ISO 27001 - Coggle Diagram
ISO 27001
The 14 domains of ISO 27001 are
Information security policies
Human resource security
Access control
Physical and environmental security
System acquisition, development and maintenance
Information security incident management
Information security aspects of business continuity management
Organisation of information security
Asset management
Cryptography
Operations security
Supplier relationships
Compliance
The 14 control sets of Annex A
Annex A.5 – Information security policies (2 controls)
This annex is designed to make sure that policies are written and reviewed in line with the overall direction of the organisation’s information security practices.
Annex A.6 – Organisation of information security (7 controls)
This annex covers the assignment of responsibilities for specific tasks. It’s divided into two sections, with Annex A.6.1 ensuring that the organisation has established a framework that can adequately implement and maintain information security practices.
Meanwhile, Annex A.6.2 addresses mobile devices and remote working. It’s designed to ensure that anyone who works from home or on the go – either part-time or full-time – follows appropriate practices.
Annex A.7 – Human resource security (6 controls)
The objective of Annex A.7 is to make sure that employees and contractors understand their responsibilities.
It’s divided into three sections:
Annex A.7.1 addresses individuals’ responsibilities before employment.
Annex A.7.2 covers their responsibilities during employment.
Annex A.7.3 addresses their responsibilities when they no longer hold that role because they’ve left the organisation or changed positions.
Annex A.8 – Asset management (10 controls)
This annex concerns the way organisations identify information assets and define appropriate protection responsibilities.
It contains three sections. Annex A.8.1 is primarily about organisations identifying information assets within the scope of the ISMS.
Annex A.8.2 is about information classification. This process ensures that information assets are subject to an appropriate level of defence.
Annex A.8.3 is about media handling, ensuring that sensitive data isn’t subject to unauthorised disclosure, modification, removal or destruction.
Annex A.9 – Access control (14 controls)
The aim of Annex A.9 is to ensure that employees can only view information that’s relevant to their job.
It’s divided into four sections, addressing the business requirements of access controls, user access management, user responsibilities and system and application access controls, respectively.
Annex A.10 – Cryptography (2 controls)
This annex is about data encryption and the management of sensitive information. Its two controls ensure that organisations use cryptography effectively to protect data confidentiality, integrity and availability.
Annex A.11 – Physical and environmental security (15 controls)
This annex addresses the organisation’s physical and environmental security. It’s the most extensive annex in the Standard, containing 15 controls separated into two sections.
The objective of Annex A.11.1 is to prevent unauthorised physical access, damage or interference to the organisation’s premises or the sensitive data held therein.
Meanwhile, Annex A.11.2 deals specifically with equipment. It’s designed to prevent the loss, damage or theft of an organisation’s information asset containers – whether that’s, for example, hardware, software or physical files.
Annex A.12 – Operations security (14 controls)
ISO 27001 Annex A controls explained
Luke Irwin, 27th July 2020
ISO 27001 is the international standard that describes best practices for an ISMS (information security management system).
The Standard takes a risk-based approach to information security. This requires organisations to identify information security risks and select appropriate controls to tackle them.
Those controls are outlined in Annex A of the Standard. There are 114 ISO 27001 Annex A controls, divided into 14 categories.
Contents
ISO 27001 controls list: the 14 control sets of Annex A
Who is responsible for implementing Annex A controls?
Using the 14 domains of ISO 27001
Identify the controls you should implement
ISO 27001 controls list: the 14 control sets of Annex A
Annex A.13 – Communications security (7 controls)
This annex concerns the way organisations protect the information in networks.
It’s divided into two sections. Annex A.13.1 concerns network security management, ensuring that the confidentiality, integrity and availability of information in those networks remain intact.
Meanwhile, Annex A.13.2 deals with information security in transit, whether it’s going to a different part of the organisation, a third party, a customer or another interested party.
Annex A.14 – System acquisition, development and maintenance (13 controls)
The objective of Annex A.14 is to ensure that information security remains a central part of the organisation’s processes across the entire lifecycle.
Its 13 controls address the security requirements for internal systems and those that provide services over public networks.
Annex A.15 – Supplier relationships (5 controls)
This annex concerns the contractual agreements organisations have with third parties.
It’s divided into two sections. Annex A.15.1 addresses the protection of an organisation’s valuable assets that are accessible to or affected by suppliers.
Meanwhile, Annex A.15.2 is designed to ensure that both parties maintain the agreed level of information security and service delivery.
Annex A.16 – Information security incident management (7 controls)
This annex is about how to manage and report security incidents. This process involves identifying which employees should take responsibility for specific actions, thus ensuring a consistent and effective approach to the lifecycle of incidents and responses.
Annex A.17 – Information security aspects of business continuity management (4 controls)
The aim of Annex A.17 is to create an effective system to manage business disruptions.
It’s divided into two sections. Annex A.17.1 addresses information security continuity – outlining the measures that can be taken to ensure that information security continuity is embedded in the organisation’s business continuity management system.
Annex A.17.2 looks at redundancies, ensuring the availability of information processing facilities.
Annex A.18 – Compliance (8 controls)
This annex ensures that organisations identify relevant laws and regulations. This helps them understand their legal and contractual requirements, mitigating the risk of non-compliance and the penalties that come with that.
Who is responsible for implementing Annex A controls?
Six security areas
01 – Company security policy
02 – Asset management
03 – Physical and environmental security
04 – Access control
05 – Incident management
06 – Regulatory compliance