What are the ISO 27001 Controls?

PLEASE NOTE:  ISO 27001:2013 was revised in 2022.  The new standard has 93 controls, 11 of which are new.

Read more about the new ISO 27001:2022 Standard:


Unlike other management system standards, ISO 27001 for Information Security, provides a lengthy annex of 114 controls and control objectives.

It is mandatory to address the controls within Annex A of the standard, and while you aren’t required to implement EVERY control, you do need to justify their inclusion or exclusion from your management system.  

Usually justification for inclusion falls within one of several categories including:

  • to treat a risk
  • it is a legal requirement
  • it is a contractual requirement
  • it’s best practice

While justifying the exclusion of controls must be for a valid reason, for example excluding the control for ‘Outsourced Software Development’ because you do not outsource your software development.

What Are the Controls?

The controls fall into 14 categories.  We won’t address every control here but the broad headings are:

A5 Information Security Policies

A6 Organisation of Information Security

A7 Human Resources Security

A8 Asset Management

A9 Access Control

A10 Cryptography

A11 Physical & Environmental Security

A12 Operational Security

A13 Communications Security

A14 System Acquisition, Development & Maintenance

A15 Supplier Relationships

A16 Incident Management

A17 Information Security in Business Continuity Management

A18 Compliance

As you can see, the controls cover wide ranging aspects of the organisation and should not ordinarily be the sole responsibility of the I.T department.

Why do the ISO 27001 Controls Start at A5?

It may seem odd that the controls in Annex A start at A5 rather than A1. This is because the controls of Annex A correspond directly to those in another standard from the ISO 27000 Family, ISO 27002.

In ISO 27002 there are some introductory and explanatory sections 1-4, so the controls begin at section 5.  

During an ISO 27001 Certification audit, you will be audited against the control text within ISO 27001 only.  However, there are many benefits to reading the extended guidance on each control within ISO 27002.

What is a Statement of Applicability (SOA)?

As described above, it is a mandatory requirement to justify either the reason for including a control in your management system, or the reason for excluding it.

This justification should go into a document called the Statement of Applicability (SOA), which tells interested parties which controls you have applied.

The SOA should be kept under review, as things change and you may find you need to bring different controls in/out of scope.

The SOA Version number is also printed on your ISO Certificate as evidence of the scope that has been audited.  If you change your SOA version you may require additional audits or at least a new certificate.

Is a Policy Needed for Every Control?

NO.

It is tempting to produce a document for every control in the standard, and in some very complex organisations that may be appropriate.  

However, there are drawbacks to this approach including:

  • Too much documentation will not be read or understood by stakeholders.
  • Over time, there may be contradictions between policies as your management system evolves.
  • It can be difficult to keep documents up-to-date.
  • Reviewing large amounts of documents can be time consuming.
  • Raising awareness of large amounts of documentation can be difficult.

There are some controls where there is an obvious mandate for a policy, for example the Access Control Policy.

However, you should take a control-by-control approach to Annex A ensuring you can evidence each control.

What if a control is not Applicable to us?

You may exclude a control if it can be justified that the control does not apply to you.  

You should write the reason for the exclusion in your SOA document.

However, the vast majority of the controls will apply, with the number of exclusions usually in single figures.

I don’t really understand what the control means.

This is perfectly understandable. The standard has been produced over time, last updated in 2013, and includes contributions from national standards bodies across the world.

The text in ISO 27001 only includes one or two lines of explanation per control.

If you are stuck on the meaning or intention of a particular control, refer to that control within ISO 27002.  Here you will find a much longer explanation of the requirement with some examples.

ISO 27002 can be downloaded here.

Get Started with ISO 27001.

This blog is part of a series exploring ISO 27001 implementation and certification.

Assent Risk Management are experienced ISO 27001 Consultants who can support you in a variety of ways including:

ISO 27001 Gap Analysis,

ISO 27001 Implementation Project,

ISO 27001 Internal Audits

We also have a Gap, App & Wrap scheme utilising our online project management system.

Contact us to discuss how we can support your organisation’s journey towards ISO 27001 Certification.

Robert Clements
Robert Clements
Articles: 299