Annex A Controls

Annex A is part of the ISO 27001 security standard. It is a list of security controls that organizations can apply, according to their needs, to improve the security of their information assets. The 114 controls in ISO 27001 Annex A are grouped into 14 sections. These sections cover information technology and other areas that can affect the security of an organization's information environment.

The 14 domains cover organizational issues, IT, physical security, human resources, and legal issues. Organizations are not required to implement the entire list of controls in ISO 27001; rather, the list should be applied only after assessing the organization's actual needs.

From the 114 controls listed in Annex A, an entity can select those relevant to its own requirements and the needs of its clients. The 14 domains are:

  • Information security policies (Annex 5)
  • Organization of information security and assignment of responsibility (Annex 6)
  • Human resources security (Annex 7)
  • Asset management (Annex 8)
  • User access control (Annex 9)
  • Encryption and management of sensitive information (Annex 10)
  • Physical and environmental security (Annex 11)
  • Operational security (Annex 12)
  • Communications security (Annex 13)
  • System acquisition, development, and maintenance (Annex 14)
  • Supplier relationships (Annex 15)
  • Information security incident management (Annex 16)
  • Information security aspects for the management of business continuity (Annex 17)
  • Compliance (Annex 18)
