What are the 14 domains of ISO 27001?

The 14 domains of ISO/IEC 27001:2013 Annex A group the standard's 114 reference controls into the areas an Information Security Management System (ISMS) must cover. The standard does not demand every control: an organisation identifies its information security risks, selects the controls needed to treat them, and records that selection, with a justification for any control it excludes, in its Statement of Applicability. At Citation Certification, our goal is to inspire your ISO certification journey to the highest international standards and help discover your business’s full potential.

In this article, we explain what controls mean in the context of ISO 27001: Information Security Management, the differences between ISO 27001 and ISO 27002, and which controls were added in the 2022 update to the standard.

What do ISO controls mean?

ISO 27001 controls are the specific measures, policies, and procedures listed in Annex A of the standard (and described in detail in ISO 27002) that protect an organisation’s information and systems so that the confidentiality, integrity, and availability of data are preserved. They cover a wide range of areas, including physical security, technological controls such as access control and password management, and supplier and incident management. Each Annex A domain states a control objective and the controls that serve it; by implementing the controls its risk assessment calls for, and justifying any it leaves out, an organisation can achieve certification and demonstrate that it manages information security effectively.

ISO 27001 – the 14 information security control domains outlined in Annex A

Annex A.5: Information security policies

The objective of this annex is to provide management direction and support for information security in line with business requirements and relevant laws and regulations. Annex A.5 has a single control objective, A.5.1 (Management direction for information security), with two controls:

  • Annex A.5.1.1: Policies for information security
  • Annex A.5.1.2: Review of the policies for information security

Annex A.6: Organisation of information security

With seven controls, this annex establishes a management framework to initiate and control the implementation and operation of information security within the organisation. It is divided into two sections:

  • Annex A.6.1 (Internal organisation, five controls) assigns information security roles and responsibilities, including segregation of duties, contact with authorities and special interest groups, and information security in project management.
  • Annex A.6.2 (Mobile devices and teleworking, two controls) addresses security for mobile devices and remote working.

Annex A.7: Human resource security

This annex has six controls covering the role of human resources across three stages: prior to employment (screening and terms and conditions), during employment (management responsibilities, awareness and training, and the disciplinary process), and termination or change of employment. It ensures employees, contractors, and the rest of the workforce understand and live up to their responsibilities.

Annex A.8: Asset management

The objective of this annex is to identify information assets and define appropriate protection responsibilities. Its ten controls are divided into three sections:

  • Annex A.8.1 (Responsibility for assets): inventory and ownership of the assets within the scope of the ISMS, acceptable use, and return of assets when employment ends.
  • Annex A.8.2 (Information classification): classifying and labelling information, and handling it according to its classification.
  • Annex A.8.3 (Media handling): protecting information stored on removable media from unauthorised disclosure, modification, removal, or destruction, including during transfer and disposal.

Annex A.9: Access control

Annex A.9 has 14 controls in four sections (business requirements of access control, user access management, user responsibilities, and system and application access control). Its aim is to limit access to information and information processing facilities to what each role legitimately needs: users should be able to reach only the information relevant to their duties, access rights should be granted, reviewed, and revoked through a formal process, and privileged access should be restricted and controlled.
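To make the need-to-know and least-privilege points concrete, here is an added worked example of a deny-by-default access check that combines an information classification label (Annex A.8.2) with a role table (Annex A.9). It is not code from this page, from Citation Certification, or from the standard; the role names, classification levels, sample users, and sample assets are constructed for illustration.

```python
"""Deny-by-default access check pairing A.8.2 information classification
with A.9 access control (need-to-know plus least privilege).

Added example: not code from the page, from Citation Certification or from
ISO/IEC 27001. The role table, classification levels and the sample users
and assets below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that a role cleared to level N may read every level <= N."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical role policy: the highest classification a role may handle and
# the actions it may perform. Roles and actions absent from this table are
# denied, so a misconfigured or newly created role cannot grant access by accident.
ROLE_POLICY = {
    "reader":  {"max_class": Classification.INTERNAL,     "actions": {"read"}},
    "analyst": {"max_class": Classification.CONFIDENTIAL, "actions": {"read"}},
    "editor":  {"max_class": Classification.CONFIDENTIAL, "actions": {"read", "write"}},
    "admin":   {"max_class": Classification.RESTRICTED,   "actions": {"read", "write", "delete"}},
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification
    owning_team: str  # need-to-know boundary: the asset owner's team (A.8.1)


@dataclass(frozen=True)
class User:
    username: str
    role: str
    teams: frozenset


AUDIT_LOG = []  # every decision is recorded (A.12.4 logging); ship to a SIEM in practice


def is_permitted(user: User, asset: Asset, action: str) -> bool:
    """Allow only when every rule passes; unknown roles or actions fail closed."""
    policy = ROLE_POLICY.get(user.role)
    allowed = (
        policy is not None
        and action in policy["actions"]                      # least privilege
        and asset.classification <= policy["max_class"]      # clearance covers the label
        and (
            (action == "read" and asset.classification == Classification.PUBLIC)
            or asset.owning_team in user.teams                # need-to-know
        )
    )
    AUDIT_LOG.append({"user": user.username, "asset": asset.name,
                      "action": action, "allowed": allowed})
    return allowed


# Constructed sample data.
ASSETS = {
    "press-release": Asset("press-release", Classification.PUBLIC, "marketing"),
    "payroll":       Asset("payroll", Classification.CONFIDENTIAL, "finance"),
    "root-ca-key":   Asset("root-ca-key", Classification.RESTRICTED, "security"),
}
USERS = {
    "alice": User("alice", "analyst", frozenset({"finance"})),
    "bob":   User("bob", "analyst", frozenset({"marketing"})),
    "carol": User("carol", "admin", frozenset({"security"})),
    "dave":  User("dave", "contractor", frozenset({"finance"})),  # role missing from policy
}


def run_checks():
    """Evaluate a fixed set of requests; returns {(user, asset, action): allowed}."""
    requests = [
        ("alice", "payroll", "read"),        # cleared and in finance: allow
        ("bob", "payroll", "read"),          # cleared but not in finance: deny (need-to-know)
        ("alice", "payroll", "write"),       # analysts may not write: deny
        ("bob", "press-release", "read"),    # public data: anyone may read
        ("carol", "root-ca-key", "delete"),  # admin in the security team: allow
        ("alice", "root-ca-key", "read"),    # confidential clearance < restricted: deny
        ("dave", "payroll", "read"),         # unknown role: deny (fail closed)
    ]
    return {r: is_permitted(USERS[r[0]], ASSETS[r[1]], r[2]) for r in requests}


if __name__ == "__main__":
    for (user, asset, action), allowed in run_checks().items():
        print(f"{user:>6} {action:<6} {asset:<14} {'ALLOW' if allowed else 'DENY'}")
```

Two design choices matter more than the contents of the table: the check fails closed (an unknown role or action is denied rather than falling through to a default), and every decision is written to an audit record so that the periodic access reviews A.9 asks for, and any later incident investigation, have something to work from.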

Annex A.10: Cryptography

This annex addresses the use of cryptography to protect the confidentiality, authenticity, and integrity of information. Its two controls (A.10.1.1, a policy on the use of cryptographic controls, and A.10.1.2, key management) ensure that encryption is applied where the risk assessment calls for it and that keys are generated, stored, rotated, and retired securely throughout their lifetime.

Annex A.11: Physical and environmental security

Annex A.11 addresses the physical and environmental aspects of the organisation. It is the largest annex, with 15 controls broadly classified into two categories:

  • Annex A.11.1 (Secure areas): prevents unauthorised physical access, damage, and interference to the organisation’s premises and information.
  • Annex A.11.2 (Equipment): protects company equipment from loss, damage, theft, or compromise, including when it is used, maintained, or disposed of off-site.

Annex A.12: Operations security

The objective of this annex is to ensure the correct and secure operation of information processing facilities. Its 14 controls are divided into seven sections: operational procedures and responsibilities, protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management, and information systems audit considerations. Together they ensure the organisation has defences in place to reduce the risk of malware infection, prevent data loss, and detect and record security events.

Annex A.13: Communications security

This annex has seven controls in two sections, network security management (A.13.1) and information transfer (A.13.2), covering how the organisation protects information within its networks and when it is exchanged internally or with external parties.

Annex A.14: System acquisition, development, and maintenance

This annex has thirteen controls across three sections: security requirements of information systems, security in development and support processes, and test data. Together they ensure that information security remains an integral part of information systems across the entire life cycle, from specifying requirements through development and change control to testing.

Annex A.15: Supplier relationships

This annex has five controls covering the protection of the organisation’s assets that are accessible to suppliers (A.15.1, including the security requirements written into supplier agreements) and the monitoring, review, and management of changes to supplier service delivery (A.15.2).

Annex A.16: Information security incident management

This annex has seven controls covering a consistent and effective approach to managing information security incidents: reporting events and weaknesses, assessing and responding to them, learning from incidents, and collecting evidence. It defines which roles are responsible for specific actions.

Annex A.17: Information security aspects of business continuity

This annex has four controls addressing how information security is maintained during business disruptions: planning, implementing, and verifying information security continuity (A.17.1), and ensuring redundancy in information processing facilities (A.17.2).

Annex A.18: Compliance

This annex has eight controls that help the organisation identify the legal, statutory, regulatory, and contractual requirements that apply to it (A.18.1, including intellectual property, protection of records, privacy, and the regulation of cryptographic controls) and review its information security independently and against its own policies and standards (A.18.2), so that breaches and the penalties that follow them are avoided.

What are the changes to ISO 27001?

ISO/IEC 27001:2022, published in October 2022, replaced the 2013 edition. The main change is to Annex A, which now aligns with the revised ISO/IEC 27002:2022: the 14 domains and 114 controls described above have been regrouped into four themes (organisational, people, physical, and technological) containing 93 controls. Fifty-seven existing controls were merged into 24, 58 were updated, and 11 new controls were added to modernise the technological controls and address emerging threats, with greater emphasis on threat intelligence, supplier relationships, cloud services, and the security of remote workers. The transition period for certificates issued against the 2013 edition ends on 31 October 2025.

Organisations are encouraged to review their risk assessment, risk treatment plan, and Statement of Applicability against the new control set, and to ensure their management review processes are updated to reflect these changes.

ISO 27001 Annex A controls vs ISO 27002

While ISO 27001 sets out the requirements for an information security management system and lists the reference controls in Annex A, ISO 27002 is a companion code of practice that gives detailed implementation guidance for each of those controls. Essentially, ISO 27001 focuses on the “what” (the control objectives and requirements), while ISO 27002 focuses on the “how” (the practical steps to implement them). Together they provide a comprehensive approach to managing information security, but only ISO 27001 is certifiable: an organisation is certified against ISO 27001 and uses ISO 27002 as guidance.

What are the 11 new controls in ISO 27001?

The 11 controls introduced in ISO/IEC 27001:2022 address modern security challenges. With their Annex A identifiers, they are:

  1. Threat intelligence (A.5.7).
  2. Information security for use of cloud services (A.5.23).
  3. ICT readiness for business continuity (A.5.30).
  4. Physical security monitoring (A.7.4).
  5. Configuration management (A.8.9).
  6. Information deletion (A.8.10).
  7. Data masking (A.8.11).
  8. Data leakage prevention (A.8.12).
  9. Monitoring activities (A.8.16).
  10. Web filtering (A.8.23).
  11. Secure coding (A.8.28).

These additions give organisations explicit requirements for areas the 2013 controls covered only indirectly: gathering and acting on threat information, securing cloud services, keeping ICT ready for disruption, monitoring physical premises and systems, controlling configurations and code, and limiting what sensitive data is retained, exposed, or allowed to leave the organisation.
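As an added illustration of two of these controls, data masking (A.8.11) and data leakage prevention (A.8.12), the following script scans outbound text such as a support ticket for payment card numbers and e-mail addresses, masks what it finds, and returns a block, mask, or allow decision. It is not code from this page, from Citation Certification, or from ISO/IEC 27001; the regular expressions, the Luhn check used to avoid false positives, the masking rules, the decision policy, and the sample messages are all constructed assumptions rather than a complete DLP policy.

```python
"""Constructed example of data masking (A.8.11) and data leakage prevention
(A.8.12) applied to text leaving a system, such as a support ticket.

Added here; not code from the page, from Citation Certification or from
ISO/IEC 27001. The patterns, the Luhn check, the masking rules, the decision
policy and the sample messages are illustrative assumptions.
"""
import re

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Deliberately simple e-mail pattern; enough for the masking demonstration.
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like a card number (order IDs, ticket numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the value stays recognisable to staff but unusable."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, _, domain = email.partition("@")
    return local[0] + "***@" + domain


def dlp_filter(text: str):
    """Return (masked_text, findings); findings lists (kind, original_value) for every match."""
    findings = []

    def _pan(match):
        raw = match.group(0)
        if luhn_valid(re.sub(r"\D", "", raw)):
            findings.append(("pan", raw))
            return mask_pan(raw)
        return raw              # Luhn failed: leave ordinary numbers untouched

    def _email(match):
        findings.append(("email", match.group(0)))
        return mask_email(match.group(0))

    masked = PAN_PATTERN.sub(_pan, text)
    masked = EMAIL_PATTERN.sub(_email, masked)
    return masked, findings


def decide(findings) -> str:
    """Hypothetical policy: card data blocks the message; e-mail addresses are masked and allowed."""
    kinds = {kind for kind, _ in findings}
    if "pan" in kinds:
        return "block"
    if "email" in kinds:
        return "mask"
    return "allow"


# Constructed sample messages, as an outbound-mail or ticketing hook would see them.
SAMPLE_MESSAGES = [
    "Customer jane.doe@example.com paid with card 4111 1111 1111 1111, please refund.",
    "Ticket ORD-1234567890123 still open; the customer will call back.",
    "Routine update, nothing sensitive here.",
]


def scan_outbound(messages):
    """Return [(decision, masked_text, findings)] for each message."""
    results = []
    for msg in messages:
        masked, findings = dlp_filter(msg)
        results.append((decide(findings), masked, findings))
    return results


if __name__ == "__main__":
    for decision, masked, findings in scan_outbound(SAMPLE_MESSAGES):
        print(f"[{decision:5}] {masked}  findings={[k for k, _ in findings]}")
```

The Luhn check is the practitioner's detail here: a bare 13-to-19-digit pattern also matches order numbers, ticket IDs, and phone numbers, and a rule that blocks those gets switched off quickly. Masking keeps only the last four digits, the convention staff already recognise from card statements, and the original values are returned separately so they can go to the incident process rather than into the ticket.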

Securing your future with ISO 27001 certification

Achieving ISO 27001 certification requires a comprehensive approach to managing information security across the entire lifecycle of your data and assets. By implementing a robust information security management system, your organisation can address everything from risk assessment and business continuity management to physical security and technological controls. This commitment to strong risk management and adherence to the control set defined in the standard not only protects your information systems but also gives management clear direction throughout the entire process.

How can Citation Certification help?

Complimentary online training for all clients: we offer complimentary online training courses for our clients that can be accessed by your entire organisation – it’s the best way to gain confidence and knowledge and help you prepare for your audit.

Partner with us to get your business to higher standards: with 30 years of experience, Citation Certification has partnered with thousands of organisations on their certification journey.

Lean on us to access our expertise: feel at ease knowing that our auditing team is made up of supportive, friendly and personable people who are passionate about high standards. They’re locally based and dedicated to delivering high-quality customer care. Have a question or need some guidance on a standard? We’re always available to answer any questions you have. Contact us here.

Achieve ISO 27001 certification with us today!

Citation Certification is committed to boosting your business performance. We provide excellent training in implementing ISO 27001 Information Security Management Systems, covering various aspects, including ISO 27001 domains, risk assessment, sensitive information management, business continuity management, supplier relationship management, and all information systems security requirements.

If you would like to learn more about Annex A controls, please get in touch with us today.