MODULE 6- ANNEX A – CONTROL OBJECTIVES AND

CONTROLS
 SO 27001 Annex A – Reference control objectives and controls, provides a list of 114
security controls that are grouped into 14 sections. This module will explain the purpose
of these 14 sections, giving an overview of the security controls included, and
presenting best practices of how to document and implement these controls in practice.
The controls from Annex A are used in determining security controls necessary to
implement the chosen risk treatment options as explained in previous modules.

 Overview of ISO 27001:2013 Annex A

 Annex A of ISO 27001 is probably the most famous annex of all the ISO standards –
this is because it provides an essential tool for managing security: a list of security
controls (or safeguards) that are to be used to improve security of information.
How many controls are there in ISO 27001?
 There are 114 controls listed in ISO 27001 – it would be a violation of intellectual
property rights if I listed all the controls here, but let me just explain how the controls
are structured, and the purpose of each of the 14 sections from Annex A:
 A.5 Information security policies – controls on how the policies are written and
reviewed
 A.6 Organization of information security – controls on how the responsibilities are
assigned; also includes the controls for mobile devices and teleworking
 A.7 Human resources security – controls prior to employment, during, and after the
employment
 A.8 Asset management – controls related to inventory of assets and acceptable use,
also for information classification and media handling
 A.9 Access control – controls for Access control policy, user access management,
system and application access control, and user responsibilities
 A.10 Cryptography – controls related to encryption and key management
 A.11 Physical and environmental security – controls defining secure areas, entry
controls, protection against threats, equipment security, secure disposal, clear desk and
clear screen policy, etc.
 A.12 Operational security – lots of controls related to management of IT production:
change management, capacity management, malware, backup, logging, monitoring,
installation, vulnerabilities, etc.
 A.13 Communications security – controls related to network security, segregation,
network services, transfer of information, messaging, etc.
 A.14 System acquisition, development and maintenance – controls defining security
requirements and security in development and support processes
  A.15 Supplier relationships – controls on what to include in agreements, and how to
monitor the suppliers
 A.16 Information security incident management – controls for reporting events and
weaknesses, defining responsibilities, response procedures, and collection of evidence
 A.17 Information security aspects of business continuity management – controls
requiring the planning of business continuity, procedures, verification and reviewing,
and IT redundancy
 A.18 Compliance – controls requiring the identification of applicable laws and
regulations, intellectual property protection, personal data protection, and reviews of
information security

One of the biggest myths about ISO 27001 is that it is focused on IT – as you can see from the
above sections, this is not quite true: while IT is certainly important, IT alone cannot protect
information. Physical security, legal protection, human resources management, organizational
issues – all of them together are required to secure the information.

The best way to understand Annex A is to think of it as a catalogue of security controls you
can select from – out of the 114 controls that are listed in Annex A, you can choose the ones
that are applicable to your company.

Relationship to the main part of ISO 27001

So, not all of these 114 controls are mandatory – a company can choose for itself which
controls it finds applicable and then it must implement them (in most cases, at least 90% of the
controls are applicable); the rest are declared to be non-applicable. For example,
controlA.14.2.7 Outsourced development can be marked as non-applicable if a company does
not outsource the development of software. The main criterion for selecting the controls is
through risk management, which is defined in clauses 6 and 8 of the main part of ISO 27001.
Learn more here: ISO 27001 risk assessment & treatment – 6 basic steps.
Further, clause 5 of the main part of ISO 27001 requires you to define responsibilities for
managing those controls, and clause 9 requires you to measure if the controls have fulfilled
their purpose. Finally, clause 10 requires you to fix anything that is wrong with those controls,
and to make sure that you achieve information security objectives with those controls.

