
ISO27001:2022 Annex A controls

You always wanted a comprehensive list of ISO27001 Annex A controls, right?

Your wish is our command!

Whether you're a cybersecurity wizard or a curious newbie, this document gives you access to everything you ever wanted to know about the ISO27001:2022 Annex A controls.

We created this list, and the resources it links to, because the most common question we get is, "What do I need for Annex A control X?"

There are 93 Annex A controls in ISO27001:2022, and every one of them has at some point caused confusion for people implementing the standard.

For each control, our list links to detailed information about the control: what is expected, why it is needed, what the auditor expects to see and what you need to do to comply. We have also included a few typical questions we get asked about each control.

Note that some ISO27001 controls should not be read in isolation because they are related to other controls; where this is the case, we have provided links to the related controls.

How you get started is up to you. Jump into the control or controls that you are most confused about, or start at A5.1 and finish at A8.37. The choice is yours.

We have linked each control to easy-to-use policies and procedures that you can purchase from our online store, so that you can get started right away.

Organisational Controls

A5.1 - Policies for information security

Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

A5.2 - Information security roles and responsibilities

Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.

A5.3 - Segregation of duties

Conflicting duties and conflicting areas of responsibility should be segregated.

A5.4 - Management responsibilities

Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.

A5.5 - Contact with authorities

The organisation shall establish and maintain contact with relevant authorities.

A5.6 - Contact with special interest groups

The organisation shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

A5.7 - Threat intelligence

Information relating to information security threats shall be collected and analysed to produce threat intelligence.

A5.8 - Information security in project management

Information security shall be integrated into project management.

A5.9 - Inventory of information and other associated assets

An inventory of information and other associated assets, including owners, should be developed and maintained.

A5.10 - Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

A5.11 - Return of assets

Personnel and other interested parties, as appropriate, shall return all the organisation's assets in their possession upon change or termination of their employment, contract or agreement.

A5.12 - Classification of information

Information shall be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

A5.13 - Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.

A5.14 - Information transfer

Information transfer rules, procedures or agreements shall be in place for all types of transfer facilities within the organisation and between the organisation and other parties.

A5.15 - Access control

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

A5.16 - Identity management

The full life cycle of identities should be managed.

A5.17 - Authentication information

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

A5.18 - Access rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organisation's topic-specific policy on, and rules for, access control.

A5.19 - Information security in supplier relationships

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers' products or services.

A5.20 - Addressing information security within supplier agreements

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

A5.21 - Managing information security in the ICT supply chain

Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

A5.22 - Monitoring, review and change management of supplier services

The organisation shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

A5.23 - Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements.

A5.24 - Information security incident management planning and preparation

The organisation shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

A5.25 - Assessment and decision on information security events

The organisation shall assess information security events and decide if they are to be categorised as information security incidents.

A5.26 - Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

A5.27 - Learning from information security incidents

Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

A5.28 - Collection of evidence

The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

A5.29 - Information security during disruption

The organisation shall plan how to maintain information security at an appropriate level during disruption.

A5.30 - ICT readiness for business continuity

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

A5.31 - Identification of legal, statutory, regulatory and contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security, and the organisation's approach to meeting these requirements, shall be identified, documented and kept up to date.

A5.32 - Intellectual property rights

The organisation shall implement appropriate procedures to protect intellectual property rights.

A5.33 - Protection of records

Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release.

A5.34 - Privacy and protection of PII

PII is information which can be used to distinguish or trace an individual's identity, such as their name, social security number or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name.

A5.35 - Independent review of information security

The organisation's approach to managing information security and its implementation, including people, processes and technologies, shall be reviewed independently at planned intervals, or when significant changes occur.

A5.36 - Compliance with policies and standards for information security

Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

A5.37 - Documented operating procedures

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

People Controls

A6.1 - Screening

Background verification checks on all candidates to become personnel shall be carried out prior to joining the organisation and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A6.2 - Terms and conditions of employment

The employment contractual agreements shall state the personnel's and the organisation's responsibilities for information security.

A6.3 - Information security awareness, education and training

Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education and training, and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function.

A6.4 - Disciplinary process

A disciplinary process shall be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

A6.5 - Termination or change of employment responsibilities

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

A6.6 - Confidentiality or non-disclosure agreements

Confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

A6.7 - Remote working

Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation's premises.

A6.8 - Information security event reporting

The organisation shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Physical Controls

A7.1 - Physical security perimeter

Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

A7.2 - Physical entry controls

Secure areas shall be protected by appropriate entry controls and access points.

A7.3 - Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and implemented.

A7.4 - Physical security monitoring

Premises shall be continuously monitored for unauthorised physical access.

A7.5 - Protecting against physical and environmental threats

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented.

A7.6 - Working in secure areas

Security measures for working in secure areas shall be designed and implemented.

A7.7 - Clear desk and clear screen

Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, shall be defined and appropriately enforced.

A7.8 - Equipment siting and protection

Equipment shall be sited securely and protected.

A7.9 - Security of assets off-premises

Off-site assets shall be protected.

A7.10 - Storage media

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation's classification scheme and handling requirements.

A7.11 - Supporting utilities

Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A7.12 - Cabling security

Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.

A7.13 - Equipment maintenance

Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

A7.14 - Secure disposal or re-use of equipment

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Technical Controls

A8.1 - User endpoint devices

Information stored on, processed by or accessible via user endpoint devices shall be protected.

A8.2 - Privileged access rights

The allocation and use of privileged access rights shall be restricted and managed.

A8.3 - Information access restriction

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

A8.4 - Access to source code

Read and write access to source code, development tools and software libraries shall be appropriately managed.

A8.5 - Secure authentication

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

A8.6 - Capacity management

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

A8.7 - Protection against malware

Protection against malware shall be implemented and supported by appropriate user awareness.

A8.8 - Management of technical vulnerabilities

Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

A8.9 - Configuration management

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

A8.10 - Information deletion

Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

A8.11 - Data masking

Data masking shall be used in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

A8.12 - Data leakage prevention

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

A8.13 - Information backup

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

A8.14 - Redundancy of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A8.15 - Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

A8.16 - Monitoring activities

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

A8.17 - Clock synchronisation

The clocks of information processing systems used by the organisation shall be synchronised to approved time sources.

A8.18 - Use of privileged utility programs

The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.

A8.19 - Installation of software on operational systems

Procedures and measures shall be implemented to securely manage software installation on operational systems.

A8.20 - Network controls

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

Need some help implementing these controls?

We'd love to help you get your ISO27001 controls under control. Drop us a line and we'll be in touch.
