ISO 27001 Controls: More cybersecurity with Annex A measures

- The ISO 27001 Controls cover all relevant areas of information security.
- Based on a risk assessment, organizations can select the appropriate measures from Annex A.
- To ensure the effectiveness of the measures, the ISO 27001 Controls should be regularly reviewed and adapted to current threats.
ISO 27001 helps compliance officers establish a robust Information Security Management System (ISMS) that aims to achieve three information security objectives: an ISMS should ensure the confidentiality, integrity, and availability of information. A central component of the international standard is the set of ISO 27001 Controls in Annex A.
What are the ISO 27001 Controls?
ISO 27001 Controls comprise a total of 93 specific security controls with which companies can effectively manage and minimize risks in the area of information security. This comprehensive catalog of measures offers a structured framework for protecting sensitive information and forms the backbone of an ISMS.
All 93 security controls are described in detail in Appendix A or Annex A of ISO 27001 and cover various areas of a company.
Annex A and the Four Control Groups at a Glance
Annex A of the ISO standard helps your company select and implement the right security controls for your individual risks and needs. The controls cover all aspects of information security so that no security-related gaps arise.
For better clarity, Annex A is divided into clauses A 5 to A 8 and into four control categories:
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
Organizational Controls for Continuous Information Security
The Organizational Controls comprise 37 measures concerning organizational structures and processes. They are particularly important for ensuring that a systematic and controlled approach to information security is in place.
Examples of ISO 27001 Controls from Annex A 5:
- A 5.1 Information Security Policy: Establishing a clear security policy within the company
- A 5.2 Roles and Responsibilities: Assigning clear responsibilities for information security
These measures create a solid foundation for the ISMS and ensure that the information security strategy is embedded throughout the organization.
People Controls to protect your team
The 8 People Controls relate to the protection of the people in your organization. They ensure that the workforce behaves in a security-conscious manner and is able to contribute to minimizing potential risks.
Examples of ISO 27001 Controls from Annex A 6:
- A 6.1 Security Screening: Conducting background checks for new employees
- A 6.2 Awareness and Training: Regular training to raise awareness of information security risks
The awareness of employees is a critical factor in information security, as human error often represents the biggest vulnerability.
Physical Controls
The 14 Physical Controls relate to the protection of physical locations, devices, and facilities from unauthorized access.
Examples of ISO 27001 Controls from Annex A 7:
- A 7.1 Securing Facilities: Access controls for buildings and server rooms
- A 7.2 Protection from Environmental Threats: Measures to protect against fire, water, or other environmental risks
Through physical security measures, companies can ensure that sensitive data and systems are protected from theft or physical damage.
Technological Controls
The Technological Controls are 34 measures that secure technological systems and networks, ensuring that IT systems are protected from cyberattacks.
Examples of ISO 27001 Controls from Annex A 8:
- A 8.1 Access Controls: Implementation of access rights for IT systems
- A 8.2 Encryption: Encryption of sensitive data, both at rest and in transit
Technological measures such as encryption and access management are crucial for protecting sensitive data from unauthorized access or loss.
ISO 27001:2022: Changes in Annex A since 2013
ISO 27001 was updated in 2022 to better address the evolving requirements and threats of the digital world. These are the three most important changes:
- New Structure: The number of controls was reduced from 114 to 93 and divided into four groups: Organizational, People, Physical, and Technological Controls. This clear structure is intended to help companies implement the measures.
- New Measures: New controls were added to respond to current threats, such as those arising from the use of cloud services.
- Removal of Outdated Controls: Some measures that were hardly relevant in practice anymore were removed.
Which ISO 27001 Controls were added in 2022?
The changes to ISO 27001 reflect the growing need for specific measures to address modern IT challenges such as cloud security and protection against cyberattacks. Therefore, new additions to Annex A of ISO 27001:2022 include the following controls:
- A 5.7 Threat intelligence: Regular analysis and communication of current threats
- A 8.28 Data storage procedures: Management and protection of data stored in the cloud
- A 11.3 Protection of working environment: Measures for the protection of workplaces and office areas
What is the difference between ISO 27001 and ISO 27002?
In addition to ISO 27001, there is ISO 27002. These are the differences:
- ISO 27001 describes the Framework and requirements for an ISMS. It defines which security goals must be achieved in order to effectively protect the system.
- ISO 27002 provides specific guidelines and best practices for implementing the security goals described in ISO 27001.
In short, ISO 27001 defines the goals that information security must achieve, and ISO 27002 provides specific information on how these goals can be achieved. Through this combination of goals (ISO 27001) and their implementation (ISO 27002), companies have clear instructions on how to plan, implement, and monitor their information security measures.
Why are the ISO 27001 controls from Annex A so important for companies?
With an ISMS, you protect your data and IT systems and improve your organization's resilience, giving better protection against cyber attacks, which can mean financial and reputational damage for those affected.
When implementing an ISMS, you can use the ISO 27001 controls to tailor a package of measures to the individual security needs of your organization and thus attain ISO 27001 certification.
With ISO controls, you can:
- Minimize risks: Organizations face a wide range of risks, from cyber attacks to data loss. ISO 27001 Controls help to identify these risks and take appropriate measures to minimize them.
- Comply with legal regulations more easily: By implementing ISO 27001 Controls, companies can ensure that they comply with regulatory requirements, such as the GDPR or the IT Security Act.
- Maintain trust and reputation: Customers and partners are more likely to trust companies that are ISO 27001 certified, as this means that information security is a high priority.
Which controls from Appendix A should my company implement?
Not all 93 controls need to be implemented in every company. Instead, you should decide which controls are relevant based on an IT risk analysis in accordance with ISO 27001. Factors such as company size, industry, and existing risks play a role in this. However, it is important to at least check all categories. This ensures that you don't overlook any critical security gaps.
Practical example of implementing ISO 27001 controls
A medium-sized company that stores and processes customer data using cloud services is aiming for ISO 27001 certification. One of the biggest risks for SMEs is unauthorised access to this data due to cyber attacks or internal vulnerabilities.
Those responsible can implement various technological controls from Annex A of ISO 27001 to set up an ISMS:
- With access controls from Annex A 8.1, for example, the company can ensure that only authorized employees have access to sensitive data.
- By introducing multi-factor authentication (MFA) and role-based access rights, the company can better control and secure access to the cloud database.
What role does SoA ISO 27001 play for controls?
If you want to implement an ISMS correctly, you must cleanly document the information security measures taken for this purpose. The Statement of Applicability (SoA for short) helps with this.
In the SoA, as part of ISO 27001 certification, companies can list all measures from Annex A that have already been implemented or are still to be implemented and why certain measures are not being taken.
Tips for choosing and implementing controls
- Start with a risk assessment: Conduct a thorough risk assessment to identify relevant security risks and choose the right ISO 27001 controls.
- Set priorities: Prioritize measures based on specific risks, your company size and the technologies used. In small companies without their own server rooms, physical controls such as securing data centers are less relevant than in companies with multiple locations.
- Continuous review: Security threats are constantly changing. Therefore, check the implemented controls regularly and make adjustments to counteract new threats such as ransomware attacks or vulnerabilities in cloud systems.
Added value of ISO 27001 controls for companies
The implementation of ISO 27001 Controls provides companies with clear added value. Not only do they help to mitigate risks and meet regulatory requirements, but they also strengthen the trust of customers, partners, and regulators in the organization's ability to securely manage data.
ISO 27001 Controls not only provide a flexible framework, but also clear instructions for gradually improving information security and adapting the ISMS to changing risks. If you want to use ISO Controls efficiently and correctly right from the start, we would be happy to assist you with this.