Relationship to ISO 27002

The truth is that Annex A of ISO 27001 does not give too much detail about each control.
There is usually one sentence for each control, which gives you an idea on what you need to
achieve, but not how to do it. This is the purpose of ISO 27002 – it has exactly the same
structure as ISO 27001 Annex A: each control from Annex A exists in ISO 27002, together
with a more detailed explanation on how to implement it. But don’t fall into the trap of using
only ISO 27002 for managing your information security – it does not give you any clues as to
how to select which controls to implement, how to measure them, how to assign
responsibilities, etc. Learn more here: ISO 27001 vs. ISO 27002.
Usability of Annex A

There are a couple of things I like about Annex A – it gives you a perfect overview of which
controls you can apply so that you don’t forget some that would be important, and it gives you
the flexibility to choose only the ones you find applicable to your business so that you don’t
have to waste resources on the ones that are not relevant to you.
It is true that the Annex A doesn’t give you too much detail on implementation, but this is
where ISO 27002 comes in; it is also true that some companies might abuse the flexibility of
ISO 27001 and aim only for the minimum controls in order to pass the certification, but this is
a topic for a different blog post.

How to structure the documents for ISO 27001

Annex A controls
Once you’ve finished your risk assessment and treatment, it is time for you to start writing
documents that describe your security controls according to ISO 27001 Annex A. But, which
documents should you write? How do you structure them? Which one do you begin with?
Here’s what I found to be the best way to do it.

How to choose which documents to write

ISO 27001 says that you cannot simply start to select the controls and/or write the documents
that you like the most – the point is that selection of controls must be a direct consequence of
the risk assessment and risk treatment process. See also: ISO 27001 risk assessment &
treatment – 6 basic steps.

Secondly, you must know which documents are mandatory and which are not – see this list
here: List of mandatory documents required by ISO 27001 (2013 revision).

Finally, once you know which controls must be applied and which documents are mandatory,
you must decide how extensive your documentation will be:

 Smaller companies will tend to have a smaller number of documents: (1) they won’t
document each control, and (2) they will include several controls in a single document.
 Larger companies will tend to have more documents, and the documents will be more
detailed.

However, these are not the only criteria to decide which documents to write – see also 8
criteria to decide which ISO 27001 policies and procedures to write.

Which documents should cover which controls?

ince Annex A has 114 controls, the truth is that it is not very easy to decide how to group
policies and procedures to cover them (see also: Overview of ISO 27001:2013 Annex A). And
the fact that ISO 27001 does not prescribe which controls must be allocated to which policies
and/or procedures might initially seem like a problem, but once you realize that such an
approach gives you big freedom to adapt the documentation to your real company needs, you
will actually become grateful that ISO 27001 is so flexible.

Again, there are two approaches to group the documents:

Smaller companies will normally have policies and/or procedures that cover several controls
with one document only – for instance, you might use:

 Access Control Policy to cover all the 14 controls from section A.9 (without writing
detailed procedures),
 BYOD (Bring Your Own Device) Policy to cover not only A.6.2.1 (Mobile device
policy) and A.6.2.2 (Teleworking), but also A.13.2.1 (Information transfer policies and
procedures),
 with Acceptable Use Policy, you might get even more ambitious and cover controls
from various sections of Annex A, since this document could serve as a security
baseline for all employees: A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1,
A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2,
A.13.2.3, and A.18.1.2.

Bigger companies usually structure the documentation in a different way:

 each section from Annex A will be covered with a policy – e.g., Organization of
Information Security Policy (A.6), Human Resources Security Policy (A.7), Asset
Management Policy (A.8), etc.
 each policy will have detailed procedures and/or working instructions that cover single
controls – for example, Information classification procedure (for control A.8.2.1),
Information labeling procedure (control A.8.2.2), Information handling procedure
(control A.8.2.3), etc.

The sequence of writing the documents

Once you have an idea of how to structure the documents, how do you decide where to start,
and where to end?

For smaller companies, you can use a couple of criteria to decide which documents to start
with:

 Areas where you can get quick wins – this means you can select an area where you
know you will finish your document quickly, and this way you show your management,
your peers (and yourself) that you are capable of doing this job effectively.
 Areas where you have largest risks – this way you start resolving the biggest problems
first –you may not finish this quickly, but sometimes this approach is necessary if your
risk assessment has shown you have some very big gaps to fill in.
 Areas that are compatible with other running projects in your company – for example, if
your company is currently implementing help desk software, you might want to start
 writing incident management procedure, because this will regulate how that software
will be used in the context of ISO 27001.

