May 26, 2021
ISO 27001 - Defining Controls
Annex A of ISO 27001 is one of the most widely known lists of requirements of all the ISO standards. It provides companies with a structured checklist to define controls for their information security management system (ISMS) and to mitigate their cyber-related risks. Review the changes to ISO 27001:2022 controls here.
In the previous article, we covered the necessary steps of identifying, evaluating, and treating risks around an organization's information assets. The risk management process addresses uncertainties and opportunities around your valuable assets to ensure the desired security outcomes are achieved, and threats are appropriately mitigated.
In Part 6 of our Guide to ISO 27001, we review the core requirements of the Annex, explaining how to correctly define your controls, how they improve the security of your system, and how they safeguard your assets.
Information Security Domains
The ISO 27001 Information Security domains consist of the list of controls found in Annex A. This list is organized into 14 sections or domains, which can be divided into five dimensions:
Summary
To achieve ISO 27001 certification, you will need to understand the many requirements described in Annex A in order to define appropriate and effective controls. Your Information Security Management System is structured around the deployment of the technical, administrative, and security controls prescribed in the Annex A domains. To implement a successful ISMS, you will need to develop and formalize processes and policies, manage people, and create awareness, all of which can be done with the help of a cloud-based management solution.
In Part 7 of our Guide to ISO 27001 Compliance, we'll be discussing how you can equip your compliance team with effective training to properly deploy controls, ensure compliance and develop security competence and awareness.
How Can StandardFusion Help?
StandardFusion is an interconnected GRC platform that accelerates ISO 27001 implementation and streamlines the management of Annex A requirements. You can develop your ISO 27001-compliant controls, schedule recurring tasks, delegate compliance duties, track the revision history of your policies and procedures, and use those records to satisfy your ISMS requirements. StandardFusion has extensive reporting capabilities and can generate a complete Statement of Applicability for optimized visibility of your security framework at the press of a button. See how you can define your controls and implement an ISO 27001-compliant ISMS when you connect with our team!
Guide to ISO 27001
Part 1: Implementation & Leadership Support
Part 2: Establishing Scope and Creating the Statement of Applicability
Part 3: Mandatory Clauses
Part 4: Understanding & Communicating with Stakeholders
Part 5: Risk Management
Part 6: Defining Controls
Part 7: Competence, Training and Awareness
Part 8: Monitoring Efficacy & Continuous Improvement