What are the 14 domains of ISO 27001?

The 14 domains of ISO 27001 provide the best practices for an Information Security Management System (ISMS). As outlined in Annex A of the ISO 27001 standard, this approach requires companies to determine information security risks and then choose appropriate controls to handle them. At Citation Certification, our goal is to inspire your ISO certification journey to the highest international standards and help discover your business’s full potential.

ISO 27001 – 14 Information security controls as outlined in Annex A

Annex A.5: Information security policies

The main objective of this annex is to align policies with the company’s information security practices. Annex A.5 is further divided into two sub-domains;

• Annex A.5.11: Policies for Information Security
• Annex A.5.1.2: Review the Policies for Information Security

Annex A.6: Organisation of information security

With seven controls, this annex establishes a structure to initiate and manage the implementation of a security management system. It’s also classified into two sections;

• Annex A.6.1 is responsible for the assignment of information security roles and responsibilities within the organisation.
• Annex A.6.2 addresses security practices for mobile gadgets and remote working.

Annex A.7: Human resource security

This annex focuses on the role of human resources. It ensures employees, contractors, and the rest of the workforce understand their responsibilities.

Annex A.8: Asset management

The objective of this annex is to pinpoint information assets and identify proper protection responsibilities. It is divided into three;

• Annex A.8.1: identification of information assets according to ISMS
• Annex A.8.2: information asset classification
• Annex A.8.3: protection of sensitive data from unauthorised access, modification, or destruction

Annex A.9: Access control

Annex A.9 ensures restricted access to information processing facilities. It allows employees to only view information that is relevant to their individual roles.

Annex A.10: Cryptography

This annex addresses data encryption and the security of confidential information. Its two controls ensure that businesses use cryptography appropriately to facilitate data integrity, confidentiality, and protection.

Annex A.11: Physical and environmental security

Annex A.11 addresses the physical and environmental aspects of the organisation. It is the biggest annex with 15 domains which are broadly classified into two categories.

• Annex.A.11.1: Prevents unpermitted physical access, interference, trespass, or damage to the organisation’s facility.
• Annex A11.2: Protects company equipment from damage, theft, or loss.

Annex A.12: Operations security

The objective of this Annex is to safeguard information processing facilities. It ensures that the organisation has appropriate defences in place to reduce the risk of infection and prevent data loss. Annex A.12 is divided into seven different sections.

Annex A.13: Communications security

This addresses the strategies used to protect the organisation’s information within networks.

Annex A.14: System acquisition, development, and maintenance

This annex has thirteen controls that address information security and ensure it remains a central aspect of the company’s operations throughout the life cycle.

Annex A.15: Supplier relations

This annex covers contractual agreements between the organisation and third parties.

Annex A.16: Information security incident management

This involves steps taken to report and manage security incidents. It defines which employee is responsible for specific actions.

Annex A.17: Information security aspects of business continuity

This annex addresses the management of business disruptions. It involves taking necessary measures to ensure security continuity.

Annex A.18: Compliance

This annex helps the organisation establish applicable laws and regulations to help understand its legal requirements and avoid possible penalties.