For documents that are to be written at the end, my personal preference is documents that
cover larger number of controls (for example, the Acceptable Use Policy). This way you will
know which controls you covered with other documents, and those that haven’t been
described in other policies and procedures can be described in an all-inclusive document at the
very end.

Again, bigger companies will have a different approach – they will write the policies first,
and related procedures/working instructions second, while for the decision on which policies
to start first they can use the same criteria as described above.

So, to conclude, make sure you use this flexibility that ISO 27001 offers you to adapt the
documentation to your specific needs – because the idea is that the documentation serves you,
not the other way around.

ISO 27001 Annex A has listed 114 security controls that are:

1. Mandatory – Incorrect! The controls listed in Annex A are not mandatory; a company can choose for
itself which controls it finds applicable, and then it must implement them.

2. Optional – Correct!

ISO 27001 Annex A has 18 sections of controls.

1. True – Incorrect! ISO 27001 Annex A has 14 sections of controls marked from A5 – A18.

2. False – Correct!

The Information Security Policy defined in the standard and the policies for information
security defined in Annex A section A5 refer to the same requirement.

1. True – Incorrect! The Information Security Policy required by the standard (clause 5.2) is a high-level
policy that sets the basic approach of the company for information security, while the policies for information
security described in Annex A of the standard refer to lower-level, topic-specific policies.

2. False – Correct!

Information security should be addressed in every project, regardless of its type.

1. True – Correct!

2. False – Incorrect! Information security should be part of every phase of each project, internal and external.

The purpose of the A7 Human resource security section of Annex A is:

1. To punish people who don’t follow the rules – Incorrect! The disciplinary process is just one of the
possible controls from this section; it is not the purpose.

2. To help the company to employ high-quality people – Incorrect! Only some of the controls refer to
activities done prior to employment.
3. To ensure that people working under the company understand and fulfill their information security
responsibilities – Correct!

According to ISO 27001, Annex A information should be classified:

1. As Public, Internal, Confidential, Top secret – Incorrect! The standard doesn’t prescribe specific levels
of classification.

2. Taking into consideration legal requirements and value and sensitivity of the information – Correct!

3. Doesn’t matter how, as long as a classification exists – Incorrect! Classification should take into account
requirements and value and sensitivity of the information.

Only the employees should have access to the network and the network services.

1. True – Incorrect! Only authorized users should have access to the network and the network services, and
the company should define such authorized users. There might be cases where employees are not authorized,
and people who are not employed in the company will be authorized to access the network.

2. False – Correct!

All confidential information should be encrypted using cryptographic controls.

1. True – Incorrect! The company should decide which information should be protected by cryptographic
controls. These decisions should be made taking into consideration various aspects such as risk assessment
results, criticality of information processes by the organization, and what needs to be protected:
confidentiality, integrity, authentication, etc.

2. False – Correct!

Which of the following information security controls represent physical and

environmental security controls?

1. Public and private encryption keys – Incorrect! These are cryptographic controls.

2. Secure disposal of equipment by destroying the storage media or using deleting and overwriting
techniques – Correct!

3. Securing equipment against theft when used outside offices – Correct!

4. Defining guidelines for classification of information – Incorrect! These are asset management controls.

5. The equipment should be repaired only by authorized personnel – Correct!

Section A12 from ISO 27001 Annex A is cantered on controls essential for ensuring
secure operations of the IT infrastructure of the company.

1. True – Correct!

2. False – Incorrect! Section A12 from ISO 27001 Annex A covers operational security controls crucial for
ensuring secure IT operations such as protection of malware, backup, logging, control of operational software,
etc.
Segregation in networks is a particularly useful control for companies with a small and
simple network.

1. True – Incorrect! Segregation is one of the methods to manage the security of larger and complex
networks by dividing the network into smaller, separate networks that are easier to manage and protect.

