Controls (Annex A)
A.5: Information Security Policies – Controlling how policies are written and revised
A.6: Information Security Organization – Controls on how responsibilities are assigned; also includes controls for mobile devices
A.7: Human Resources Security – Pre-employment, during and after employment controls
A.8: Asset management – Asset inventory and acceptable use controls; also for information classification and media management
A.9: Access control – Access control policy, user access management, system and application access control
A.10: Cryptography – Encryption and Key Management Controls
A.11: Physical and environmental security – Controls defining secure areas, entry controls, protection against threats, security of the equipment, secure removal, clear desk and clear screen policy, etc.
A.12: Operational security – Procedures and responsibilities, malware, backup, logging, monitoring, installation, vulnerability etc.
A.13: Communications Security – Network security, information transfer, e-mail security checks etc.
A.14: Acquisition, development and maintenance of the system – Controls defining security requirements and security in the development and support processes
A.15: Vendor Relations – Controls on what to include in agreements and how to monitor suppliers
A.16: Information Security Incident Management – Controls to signal events and weaknesses, define responsibilities, assessment of events, response and learn from incidents and collection of evidences.
A.17: Aspects of information security in the management of continuity of operations – Controlling the planning, implementation and review of the continuity of information security operations.
A.18: Compliance – Controls Requiring the Identification of Applicable Laws and Regulations, Protection of Intellectual Property, Protection of Personal Data and Examination of the Security of Personal Information
One of the biggest myths about ISO 27001 implementation is that it is computer-centric. On the contrary it involves various aspects as mentioned above in Annexure.
Controls mentioned in Appendix A are essential part of ISO 27001 Implementation. As per the risk assessment, an organization can decide the applicability of the controls with valid rationale.