How many ISO 27001 controls
Typically what people look at is Annex A, the full list of controls. At the very high level there are thirteen controls in Annex A. However, each of those thirteen controls has sub-controls, so in reality there's a total of controls in Annex A of the ISO standard. It's important to note that, depending on your organisation's requirements, not all controls are mandatory to implement. What you do have to do is justify the inclusion or exclusion of each control. It's very comprehensive because it caters for all types of industries and organisations, not just IT.
You can pick it up and say yes, a whole set of these controls is applicable to my manufacturing process; it's applicable to my pharmaceutical company; it's applicable to the hospital or to other industries.
That's why it's all-encompassing, and why you have the opportunity to say these controls are applicable and these controls are not. You may not be managing your own data centre; you may have an external provider, in which case you can further evaluate whether the data centre controls are applicable to you or not.
I have summarised them in the table of contents for ease of navigation. If you want to download a copy of the controls, you can find them listed in either the Audit Worksheets or the Statement of Applicability. Before we look at the current control set it is worth mentioning that the control set is changing.
If you want to see what the new controls are, what the changes are and what the differences are, you can read more in the Ultimate Guide to the ISO Changes. The following is the ISO Controls checklist: the controls in summary. Let's break them down. Helpfully, the controls start at number 5. ISO policies are your foundation. They say what you do, not necessarily how you do it. There are 2 controls in Annex A.
A management framework for the implementation and operation of information security makes sense. We work out who is doing what and allocate roles. We seek to remove conflicts of interest and segregate duties. Contact with authorities (usually local regulators and law enforcement) is established, as is contact with special interest groups. Special interest groups could be forums, or trade or regulatory associations.
As we likely have project management, we ensure that information security is included in the project lifecycle. Weirdly, this annex shoehorns in both remote working and mobile devices, for which it expects policies. Ah, where would we be without HR? Here we have 6 controls relating to Human Resources, taking care of pre-employment screening and background checking, terms and conditions of employment, what happens during employment, and information security training.
Management responsibilities are included, as is the disciplinary process that ties it to security breaches, and termination of employment and of responsibilities. The last one we summarise as the starter, leaver, mover process. You cannot protect what you do not know, so a whopping 10 controls cover asset management. Nothing earth-shattering or new here. We are in the territory of physical asset registers and data asset registers. The asset management policy looks at ownership of assets, acceptable use and return of assets.
There are controls on information classification and labelling of information, but nothing strenuous. Handling assets and media is covered: the likes of removable media, disposing of it properly, and physical media transfer, if that is still something you do.
Still with me? Good, good. Access control, as you would expect, is included. It is another large control section, but not one to be intimidated by. Its two controls ensure that organisations use cryptography effectively to protect data confidentiality, integrity and availability. This annex ensures that information processing facilities are secure and is comprised of seven sections. Finally, Annex A. Its 13 controls address the security requirements for internal systems and for those that provide services over public networks.
This annex is about how to manage and report security incidents. The process involves identifying which employees should take responsibility for specific actions, ensuring a consistent and effective approach to the lifecycle of incidents and responses. This annex ensures that organisations identify the laws and regulations relevant to them. This helps them understand their legal and contractual requirements, mitigating the risk of non-compliance and the penalties that come with it.
Instead, the Standard addresses each of the three pillars of information security: people, processes and technology. The IT department will play a role in risk treatment, most obviously in technology and in developing the processes and policies that ensure those technologies are used properly.
Most controls will require the expertise of people from across your organisation.