ISO 27002 · Annex A

Control catalogue · 14 categories · 114 controls

Annex A of ISO/IEC 27001:2013 is the control catalogue, and its control text mirrors ISO/IEC 27002:2013. It holds 14 control categories (A.5 to A.18) and 114 controls. During an ISO 27001 certification audit you are assessed against the control text in 27001; 27002 adds the extended implementation guidance for each control. This page summarises every category and its objective. Note that ISO/IEC 27001:2022 restructured Annex A into 4 themes and 93 controls (ISO/IEC 27002:2022 carries a correspondence table back to the 2013 numbering); the numbering below is the 2013 edition, which is still what most existing Statements of Applicability and mappings refer to.

Why does Annex A start at A.5?

It looks odd that the controls begin at A.5 rather than A.1. The reason is that Annex A maps directly onto ISO 27002, where sections 1–4 are introductory and explanatory, so the controls themselves start at section 5. In an ISO 27001 certification audit you are audited only against the control text within 27001 — but there's real benefit in reading the extended guidance on each control in 27002.

A.5 Information security policies 2 controls

How policies are written, approved, communicated and reviewed.

5.1.1 Policies for information security
5.1.2 Review of the policies for information security

A.6 Organisation of information security 7 controls

Assigning responsibility for specific tasks; mobile devices and teleworking.

6.1.1 Roles & responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Special interest groups
6.1.5 Security in project management
6.2.1 Mobile device policy
6.2.2 Teleworking

Important for who-does-what and delegation. Tasks that need several pairs of eyes (e.g. paying out funds) shouldn't sit with one person: this is the four-eyes principle, enforced through segregation of duties (6.1.2). During incidents it must be clear who the single point of contact (SPOC) is towards authorities and special interest groups (6.1.3, 6.1.4).

A.7 Human resource security 6 controls

Ensuring staff understand their responsibilities before, during and after employment.

A.7.1 Prior to employment

7.1.1 Screening (OSINT)
7.1.2 Terms & conditions

A.7.2 During employment

7.2.1 Management responsibilities
7.2.2 Awareness, education & training
7.2.3 Disciplinary process

A.7.3 Termination & change

7.3.1 Termination / change of responsibilities

An auditor wants evidence that leavers returned their assets (A.8.1.4), that the process was closed and documented, and that the asset inventory (A.8.1.1) was updated. A common failing is forgetting to remove or hand over data and access belonging to former colleagues; the standard turns this into a described task that must demonstrably be performed, and the access side is checked again under A.9.2.6 (removal or adjustment of access rights).
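The evidence an auditor asks for here is a reconciliation: HR's leaver list against the directory and the asset inventory. The check below is an added example, not code from the Defencia page or from the standard; the three CSV exports, the user names and the asset IDs are constructed for illustration, and in practice come from HR, the identity provider and the inventory system.

```python
"""Leaver reconciliation check for A.7.3.1, A.8.1.4 and A.9.2.6.

Added example, not code from the Defencia page. The three CSV exports below
are constructed for illustration; in practice they come from HR, the
directory or identity provider, and the asset inventory.
"""
import csv
from datetime import date
from io import StringIO

# Constructed HR export: who left and on which date.
HR_LEAVERS = """\
user,leave_date
alice,2024-03-31
bob,2024-04-15
carol,2024-05-02
"""

# Constructed directory export: is the account enabled, and when was it last used.
DIRECTORY = """\
user,enabled,last_login
alice,false,2024-03-28
bob,true,2024-04-20
carol,true,2024-04-30
dave,true,2024-05-10
"""

# Constructed asset inventory: which assets are recorded against which holder.
ASSETS = """\
asset_id,owner,returned
LAP-0041,alice,true
LAP-0057,bob,false
USB-0112,carol,false
LAP-0063,dave,false
"""


def _rows(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def leaver_findings(hr_csv: str = HR_LEAVERS, dir_csv: str = DIRECTORY,
                    asset_csv: str = ASSETS, today: date = date(2024, 5, 10)) -> list:
    """Return (user, control, detail) tuples an auditor would raise.

    A leaver is anyone whose HR leave_date is on or before `today`.
    Findings are sorted so the output is stable and easy to diff between runs.
    """
    leavers = {}
    for r in _rows(hr_csv):
        left = date.fromisoformat(r["leave_date"])
        if left <= today:
            leavers[r["user"]] = left

    findings = []
    for r in _rows(dir_csv):
        user = r["user"]
        if user not in leavers:
            continue  # still employed, or not yet left
        if _is_true(r["enabled"]):
            days = (today - leavers[user]).days
            findings.append((user, "A.9.2.6", f"account still enabled {days} days after leaving"))
        last_login = date.fromisoformat(r["last_login"])
        if last_login > leavers[user]:
            findings.append((user, "A.9.2.6", f"login on {last_login} after leave date {leavers[user]}"))

    for r in _rows(asset_csv):
        user = r["owner"]
        if user in leavers and not _is_true(r["returned"]):
            findings.append((user, "A.8.1.4", f"asset {r['asset_id']} not recorded as returned"))

    return sorted(findings)


if __name__ == "__main__":
    for user, control, detail in leaver_findings():
        print(f"{user:6} {control:8} {detail}")
```

Run on the constructed data it flags bob and carol (accounts still enabled, an unreturned laptop and USB stick, and a login by bob after his leave date) and is silent on alice, whose offboarding was completed, and on dave, who has not left. Keeping the output sorted and diffable is deliberate: the same report run monthly is itself the A.9.2.5 review evidence.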

A.8 Asset management 10 controls

Identifying information assets and defining appropriate protection responsibilities.

A.8.1 Responsibility for assets

8.1.1 Inventory of assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets (AUP)
8.1.4 Return of assets

A.8.2 Information classification

8.2.1 Classification of information
8.2.2 Labelling of information
8.2.3 Handling of assets

Classification and labelling work much like the TLP (Traffic Light Protocol) you may already know: a small, fixed set of labels, each with a handling rule attached, applied consistently to every piece of information.

A.8.3 Media handling

8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical media transfer

Proper media disposal is often neglected because certified destruction costs money, unless you shred or degauss in house; A.11.2.7 (secure disposal or re-use of equipment) covers the same problem for whole devices. The inventory controls in A.8.1 map to CIS Controls 1 & 2 (inventory and control of enterprise assets and of software assets).

A.9 Access control 14 controls

Limiting access to information and information processing facilities to what a role actually needs (need-to-know and least privilege).

A.9.1 Business requirements of access control

9.1.1 Access control policy
9.1.2 Access to networks & network services

A.9.2 User access management

9.2.1 User registration & de-registration
9.2.2 User access provisioning
9.2.3 Management of privileged access rights
9.2.4 Management of secret authentication information
9.2.5 Review of user access rights
9.2.6 Removal / adjustment of access rights

A.9.3 User responsibilities

9.3.1 Use of secret authentication information

A.9.4 System & application access control

9.4.1 Information access restriction
9.4.2 Secure log-on procedures
9.4.3 Password management system
9.4.4 Use of privileged utility programs
9.4.5 Access control to program source code

Conceptual background worth knowing: the Bell–LaPadula model (confidentiality: "no read up, no write down") and the Biba model (integrity: the mirror image, "no read down, no write up"). Both are mandatory, label-based models. Most organisations implement A.9 with role-based, need-to-know access instead, but the two models remain the vocabulary for reasoning about what a read or write across classification levels can leak or contaminate.
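The four rules above as a minimal reference monitor, as an added example that is not code from the Defencia page or from ISO 27002. The four-level lattice, the subject and the objects are constructed for illustration; in a real system the same labels would be attached to processes and files by the OS or the application.

```python
"""Bell-LaPadula and Biba decision rules as a minimal reference monitor.

Added example, not code from the Defencia page or from ISO 27002.
The four-level lattice and the sample subjects/objects are constructed
for illustration; real systems attach these labels to processes and files.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """One ordered lattice used for both models.

    Under Bell-LaPadula a higher value means more sensitive; under Biba it
    means more trustworthy. IntEnum gives us the ordering for free.
    """
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    level: Level  # clearance (BLP) / integrity level (Biba)


@dataclass(frozen=True)
class Obj:
    name: str
    level: Level  # classification (BLP) / integrity label (Biba)


# Bell-LaPadula: protects confidentiality.
def blp_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up."""
    return s.level >= o.level


def blp_write(s: Subject, o: Obj) -> bool:
    """*-property: no write down; a subject may only write at or above its level."""
    return s.level <= o.level


# Biba: protects integrity; the inequalities are mirrored.
def biba_read(s: Subject, o: Obj) -> bool:
    """Simple integrity property: no read down (do not consume less trusted data)."""
    return s.level <= o.level


def biba_write(s: Subject, o: Obj) -> bool:
    """Integrity *-property: no write up (do not contaminate more trusted data)."""
    return s.level >= o.level


_RULES = {
    ("blp", "read"): blp_read,
    ("blp", "write"): blp_write,
    ("biba", "read"): biba_read,
    ("biba", "write"): biba_write,
}


def permitted(model: str, action: str, s: Subject, o: Obj) -> bool:
    """Reference-monitor entry point; an unknown model or action is a deny."""
    rule = _RULES.get((model, action))
    return bool(rule and rule(s, o))


def decisions(s: Subject, o: Obj) -> dict:
    """All four decisions for one subject/object pair, keyed by (model, action)."""
    return {key: rule(s, o) for key, rule in _RULES.items()}


if __name__ == "__main__":
    analyst = Subject("analyst", Level.CONFIDENTIAL)
    for obj in (Obj("warplan", Level.SECRET), Obj("notice", Level.PUBLIC)):
        for (model, action), ok in decisions(analyst, obj).items():
            print(f"{model:4} {action:5} {analyst.name} -> {obj.name:8}: {'allow' if ok else 'deny'}")
```

Running it for a CONFIDENTIAL analyst shows the tension between the two models: Bell–LaPadula lets the analyst read the PUBLIC notice but not the SECRET plan, while Biba does the opposite, because a PUBLIC object is the least trustworthy input. That is why systems that need both use separate confidentiality and integrity labels rather than one lattice, and why a deny-by-default entry point (unknown model or action is refused) is the safe shape for the monitor.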

A.10 Cryptography 2 controls

Encryption and key management of sensitive information — to protect confidentiality, authenticity and/or integrity.

10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management

A.11 Physical and environmental security 15 controls

Securing the organisation's premises and equipment.

A.11.1 Secure areas

11.1.1 Physical security perimeter
11.1.2 Physical entry controls
11.1.3 Securing offices, rooms & facilities
11.1.4 Protecting against external & environmental threats
11.1.5 Working in secure areas
11.1.6 Delivery & loading areas

A.11.2 Equipment

11.2.1 Equipment siting & protection
11.2.2 Supporting utilities
11.2.3 Cabling security
11.2.4 Equipment maintenance
11.2.5 Removal of assets
11.2.6 Security of equipment & assets off-premises
11.2.7 Secure disposal / re-use of equipment
11.2.8 Unattended user equipment
11.2.9 Clear desk & clear screen policy

A.12 Operations security 14 controls

Ensuring information processing facilities are secure.

A.12.1 Operational procedures & responsibilities

12.1.1 Documented operating procedures
12.1.2 Change management
12.1.3 Capacity management
12.1.4 Separation of development, testing & operational environments

A.12.2 Protection from malware

12.2.1 Controls against malware

A.12.3 Backup

12.3.1 Information backup

A.12.4 Logging & monitoring

12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator & operator logs
12.4.4 Clock synchronisation

A.12.5 Control of operational software

12.5.1 Installation on operational systems

A.12.6 Technical vulnerability management

12.6.1 Management of technical vulnerabilities
12.6.2 Restrictions on software installation

A.12.7 Information systems audit considerations

12.7.1 Audit controls

A.13 Communications security 7 controls

Protecting information in networks and in transit.

A.13.1 Network security management

13.1.1 Network controls
13.1.2 Security of network services
13.1.3 Segregation in networks

A.13.2 Information transfer

13.2.1 Information transfer policies & procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
13.2.4 Confidentiality / non-disclosure agreements

A.14 System acquisition, development & maintenance 13 controls

Making information security a central part of systems across the whole lifecycle.

A.14.1 Security requirements of information systems

14.1.1 Security requirements analysis & specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application service transactions

A.14.2 Security in development & support

14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
14.2.8 System security testing
14.2.9 System acceptance testing

A.14.3 Test data

14.3.1 Protection of test data

A.15 Supplier relationships 5 controls

What to put in third-party contracts, and how to check the agreements are kept.

A.15.1 Information security in supplier relationships

15.1.1 Information security policy for supplier relationships
15.1.2 Addressing security within supplier agreements
15.1.3 ICT supply chain

A.15.2 Supplier service delivery management

15.2.1 Monitoring & review of supplier services
15.2.2 Managing changes to supplier services

In a GDPR context this is where the data processing agreement (DPA; in Danish, databehandleraftale) lives: the written contract required by Article 28 that governs how a processor handles personal data on your behalf, and whose monitoring and change clauses are exactly what A.15.2 asks you to exercise.

A.16 Information security incident management 7 controls

How to report disruptions and breaches, and who owns which activity.

16.1.1 Responsibilities & procedures
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
16.1.4 Assessment of & decision on information security events
16.1.5 Response to information security incidents
16.1.6 Learning from information security incidents
16.1.7 Collection of evidence

The objective is a consistent, effective approach across the whole lifecycle of incidents, events and weaknesses. This is the bridge to emergency/contingency management and IR playbooks — see the Defencia IR phases and emergency management pages.

A.17 Business continuity 4 controls

Information security aspects of business continuity management — addressing business disruption.

A.17.1 Information security continuity

17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review & evaluate information security continuity

The Business Impact Analysis (BIA) is the input to A.17.1.1 (planning), and A.17.1.2 is the home of the Business Continuity Plan (BCP) that results from it. The dedicated standard for business continuity management is ISO 22301.

A.17.2 Redundancies

17.2.1 Availability of information processing facilities

A.18 Compliance 8 controls

Identifying the laws and regulations that apply, and reviewing that security is implemented as intended.

A.18.1 Compliance with legal & contractual requirements

18.1.1 Identification of applicable legislation & contractual requirements
18.1.2 Intellectual property rights
18.1.3 Protection of records
18.1.4 Privacy & protection of personally identifiable information
18.1.5 Regulation of cryptographic controls

A.18.2 Information security reviews

18.2.1 Independent review of information security
18.2.2 Compliance with security policies & standards
18.2.3 Technical compliance review