ISO 27001 – Defining Controls

Guide to ISO 27001_part 6_defining controls_blog header

Annex A of ISO 27001 is one of the most widely known lists of requirements of all the ISO standards. It provides companies with a structured checklist to define controls for their information security management system (ISMS) and to mitigate their cyber-related risks. Review the changes to ISO 27001:2022 controls here.

In the previous article, we covered the necessary steps of identifying, evaluating, and treating risks around an organization’s information assets. The risk management process addresses uncertainties and opportunities around your valuable assets to ensure the desired security outcomes are achieved, and threats are appropriately mitigated. 

In Part 6 of our Guide to ISO 27001, we review the core requirements of the Annex; explaining how to correctly define your controls, how they improve the security of your system and safeguard your assets. 

Information Security Domains  

The ISO 27001 Information Security domains consist of the list of controls found in Annex A. This list is organized into 14 sections or domains, which can be divided into five dimensions:  

General organizational and asset security controls A.5, A.6., A.8, A.15 
Human resources A.7 
Information technology, operations, and development A.9, A.10, A.12, A.13. A.14, A.16, A.17 
Physical security A.11 
Legal and compliance A.18 

The scope of your ISO project dictates the controls and sub controls that must be deployed. The document that maps the applicable and excluded ISO 27001 Annex A control is named Statement of Applicability (SoA). All controls excluded from your scope must be clearly justified in the SoA or you could be faced with multiple non-conformances.  

Annex A Sections 

Each Annex A domain presents a list of controls that must be deployed to achieve ISO 27001 compliance. Below is a summary of each section and the required corresponding documents. 

A.5 Information security policies – Information security policies must be documented and reviewed at planned recurring intervals.  

A.6 Organization of information security – Your organization must define information security roles and responsibilities and maintain a documented list of external stakeholders. This section also covers how duties are assigned and segregated to avoid a conflict of interest, including the necessary information security duties as part of project management. 

The technical and administrative controls associated with teleworking and mobile devices also fall under this section. 

A.7 Human resources security – Risk Management directly related to human resources is the topic of A.7, including controls before, during, and after a worker’s employment. 

A.8 Asset management – These controls are focused on identifying organizational assets and defining the necessary protection. Some of the requirements under the eighth domain are to keep a documented: 

  • Inventory of Assets 
  • Return of Assets Process 
  • Acceptable Use Policy 
  • Disposal of Media and Information Process 
  • Information Labeling Policy 

A.9 Access control – This section aims to limit access to information and establish the controls and processes for the management of access rights of users, systems, and applications. 

A.10 Cryptography – Here the focus is on ensuring proper and effective cryptography and Key Management processes to protect information’s confidentiality and integrity. 

A.11 Physical and environmental security – These controls require the definition of secure areas, equipment security, secure disposal, Clear Desk, and Clear Screen Policies. 

A.12 Operational security – The most complex technical processes and controls fall under A.12.,  

  • Change Management Process 
  • Capacity Management Process 
  • Malware Management 
  • Backup and Testing Process 
  • Logging and Monitoring Process 
  • Installation of Authorized software 
  • Patch management 
  • Vulnerability Management 

 A.13 Communications security – Network security, separation of the production environment, secure transfer of information, and information confidentiality are the most relevant requirements of this section. 

A.14 System acquisition, development, and maintenance – This section covers all the controls directly applicable to the secure development life cycle (SDLC) and how the organization documents its monitoring processes. 

A.15 Supplier relationships – Supplier security assessments, privacy compliance, and continuous monitoring processes must be documented under A.15.  

A.16 Information security incident management – This Annex A area’s objective is to ensure a consistent approach to the lifecycle of incidents and events that might put your informational assets at risk. Defining responsibilities, a communication structure, and keeping a documented Incident Management Process are at the core of this section. 

A.17 Information security aspects of business continuity management – Conducting a Business Impact Analysis is the first step when implementing this control and sub controls. By defining the critical business areas and assets, you will document an effective Business Continuity Plan and Disaster Recovery Process.  

A.18 Compliance – The objective here is to avoid breaches of any legal, statutory, regulatory, and contractual compliance obligations related to information security and of any security requirements.  


To achieve ISO 27001 certification, you will need to understand the many requirements described in Annex A to define appropriate and effective controls. Your Information Security Management System is structured based on the deployment of technical, administrative, and security controls prescribed in the Annex A domains. To implement a successful ISMS, you will need to develop and formalize processes and policies, manage people and create awareness all of which can be done with the help of a cloud-based management solution.  
In Part 7 of our Guide to ISO 27001 Compliance, we’ll be discussing how you can equip your compliance team with effective training to properly deploy controls, ensure compliance and develop security competence and awareness.  

How Can StandardFusion Help?  

StandardFusion is an inter-connected GRC platform that accelerates ISO 27001 implementation and streamlines the management of Annex A requirements. You can develop your ISO 27001 compliant controls, schedule recurring tasks, delegate compliance duties, control historical revision of your policies and procedures, and use those records to satisfy your ISMS requirements. StandardFusion has extensive reporting capabilities and can generate a complete Statement of Applicability for optimized visibility of your security framework at the press of a button. See how you can define your controls and implement an ISO 27001 compliant ISMS when you connect with our team! 

Guide to ISO 27001

Part 1 – Implementation & Leadership Support
Part 2 – Establishing Scope and Creating the Statement of Applicability
Part 3 – Mandatory Clauses
Part 4 – Understanding & Communicating with Stakeholders
Part 5 – Risk Management
Part 6 – Defining Controls
Part 7 – Competence, Training and Awareness
Part 8 – Monitoring Efficacy & Continuous Improvement