ISO 27001 ISMS – Annex A Controls

ISO 27001 is an international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and information technology sectors.

The confidentiality, integrity, and availability of vital corporate and customer information are essential to maintaining a competitive edge, profitability, legal compliance and commercial image.

Annex A of ISO 27001 is probably the most mentioned annex of any management standard. Why is there so much talk about it? Let’s take a look at the security controls and examples.

If you have read Annex A, you have seen that 133 security controls are listed there. Annex A contains the following clauses:

  • A.5 Security policy
  • A.6 Organization of information security
  • A.7 Asset management
  • A.8 Human resources security
  • A.9 Physical and environmental security
  • A.10 Communications and operations management
  • A.11 Access control
  • A.12 Information systems acquisition, development and maintenance
  • A.13 Information security incident management
  • A.14 Business continuity management
  • A.15 Compliance

As the names of the clauses show, these 133 controls are not focused solely on IT – they also cover, for example, physical security, legal protection, human resources management, and organizational issues. You could consider Annex A a catalogue of security measures to be used during your risk treatment process – once you identify unacceptable risks in risk assessment, Annex A will help you choose the right control(s) to decrease those risks and ensure you don’t forget any important control.

Annex A is where ISO 27001 and ISO 27002 come together – the controls in ISO 27002 are named the same as in Annex A of ISO 27001, but the difference is in the level of detail – ISO 27001 gives only a short definition of a control, while ISO 27002 gives detailed guidelines on how to implement the control.


If by now you are thinking that Annex A is a perfect implementation tool for your information security project, don’t get confused – it also has some things that don’t always make good sense. For instance, some controls define almost the same issues, sometimes causing confusion – like A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media). Annex A mentions policies and procedures; however, it does not require those to be documented. It might seem strange, but the standard requires written policies and/or procedures only where the word “documented” appears.

Mandatory relationship with ISO 27001

The mandatory clauses 4 to 8 contain the management part of the standard – they prescribe the PDCA cycle (Plan-Do-Check-Act phases), including risk assessment and treatment, documentation control, records control, provision of resources, internal audit, management review, and corrective and preventive actions. The risk assessment and treatment process is the main connection between clauses 4 to 8 and the controls from Annex A – it will help you decide whether individual controls from Annex A are necessary for decreasing risks or not. This means that clauses 4 to 8 and Annex A cannot exist without each other.

The focus on risks and the flexibility to apply security controls according to what your organization considers appropriate are the real benefits of an ISO 27001 ISMS – you must be careful to take full advantage of them.

Question: How did/will your organization identify its appropriate controls? Were there too many or too few, was it successful, and what lessons have you learned?

Thanks for your reply!
