People may actually believe that the seven clauses of ISO 27001 are, in themselves, controls. Typically, what people look at is Annex-A, which holds the whole list of controls; at the very high level there are thirteen controls in Annex-A.
However, each of those thirteen controls has sub-controls, so in reality there is a total of 114 controls in Annex-A of the ISO 27001 standard. It’s important to note that, depending on your organization’s requirements, not all controls are mandatory to implement.
However, what you have to do is justify the inclusion or exclusion of each control. The standard is very comprehensive because it caters for all types of industries and organizations, not just IT.
You can pick it up and say, yes, this whole set of controls is applicable to my manufacturing process, to my pharmaceutical company, to the hospital, or to other industries. That’s why it’s all-encompassing, and why you have the opportunity to say that these controls are applicable and those controls are not.
You may not be managing your own data center; you may have an external provider, in which case you can further evaluate whether the data center controls are applicable to you or not.