ISO 27001 Controls Explained: A Detailed Guide

Updated: Aug 16

Vector Representation of ISO 27001 Guide
A Detailed Guide to ISO 27001 Controls

ISO 27001 is an international standard developed to assist organizations in managing the security processes of information assets. This standard provides a concrete framework and helps implement information security management systems, widely known as ISMS. The information security management system framework helps manage an organization's essential data's confidentiality, availability, and integrity through its streamlined and secured management process.

ISO 27001 is one of the most extensively recognized information security standards. In this article, we will take a closer look at ISO 27001 controls and how these controls can assist your organization in establishing and maintaining the information security posture.

What are ISO 27001 controls?

ISO 27001 control standards are divided into two parts. The first part is mandatory and consists of 11 clauses from 0 to 10. The second part, Annex A, has guidelines for 114 controls and control objectives. In the first part, clauses 0 to 3 deal with the introduction, scope, normative references, terms, and definitions of the ISO 27001 standard.

Clauses 4 to 10 state ISO 27001 requirements that should be fulfilled by any organization looking forward to compliance with the standard. Annex A is an auxiliary part of the standard that supports these clauses and their requirements. These optional controls are selected as a part of the risk management process.

ISO 27001 Standard - ISMS: Clauses 0-10

ISO 27001 has 114 controls organized into 14 categories. To gain certification, organizations must fulfill the following clauses in addition to Annex A control requirements, which we'll be explaining in more detail later.

Your organization will determine how it meets the ISO 27001 clauses and Annex A controls. The ISO 27001 standard is constructed so that all types of organizations may satisfy the standards in their own unique method.

Let's study the clauses in detail before we go ahead to learn about Annex A controls.

Clause 0: Introduction

Clause 0 provides the foundational information to set up an effective and efficient ISMS. This Clause summarises how the implementation protects your data from unauthorized access, following several International and domestic compliance standards. It boosts the confidence of stakeholders and develops trust in the customer toward the organization.

Clause 1: Audience

It states that ISO 27001 standards should be in the context of your organization. It is beneficial as it helps you determine the organizational context of your organization to ensure that you do not overwork your system while trying to meet a requirement that you don't need. Clause 1 states the use of risk management for your information security system.

Clause 2: Standard references

This Clause exists to indicate that ISO 27000 is required for the application of ISO 27001. As a result, you must study, comprehend, and use ISO 27000 criteria while developing your ISMS.

Clause 3: Terms of service

It stresses the essential nature of ISO 27000 to ISO 27001. It requires you to read, apprehend, and apply ISO 27000 requirements while building your Information security management system. The ISO 27000 terms and conditions also apply to ISO 27001.

Clause 4: Context

This Clause requires an organization to identify all issues (Internal or external) relevant to the business and ISMS objectives.

Clause 5: Leadership hierarchy

It states that for the seamless setup of an Information Security Management System, the organization needs to clearly define the role and responsibilities of the organization leaders.

Clause 6: Action plan

This Clause covers the preventive actions as stated in the old ISO 27001: 2005. It includes clear risk requirements for risk assessment, treatment and plan, and a statement of applicability. This also covers the process of integrating risk management with the ISMS.

Clause 7: Supportive action

The next Clause specifies that the ISMS resources necessary to meet the specified objectives and demonstrate continuous improvement must be defined and made available by the company to the system implementation team. It specifies the needs for resource availability, skill sets, communication, awareness, and record and document control.

Clause 8: Operatives

The purpose of clause 8 is to ensure the proper treatment of risks and opportunities, the achievement of security objectives, and the fulfillment of information security requirements. It describes the risk assessment procedure and other processes required to meet information security goals.

Clause 9: Evaluation of performance

It defines requirements for regular monitoring, performance evaluation, and analysis of the ISMS. As a result, this Clause strives to set standards for the organization's monitoring, measurement, analysis, assessment, internal audit, and management review, so providing unambiguous measuring metrics.

Clause 10: Rectifications

It defines the requirements for nonconformity or exceptions, corrective plans, and continuous improvements.

ISO 27001 - Annex A: The 14 domains of ISO 27001

There are separate areas covered under ISO 27001, and they're termed domains. There are 14 domains listed in Annex A, each focusing on broad best practices for that aspect of information security. These are organized as A.5 to A.18 in ISO 27001.

Annex A.5 - information security policies

Annex A.5 is concerned with providing management with guidance on information security policies. The goal of this Annex is to manage information security direction and support following the organization's requirements and in accordance with applicable laws and regulations.

