ISO 27001 Success Relies on Your Control Objectives

April 20, 2021 / by Frederid Palacios

If you have been keeping up with our recent blogs, you can see that the ISO 27001 certification is a hot topic. The certificate serves as an international standard for superior information security management system (ISMS) compliance. While the process of earning this certification is a lengthy one, it is well worth it. In the process of becoming certified, your company will undergo an internal security audit that involves many steps. One of these steps is the risk treatment plan, in which you list mitigation options for each risk identified in your organization. Essentially, this will serve as an “action plan” for how you plan to address each risk.



To complete this step, you must review the controls outlined in Annex A of the ISO 27001 standard. While your organization is not required to implement every control offered by ISO 27001, many are beneficial. The risk assessment process helps organizations identify the risks they face, and the controls guide you in mitigating them. We will walk through the best controls for you to implement and what they entail.


Controls To Implement

ISO 27001 outlines 114 Annex controls. While you should be thorough in determining controls, we recognize that this is a lot to handle. For this reason, the Annex A controls have been divided into 14 categories to present the control information in more manageable portions. These 14 control sets will guide you in developing an in-depth risk treatment plan so that you can adequately identify and mitigate risks.


Annex A.5: Information Security Policies

This annex serves to ensure that policies are written and reviewed in line with the overarching direction of an organization’s information security practices.

Annex A.6: Organization of Information Security

Focusing on the assignment of responsibilities for specific tasks, this annex is divided into two sections. The first section makes sure that the organization has established a framework that can adequately implement and maintain information security practices. The second section focuses on mobile devices and remote working. This is designed to ensure that any team members working from home or out of the office follow the appropriate security measures.

Annex A.7: Human Resource Security

This annex ensures that team members and contractors understand their responsibilities regarding risk mitigation and control. Divided into three sections, the first addresses individuals' responsibilities prior to employment. The second section covers responsibilities during employment, and the third is responsibilities when a person no longer holds that role, whether they have left the organization or changed positions.

Annex A.8: Asset Management

Asset management concerns the way that organizations identify information assets and define appropriate protection responsibilities. In three sections, this annex first covers organizations identifying information assets within the scope of the ISMS. Second, it focuses on information classification, ensuring that information assets are subject to an appropriate level of security. The third section is on media handling, ensuring that sensitive data is not subject to unauthorized disclosure, modification, removal, or destruction.

Annex A.9: Access Control

The aim of this annex is to ensure that team members can only view information relevant to their role. Divided into four sections, this addresses the business requirements of access controls, user access management, user responsibilities, and system and application access controls.

Annex A.10: Cryptography

The cryptography annex is about data encryption and the management of sensitive information. It was designed to ensure that organizations are properly and effectively using cryptography to protect the confidentiality, availability, and integrity of data.

Annex A.11: Physical and Environmental Security

This annex is a large one, encompassing 15 controls. It addresses the organization's physical and environmental security. Split into two sections, it essentially serves to prevent unauthorized physical access, damage, or interference to an organization's premises or the sensitive data held within. It also deals with an organization's equipment. It is designed to prevent the loss, damage, or theft of information asset containers, whether hardware, software, or physical files.

Annex A.12: Operations Security

Another large annex, this ensures that information processing facilities are secure. Split into seven sections, this addresses operation procedures and responsibilities, malware, backup systems, logging and monitoring, software integrity, technical vulnerability management, and information systems and audit considerations.

Annex A.13: Communications Security

Communications security concerns the ways an organization protects information in networks. This covers network security management, ensuring that the confidentiality, integrity, and availability of information in networks remain intact. Additionally, it deals with the security of information in transit, whether it's moving within the organization or to an outside party.

Annex A.14: System Acquisition, Development, and Maintenance

The objective of this annex is to ensure that information security remains a central part of the organization's process throughout the entire lifecycle. This addresses security concerns for internal systems in addition to those that provide services over public networks.

Annex A.15: Supplier Relationships

This annex concerns the contractual agreements between an organization and a third party. The first section addresses the protection of an organization’s assets that are accessible to or affected by suppliers. The second section is designed to ensure that both parties maintain the agreed-upon level of service delivery and information security.

Annex A.16: Information Security Incident Management

Focusing on incident management, this annex is about how to manage and report security incidents. This involves identifying which team members are to take responsibility for specific actions, ensuring a consistent and effective approach to the cycle of incidents and response.

Annex A.17: Information Security Aspects of Business Continuity Management

This annex aims to create an effective system for managing business disruptions. In addition to addressing information security continuity, it also looks at redundancies to ensure the availability of information processing facilities.

Annex A.18: Compliance

The final annex ensures that organizations can identify relevant laws and regulations. This is to help them understand legal and contractual requirements, thus mitigating the risk of non-compliance and associated penalties.


Importance of Controls

Now that you have had a run-through of the ISO 27001 Annex A controls, you will have a better idea of what risks you need to mitigate and how to go about it. Through implementing these controls, you will develop a more thorough ISMS and manage it efficiently. With clear security standards and defined responsibilities, your entire organization will understand each risk you face and how to maintain mitigation. The control objectives you implement will serve as essential tools in managing information security. With a thorough and robust list of controls, you will significantly enhance the security of your information assets. This will take you one step closer to achieving your ISO 27001 certification, a signal to all that you prioritize information security and have taken the measures to protect sensitive information.


Written by Frederid Palacios

Fred Palacios is a seasoned software architect with more than 20 years of experience participating in the entire software development cycle across a host of different industries--from automotive and services to petroleum, financial, and supply chain. In that time, his experience working closely with high-level stakeholders has provided him with a strategic vision for developing the right solutions to flexibly meet critical business needs. As CTO of Intertec, he's continuing to focus on the creation of business-critical applications for large enterprise projects, particularly those that handle high concurrency and large datasets. He is passionate about using technology as a tool to solve real-world problems and also mentoring technical teams to achieve their maximum potential and deliver quality software.
