Unlike other management system standards, ISO 27001 for Information Security provides a lengthy annex of 114 controls and control objectives.
It is mandatory to address the controls within Annex A of the standard, and while you aren’t required to implement EVERY control, you do need to justify the inclusion or exclusion of each one from your management system.
Usually justification for inclusion falls within one of several categories including:
- to treat a risk
- it is a legal requirement
- it is a contractual requirement
- it’s best practice
Excluding a control must likewise be justified with a valid reason, for example excluding the control for ‘Outsourced Software Development’ because you do not outsource your software development.
What Are the Controls?
The controls fall into 14 categories. We won’t address every control here, but the broad headings are:
- A5 Information Security Policies
- A6 Organisation of Information Security
- A7 Human Resources Security
- A8 Asset Management
- A9 Access Control
- A11 Physical & Environmental Security
- A12 Operational Security
- A13 Communications Security
- A14 System Acquisition, Development & Maintenance
- A15 Supplier Relationships
- A16 Incident Management
- A17 Information Security in Business Continuity Management
As you can see, the controls cover wide-ranging aspects of the organisation and should not ordinarily be the sole responsibility of the IT department.
Why do the ISO 27001 Controls Start at A5?
It may seem odd that the controls in Annex A start at A5 rather than A1. This is because the controls of Annex A correspond directly to those in another standard from the ISO 27000 family, ISO 27002.
In ISO 27002 there are some introductory and explanatory sections 1-4, so the controls begin at section 5.
During an ISO 27001 Certification audit, you will be audited against the control text within ISO 27001 only. However, there are many benefits to reading the extended guidance on each control within ISO 27002.
What is a Statement of Applicability (SOA)?
As described above, it is a mandatory requirement to justify either the reason for including a control in your management system, or the reason for excluding it.
This justification should go into a document called the Statement of Applicability (SOA), which tells interested parties which controls you have applied.
The SOA should be kept under review, as things change and you may find you need to bring different controls in/out of scope.
The SOA version number is also printed on your ISO certificate as evidence of the scope that has been audited. If you change your SOA version, you may require additional audits or at least a new certificate.
Is a Policy Needed for Every Control?
It is tempting to produce a document for every control in the standard, and in some very complex organisations that may be appropriate.
However, there are drawbacks to this approach including:
- Too much documentation will not be read or understood by stakeholders.
- Over time, there may be contradictions between policies as your management system evolves.
- It can be difficult to keep documents up-to-date.
- Reviewing large amounts of documents can be time-consuming.
- Raising awareness of large amounts of documentation can be difficult.
There are some controls where there is an obvious mandate for a policy, for example the Access Control Policy.
However, you should take a control-by-control approach to Annex A, ensuring you can evidence each control.
What if a Control is not Applicable to us?
You may exclude a control if it can be justified that the control does not apply to you.
You should write the reason for the exclusion in your SOA document.
However, the vast majority of the controls will apply, with the number of exclusions usually in single figures.
I don’t really understand what the control means.
This is perfectly understandable. The standard has been produced over time, was last updated in 2013, and includes contributions from national standards bodies across the world.
The text in ISO 27001 only includes one or two lines of explanation per control.
If you are stuck on the meaning or intention of a particular control, refer to that control within ISO 27002. Here you will find a much longer explanation of the requirement with some examples.
Get Started with ISO 27001.
This blog is part of a series exploring ISO 27001 implementation and certification.
Assent Risk Management are experienced ISO 27001 Consultants who can support you in a variety of ways including:
We also have a Gap, App & Wrap scheme utilising our online project management system.
Contact us to discuss how we can support your organisation’s journey towards ISO 27001 Certification.