The ISO 27001 standard specifies the requirements for an information security management system (ISMS). It takes a risk-based approach to information security: an organisation must identify its information security risks and select the controls that treat them, rather than implementing every control by default.
ISO 27001:2013 lists 114 controls grouped into 14 domains in Annex A of the standard. Annex A is a reference catalogue; the risk assessment and the Statement of Applicability decide which controls apply, and every exclusion must be justified. Here is a brief explanation of each domain.
Annex A.5: Information Security Policies
This annex aims to ensure that information security policies are written, approved by management, communicated, and reviewed at planned intervals so that they stay aligned with the organisation's requirements. It features two controls:
- Annex A.5.1.1 – Policies for Information Security
- Annex A.5.1.2 – Review of the Policies for Information Security
Annex A.6: Organisation of Information Security
Annex A.6 provides a management framework to initiate and control the implementation and operation of information security within the organisation, covering roles and responsibilities, segregation of duties, contact with authorities and special interest groups, and information security in project management.
It is subdivided into two categories:
- Annex A.6.1 – Internal Organisation
- Annex A.6.2 – Mobile Devices and Teleworking
Annex A.7: Human Resource Security
The purpose of this annex is to ensure that employees and contractors understand their information security responsibilities and are suitable for their roles. Its controls cover the three stages of employment: screening and terms of employment before hiring, awareness training and disciplinary processes during employment, and responsibilities that continue after termination or a change of role.
Annex A.8: Asset Management
This annex requires organisations to identify their information assets, assign ownership, and apply protection appropriate to each asset's importance. It is subdivided into three categories:
- Annex A.8.1: Responsibility for assets (inventory, ownership, acceptable use, and return of assets)
- Annex A.8.2: Information classification (classification scheme, labelling, and handling of assets)
- Annex A.8.3: Media handling (management, disposal, and transfer of physical media)
Annex A.9: Access Control
The objective of this annex is to limit access to information and information processing facilities. It requires an access control policy based on business needs, so that users are granted only the access their roles require (need-to-know and least privilege), together with formal user registration and de-registration, management of privileged access rights, secure log-on procedures, and periodic review of access rights.
Annex A.10: Cryptography
This annex aims to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information. It requires a policy on the use of cryptographic controls and a policy on the management of cryptographic keys throughout their lifecycle.
Annex A.11: Physical & Environmental Security
This annex focuses on the physical and environmental threats to the organisation's premises and equipment. Its 15 controls are divided into two broad groups.
- Annex A.11.1: Secure areas, which prevents unauthorised physical access, damage, and interference to the organisation's premises and information
- Annex A.11.2: Equipment, which prevents loss, damage, theft, or compromise of assets and the resulting interruption to operations
Annex A.12: Operations Security
Annex A.12 aims to ensure the correct and secure operation of information processing facilities. Its controls cover documented operating procedures and change management, protection from malware, backup, event logging and monitoring, control of operational software, technical vulnerability management, and restrictions on software installation.
Annex A.13: Communications Security
This annex covers network security management (protecting information in networks and segregating networks where appropriate) and information transfer, including transfer policies and agreements, electronic messaging, and confidentiality or non-disclosure agreements.
Annex A.14: System Acquisition, Development, and Maintenance
This annex aims to ensure that information security is an integral part of information systems across their entire lifecycle. It covers security requirements for new and changed systems, secure development practices (including secure engineering principles, development environments, and security testing), and protection of test data.
Annex A.15: Supplier Relationships
This annex has five controls that address the protection of information accessible to suppliers. They cover the information security policy for supplier relationships, the security requirements written into supplier agreements, the ICT supply chain, and the monitoring, review, and change management of supplier service delivery.
Annex A.16: Information Security Incident Management
This annex establishes a consistent and effective approach to managing information security incidents, including the reporting of security events and weaknesses, assessment and response, learning from incidents, and collection of evidence.
Annex A.17: Information Security Aspects of Business Continuity Management
It deals with business disruptions by requiring that information security continuity is planned, implemented, and verified as part of business continuity management, and that information processing facilities have sufficient redundancy to meet availability requirements.
Annex A.18: Compliance
It ensures the ISMS avoids breaches of legal, statutory, regulatory, or contractual obligations, including requirements on intellectual property, protection of records, privacy and personal data, and regulation of cryptographic controls. It also requires independent reviews of information security and regular checks of compliance with the organisation's own policies and standards.
Get Comprehensive ISO 27001 Consulting with Next Practice
Next Practice offers coaching programs you can use to strengthen your information security and improve business performance. Contact us today for tailored business coaching and consultation.