2. False – Correct!

To ensure information security is integrated into the new information systems,

companies should conduct the following activities:

1. Test the security features of the new systems – Correct!

2. Identify information security requirements for the new information systems after buying them and
implement them in the IT infrastructure – Incorrect! The information security requirements should be
identified as early as possible in the process of acquiring new systems.

3. Make sure that the information involved in application services transactions is appropriately
protected in order to prevent unauthorized modification, incomplete transaction, misuse, etc. – Correct!

4. Identifying information security requirements is the job of the company that produces the
information system, not the company that buys it – Incorrect! The information security requirements of
different companies are different; that is why the company that buys a new system needs to identify the
unique set of information security features required for that particular company.

5. Identify information security requirements for the new information systems early in the stage of
acquiring new systems – Correct!

Security requirements can be agreed upon verbally with the suppliers.

1. True – Incorrect! Supplier agreements should be documented to make sure there is no misunderstanding
between the company and the supplier regarding their information security obligations.

2. False – Correct!

Management of information security incidents includes learning from the incidents.

1. True – Correct!

2. False – Incorrect! Knowledge gained from analyzing and resolving incidents should be used for learning
from the incidents and reducing the chance of them reoccurring.

Information security continuity and business continuity management should be two

separated systems.

1. True – Incorrect! Information security continuity should be an integral part of the firm’s business
continuity management systems.

2. False - Correct!
The controls from A18 Compliance are focused on avoiding breaches of contractual
obligations connected to intellectual property rights.

1. True – Incorrect! Intellectual property is just one small aspect of compliance; the purpose of A18 is to
ensure the information security is implemented as prescribed with the existing ISMS documentation of the
company and to help companies avoid breaches of contractual and legal obligations connected to information
security.

2. False – Correct!

The section A.5 Information security policies requires documenting a set of policies for
defining information security rules. These policies are:

1. High-level policies that set the basic approach of the company for information security – Incorrect!
Annex A refers to low-level, topic-specific policies such as access control policy, backup policy, policy for
classification of information, clear desk and clear screen policy, etc.

2. Mandatory – Incorrect! The number of policies depends on the type of the organization (size, complexity,
industry, etc.)

3. Low-level and topic-specific policies – Correct!

4. Being regularly updated, especially after significant changes in the organization – Correct!

The Physical and environmental security section, A11, consists of two sub-sections:
controls for securing the area, and controls for securing the equipment.

1. True – Correct!

2. False – Incorrect! The sub-section for securing areas focuses on preventing unauthorized physical access
and damage to the information, and the sub-section for securing the equipment focuses on preventing loss,
damage, or compromise of assets.

Section A.12 Operational security specifically requires documenting operational

procedures that will be available to everyone in the organization who needs them.

1. True – Correct!

2. False – Incorrect! According to A.12, companies should document procedures related to operational
security, covering elements such as capacity management, controls against malware, backup, logging and
monitoring, etc.

Identifying information security requirements analysis and specification is a control

from section A.14 System acquisition, development and maintenance. This control
requires that for all new systems, appropriate analysis should be conducted regarding
the purpose of that system, types of information that will be processed, the
responsibilities of the users, etc.

1. True – Correct!
2. False – Incorrect! According to Annex A the information security related-requirements shall be included
in the requirements for new information systems.

Section A.15 defines controls related to monitoring and review of the supplier services.
The purpose of the monitoring and review is:

1. To ensure that suppliers pay the penalties in full in case they don’t abide by the agreements –
Incorrect! The main purpose is to check if suppliers fulfill the agreed levels of performance; in case they
don’t, different actions can be taken.

2. To ensure that suppliers fulfill the agreed levels of performance – Correct!

3. To ensure that suppliers comply with the information security requirements defined in the
agreements – Correct!

4. To force supplier to pay out the damages that have happened as a consequence of incidents –
Incorrect! The main purpose is to check if suppliers fulfill the agreed levels of performance; in case they
don’t, different actions can be taken.