Annex A Controls

What are Annex A Controls?

Annex A controls refer to a set of security controls outlined in Annex A of the ISO/IEC 27001 standard. This standard provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within an organization and is a critical aspect of privacy and security. 

Annex A of ISO 27001 contains a total of 14 control categories. These controls cover a wide range of areas related to information security management. They serve as a reference point for organizations to assess their security needs and implement appropriate measures to protect their information assets effectively. 

The 14 categories within the ISO 27001 Annex A controls list are as follows:

  • Information Security Policies: this category emphasizes the importance of establishing and maintaining information security policies that are aligned with the organization’s objectives and legal requirements. It covers areas such as policy development, communication, and enforcement.
  • Organizations of Information Security: this category focuses on the establishment of a clear organizational structure for information security management. It includes aspects such as roles and responsibilities, segregation of duties, and coordination of information security efforts.
  • Human Resources Security: this category addresses the security aspects related to human resources. It covers areas such as screening of personnel, awareness training, and defining security responsibilities of employees and contractors.
  • Asset Management: This category deals with the identification, classification, and management information assets. It includes controls for asset inventory, data classification, and protection of assets throughout their lifecycle. 
  • Access Control: this category focuses on controls to ensure that access to information and systems is granted only to authorized individuals. It covers areas such as user access management, password management, and secure system access.
  • Cryptography: This category covers the use of cryptographic techniques to protect the confidentiality, integrity, and authenticity of information. It includes controls for key management, encryption algorithms, and secure key storage.
  • Physical and Environmental Security: this category addresses the physical protection of information assets  and the environment in which they are stored. It includes controls for secure areas, protection against threats such as fire and natural disasters, and physical access controls.
  • Operations Security: this category focuses on controls related to the ongoing operation of information systems and the protection of information assets. It covers areas such as operational procedures, change management, and backup and recovery. 
  • Communications Security: this category addresses the security of information during its transmission. It includes controls for network security, secure communication channels, and protection against unauthorized access or interception.
  • System Acquisition, Development, and Maintenance: this category covers controls related to the development, acquisition, and maintenance of information systems. It includes controls for secure system development, change control, and system testing. 
  • Supplier Relationships: this category addresses the security aspects of relationships with external suppliers. It covers controls for supplier selection, contract management, and monitoring of supplier performance to ensure compliance with security requirements. 
  • Information Security and Incident Management: this category focuses on controls to effectively respond to and manage information security incidents. It includes controls for incident identification, reporting, response, and recovery. 
  • Information Security Aspects of Business Continuity Management: this category addresses the integration of information security requirements into business continuity management. It includes controls for business impact analysis, backup and recovery strategies,and incident response planning. 
  • Compliance: this category covers controls to ensure compliance with legal, regulatory, and contractual requirements related to information security. It includes controls for regular security reviews, audits, and addressing non-compliance issues. 


Which Controls Do Organizations Need to Implement?

Each category within the ISO 27001 Annex A controls includes a set of specific controls. Organizations can select and implement these controls based on their risk assessment and security needs; which controls selected will vary from organization to organization. These controls provide a structured approach to managing information security risks and establishing a robust ISMS. Organizations should use Annex A controls as a starting point for developing their information security policies and procedures.