What are the 14 ISO 27001 Domains & Controls

The ISO 27001 standard defines best practices for an information security management system (ISMS). It applies a risk-based approach to information security: organisations must identify their information security risks and select the relevant controls to address them.

ISO 27001 has 114 controls classified into 14 domains as defined in Annex A of the standard. Here is a brief explanation.

Annex A.5: Information Security Policies

This annex aims to ensure policies are written, reviewed, and aligned with the organisation’s information security practices. It features two controls:

  • Annex A.5.1.1 – Information Security Policies
  • Annex A.5.1.2 – Review of Information Security Policies

Annex A.6: Organisation of Information Security

Annex A.6 provides a framework to initiate and control the deployment of a security management system.

It is subdivided into two categories:

  • Annex A.6.1 – Information Security Roles and Responsibilities
  • Annex A.6.2 – Security Practices for Remote Working

Annex A.7: Human Resource Security

The purpose of this annex is to establish the role of human resources. It requires employees, leaders, contractors, and other team members to understand their accountabilities.

Annex A.8: Asset Management

This annex covers identifying information assets and implementing appropriate protection measures for them. It is subdivided into three categories:

  • Annex A.8.1: Recognition of information assets
  • Annex A.8.2: Classification of information assets
  • Annex A.8.3: Management of information systems

Annex A.9: Access Control

The objective of this annex is to limit access to data and information processing facilities. It requires a policy under which team members can view only the information relevant to their individual roles.

Annex A.10: Cryptography

Primarily, this annex protects the confidentiality, integrity, and authenticity of information by promoting the effective use of cryptography.

Annex A.11: Physical & Environmental Security

This annex focuses on the physical and environmental factors that influence the organisation. Its 15 controls are divided into two broad groups.

  • Annex A.11.1: Prevention of unauthorised access, trespass, damage, or interference to the company’s premises
  • Annex A.11.2: Protection of company equipment

Annex A.12: Operations Security

Annex A.12 is used to ensure information processing facilities are protected. It calls for organisations to implement the proper defence systems to mitigate the risks of malware infection and data loss.

Annex A.13: Communications Security

This annex covers the protection of network security management and information transfer within the organisation.

Annex A.14: System Acquisition, Development, and Maintenance

This annex aims to maintain healthy information security practices for improved company operations.

Annex A.15: Supplier Relations

This annex has 15 controls that address contractual agreements between suppliers and organisations.

Annex A.16: Information Security Incident Management

This annex tackles the management of security weaknesses and incidents that arise in the company in relation to important information.

Annex A.17: Information Security Aspects of Business Continuity Management

It deals with business disruptions by establishing the information security requirements necessary for business continuity.

Annex A.18: Compliance

It ensures the information security system is deployed and operated in compliance with applicable laws, regulations, and contractual requirements.

Get Comprehensive ISO 27001 Consulting with Next Practice

Next Practice has the best coaching programs you can leverage to enhance your information security and improve business performance. Contact us today to get tailored business coaching and consultation solutions.