment  
• A7.4: Access rights management  
• A7.5: Separation of duties  

Asset management  

The organisation must have a process for identifying, classifying, and protecting its information assets.  

• A8.1: Asset classification  
• A8.2: Asset inventory  
• A8.3: Asset control  
• A8.4: Information labelling and handling  
• A8.5: Media handling and security  

Access control  

The organisation must have a process for controlling who has access to its information assets.  

• A9.1: Business requirements of access control  
• A9.2: User access management  
• A9.3: User responsibilities  
• A9.4: System and application access control  
• A9.5: Network access control  

Cryptography  

To ensure the protection of its information assets, the organisation should implement cryptography measures that guarantee confidentiality, integrity, and availability. 

• A10.1: Cryptographic controls  
• A10.2: Key management  

Physical and environmental security  

The organisation must protect its information assets from unauthorised physical access, use, disclosure, modification, or destruction.  

• A11.1: Physical security perimeter  
• A11.2: Physical access control  
• A11.3: Environmental controls  
• A11.4: Equipment security  
• A11.5: Security of systems and communications areas  

Operational security  

The organisation must implement measures to protect its information assets from unauthorised operational activities, such as data entry, processing, and transmission.  

• A12.1: Operational procedures and responsibilities  
• A12.2: Protection from malware  
• A12.3: Backup  
• A12.4: Logging and monitoring  
• A12.5: Control of operational software  
• A12.6: Technical vulnerability management  
• A12.7: Information systems audit considerations  

Communications security  

The organisation must protect its information assets during transmission over communication networks.  

• A13.1: Telecommunications security  
• A13.2: Data communications security  
• A13.3: E-mail security  

System acquisition, development, and maintenance  

The organisation must implement measures to ensure that its information systems are developed, maintained, and disposed of in a secure manner.  

• A14.1: Security requirements for system acquisition, development, and maintenance  
• A14.2: Security during development and maintenance  
• A14.3: Security of acquired systems  

Supplier relationships  

The organisation must manage its relationships with its suppliers in a way that protects its information assets.  

• A15.1: Supplier security management  
• A15.2: Supplier relationships  

Information security incident management  

It is essential for an organisation to establish a process that can detect, respond to, and recover from any information security incidents. 

• A16.1: Information security incident response  
• A16.2: Information security incident reporting  
• A16.3: Information security incident analysis and improvement  

Information security aspects of business continuity management  

The organisation must incorporate information security requirements into its business continuity management plan.  

• A17.1: Business continuity management  
• A17.2: Information security aspects of business continuity management  

Compliance  

The organisation must comply with applicable laws, regulations, and standards.  

• A18.1: Compliance with laws, regulations, and standards  
• A18.2: Compliance with internal policies and procedures  

How to Implement ISO 27001 Controls  

The specific controls that an organisation must implement will vary depending on the nature of its business and the risks it faces. However, there are some general steps that all organisations can follow to implement ISO 27001 controls:  

1. Identify the risks: The first step is to identify the information security risks that the organisation faces. This can be done through a risk assessment process.  

1. Select the controls: After identifying the risks, the organisation can choose the most effective controls to minimise them.  

1. Implement the controls: The next step is to implement the selected controls. This could entail creating fresh policies and procedures or modifying the current ones.  

1. Monitor and review the controls: Once the controls have been implemented, the organisation must monitor and review them to ensure that they are effective. This may involve conducting periodic audits.  

Who oversees implementation of the ISO 27001 controls?  

The responsibility for implementing ISO 27001 controls ultimately rests with the organisation’s management. However, the specific roles and responsibilities for implementing controls will vary depending on the size and structure of the organisation.  

In general, the following roles are typically involved in implementing ISO 27001 controls:  

1. Chief Information Security Officer (CISO): The CISO is responsible for the overall information security management of the organisation. This includes ensuring that the organisation has implemented the appropriate controls to protect its information assets.  

1. Information Security Manager (ISM): The ISM is responsible for the implementation and management of the organisation’s information security controls.  

1. Line Managers: They are responsible for ensuring that the employees in their teams are aware of the organisation’s information security policies and procedures. They are also responsible for ensuring that their employees comply with these policies and procedures.  

1. Employees: Employees have a responsibility to comply with the organisation’s information security policies and procedures. They should also be aware of the risks to the organisation’s information assets and take steps to mitigate those risks.  

In addition to these specific roles, all employees in the organisation have a responsibility to contribute to the implementation of ISO 27001 controls. This includes being aware of the risks to the organisation’s information assets, reporting security incidents, and following the organisation’s information security policies and procedures. 

Benefits of ISO 27001 Certification  

There are several benefits of getting ISO 27001 certification. These benefits include:  

1. Increased customer confidence  

1. Reduced risk of data breaches  

1. Improved compliance with laws and regulations  

1. Increased efficiency and productivity  

1. Enhanced brand reputation  

Conclusion  

ISO 27001 controls are an essential part of any organisation’s information security management system. Organisations can manage the risk of data breaches and other security incidents by implementing these controls. They can also improve their customer confidence, compliance, and efficiency.