The 14 domains of ISO 27001 provide the best practices for an information security management system (ISMS). As outlined in Annex A of the ISO standard, this approach requires companies to determine information security risks and then choose appropriate controls to handle them. At Best Practice Biz, we can help create or upgrade your ISMS regardless of your business location globally. Our goal is to inspire your ISO certification journey to the highest international standards and help discover your business’s full potential.
ISO 27001 – 14 Controls as Outlined in Annex A
Annex A.5: Information Security Policies
The main objective of this annex is to align policies with the company’s information security practices. Annex A.5 is further divided into two sub-domains;
- Annex A.5.11: Policies for Information Security
- Annex A.5.1.2: Review the Policies for Information Security
Annex A.6: Organization of Information Security
With seven controls, this annex establishes a structure to initiate and manage the implementation of a security management system. It’s also classified into two sections;
- Annex A.6.1 is responsible for the assignment of information security roles and responsibilities within the organization.
- Annex A.6.2 addresses security practices for mobile gadgets and remote working.
Annex A.7: Human Resource Security
This annex focuses on the role of human resources. It ensures employees, contractors, and the rest of the workforce understand their responsibilities.
Annex A.8: Asset Management
The objective of this annex is to pinpoint information assets and identify proper protection responsibilities. It is divided into three;
- Annex A.8.1: identification of information assets according to ISMS
- Annex A.8.2: information asset classification
- Annex A.8.3: protection of sensitive data from unauthorized access, modification, or destruction
Annex A.9: Access Control
Annex A.9 ensures restricted access to information processing facilities. It allows employees to only view information that is relevant to their individual roles.
Annex A.10: Cryptography
This annex addresses data encryption and the security of confidential information. Its two controls ensure that businesses use cryptography appropriately to facilitate data integrity, confidentiality, and protection.
Annex A.11: Physical and Environmental Security
Annex A.11 addresses the physical and environmental aspects of the organization. It is the biggest annex with 15 domains which are broadly classified into two categories.
- Annex.A.11.1: Prevents unpermitted physical access, interference, trespass, or damage to the organization’s facility.
- Annex A11.2: Protects company equipment from damage, theft, or loss.
Annex A.12: Operations Security
The objective of this Annex is to safeguard information processing facilities. It ensures that the organization has appropriate defences in place to reduce the risk of infection and prevent data loss. Annex A.12 is divided into seven different sections.
Annex A.13: Communications Security
This addresses strategies used to protect the organization’s information within networks.
Annex A.14: System Acquisition, Development, and Maintenance
This annex has thirteen controls that address information security and ensure it remains a central aspect of the company’s operations throughout the life cycle.
Annex A.15: Supplier Relations
This annex covers contractual agreements between the organization and third parties.
Annex A.16: Information Security Incident Management
This involves steps taken to report and manage security incidents. It defines which employee is responsible for specific actions.
Annex A.17: Information Security Aspects of Business Continuity
This annex addresses the management of business disruptions. It involves taking necessary measures to ensure security continuity.
Annex A.18: Compliance
This annex helps the organization establish applicable laws and regulations to help understand its legal requirements and avoid possible penalties.
Get Rigorous ISO 27001 Training at Best Practice Biz
At Best Practice Biz, we are determined to improve your business performance by providing you with top-rate training in implementing ISO management systems within your company. Please do not hesitate to get in touch with us to enrol in our online ISO Certification courses.