The ISO/IEC 27001:2013 Certification is an international standard for Information Security Management System. It defines Security controls that aim to address the risks related to cyber security and implement an effective information security system. Annex A Controls of ISO 27001 consists of 114 security controls.
Annex A Controls
Annex A of ISO 27001 contains 114 security controls grouped into 14 control categories, and not all controls are mandatory. The selection of controls depends on the organization’s risk assessment. ISO 27001 Certification follows a risk-based approach and focuses on identifying the risk to its information security and selecting the appropriate controls to eliminate them.
ISO/IEC 27001:2013 Certification outlines ISO 27001 Annex A controls, also known as ISO 27002.
What is the difference between ISO 27001 and ISO 27002 Certification?
Annex A controls of ISO 27001 Certification is one of the most well-known annex of ISO standards. It is a list of controls that aim to protect and strengthen the information security assets of the organization. ISO 27001 gives a general idea about these controls in one sentence.
The International organization for standardization published ISO 27002 certification to provide an extensive description on implementing these controls. It works on the same lines as SO 27001 but has more details on controls.
List of ISO 27001 Annex A controls
Annex controls of ISO 27001 are grouped into 14 domains. These are:
- Information Security Policies
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operational Security
- Communications Security
- System Acquisitions, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
A Guide to ISO 27001 Annex A controls
The Security controls allow an organization to manage its information security assets and prepare against cyber threats. It enables an organization to avoid regulatory fines due to cyber-attacks, such as data breaches and malware. These controls cover specific topics and the purpose of these 14 controls is:
- Information Security Policies (2 controls) – It aims to provide direction and support to the management to implement information security. It helps organizations to formulate their information security policy based on the needs and requirements of the organization.
- Organization of Information Security (7 Controls) – This annex has seven controls divided into two sections which are Internal Organization and Mobile Device and Teleworking.
- Internal organization: It assigns roles and responsibilities to initiate and control the implementation of the Security management system. It aims to establish an efficient management framework to implement and maintain Information security practices.
- Mobile Device and Teleworking: It addresses the issues associated with remote working and the risk related to the use of mobile devices. It provides training and complies with regulations to access, process and store information remotely.
- Human Resources Security (6 controls) – These controls are divided into three sections. These are:
- Pre-employment requirements– A contractor needs to do appropriate background verification and state responsibilities in the employment contract to ensure information safety.
- Responsibilities during employment– It requires an organization to provide training to implement a disciplinary process to protect information security. Candidates need to be aware of their job responsibilities and update themselves.
- Termination and change of employment– It ensures to protect organization’s interest when candidates change or leave the organization.
Comments
Post a Comment