Apr 02 2025

ISO 27001:2022 Annex A Controls Explained

Category: ISO 27kdisc7 @ 9:19 am

​ISO 27001:2022 is the international standard for information security management systems (ISMS), providing a framework for organizations to identify and address information security risks. While clauses 4–10 outline the broader ISMS requirements, Annex A offers a detailed list of 93 security controls categorized into four themes: Organizational, People, Physical, and Technological. This structure differs from the 2013 version, which contained 114 controls across 14 domains.​

The Organizational category comprises 37 controls focusing on policies, procedures, and responsibilities essential for effective information security. These include establishing an information security policy, defining management responsibilities, maintaining contact with authorities, gathering threat intelligence, classifying information, managing identity and access, and overseeing asset management.​

The People category encompasses 8 controls addressing the human element of information security. Key aspects involve conducting pre-employment screening, providing staff awareness training, implementing contracts and non-disclosure agreements (NDAs), managing remote working arrangements, and establishing procedures for reporting security events.​

The Physical category contains 14 controls that pertain to securing the physical environment of the ISMS. These controls cover areas such as defining security perimeters and secure areas, enforcing clear desk and screen policies, ensuring the reliability of supporting utilities, securing cabling infrastructure, and maintaining equipment properly.​

The Technological category includes 34 controls related to the digital aspects of information security. This encompasses implementing malware protection, establishing backup procedures, conducting logging and monitoring activities, ensuring network security and segregation, and adhering to secure development and coding practices.​

Selecting appropriate Annex A controls should be based on an organization’s specific risk assessment. After identifying relevant controls, organizations compare them against Annex A to ensure comprehensive risk coverage. Any exclusions of Annex A controls must be justified and documented in the Statement of Applicability (SoA).​

The SoA is a critical document within the ISMS, listing all Annex A controls along with justifications for their inclusion or exclusion and their implementation status. It should also incorporate any additional controls from other frameworks or those developed internally. Maintaining the SoA with version control and regular reviews is essential, as it plays a significant role during certification and surveillance audits conducted by certification bodies.​

Understanding the distinctions between ISO 27001’s Annex A and ISO 27002 is important. While Annex A provides a concise list of controls, ISO 27002 offers detailed implementation guidance for these controls, assisting organizations in effectively applying them within their ISMS.

Reach out to us for a free high-level assessment of your organization against ISO 27002 controls.

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

ISO 27001 Risk Assessment Process – Summary

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

Managing Artificial Intelligence Threats with ISO 27001

Implementing and auditing 93 controls to reduce information security risks

The Real Reasons Companies Get ISO 27001 Certified 

Compliance per Category ISO 27002 2022

Why Your Organization Needs ISO 27001 Amid Rising Risks

10 key benefits of ISO 27001 Cert for SMBs

ISO 27001: Building a Culture of Security and Continuous Improvement

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles

A Comprehensive Guide to the NIST Cybersecurity Framework 2.0: Strategies, Implementation, and Best Practice

CIS Controls in Practice: A Comprehensive Implementation Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, ISO 27001:2022, iso 27002

May 03 2023

What Is ISO 27001 And How To Go About It The Right Way

Category: ISO 27kDISC @ 11:10 pm

What Is ISO 27001 And How To Go About It The Right Way

What is ISO 27001?

ISO 27001 is a globally recognized standard on information and cyber security. By being compliant with this standard, you are operating in accordance with globally identified best practices. By being ISO 27001 certified, you’re not only operating in accordance with it, but you will also receive a clear stamp as evidence to your customers and other stakeholders that you are working aligned with security best practices.

Common Trap When Pursuing ISO 27001

Often companies who want to pursue ISO 27001 will quickly drop the idea when they start looking into the standard – this is because, often companies fall into the trap of starting with the controls as specified in ISO 270002 . When you only focus on the controls and implementation guidance, it can feel overwhelming and be frustrating as you will notice a lot of the implementation guidance will not make sense to your company and you can be under the impression that you are required to follow all the implementation guidance in order to become compliant or go for the certification.

This is false!

Falling into this trap, you are missing out on the core purpose of the standard. It is not about implementing all the controls and all the guidance you get from the standard – it is about building a functional management system that is aligned with your company context – it is about understanding the issues and risks you as a company are facing, and taking the appropriate measures to protect your assets and information.

How To Go About It The Right Way!

You should always start by focusing on the standard clauses in ISO 27001 that provide clear guidance on how to build a functional management system, when this is done correctly the controls will fall into place in the correct order at the right time in accordance with your company context and the risks that you as a company need to manage.

When people say that small companies should not pursue iso because it is too complex and has too many requirements – the above is the reason why it does not have to be.

All companies should prioritize and have a functional management system on how they secure their own company and the company assets. Protecting your values is a crucial element to stay in business!

Make sure you understand your company, your needs, and please avoid looking at other companies and the measures they have taken to protect themself and think that you have to do the same. Make your management system your own, build it so that it isdesigned to protect your assets. This way, you will have greater success and security will not be something that is forced on your company, it will be a tool to help you work more efficiently and securely.

Summary

To sum it up, ISO 27001 is a great standard to pursue both for small and large organizations.

Make sure you understand the purpose of the standard, and as a result implement a management system that is a perfect fit for your organization for long term success. ISO 27001 done right will result in a more secure and effective company that will again support the main goal of business continuity.

