The Fourteen Areas of ISO 27001 ISMS Controls

Introduction
Information Security Management Systems (ISMS) play a crucial role in ensuring the confidentiality, integrity, and availability of sensitive information. ISO/IEC 27001 provides a comprehensive framework for managing information security risks through a set of well-defined controls. This article explores the fourteen key areas of ISMS controls, their objectives, and the importance of continual monitoring and improvement in compliance with ISO 27001.
New Controls in ISO/IEC 27001
- A.6.1.5 Information security in project management
- A.9.1.2 Access to network and network services
- A.14.2.1 Secure development policy
- A.14.2.5 Secure system engineering principles
- A.14.2.6 Secure development environment
- A.14.2.8 System security testing
- A.15.1.1 Information security policy for supplier relationships
- A.15.1.3 Information and communication technology supply chain
- A.16.1.4 Assessment of and decision on information security events
- A.16.1.5 Response to information security incidents
- A.17.2.1 Availability of information processing facilities
Control Areas and Objectives
| Control Area (Domain) | Control Objective (Sub-Domain) | No. of Control Objectives | No. of Controls |
|---|---|---|---|
| A.5 Information Security Policies | A.5.1 Management direction for information security | 2 | 2 |
| A.6 Organization of Information Security | A.6.1 Internal organization | 7 | 7 |
| A.7 Human Resource Security | A.7.1 Prior to employment | 3 | 6 |
| A.8 Asset Management | A.8.1 Responsibility for assets | 3 | 10 |
| A.9 Access Control | A.9.1 Business requirements of access control | 4 | 14 |
| A.10 Cryptography | A.10.1 Cryptographic controls | 1 | 2 |
| A.11 Physical and Environmental Security | A.11.1 Secure areas | 2 | 15 |
| A.12 Operations Security | A.12.1 Operational procedures & responsibilities | 7 | 14 |
| A.13 Communications Security | A.13.1 Network security management | 2 | 7 |
| A.14 System Acquisition, Development, and Maintenance | A.14.1 Security requirements of information systems | 3 | 13 |
| A.15 Supplier Relationships | A.15.1 Information security in supplier relationships | 2 | 5 |
| A.16 Information Security Incident Management | A.16.1 Management of information security incidents and improvements | 1 | 7 |
| A.17 Information Security Aspects of Business Continuity Management | A.17.1 Information security continuity | 2 | 4 |
| A.18 Compliance | A.18.1 Compliance with legal & contractual requirements | 2 | 8 |
Total Number of Control Objectives and Controls
- Control Objectives: 35
- Controls: 114
Key Notes:
- Control Objectives are italicized and shaded.
- In Risk Treatment, a Control Objective is selected, followed by one or more controls to meet that objective.
- Multiple Control Objectives can be selected for one Risk Treatment.
- Each control has five key components:
  - Control Objective (as per ISO/IEC 27001)
  - Control Reference (in Risk Register and Statement of Applicability)
  - Control Description
  - Guidance for review based on ISO/IEC 27006 Annex D
  - Plain English Explanation (ISO/IEC 27002 Guidelines)
Audit Guidelines (ISO/IEC 27006 – Annex D)
- Organizational Controls: Verified through records, interviews, observation, and inspections.
- Technical Controls: Verified via system testing or specialized audit tools.
  - System Testing: Direct review of system settings and configurations.
  - Visual Inspection: Physical inspection required for effectiveness evaluation.
- Audit Review Focus:
  - Metrics and Trends: Security incidents, policy updates, and risk treatment.
  - Compliance Checks: Legal, regulatory, and contractual requirements.
  - Management Review: Information security updates and effectiveness assessment.
Sample Audit Questions
- Who has reviewed the Information Security Policy?
- What changes were made in the last policy review?
- When was the last policy review conducted?
- Where is the approval of the Information Security Policy documented?
- How do you address changed business requirements in the policy?
- What trends in security incidents have been identified?
- How are learnings from security incidents recorded and applied?
A.5 Information Security Policies
A.5.1 Management Direction for Information Security
Control Objective:
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Control Reference:
A.5.1.1 Policies for Information Security
Control:
A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties.
ISO/IEC 27006 – Annex D (2005 reference A.5.1.1) – Organizational control
Audit Review Guideline:
The information security policy document should cover the following:
- The purpose of implementing ISMS
- Top management commitment
- Overall objectives of ISMS
- Roles and responsibilities
- Risk assessment approach
- Provision of ISMS resources
- Employee education and training
- The necessity to comply with the policy
Reference: ISO/IEC 27002
At a more detailed level, the Information Security Policy should be supported by topic-specific policies that mandate security control implementations based on organizational needs. Examples of topic-specific policies include:
- Access Control Policy (See Clause 9.0)
- Information Classification & Handling (See Clause 8.2)
- Physical and Environmental Security (See Clause 11)
- Acceptable Use of Assets (See Clause 8.1.3)
- Clear Desk & Clear Screen Policy (See Clause 11.2.9)
- Information Transfer Policy (See Clause 13.2.1)
- Mobile Devices & Teleworking Policy (See Clause 6.2)
- Software Installation & Usage Restrictions (See Clause 12.6.2)
- Backup Policy (See Clause 12.3)
- Protection from Malware (See Clause 12.2)
- Management of Technical Vulnerabilities (See Clause 12.6.1)
- Cryptographic Controls (See Clause 10)
- Communications Security (See Clause 13)
- Privacy & Protection of PII (See Clause 18.1.4)
- Supplier Relationships (See Clause 15)
These policies should be effectively communicated to employees and relevant external parties through security awareness, education, and training programs (See Clause 7.2.2).
A.5.1.2 Review of Policies for Information Security
Control:
The policies for information security shall be reviewed at planned intervals or whenever significant changes occur to ensure their continued suitability, adequacy, and effectiveness.
ISO/IEC 27006 – Annex D (2005 reference A.5.1.2) – Organizational control
Audit Review Guideline:
Management review minutes.
“Review” does not always imply a revision or textual change. All management system policies and procedures must be reviewed at least once a year to confirm their relevance. The ISMS policy should be reviewed:
- At planned intervals (e.g., annually)
- Whenever there are significant organizational changes (e.g., mergers, acquisitions, restructuring)
Example: A company merger might require updates to ISMS policies to align with new business operations.
Sample Audit Questions
- Who has reviewed the Information Security Policy?
- What were the changes made during the last review?
- When was the last policy review conducted?
- Where is the documented approval for the Information Security Policy?
- Why does the review process not include business owners?
- How do you incorporate changing business requirements into the policy?
- Can you show the changes made in the policies based on business process updates?
Conclusion
Implementing the ISMS controls outlined in ISO/IEC 27001 is vital for organizations aiming to safeguard their information assets. By following these structured controls, businesses can effectively mitigate security risks, ensure regulatory compliance, and foster a robust security culture. Continual monitoring, risk assessment, and improvement are essential to maintaining effective ISMS that evolves with emerging threats and business needs.
FAQ
What are ISMS controls in ISO 27001?
ISMS controls are a set of security measures outlined in ISO/IEC 27001 to protect sensitive information, mitigate risks, and ensure compliance with security standards.
How many control objectives and controls are there in ISO 27001?
ISO/IEC 27001 includes 35 control objectives and 114 controls, categorized under 14 different domains covering various aspects of information security.
Why is continual improvement important in ISMS?
Continual improvement ensures that an organization’s ISMS adapts to new threats, evolving business needs, and regulatory changes, maintaining a high level of security effectiveness over time.