What are the categories of controls in ISO 27001?

Notably, the revision sees a significant reduction in the ISO 27001 Annex A controls list, decreasing from 114 to 93.

Let’s explore these new ISO 27001 categories in-depth and understand how they contribute to enhancing information security practices across organizations worldwide.

ISO 27001 Controls

1. Organizational Controls (37 controls)

These ISO27001 controls focus on the organizational aspects of information security management. They encompass policies, procedures, and practices that govern the organization’s overall approach to managing information security. Examples of organizational controls include:

• Establishing and maintaining an information security policy.
• Defining roles and responsibilities for information security.
• Implementing processes for managing third-party relationships.
• Conducting regular security awareness and training programs for employees.
• Establishing incident response and business continuity plans.

2. People Controls (8 controls)

People controls address the human element of information security management. These ISO 27001 privacy controls ensure that employees, contractors, and other personnel understand their roles and responsibilities in safeguarding information assets. Examples of people controls include:

• Performing background checks on personnel.
• Providing security awareness training to employees.
• Defining access rights and permissions based on job roles.
• Establishing disciplinary procedures for security policy violations.

3. Physical Controls (14 controls)

Physical controls focus on securing the physical environment in which information assets are stored, processed, or transmitted. These controls aim to prevent unauthorized access, damage, or theft of physical assets. Examples of physical controls include:

• Implementing access controls (e.g., locks, badges) to restrict entry to secure areas.
• Installing surveillance cameras and alarm systems to monitor and detect unauthorized access.
• Implementing environmental controls (e.g., temperature, humidity) to protect equipment and data storage media.
• Establishing procedures for the secure disposal of sensitive information and electronic devices.

4. Technological Controls (34 controls)

Technological controls use technology to protect information assets and mitigate security risks. These controls include hardware, software, and technical measures implemented to secure information systems and networks. Examples of technological controls include:

• Implementing firewalls, intrusion detection systems, and antivirus software to protect against external threats.
• Encrypting data at rest and in transit to maintain confidentiality.
• Implementing access control mechanisms (e.g., authentication, authorization) to restrict access to sensitive information.
• Implementing security controls for mobile devices, cloud services, and emerging technologies.

There you have it: 4 control categories and 93 controls. 

By implementing controls from each category, organizations can establish a comprehensive information security management system to protect their valuable assets from threats and vulnerabilities.