ISO 27001 Risk Assessment and Gap Assessment

Cybersecurity Management Solution Pack:


What is BS ISO/IEC 27001:2022 – Expert Commentary about?
BS ISO/IEC 27001:2022 is the third edition of this standard. It technically revises, cancels, and replaces the Second Edition – ISO/IEC 27001:2013 (also published as BS EN ISO/IEC 27001:2017). BS ISO/IEC 27001:2022 presents the requirements for an information security management system (ISMS). An ISMS assists an organization to preserve the confidentiality, integrity, and availability of information, in the face of an ever-changing threat landscape, no matter the source of risk. Thus, it deals with threats that can be technological, human, physical and environmental in nature.

The standard requires an organization to adopt a risk management framework to determine the necessary information security controls best suited to their business needs and risk appetite. To help organizations ensure that they have not inadvertently omitted any necessary control, the framework uses a reference set of controls (BS ISO/IEC 27001, Annex A), which also facilitates reliable comparisons to be drawn between organizations. The level of change incorporated into the revised version of the standard is medium.

The main changes compared to the previous edition are:
a fully revised reference information security control set (Annex A), which now aligns with ISO/IEC 27002:2022 and
alignment with the revised harmonized structure (HS) for management system standards.

Download ISO27000 family of information security standards today!

InfoSec booksΒ |Β InfoSec toolsΒ |Β InfoSec services

Tags: ISO 27001:2022, ISO 27002 2022

Nov 14 2022

ISO 27001:2022 Has Been Released – What Does It Mean for Your Organization?

Category: Information Security,ISO 27kDISC @ 12:39 am
ISO 27001:2022 Has Been Released – What Does It Mean for Your Organisation?

A new version of ISO 27001 was published this week, introducing several significant changes in the way organisations are expected to manage information security.

The Standard was last revised almost a decade ago (although a new iteration of the supplementary standardΒ ISO 27002Β was published in February 2022), meaning that the release ofΒ ISO 27001:2022Β has been much needed and highly anticipated.

What’s changing?

The good news for organisations is that ISO 27001:2022 doesn’t drastically overhaul their compliance requirements. There are new requirements on planned changes and how your organisation should deal with them, as well as a greater focus on how you must deal with the needs and expectations of interested parties.

Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022, and the Standard requires organisations to document and monitor objectives.

It also aligns its terminology with that used across other ISO management system standards.

Another notable aspect of its terminology is that ISO 27002:2022 no longer refers to itself as a β€œcode of practice”. This better reflects its purpose as a reference set of information security controls.

However, the most significant changes with the 2022 version of ISO 27002 are in its structure. It is no longer divided into 14 control categories, and is instead split into four β€˜themes’: organisational, people, physical and technological.

Meanwhile, although the 2022 version of ISO 27002 is significantly longer than its predecessor, the total number of controls has decreased from 114 to 93.

This is because many of its controls have been reordered and merged. Only 35 controls are unchanged, while 11 completely new requirements have been added. These are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The new and amended controls are also categorised according to five types of β€˜attribute’: control type, operational capabilities, security domains, cybersecurity concepts and information security properties.

This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.

How will this affect organisations implementing ISO 27001?

The introduction of ISO 27001:2022 won’t have an immediate effect on organisations that are currently certified to ISO 27001:2013 or are in the process of achieving certification.

For the time being, organisations should continue to follow the 2013 version of the Standard. This means, for example, that the SoA (Statement of Applicability) should refer to the controls listed in Annex A of ISO 27001:2013, while the 2022 version of the Standard should be used only as a reference.

Indeed, the reason that the updated version is being published now is to give organisations time to familiarise themselves with the new controls before embarking on an implementation project.

The controls listed in ISO 27002:2022 can be considered an alternative control set that you will have to compare with the existing Annex A – just as you would with any other alternative control set.

ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.

What next?

There is a three-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes.

However, it’s never wise to put off the planning process until the last minute. Implementation will take several months, and it’s worth knowing what’s expected of you as soon as possible.

You can begin by reading the Standard for yourself. You can purchase a digital copy ofΒ ISO 27001:2022Β from our website, and we recommend comparing the updated version to the 2013 edition and your current compliance practices to determine what adjustments you’ll have to make.

If you’re unsure how to proceed, our team of experts are here to help. Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.

Speak to one of our experts for more information on how we can support you.

Tags: ISO 27001:2022

Oct 18 2022

Detailed explanation of 11 new security controls in ISO 27001:2022

Category: Information Security,ISO 27kDISC @ 9:00 am

If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.

In this article, I’ll focus on 11 new controls that are set to be introduced in ISO 27001. For general information about the changes, see this article: Most important facts about changes in ISO 27001/ISO 27002.

What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls were categorized as new in ISO 27002:2022, I have listed all 11 in this article.

As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.

Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.

So, let’s review the 11 controls in more detail…

https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/?

Tags: ISO 270012022, ISO 27001:2022, ISO27k

Jun 20 2022

Get ISO 27001:2022 and 2013 toolkits for the price of one

Category: ISO 27kDISC @ 11:22 am

If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.

Buy the ISO 27001:2022 toolkit now, and receive the 2013 revision toolkit for free! Then you’ll have time to go over your implementation plans and decide if you should start with the project right now, or postpone it until later. With this bundle, you are covered for whatever option you choose.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 45 document templates β€“ unlimited access to all documents required for  ISO 27001 certification, plus commonly used non-mandatory documents 
  • Access to video tutorials 
  • Email support 
  • Expert review of a document 
  • One hour of live one-on-one online consultations
    with an ISO 27001 expert 
  • Receive ISO 27001:2022 and ISO 27001:2013 toolkit documents. 

Information security, cybersecurity and privacy protection. Information security controls ISO/IEC 27002:2022

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: iso 27001, ISO 27001:2022, ISO/IEC 27002:2022, ISO27001:2013