The controls listed in Annex A of ISO 27001 fall into four groups, which are derived from and aligned with Clauses 5 to 8. They are:

  • Organisational controls
  • People controls
  • Physical controls
  • Technological controls

The following is a brief overview of controls in these groups.

5) Organisational controls

This group consists of 37 controls designed to enable effective management of information security risks. It includes controls related to risk management, incident response planning, information security policies, and the clear definition and assignment of roles and responsibilities.

Some example controls are:

  • A.5.3) Segregation of duties: Conflicting duties and conflicting areas of responsibility shall be segregated.
  • A.5.10) Acceptable use of information and other associated assets: Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
  • A.5.19) Information security in supplier relationships: Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
  • A.5.27) Learning from information security incidents: Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
  • A.5.36) Compliance with policies, rules and standards for information security: Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

6) People controls

This group consists of 8 controls designed to manage the human factor of information security. It includes controls related to training, awareness, and the management of human resources.

Some example controls are:

  • A.6.1) Screening: Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
  • A.6.3) Information security awareness, education and training: Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
  • A.6.5) Responsibilities after termination or change of employment: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
  • A.6.7) Remote working: Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

7) Physical controls

This group consists of 14 controls that protect the physical environment of information systems. It includes controls related to secure areas, equipment security, and the management of physical access.

Some example controls are:

  • A.7.4) Physical security monitoring: Premises shall be continuously monitored for unauthorized physical access.
  • A.7.7) Clear desk and clear screen: Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
  • A.7.10) Storage media: Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
  • A.7.14) Secure disposal or re-use of equipment: Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

8) Technological controls

This group consists of 34 controls that protect information systems and networks. It includes controls related to access control, cryptography, and the management of technical vulnerabilities.

Some example controls are:

  • A.8.8) Management of technical vulnerabilities: Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
  • A.8.10) Information deletion: Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
  • A.8.15) Logging: Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
  • A.8.17) Clock synchronization: The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
  • A.8.23) Web filtering: Access to external websites shall be managed to reduce exposure to malicious content.
  • A.8.31) Separation of development, test and production environments: Development, testing and production environments shall be separated and secured.