ISO 27001 Controls - An Informative Guide
Definition
The ISO 27001 controls refer to a set of measures and standards defined by the International Organization for Standardization (ISO) to ensure the safety and confidentiality of information within an organization. These controls help organizations establish, implement, maintain, and continually improve an Information Security Management System (ISMS).
Control Categories
The ISO 27001 controls are grouped into the following categories:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- Systems Acquisition, Development, and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Summary of Control Items
Here is a summary of the control items within ISO 27001:
| Control Category | No. of Controls |
|---|---|
| Information Security Policies | 7 |
| Organization of Information Security | 6 |
| Human Resource Security | 6 |
| Asset Management | 14 |
| Access Control | 14 |
| Cryptography | 7 |
| Physical and Environmental Security | 15 |
| Operations Security | 14 |
| Communications Security | 7 |
| Systems Acquisition, Development, and Maintenance | 13 |
| Supplier Relationships | 5 |
| Information Security Incident Management | 7 |
| Information Security Aspects of Business Continuity Management | 4 |
| Compliance | 8 |
Description of Controls
Each control within the ISO 27001 standard is essential for maintaining information security. Here are some of the key controls within each category:
Information Security Policies
- Control 1: Information Security Policies and Procedures
- Control 2: Mobile Devices and Teleworking
- Control 3: Access Control Policy
- Control 4: Cryptographic Policy
- Control 5: Physical Security
- Control 6: Incident Management
- Control 7: Business Continuity Planning
Organization of Information Security
- Control 8: Management Commitment to Information Security
- Control 9: Coordination of Organization-Wide Security
- Control 10: Allocation of Resources
- Control 11: Confidentiality Agreements
- Control 12: Independent Review of Information Security
- Control 13: Contact with Authorities
Creating a Control Checklist
To effectively manage ISO 27001 controls, it is vital to create a comprehensive checklist. Here are the steps to create an efficient control checklist:
- Identify the control items relevant to your organization.
- Map the controls to respective control categories.
- Evaluate the current status and maturity of each control.
- Create a plan to implement missing controls or enhance existing controls.
- Define responsible individuals or teams for each control.
- Establish monitoring and reporting mechanisms.
- Regularly review and update the control checklist based on changes or incidents.
ISO 27001 Controls List in Excel
To streamline the management of ISO 27001 controls, organizations often use Excel spreadsheets. These spreadsheets help in organizing, tracking, and analyzing the controls efficiently. Here is an example of how an ISO 27001 controls list in Excel can be structured:
| Control ID | Control Name | Control Category | Status |
|---|---|---|---|
| 1.1 | Information Security Policies and Procedures | Information Security Policies | Implemented |
| 1.2 | Mobile Devices and Teleworking | Information Security Policies | In Progress |
For a complete list of ISO 27001 controls and their detailed descriptions, please consult the official ISO documentation or purchase a copy of CyberRiskAI's ISO 27001 workbook which comes with an assessment report.
