ISO 27001 is the international standard that specifies the requirements for an information security management system (ISMS): the policies, processes and controls an organization uses to protect its information, and the documentation that shows they are in place and working. The standard has two parts: the main clauses, which state the requirements every certified ISMS must meet, and Annex A, a reference list of security controls you select from to satisfy those requirements.
In this guide, we’ll cover what Annex A is, explain which controls are within each domain, and how to know which ones are right for your ISO 27001 implementation.
What are ISO 27001 Annex A controls?
The ISO 27001 framework serves as a guide for organizations developing their information security management system. It is divided into two parts: the clauses and Annex A. Clauses 4 through 10 (context of the organization, leadership, planning, support, operation, performance evaluation and improvement) set out the mandatory requirements for building a certifiable ISMS; clauses 1 to 3 are introductory and contain no requirements. Annex A lists reference controls that you select from, through the risk assessment and risk treatment process required by clause 6.1, to satisfy those requirements. Each organization seeking certification must decide which Annex A controls are relevant to it, record each decision and its justification in a Statement of Applicability (SoA), and implement the controls it has selected.
There is also a companion standard, ISO 27002, which gives implementation guidance for every control in Annex A. The three fit together like this:
- The ISO 27001 clauses state the requirements your ISMS must meet to be certified.
- Annex A is a reference list of controls you select from, and justify, to meet those requirements.
- ISO 27002 explains each Annex A control in detail and how to implement it.
What are the 4 domains of ISO 27001 in Annex A?
Annex A of ISO 27001:2022 contains 93 controls, grouped into four themes that are commonly called the four domains of Annex A: organizational, people, physical and technological. (The 2013 edition listed 114 controls across 14 domains, so older guides and templates will look different.) In this section, we’ll look at what each domain covers.
Annex A.5: Organizational controls
Annex A.5 contains 37 controls and is the largest of the four groups. It starts with information security policies and the definition of roles and responsibilities, so that accountability is established before anything else; segregation of duties and management responsibilities follow. Contact with authorities and with special interest groups, together with a dedicated threat intelligence control, are there to keep the organization informed rather than reactive.
Further controls cover information security in project management, asset inventories, acceptable use, return of assets, and classification and labelling of information. Access control, identity management and authentication information sit in this group because the policies and ownership behind them are organizational decisions, even though their enforcement is technical. Supplier relationships, including the use of cloud services, and the incident management lifecycle (planning, assessment, response and learning from incidents) have their own controls. The group closes with compliance: legal, statutory, regulatory and contractual requirements, intellectual property, privacy and protection of personal data, independent review of information security, and documented operating procedures.
Taken together, A.5 is the governance layer of the ISMS; the people, physical and technological controls that follow are where those decisions get carried out.
Annex A.6: People controls
Annex A.6 contains 8 controls and addresses the human factor, on the premise that technology alone cannot secure an organization. It starts with screening of candidates before hire and terms and conditions of employment that spell out security responsibilities, and it requires ongoing information security awareness, education and training rather than a one-off induction.
A defined disciplinary process gives the organization a backstop for enforcing its policies. Responsibilities that survive termination or a change of role are addressed explicitly, so that access is revoked and obligations are restated when someone leaves or moves. Confidentiality and non-disclosure agreements add a contractual layer, remote working has its own control, and a defined route for staff to report information security events connects people to the incident management process. People are frequently the initial entry point for attacks, which is why this small group of controls carries so much weight in practice.
Annex A.7: Physical controls
Annex A.7 contains 14 controls covering physical security and the protection of equipment. It begins with physical security perimeters and controlled entry points to regulate who can reach sensitive areas. The controls extend to securing individual offices, rooms and facilities, and to physical security monitoring so that breaches of those areas are detected. There are measures against physical and environmental threats such as fire, flooding and unauthorized entry, rules for working in secure areas, and the clear desk and clear screen control, which keeps documents and displayed data out of sight of anyone not authorized to see them.
Equipment is covered from siting and protection, through protection of assets taken off premises, secure storage of media, supporting utilities and cabling security, to maintenance and the secure disposal or re-use of equipment so that no data leaves with a retired device. Overall, the controls give a complete picture of physical security requirements, safeguarding both the people and the assets of the organization.
Annex A.8: Technological controls
Annex A.8 contains 34 controls and focuses on the technical infrastructure. Starting with user endpoint devices, the controls move to privileged access rights and information access restriction, which govern the most sensitive paths to data. Access to source code is controlled and secure authentication is required, since these are the gatekeepers for the systems that follow. Capacity management sits alongside protection against malware, a reminder that availability and security are both part of the ISMS. Management of technical vulnerabilities and configuration management provide the basis for keeping systems in a known good state.
The data controls cover information deletion, data masking, data leakage prevention and backups. Redundancy of information processing facilities protects availability, while logging and monitoring activities give the evidence needed to detect and investigate incidents. Clock synchronization keeps log timestamps comparable across systems, and the use of privileged utility programs is restricted. On the network and software side, the controls require network security and segregation, web filtering, cryptography, a secure development lifecycle, secure coding and security testing, control over outsourced development, separation of development, test and production environments, and change management.
Who is responsible for implementing ISO 27001 Annex A controls?
While many consider ISO 27001 and information security to be solely IT’s responsibility, the responsibility actually spans the whole organization. Who implements a given Annex A control depends on the control: screening and disciplinary process belong to human resources, policies and the SoA to leadership and the security function, physical controls to facilities, and the technological controls to engineering and operations. The ISMS owner tracks that each control has a named owner.
How to decide which ISO 27001 controls to implement
You are not required to implement all of the controls listed in Annex A to be ISO 27001 compliant. Instead, clause 6.1.3 requires you to determine the controls necessary to treat the risks you identified, compare that set against Annex A to check that nothing necessary has been omitted, and produce a Statement of Applicability that lists every Annex A control with the justification for including or excluding it and whether it is implemented. An auditor will test the SoA against your risk register, so an exclusion needs a reason (for example, no in-house development, so secure coding is not applicable) and an inclusion should be traceable to a risk, a legal or contractual requirement, or a business objective. ISO 27002 provides additional detail about each control, including attributes such as control type and operational capability, that help you judge whether it is necessary for your organization.
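The Statement of Applicability is what an auditor checks your control selection against, and its consistency can be verified mechanically before the audit. The following Python script is an added example, not Vanta's code and not text from the standard: it takes a constructed subset of Annex A identifiers and a constructed risk register (a real SoA lists all 93 controls and your own risks) and reports controls that are missing from the SoA, included or excluded without a justification, linked to risks that do not exist, or applicable but not traceable to any identified risk.

```python
"""Statement of Applicability (SoA) consistency check.

Added example, not Vanta's code or text from ISO 27001. The control catalogue
and the risk register below are constructed subsets; a real check would load
all 93 Annex A controls and the organization's own risk register.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed subset of ISO 27001:2022 Annex A identifiers (a real SoA lists all 93).
ANNEX_A: Dict[str, str] = {
    "A.5.1": "Policies for information security",
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.6.7": "Remote working",
    "A.7.14": "Secure disposal or re-use of equipment",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.15": "Logging",
    "A.8.28": "Secure coding",
}

# Constructed risk register: risk ID -> short description.
RISK_REGISTER: Dict[str, str] = {
    "R-01": "Unpatched internet-facing services exploited",
    "R-02": "Customer data exposed through misconfigured cloud storage",
    "R-03": "Injection flaw shipped in the web application",
}


@dataclass
class SoAEntry:
    control: str                                    # Annex A identifier, e.g. "A.8.8"
    applicable: bool                                # included in the ISMS or excluded
    justification: str = ""                         # reason for inclusion or exclusion
    risks: List[str] = field(default_factory=list)  # risk IDs the control treats
    implemented: bool = False                       # implementation status


def check_soa(entries: List[SoAEntry],
              catalogue: Dict[str, str] = ANNEX_A,
              risk_register: Dict[str, str] = RISK_REGISTER) -> List[Tuple[str, str, str]]:
    """Return (severity, control, message) findings for an SoA.

    The rules mirror what a certification auditor looks for: every catalogue
    control is addressed exactly once, every inclusion or exclusion carries a
    justification, and every applicable control is traceable to a known risk.
    """
    findings: List[Tuple[str, str, str]] = []
    seen: Dict[str, int] = {}

    for e in entries:
        seen[e.control] = seen.get(e.control, 0) + 1
        if e.control not in catalogue:
            findings.append(("error", e.control, "not an Annex A control identifier"))
            continue
        if not e.justification.strip():
            kind = "inclusion" if e.applicable else "exclusion"
            findings.append(("error", e.control, f"missing justification for {kind}"))
        if e.applicable:
            if not e.risks:
                findings.append(("error", e.control,
                                 "applicable control is not linked to any risk"))
            for r in e.risks:
                if r not in risk_register:
                    findings.append(("error", e.control, f"references unknown risk {r}"))
            if not e.implemented:
                findings.append(("info", e.control, "applicable but not yet implemented"))
        else:
            if e.risks:
                findings.append(("warning", e.control,
                                 "excluded control still linked to risks; revisit the exclusion"))
            if e.implemented:
                findings.append(("warning", e.control, "excluded control marked as implemented"))

    # Every catalogue control must appear exactly once, whether included or excluded.
    for cid in catalogue:
        n = seen.get(cid, 0)
        if n == 0:
            findings.append(("error", cid, "control missing from the SoA"))
        elif n > 1:
            findings.append(("error", cid, f"control listed {n} times"))
    return findings


def errors(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Only the findings that would block sign-off of the SoA."""
    return [f for f in findings if f[0] == "error"]


# Constructed SoA with deliberate defects so the check has something to report.
SAMPLE_SOA = [
    SoAEntry("A.5.1", True, "Required for any ISMS", ["R-01", "R-02", "R-03"], True),
    SoAEntry("A.5.7", True, "Feeds patch prioritisation", ["R-01"], False),
    SoAEntry("A.5.23", True, "Production runs on a public cloud", ["R-02"], True),
    SoAEntry("A.6.7", False, "No remote working; all staff on site", [], False),
    SoAEntry("A.7.14", False, "", [], False),                               # exclusion without a reason
    SoAEntry("A.8.8", True, "Treats unpatched-service risk", ["R-01"], True),
    SoAEntry("A.8.28", True, "In-house web application", ["R-09"], True),  # unknown risk ID
    # A.8.15 Logging is missing from the SoA entirely
]

if __name__ == "__main__":
    for sev, cid, msg in check_soa(SAMPLE_SOA):
        print(f"{sev:8} {cid:7} {msg}")
```

Run against the constructed SoA, the check reports three errors (the unjustified exclusion of A.7.14, the unknown risk on A.8.28, and the missing A.8.15) and one informational item (A.5.7 selected but not yet implemented). Keeping the SoA in a machine-readable form and running a check like this in CI means the document an auditor sees is the same one the risk treatment plan was built from.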
How to get started with ISO 27001 certification
With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 program can look like:
- Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
- Assess your risk holistically from one unified view.
- Identify areas of non-compliance with in-platform notifications.
- Get a checklist of actions to help you make the needed changes.
- Automate evidence collection and centralize all your documents in one place.
- Find a Vanta-vetted auditor within the platform.
- Complete your ISO 27001 certification in half the time.
By using Vanta, you can save your business valuable time and money during your ISO 27001 implementation process. Learn how you can get your ISO 27001 certification faster by requesting a demo.
Your guide to the ISO 27001 Annex A controls
Your checklist to ISO 27001 certification
Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.
See how our ISO 27001 automation works
Request a demo to learn how Vanta can automate up to 80% of the work it takes to get ISO 27001 certified