ISO 27001 Controls and Related Standards


ISO 27001 is the internationally recognised standard published jointly by ISO and IEC in 2005. It was revised in 2013 to tackle security risks. An updated European version of ISO/IEC 27001 was published in 2017 after two revisions, in Clause 6.1.3 and Annex A control 8.1. In 2020, a large-scale study was conducted to address the effectiveness of ISO/IEC 27001 certification.

The purpose of ISO 27001 is to set out how to manage information security in specific situations. It covers the organisation, technology, and people domains through a carefully selected list of security controls.

Table of Contents

1) What is ISO 27001 Annex A?

2) How many ISO 27001 Controls are Present? 

3) List the 14 Categories of ISO 27001 Controls  

4) Related Standards of ISO/IEC 27001 Information Security Management 

5) Is it Necessary to Adopt ISO 27001 in an Organisation? 

6) Conclusion 


What is ISO 27001 Annex A? 

ISO 27001 is one of the best international information security standards for ISMS (Information Security Management Systems) and their requirements. The standard controls of ISO 27001 are outlined in ISO 27001 Annex A, and the controls listed there are used to ensure the security of information assets.

Based on the scope of your organisation, you are free to select from the 114 measures specified in ISO 27001 Annex A, a portfolio of information security controls.

People who intend to lead audits in ISMS can join the ISO 27001 Lead Auditor Training now. 

How many ISO 27001 Controls are Present? 

The ISO 27001 Annex A controls are divided into 14 categories. Together, these 14 categories outline 114 ISO 27001 controls as tools for effective risk management. The controls can be applied based on the results of your organisation's risk assessment.

The objective of this framework is to safeguard the integrity, confidentiality, and availability of information.

To understand which areas of the organisation the control sets relate to, check the following breakdown of Annex A controls.

Focus Area | Total controls | Category list for Annex A control

Organisational Issues
Human Resource
Information Technology (IT)
Physical Security
Legal issues



List the 14 Categories of ISO 27001 Controls  

The 14 Control Categories of ISO 27001 Annex A are as follows: 

1) Information Security Policies 

2) Organisation of Information Security 

3) Human Resources Security 

4) Asset Management

5) Access Control 

6) Cryptography 

7) Physical and Environmental Security 

8) Operational Security 

9) Communications Security 

10) Systems Acquisition, Development and Maintenance 

11) Supplier Relationships 

12) Information Security Incident Management 

13) Information Security Aspects of Business Continuity Management

14) Compliance

Each of the 14 categories of Annex A controls has specific objectives and security areas to improve information security. A total of 114 controls are grouped under the 14 categories of ISO 27001 Annex A.

Below is the comprehensive list of the 14 control categories:

1) Annex A.5 - Information Security Policies (2 controls) 


To keep control over the policies related to information security and ensure they are written and reviewed according to organisational requirements.

2) Annex A.6 - Organisation of Information Security (7 controls) 


To manage the framework and assign the roles and responsibilities for implementing information security.

To establish security guidelines on employees' access to information and on its storage and processing.

3) Annex A.7 - Human Resource Security (6 controls) 


To brief the parties associated with the organisation so that they understand the terms and conditions, responsibilities, and other requirements that apply during their employment tenure.

This category also involves conducting background verification, executing formal disciplinary processes, and adhering to information security policies to protect the interests of the organisation. 

4) Annex A.8 - Asset Management (10 controls) 


To identify, classify, and manage information assets and prevent them from being exposed.

It also helps implement classification schemes, define acceptable use, and outline procedures to handle and safely dispose of information and media.

5) Annex A.9 - Access Control (14 controls) 


To prevent unauthorised access and protect critical information (such as PINs and passwords).

To implement an access control policy, limit access rights, and regulate programs with override capabilities.

6) Annex A.10 - Cryptography (2 controls) 


To maintain the authenticity and confidentiality of vital information through key management and encryption.

It also outlines cryptographic policies and the use and validity period of keys.

7) Annex A.11 - Physical and Environmental Security (15 controls) 


To prevent and control interruptions to operations caused by unauthorised access, and to prevent theft, loss, or damage of assets.

It also covers securing transport bays, regular equipment servicing and maintenance, and defining and implementing a physical security perimeter against potential threats.

8) Annex A.12 - Operational Security (14 controls) 


To protect facilities from malware, maintain consistency across activity logs, avoid loss of data, reduce disruptions, and mitigate technical risks, ensuring the integrity of information processing facilities.

This involves creating awareness among users, installing anti-malware software, following backup policies, evaluating risks regularly, documenting the procedures, and monitoring software installations. 

9) Annex A.13 - Communications Security (7 controls) 


To monitor internal and external information transfer.

To implement network security and information transfer policies across the organisation's communication facilities.

10) Annex A.14 - System Acquisition, Development and Maintenance (13 controls) 


To ensure that information security requirements are met across the information system when installing new systems or updating existing ones.

To ensure that only authorised personnel have access to the data used for testing.

To regulate security testing, establish secure development areas, and avoid misrouting through public networks and unauthorised disclosures.

11) Annex A.15 - Supplier Relationships (5 controls) 


To maintain an agreed level of information security with your suppliers and ensure that access to valuable information and assets is protected.

This involves establishing formal agreements to mitigate the potential risks, which need regulatory approvals, auditing, and monitoring activities.

12) Annex A.16 - Information Security Incident Management (7 controls) 


To manage information security incidents effectively and consistently.

This involves rapid incident response in line with established procedures through appropriate management channels.

13) Annex A.17 - Information Security Aspects of Business Continuity Management (4 controls) 


To ensure that the information processing facilities are available and to confirm the organisation's information security continuity plans.

14) Annex A.18 - Compliance (8 controls) 


To ensure the organisational requirements for information security are met, avoiding security risks and breaches of a statutory, legal, or contractual nature.

This involves safeguarding against implications such as loss or theft to protect sensitive information, and reviewing and identifying the compliance requirements of the information system.

Professionals who are involved in internal audits in ISMS can benefit from ISO 27001 Internal Auditor Training now.

Related Standards of ISO/IEC 27001 Information Security Management 

ISO/IEC 27000: 2018 

This is related to information technology and applies to organisations of all types and sizes.

ISO/IEC 27001: 2022 

Information security, cybersecurity, and privacy protection - Information security management system 

This document specifies the need for establishing, implementing, maintaining, and regularly improving information security management systems.

ISO/IEC 27002: 2022 

Information security, cybersecurity, and privacy protection - Information security controls 

This provides a reference set of information security controls together with implementation guidelines.

Is it Necessary to Adopt ISO 27001 in an Organisation? 

Here are a few benefits of ISO 27001 from which your organisation can gain an advantage:

1) Security for all forms of information, including cloud-based, paper-based, and digital data

2) Centrally managed framework provided to secure all types of information in one place 

3) Quick response against security threats 

4) High resilience to cyber-attacks 

5) Lower costs by avoiding spending on ineffective defence technology

6) Protection of sensitive and confidential information to maintain its integrity

7) Protection against technology-based risks and other threats to ensure the complete safety of the organisation 

Conclusion

This blog covers multiple areas of ISO 27001, comprising controls, standards, benefits, and more. The ISO standards can help businesses deal with risks and problems and convert them into opportunities. The ISO 27001 controls protect your organisation and keep you focussed, so that you can achieve productivity and customer satisfaction and improve efficiency.

If you want to start or upgrade your professional career in Information Security Management, apply to ISO 27001 Training now. 

