Controls Guide for ISO 27001 - Part 2

What are ISO 27001's 14 domains?

Annex A of ISO/IEC 27001:2013 groups its 114 controls into 14 "domains", numbered A.5 to A.18. (The 2022 revision of the standard reorganises Annex A into four themes with 93 controls; the structure below is the 2013 layout.) The sections cover the following:

Annex A.5. Information Security Policies:  The objective of Annex A.5 is to provide management direction and support for information security in line with business requirements and with applicable laws and regulations. The Annex contains two controls:

  • A.5.1.1 Policies for Information Security  – A set of information security policies must be defined, approved by management, published, and communicated to employees and relevant external parties.
  • A.5.1.2 Review of the Policies for Information Security  – The information security policies must be reviewed at planned intervals, or whenever significant changes occur, to ensure they remain suitable, adequate, and effective.

Annex A.6. Organization of Information Security: 

  • Annex A.6.1 is about the internal organization of information security. The objective is to establish a management framework that initiates and controls the implementation and operation of information security within the organisation. Annex A.6 contains seven controls in total, split between A.6.1 (internal organization) and A.6.2 (mobile devices and teleworking).
  • Annex A.6.1.1 Information Security Roles & Responsibilities  requires that all information security responsibilities be defined and allocated. Responsibilities may be generic (for example, protecting information) or specific (for example, the responsibility for granting a particular permission).

Annex A.7. Human Resource Security:

  • Annex A.7.1 covers the period prior to employment and is concerned directly with human resources. The objective is to ensure that employees and contractors understand their responsibilities and are suitable for the roles they are considered for; the rest of the Annex (A.7.2 and A.7.3) covers responsibilities during employment and what happens when people leave or change roles. There are 6 controls in the Annex.

All candidates are subject to background verification checks, carried out in accordance with relevant laws and proportionate to the business requirements, the classification of the information to be accessed, and the perceived risks. The contractual agreements signed by employees and contractors must state both their and the organisation's responsibilities for information security. The aim is to ensure that employees and contractors are aware of, and fulfil, their information security responsibilities throughout their employment.

Annex A.8. Asset management:

Responsibility for assets is covered in Annex A.8.1. The objective is to identify the information assets that fall within the scope of the management system and to assign appropriate protection responsibilities for them. There are 10 controls in the Annex. It requires that all assets associated with information and information processing facilities be identified, recorded in an inventory, and assigned an owner, with the inventory documenting how each asset is handled and controlled.

Annex A.9. Access Control: 

  • Annex A.9.1 is about the business requirements of access control. The objective is to limit access to information and information processing facilities. There are 14 controls in this Annex. An access control policy must be established, documented, and reviewed periodically on the basis of the business and information security requirements for the assets. Users should be given access only to the networks and network services they have been specifically authorised to use for their jobs, and a formal provisioning process must exist to assign or revoke access rights for all user types to all systems and services.

Annex A.10. Cryptography:

  • Annex A.10.1 is about cryptographic controls. The objective is to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. There are two controls in this Annex. It requires a policy on the use, protection, and lifetime of cryptographic keys, covering the whole key lifecycle: generation, distribution, storage, backup, change or update, and, at the end of the key's life, revocation and destruction.

Annex A.11. Physical and environmental Security: 

  • Annex A.11.1 is about secure areas. The objective is to prevent unauthorised physical access, damage, and interference to the organisation's information and information processing facilities. There are 15 controls in total in Annex A.11. Security perimeters must be defined and used to protect areas that contain sensitive or critical information, including locations housing information processing equipment such as servers, desktops, and laptops. Secure areas must be protected by appropriate entry controls so that only authorised personnel are admitted. The Annex (in A.11.2, equipment) also addresses preventing loss, damage, theft, or compromise of assets and interruption to the organisation's operations.

Annex A.12. Operations security:

  • Annex A.12.1 is about operational procedures and responsibilities. The objective is to ensure correct and secure operation of information processing facilities. There are 14 controls in Annex A.12. Operating procedures must be documented and made available to all users who need them. Properly documented procedures help systems run consistently even when new staff or resources are brought in, and they are frequently essential for disaster recovery, business continuity, and situations where key staff are unavailable. Protection from malware (A.12.2) is also covered in this Annex; its objective is to ensure that information and information processing facilities are protected against malware.

Annex A.13. Communications security: 

  • Annex A.13.1 is about network security management. The objective is to ensure the protection of information in networks and of the information processing facilities that support them. There are 7 controls in Annex A.13. Networks must be managed and controlled to protect the information in systems and applications, which means the organisation needs procedures and controls that safeguard the data held in those systems and applications.
  • Annex A.13.2  is about information transfer. The objective is to maintain the security of information transferred within the organisation and with any external party, such as a customer, a supplier, or other interested parties.

Annex A.14. System Acquisition, Development and Maintenance:

  • Annex A.14.1 is about security requirements of information systems. The objective is to ensure that information security is an integral part of information systems across their entire lifecycle, including the requirements for systems that provide services over public networks. There are 13 controls in Annex A.14. Information security requirements must be included in the requirements for new information systems and for enhancements to existing ones.
  • Annex A.14.2 is about security in development and support processes. The objective is to ensure that information security is designed and implemented within the development lifecycle of information systems.

Annex A.15. Supplier Relationships:

  • Annex A.15.1  is about information security in supplier relationships. The objective is to protect the organisation's assets that are accessible to, or affected by, suppliers. This should also cover other important relationships, such as those with business partners. There are 5 controls in Annex A.15.
  • Annex A.15.2  is about supplier service delivery management. The objective is to maintain an agreed level of information security and service delivery in line with supplier agreements.

Annex A.16. Information Security Incident Management:

  • Annex A.16.1  is concerned with managing information security incidents and improvements. The objective is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses, throughout their lifecycle. There are 7 controls in this Annex. They require management to establish responsibilities and procedures that guarantee a quick, effective, and orderly response to information security events, weaknesses, and incidents.

Annex A.17. Information Security Aspects of Business Continuity Management:

  • Annex A.17.1 is about information security continuity. The objective is to embed information security continuity in the organisation's business continuity management systems. There are 4 controls in Annex A.17. The organisation must determine its requirements for information security and for the continuity of information security management in adverse situations, such as a crisis or disaster.

Annex A.18. Compliance:

  • Annex A.18.1  is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security, and of any security requirements. There are 8 controls in Annex A.18.
  • Annex A.18.2  is about information security reviews. The objective is to ensure that information security is implemented and operated in accordance with the organisation's policies and procedures.

When information like this seems overwhelming, experienced cyber security companies like QRC can step in and help streamline the process. As discussed previously, organisations are not obliged to implement all 114 of ISO 27001's controls: Annex A is a reference list from which controls are selected on the basis of the organisation's own risk assessment, with the inclusion or exclusion of each control justified in the Statement of Applicability. For you and your management team, the standard serves as a roadmap for establishing, implementing, maintaining, and continually improving an effective information security management system. With the relevant controls above in place, you will have a structured process that helps your organisation identify and promptly treat potential risks.

Contact our experienced auditors and consultants for additional information and support on the ISO 27001 standard, and to learn about the ISO 27001 certification process and relevant industry insights.

