ISO 27001 Requirements and Controls

ISO/IEC 27001 Requirements are comprised of eight major sections of guidance that must be implemented by an organization, as well as an Annex, which describes controls and control objectives that must be considered by every organization:

Section Number Expectations
1-3 ISO Scope, References, Terms
  • General introduction notes to the standard
4 Context of the Organization
  • Determining the scope of an organization’s Information Security Management System (ISMS)
  • Understanding of strategy, interested parties, needs and expectations
5 Leadership
  • Leadership Commitment
  • Information Security PolicyRoles and Responsibilities
6 Planning
  • Risk Assessment Process and Plan
  • Risk Treatment PlanningSecurity objectives, metrics, and plans
7 Support
  • Resource Management
  • Competency and TrainingSecurity AwarenessCommunicationDocument Management
8 Operation
  • Operational Planning and control
  • Risk assessmentImplementation of risk treatment
9 Performance Evaluation
  • Monitor and measure
  • Analysis of PerformanceInternal AuditManagement review
10 Improvement
  • Corrective Action
  • Continual Improvement

Within ISO 27001, the sections outlined above constitute the management system elements or mandatory ISO 27001 requirements, which are designed to set expectations and provide guidance on how to implement an information security management system that provides predictable results.

Based on operations, services and the risk levels associated with an organization and sector, each company will select controls from ISO 27001 Annex A; the controls are intended to help to reduce the likelihood of a harmful information security incident.

ISO 27001 Annex A Objective Controls

The Annex A controls and control objectives are applied to organizationally defined risks to help provide mitigation of risks to assets with the intent to provide a system that defines how information security is managed, what steps are taken, and the results that are intended to be achieved.

In many cases, organizations may have already invested time and resources to control specific requirements. For example, a company that has invested in firewalls to protect networks, implemented background checks for new employees, and/or created access profiles on existing systems to segregate access to information to those that “need to know”.

Since many organizations have started the implementation process to meet customers’ demands, the most pragmatic way to approach ISO/IEC 27001 requirements is to evaluate the current system against each of the mandatory processes and Annex A controls. The Annex A controls are grouped as follows:

A.5 – Information Security Policies

A.6 – Organization of information security

A.7 – Human resources security

A.8 – Asset management

A.9 – Access control

A.10 – Cryptography

A.11 – Physical and environmental security

A.12 – Operations Security

A.13 – Communications Security

A.14 – System acquisition, development and maintenance

A.15 – Supplier Relationships

A.16 – Information Security Incident Management

A.17 – Business Continuity

A.18 – Compliance

After implementing the ISO 27001 requirements for an information security management system, ISO 27001 certification or ISO 27001 registration is a method in which a company can prove that they have successfully implemented the requirements.

After documenting processes and performing reviews, a company may hire an independent auditing company to review their processes and ensure that the company is adhering to the developed processes. At the end of the audit, the company is presented with a certificate that they can then provide to existing and potential customers as proof of their commitment to information security.

An organization ultimately needs to understand the ISO 27001 requirements and controls and how to get ISO 27001 certified.

Looking for methods to address information security?

Learn more about how we can accelerate your ISO 27001 implementation. We will contact you the moment we receive your information to discuss and our certified ISO 27001 Consultants will show you how to successfully prepare for and achieve an ISO 27001 implementation, and strategically support your information security goals and objectives.