ISO 27001 Controls - An Informative Guide


The ISO 27001 controls refer to a set of measures and standards defined by the International Organization for Standardization (ISO) to ensure the safety and confidentiality of information within an organization. These controls help organizations establish, implement, maintain, and continually improve an Information Security Management System (ISMS).

Control Categories

The ISO 27001 controls are grouped into the following categories:

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. Systems Acquisition, Development, and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Aspects of Business Continuity Management
  14. Compliance

Summary of Control Items

Here is a summary of the control items within ISO 27001:

Control Category                                                   No. of Controls
Information Security Policies                                      7
Organization of Information Security                               6
Human Resource Security                                            6
Asset Management                                                   14
Access Control                                                     14
Physical and Environmental Security                                15
Operations Security                                                14
Communications Security                                            7
Systems Acquisition, Development, and Maintenance                  13
Supplier Relationships                                             5
Information Security Incident Management                           7
Information Security Aspects of Business Continuity Management     4

Description of Controls

Each control within the ISO 27001 standard is essential for maintaining information security. Here are some of the key controls within each category:

Information Security Policies

  • Control 1: Information Security Policies and Procedures
  • Control 2: Mobile Devices and Teleworking
  • Control 3: Access Control Policy
  • Control 4: Cryptographic Policy
  • Control 5: Physical Security
  • Control 6: Incident Management
  • Control 7: Business Continuity Planning

Organization of Information Security

  • Control 8: Management Commitment to Information Security
  • Control 9: Coordination of Organization-Wide Security
  • Control 10: Allocation of Resources
  • Control 11: Confidentiality Agreements
  • Control 12: Independent Review of Information Security
  • Control 13: Contact with Authorities

Creating a Control Checklist

To effectively manage ISO 27001 controls, it is vital to create a comprehensive checklist. Here are the steps to create an efficient control checklist:

  1. Identify the control items relevant to your organization.
  2. Map the controls to respective control categories.
  3. Evaluate the current status and maturity of each control.
  4. Create a plan to implement missing controls or enhance existing controls.
  5. Define responsible individuals or teams for each control.
  6. Establish monitoring and reporting mechanisms.
  7. Regularly review and update the control checklist based on changes or incidents.

ISO 27001 Controls List in Excel

To streamline the management of ISO 27001 controls, organizations often use Excel spreadsheets. These spreadsheets help in organizing, tracking, and analyzing the controls efficiently. Here is an example of how an ISO 27001 controls list in Excel can be structured:

Control ID   Control Name                                   Control Category                 Status
1.1          Information Security Policies and Procedures   Information Security Policies    Implemented
1.2          Mobile Devices and Teleworking                 Information Security Policies    In Progress

For a complete list of ISO 27001 controls and their detailed descriptions, please consult the official ISO documentation or purchase a copy of CyberRiskAI's ISO 27001 workbook which comes with an assessment report.
