ISO/IEC 27001:2017 Annex A detail
ISO/IEC 27001:2022 is the updated version of the international standard for information security management systems (ISMS). Annex A of ISO/IEC 27001:2022 lists reference control objectives and controls that organizations can implement to manage information security risks effectively. The Annex A controls are intended to ensure that the security controls an organization selects are adequate and proportionate to the risks to its information assets.
ISO/IEC 27001:2022 Annex A Overview
Annex A consists of 4 main sections (A.5 to A.8), each containing multiple categories and controls that cover the organizational, people, physical, and technological aspects of information security.
A.5: Organizational Controls
A.5.1 Policies for information security: Establish information security policies that provide management direction and support.
A.5.2 Information security roles and responsibilities: Define and communicate information security roles and responsibilities.
A.5.3 Segregation of duties: Implement segregation of duties to reduce the risk of misuse of assets.
A.5.4 Management responsibilities: Ensure that management provides clear direction and demonstrates commitment to information security.
A.5.5 Contact with authorities: Establish and maintain contact with relevant authorities.
A.5.6 Contact with special interest groups: Establish and maintain contact with special interest groups or other specialist security forums and professional associations.
A.5.7 Threat intelligence: Collect and analyze threat intelligence to inform the risk management process.
A.5.8 Information security in project management: Ensure that information security is addressed in project management.
A.6: People Controls
A.6.1 Screening: Ensure that employees, contractors, and third-party users are subject to appropriate security screening.
A.6.2 Terms and conditions of employment: Ensure that employees, contractors, and third-party users understand their responsibilities.
A.6.3 Information security awareness, education, and training: Provide appropriate awareness, education, and training programs.
A.6.4 Disciplinary process: Ensure that there is a formal disciplinary process for employees who have committed security breaches.
A.6.5 Responsibilities after termination or change of employment: Ensure that responsibilities for information security remain clear and are carried out after termination or change of employment.
A.7: Physical Controls
A.7.1 Secure areas: Implement security perimeters and entry controls to protect areas containing information and information processing facilities.
A.7.2 Equipment security: Protect equipment from physical and environmental threats.
A.8: Technological Controls
A.8.1 Access control: Ensure authorized user access and prevent unauthorized access to systems and services.
A.8.2 User access management: Implement user access management controls, including registration, deregistration, and privileged access.
A.8.3 User responsibilities: Make users accountable for safeguarding their authentication information.
A.8.4 System and application access control: Implement access control for systems and applications.
A.8.5 Cryptography: Use cryptographic controls to protect the confidentiality, integrity, and availability of information.
A.8.6 Physical and environmental security: Protect information processing facilities from physical and environmental threats.
A.8.7 Operations security: Ensure correct and secure operations of information processing facilities.
A.8.8 Protection from malware: Implement controls to detect, prevent, and recover from malware.
A.8.9 Backup: Ensure that information and software are backed up and protected.
A.8.10 Logging and monitoring: Record events and generate evidence for monitoring and review.
A.8.11 Control of operational software: Ensure the integrity of operational software.
A.8.12 Technical vulnerability management: Identify, assess, and manage technical vulnerabilities.
A.8.13 Information systems audit considerations: Minimize the impact of audit activities on operational systems.
A.8.14 Network security management: Ensure the protection of information in networks.
A.8.15 Security requirements of information systems: Ensure security is built into information systems.
A.8.16 Security in development and support processes: Ensure information security is designed and implemented in development processes.
A.8.17 Test data: Protect data used for testing.