CHAPTER 17: ISO27001 ANNEX A
ISO/IEC 27001:2013 Annex A has 14 major clauses, or control areas, numbered from A.5 to A.18. Each clause contains one or more security categories, each of which states a control objective, and each control objective is served by one or more controls. Controls are numbered sequentially within their category (A.5.1.1, A.5.1.2 and so on).
There are, in total, 35 control objectives and 114 controls, each with its own alphanumeric clause number.
Annex A is aligned with ISO27002: precisely the same control objectives, controls, clause numbering and wording are used in both, with ISO27002 adding implementation guidance for each control. Note the clear statement in the Standard that ‘the control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed’: the controls an organisation actually applies are those its risk assessment identifies as necessary, and controls from other sources may be added. The 14 control clauses of Annex A (its numbering starts at A.5 so that it matches ISO27002, whose Clauses 1–4 are introductory and contain no controls) all start with an A and are listed below.
• A5: Information security policies
• A6: Organisation of information security
• A7: Human resource security
• A8: Asset management
• A9: Access control
• A10: Cryptography
• A11: Physical and environmental security
• A12: Operations security
• A13: Communications security
• A14: System acquisition, development and maintenance
• A15: Supplier relationships
• A16: Information security incident management
• A17: Information security aspects of business continuity management
• A18: Compliance.
Annex A control areas and controls
Each of the clauses of Annex A deals with one or more security categories, and each security category has a control objective and one or more controls that will serve to secure that objective. The clauses, security categories, control objectives and control names are set out below; the detailed control requirements are contained in the Standard, and this should be acquired and studied.
Clause A5: Information security policies
5.1 | Management direction for information security: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
5.1.1 | Policies for information security
5.1.2 | Review of the policies for information security
Clause A6: Organisation of information security
6.1 | Internal organisation: to establish a management framework to initiate and control the implementation and operation of information security within the organisation
6.1.1 | Information security roles and responsibilities
6.1.2 | Segregation of duties
6.1.3 | Contact with authorities
6.1.4 | Contact with special interest groups
6.1.5 | Information security in project management
6.2 | Mobile devices and teleworking: to ensure the security of teleworking and use of mobile devices
6.2.1 | Mobile device policy
6.2.2 | Teleworking
Clause A7: Human resource security
7.1 | Prior to employment: to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered
7.1.1 | Screening
7.1.2 | Terms and conditions of employment
7.2 | During employment: to ensure that employees and contractors are aware of and fulfil their information security responsibilities
7.2.1 | Management responsibilities
7.2.2 | Information security awareness, education and training
7.2.3 | Disciplinary process
7.3 | Termination and change of employment: to protect the organisation’s interests as part of the process of changing or terminating employment
7.3.1 | Termination or change of employment responsibilities
Clause A8: Asset management
8.1 | Responsibility for assets: to identify organisational assets and define appropriate protection responsibilities
8.1.1 | Inventory of assets
8.1.2 | Ownership of assets
8.1.3 | Acceptable use of assets
8.1.4 | Return of assets
8.2 | Information classification: to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation
8.2.1 | Classification of information
8.2.2 | Labelling of information
8.2.3 | Handling of assets
8.3 | Media handling: to prevent unauthorised disclosure, modification, removal or destruction of information stored on media
8.3.1 | Management of removable media
8.3.2 | Disposal of media
8.3.3 | Physical media transfer
Clause A9: Access control
9.1 | Business requirements of access control: to limit access to information and information processing facilities
9.1.1 | Access control policy
9.1.2 | Access to networks and networking services
9.2 | User access management: to ensure authorised user access and to prevent unauthorised access to systems and services
9.2.1 | User registration and de-registration
9.2.2 | User access provisioning
9.2.3 | Management of privileged access rights
9.2.4 | Management of secret authentication information of users
9.2.5 | Review of user access rights
9.2.6 | Removal or adjustment of access rights
9.3 | User responsibilities: to make users accountable for safeguarding their authentication information
9.3.1 | Use of secret authentication information
9.4 | System and application access control: to prevent unauthorised access to systems and applications
9.4.1 | Information access restriction
9.4.2 | Secure log-on procedures
9.4.3 | Password management system
9.4.4 | Use of privileged utility programs
9.4.5 | Access control to program source code
Clause A10: Cryptography
10.1 | Cryptographic controls: to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information
10.1.1 | Policy on the use of cryptographic controls
10.1.2 | Key management
Clause A11: Physical and environmental security
11.1 | Secure areas: to prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities
11.1.1 | Physical security perimeter
11.1.2 | Physical entry controls
11.1.3 | Securing offices, rooms and facilities
11.1.4 | Protecting against external and environmental threats
