Typically what people look at first is Annex A, the full list of controls; at the highest level there are thirteen controls in Annex A. You can read each control in depth here.
However, each of those thirteen controls has sub-controls, so in reality there is a total of 114 controls in Annex A of the ISO 27001 standard. It is important to note that, depending on your organisation's requirements, not all controls are mandatory to implement.
What you do have to do is justify the inclusion or exclusion of each control. The list is very comprehensive because it caters for all types of industries and organisations, not just IT.
You can pick it up and say yes, this whole set of controls is applicable to my manufacturing process, to my pharmaceutical company, to a hospital, or to other industries. That is why it is all-encompassing and why you have the opportunity to say that these controls are applicable and these controls are not.
You may not be managing your own data centre; you may have an external provider, in which case you can further evaluate whether the controls relating to the data centre are applicable to you or not.