It is one of the most important domains as the information security policy strength directly influences every other category. The lack of clear Central leadership results in inconsistent security of the information security management system. Auditors ask for:

  • Information security policy's high-level documentation

  • Regular review and update of these policies

  • An explanation of the synchronization of these policies with other business needs

Annex A.6 - organization of information security

This Annex aims to build a management structure that initiates and manages information security installation and operation. It has seven controls. In addition, it states that there should be defined roles and responsibilities along with plans to fit vendors or remote workers into the environment.

Annex A.7 - human resources security

While A.5 can be considered a set of security controls required for policy leadership and A.6 can be explained as the controls for middle management of an organization, Annex A.7 is the controls for individual contributors. The focus is to ensure that employees understand their tasks and are adequately trained. This Annex also discusses what occurs when employees quit or change jobs. It has six controls.

Annex A.8 - Asset Management

Annex A.8 addresses asset accountability. The purpose of this Annex is to identify and characterize information assets that are relevant to the management system. They must also be allocated appropriate protective duties. The Annex has ten controls. You should also be familiar with these certain points for the controls in this domain:

  • How to handle an information asset properly

  • Authorization diversity in receiving and sharing of assets

  • Tracking of asset location

  • Disposal of the asset, if required

Controls of A.8 also cover the safe storage of assets in removable media.

Annex A.9 - Control of Access

This domain controls employees' access and denies them access to irrelevant information. This access control looks after login credential privileges as corporate information access to a large number of employees create Infosys liabilities.

Annex A.10 Cryptography

Cryptography is a tool in the security arsenal, and ISO 270001 provides it with this domain. These controls emphasize that your organization should have document policies to manage encryption according to your business requirement. It also requires your special attention to managing these cryptographic keys, including a plan B for the situation if a key becomes compromised.

Annex A.11 Physical and environmental security

This domain deals with physical and environmental security, which is one of the largest domains in Annex A and has 15 controls for information protection from real-world attacks. Your organization needs to protect the physical location of data storage. This domain deals with securing access to sensitive information and includes controls for employees with remote access. Some controls in this domain also cover the risk of natural disasters.

Annex A.12 - Operational Procedures and Responsibilities

This Annex aims to guarantee that information processing facilities operate correctly and securely. It consists of 14 controls. Operating procedures must be recorded and made available to all users who require them under this Annex. Operating procedures that have been recorded in this manner guarantee that systems operate consistently even when additional personnel or resources are added, and they are often crucial for disaster recovery, business continuity, and when staff availability is compromised.

Annex A.13 - Communications

This domain is split into two sections. The first section prevents unauthorized users from accessing information sensitive to the organization. The second section deals with information transfer. It controls the mode of information exchange, email protection, and the use of non-disclosure agreements.

Annex A.14 - Security Requirements of Information Systems

This domain is related to the evolution of your information security management system over time. Information security is the priority whenever a new information security system is introduced. This domain rejects all the changes that do not meet the specifications. This Annex aims to guarantee that information security is developed and implemented throughout the information system development lifecycle.

Annex A.15 - Requirements for suppliers

Most organizations are in an outside partnership with vendors or third-party operators. It's tough to implement controls as they are third-party vendors, and it is not in your control to look after their operation; however, you can present the auditor with proof that you are holding all third-party vendors to a strict standard.

Annex A.16 - Management of Information Security Incidents

There is always a chance of a security threat regardless of your preparations. This domain covers your company's response to security incidents. It accounts for your post-crisis actions and strategies that you have developed after learning from the breach.

Annex A.17 - Information Security Continuity

It states that information security also gets affected with significant disruption of business. It helps your organization in protecting sensitive data during the operational upheaval. There are four controls in Annex A.17. The company must evaluate its specific information security requirements and consider the continuity of information security management under bad scenarios, such as during a crisis or disaster.

Annex A.18 - Legal Compliance and Contractual Requirements

This section reveals details for the successful compliance of your organization with information security laws. The goal is to avoid violations of any legal, legislative, regulatory, or contractual duties linked to information security. There are eight controls in this Annex.


All the information stated above can be a lot to process, but it is nonetheless important if your organization is planning to apply for ISO 27001 certification. As mentioned, organizations don't need to implement all 14 controls of ISO 270001. An experienced security firm or infosec automation organization like Scrut can help you establish a seamless process to help the organization identify and mitigate potential risks.

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.