What are the 14 Domains of ISO 27001?

The 14 domains of ISO 27001 set out the best-practice controls for an information security management system (ISMS). They are listed in Annex A of the standard (ISO/IEC 27001:2013, which groups 114 controls under 14 domains, A.5 to A.18; the 2022 revision reorganises Annex A into four themes, so check which edition your certification body is auditing against). Annex A is not a checklist to be applied wholesale: the standard requires an organisation to assess its information security risks first and then select, and justify in a Statement of Applicability, the controls that treat those risks. At Best Practice Biz, we can help create or upgrade your ISMS wherever your business is located. Our goal is to support your ISO certification journey to the highest international standards and help your business realise its full potential.


ISO 27001 – The 14 Domains Outlined in Annex A

Annex A.5: Information Security Policies 

The objective of this annex is to provide management direction and support for information security, in line with business requirements and applicable laws and regulations. Annex A.5 has a single control objective (A.5.1, Management direction for information security) with two controls:

  • Annex A.5.1.1: Policies for information security
  • Annex A.5.1.2: Review of the policies for information security

Annex A.6: Organization of Information Security 

With seven controls, this annex establishes the management framework needed to initiate and control the implementation and operation of information security within the organisation. It is split into two control objectives:

  • Annex A.6.1 (Internal organisation) covers the assignment of information security roles and responsibilities, segregation of duties, contact with authorities and special interest groups, and information security in project management.
  • Annex A.6.2 (Mobile devices and teleworking) addresses security practices for mobile devices and remote working.

Annex A.7: Human Resource Security 

This annex focuses on the human side of security across the whole employment life cycle: prior to employment (screening and terms of employment), during employment (management responsibilities, awareness and training, disciplinary process) and on termination or change of employment. It ensures employees, contractors and the rest of the workforce understand and fulfil their information security responsibilities.

Annex A.8: Asset Management 

The objective of this annex is to identify the organisation's information assets and define appropriate protection responsibilities for them. It is divided into three control objectives:

  • Annex A.8.1 (Responsibility for assets): inventory and ownership of assets, acceptable use, and return of assets on exit
  • Annex A.8.2 (Information classification): classifying, labelling and handling information according to its sensitivity
  • Annex A.8.3 (Media handling): preventing unauthorised disclosure, modification, removal or destruction of information stored on removable media, including secure disposal and protection during transport

Annex A.9: Access Control 

Annex A.9 limits access to information and information processing facilities. Its 14 controls cover the business requirements for access control, user access management (registration, provisioning, privileged access, secret authentication information, access review and removal), user responsibilities, and system and application access control. The underlying principle is least privilege: users should be able to access only the information and functions their role requires.

Annex A.10: Cryptography 

This annex addresses the proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information. It has two controls: a policy on the use of cryptographic controls (A.10.1.1) and key management across the whole key life cycle (A.10.1.2), since encryption is only as strong as the protection of its keys.

Annex A.11: Physical and Environmental Security 

Annex A.11 addresses the physical and environmental security of the organisation. With 15 controls it is the largest annex, and it is split into two control objectives:

  • Annex A.11.1 (Secure areas): prevents unauthorised physical access to, damage to and interference with the organisation's information and information processing facilities, through physical perimeters, entry controls, protection against environmental threats and controls on delivery and loading areas.
  • Annex A.11.2 (Equipment): protects equipment from loss, damage, theft or compromise, including supporting utilities, cabling, maintenance, secure disposal or re-use, and unattended equipment and clear desk and clear screen practices.

Annex A.12: Operations Security 

The objective of this annex is to ensure the correct and secure operation of information processing facilities. Annex A.12 has 14 controls under seven control objectives: documented operational procedures and change management, protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management, and information systems audit considerations.

Annex A.13: Communications Security

This annex addresses the protection of information in networks and its supporting information processing facilities (network security management, including segregation of networks), and the security of information transferred within the organisation and to external parties (transfer policies and agreements, electronic messaging, and confidentiality or non-disclosure agreements).

Annex A.14: System Acquisition, Development, and Maintenance

This annex has 13 controls that ensure information security is an integral part of information systems across their entire life cycle, including systems that provide services over public networks. It covers security requirements analysis, secure development (policy, change control, secure engineering principles, secure development environments, outsourced development and security testing), and the protection of test data.

Annex A.15: Supplier Relationships

This annex ensures that the organisation's assets accessible to suppliers are protected. It covers the information security requirements to be agreed with each supplier in contracts, the supply chain for ICT products and services, and ongoing monitoring, review and change management of supplier service delivery.

Annex A.16: Information Security Incident Management

This annex ensures a consistent and effective approach to managing information security incidents, including communication of security events and weaknesses. Its seven controls cover management responsibilities and procedures, reporting of events and weaknesses, assessment of and decision on events, incident response, learning from incidents, and collection of evidence. It defines who is responsible for each step so that incidents are reported, handled and learned from rather than handled ad hoc.

Annex A.17: Information Security Aspects of Business Continuity 

This annex addresses how information security is maintained during disruption. It requires the organisation to plan, implement, verify and review information security continuity as part of its business continuity management, and to provide sufficient redundancy in information processing facilities to meet availability requirements.

Annex A.18: Compliance

This annex helps the organisation avoid breaches of legal, statutory, regulatory or contractual obligations relating to information security. It requires the organisation to identify the applicable legislation and contractual requirements (including intellectual property rights, protection of records, privacy and personal data, and regulation of cryptographic controls), and to carry out independent reviews of information security and regular compliance reviews of its policies and technical standards.

Get Rigorous ISO 27001 Training at Best Practice Biz

At Best Practice Biz, we are committed to improving your business performance by providing top-rate training in implementing ISO management systems within your company. Please do not hesitate to get in touch with us to enrol in our online ISO certification courses.