11.1.5 | Working in secure areas
11.1.6 | Delivery and loading areas
11.2 | Equipment: to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations
11.2.1 | Equipment siting and protection
11.2.2 | Supporting utilities
11.2.3 | Cabling security
11.2.4 | Equipment maintenance
11.2.5 | Removal of assets
11.2.6 | Security of equipment and assets off-premises
11.2.7 | Secure disposal or re-use of equipment
11.2.8 | Unattended user equipment
11.2.9 | Clear desk and clear screen policy
Clause A12: Operations security
12.1 | Operational procedures and responsibilities: to ensure correct and secure operations of information processing facilities
12.1.1 | Documented operating procedures
12.1.2 | Change management
12.1.3 | Capacity management
12.1.4 | Separation of development, testing and operational environments
12.2 | Protection from malware: to ensure that information and information processing facilities are protected against malware
12.2.1 | Controls against malware
12.3 | Backup: to protect against loss of data
12.3.1 | Information backup
12.4 | Logging and monitoring: to record events and generate evidence
12.4.1 | Event logging
12.4.2 | Protection of log information
12.4.3 | Administrator and operator logs
12.4.4 | Clock synchronisation
12.5 | Control of operational software: to ensure the integrity of operational software
12.5.1 | Installation of software on operational systems
12.6 | Technical vulnerability management: to prevent exploitation of technical vulnerabilities
12.6.1 | Management of technical vulnerabilities
12.6.2 | Restrictions on software installation
12.7 | Information systems audit considerations: to minimise the impact of audit activities on operational systems
12.7.1 | Information systems audit controls
Clause A13: Communications security
13.1 | Network security management: to ensure the protection of information in networks and its supporting information processing facilities
13.1.1 | Network controls
13.1.2 | Security of network services
13.1.3 | Segregation in networks
13.2 | Information transfer: to maintain the security of information transferred within an organisation and with any external entity
13.2.1 | Information transfer policies and procedures
13.2.2 | Agreements on information transfer
13.2.3 | Electronic messaging
13.2.4 | Confidentiality or non-disclosure agreements
Clause A14: System acquisition, development and maintenance
14.1 | Security requirements of information systems: to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks
14.1.1 | Information security requirements analysis and specification
14.1.2 | Securing application services on public networks
14.1.3 | Protecting application services transactions
14.2 | Security in development and support processes: to ensure that information security is designed and implemented within the development lifecycle of information systems
14.2.1 | Secure development policy
14.2.2 | System change control procedures
14.2.3 | Technical review of applications after operating platform changes
14.2.4 | Restrictions on changes to software packages
14.2.5 | Secure system engineering principles
14.2.6 | Secure development environment
14.2.7 | Outsourced development
14.2.8 | System security testing
14.2.9 | System acceptance testing
14.3 | Test data: to ensure the protection of data used for testing
14.3.1 | Protection of test data
Clause A15: Supplier relationships
15.1 | Information security in supplier relationships: to ensure protection of the organisation’s assets that are accessible by suppliers
15.1.1 | Information security policy for supplier relationships
15.1.2 | Addressing security within supplier agreements
15.1.3 | Information and communication technology supply chain
15.2 | Supplier service delivery management: to maintain an agreed level of information security and service delivery in line with supplier agreements
15.2.1 | Monitoring and review of supplier services
15.2.2 | Managing changes to supplier services
Clause A16: Information security incident management
16.1 | Management of information security incidents and improvements: to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses
16.1.1 | Responsibilities and procedures
16.1.2 | Reporting information security events
16.1.3 | Reporting information security weaknesses
16.1.4 | Assessment of and decision on information security events
16.1.5 | Response to information security incidents
16.1.6 | Learning from information security incidents
16.1.7 | Collection of evidence
Clause A17: Information security aspects of business continuity management
17.1 | Information security continuity: information security continuity shall be embedded in the organisation’s business continuity management systems
17.1.1 | Planning information security continuity
17.1.2 | Implementing information security continuity
17.1.3 | Verify, review and evaluate information security continuity
17.2 | Redundancies: to ensure availability of information processing facilities
17.2.1 | Availability of information processing facilities
Clause A18: Compliance
18.1 | Compliance with legal and contractual requirements: to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements
18.1.1 | Identification of applicable legislation and contractual requirements
18.1.2 | Intellectual property rights
18.1.3 | Protection of records
18.1.4 | Privacy and protection of personally identifiable information
18.1.5 | Regulation of cryptographic controls
18.2 | Information security reviews: to ensure that information security is implemented and operated in accordance with the organisational policies and procedures
18.2.1 | Independent review of information security
18.2.2 | Compliance with security policies and standards
18.2.3 | Technical compliance review