ISO 27001 Controls List 2022 (+PDF, Excel, Checklist & Guide)

ISO 27001 Controls

It’s fair to say that security-conscious organizations worldwide really care about ISO 27001. 

If your job—or the one you want—involves information security, you need to know about this international standard and understand its controls. 

So what exactly is this standard and who’s it for? What are the ISO 27001 controls, and what actions do they require of you? What courses and certifications should you focus on to develop your knowledge and prove your expertise in this area? 

To help you understand all of this, here’s our deep dive into ISO 27001 and ISO 27001 controls. To help you on your way to compliance, we’ve also included an ISO 27001 controls checklist for you to keep, use, and adapt as needed. 

If you’re ready, then read on!

Understanding ISO 27001:2022 Security Controls 

Here’s a closer look at ISO 27001's purpose and scope and the role of security controls within it.

What Is ISO 27001? 

ISO 27001 is a standard created by the International Organization for Standardization (ISO). In simple terms, it sets out what organizations need to do to establish and maintain an effective ISMS (Information Security Management System). 

What Is an ISMS? 

An ISMS is defined by TechTarget as “a set of policies and procedures for systematically managing an organization’s sensitive data.” If it’s devised and implemented in the right way, it should enable an organization to do four main things: 

  • Identify the specific risks to which the organization’s information assets are exposed. 
  • Set out measures (i.e., controls) to protect those assets. 
  • Provide a plan of action in case of an information security breach. 
  • Identify the individuals responsible for each step of the information security process.

What Is the Role of ISO 27001 Security Controls? 

ISO 27001 isn’t prescriptive. 

In other words, it doesn’t tell you what to do at a technical level—such as precisely what authentication measures to put in place—or how often you should carry out backups. 

But if it doesn’t show you what to do, then what’s the point? This standard provides a framework for identifying the specific protection your organization requires. 

There are two main elements to this: the need for risk management and assessment and the application of ISO 27001 controls. You need to consider them side-by-side.

Risk assessment

This is the starting point in creating an ISO 27001-compliant ISMS. The standard requires you to carry out a risk assessment by identifying and evaluating the information security risks faced by your organization. You need to evaluate the threats, vulnerabilities, and potential impact of security incidents on your organization’s information assets. 

ISO 27001 controls

The standard includes a comprehensive framework of controls organized into themed domains (more on this below). It requires you to review these controls systematically in the context of your risk assessment to identify those relevant to your risk profile.   

Who Is ISO 27001 For?

ISO 27001 is for pretty much everyone. 

Any organization can adopt ISO 27001 controls and implement the standard to boost its information security resilience. However, some choose to go a step further by gaining an ISO 27001 certification.

According to ISO’s 2022 survey, over 70,000 valid ISO 27001 certificates are in place across 150 countries. 

If an organization holds the certification, it shows it has implemented a system to manage the risks related to data security and adheres to the best practices and principles set out in the standard. 

About a fifth of all certificates are held by IT companies (e.g., software developers, managed support, and cloud service providers). The rest span virtually all sectors, including banking and financial services, healthcare, education, retail, manufacturing, and more. 

If you handle sensitive data and it’s important to your customers, investors, and other stakeholders that you are committed to managing data responsibly, the ISO 27001 certification is almost certainly worth considering.

The Structure of ISO 27001 Controls  

ISO 27001 is built on the core concepts of ISMS best practices.   

The requirements for ISO 27001 compliance are described in the main body of the standard (the clauses). An accompanying annex contains the more specific processes and policies you may need to put in place to achieve compliance (i.e., controls). Here’s how this all fits together. 

ISO 27001 Concepts 

At the heart of the standard lie three core concepts: confidentiality, integrity, and availability, commonly referred to as the CIA triad. To be ISO 27001-compliant, an ISMS must be designed and implemented in such a way that each of these topline areas is addressed. 

1. Confidentiality 

Information should only be accessible to authorized individuals with appropriate permissions. Measures to achieve this include implementing access controls and network security measures such as firewalls, intrusion detection systems, and encryption of data both in transit and at rest. 

2. Integrity 

This involves making sure that the data you are responsible for remains trustworthy and free from tampering. Integrity is maintained only if data remains authentic, accurate, and reliable. 

Specific safeguards to ensure integrity include configuring auditing and logging mechanisms to track data access and modifications, using digital signatures, and implementing robust version controls. 

3. Availability 

This describes the basic requirement that authorized individuals should be able to access all relevant information, right at the point of need. For this to happen, all systems, networks, and applications must be functioning at the right time. 

Regular backups are a key part of this, along with the creation of a comprehensive disaster recovery plan complete with provisions for restoring data and systems in the event of a breach or failure. 

With cloud computing now the norm, careful choice of cloud service providers is also important, with an emphasis on availability guarantees and vendor uptime track records. 

ISO 27001 Mandatory Clauses 

The main body of ISO 27001 consists of ten sections (i.e., clauses). 

The first three clauses provide general introductory information, terms, and definitions. Clauses four to ten contain mandatory requirements: you must follow these sections to become ISO 27001-compliant. 

Here’s an outline of the key points under each mandatory clause: 

Clause 4: The context of the organization 

  • There are obviously big differences between the information security aspects and needs of an online retailer and a healthcare provider. This clause requires you to assess and understand your organization's specifics. 
  • You need to consider the needs and interests of all relevant stakeholders, such as customers, employees, and professional regulators. 
  • You must document the boundaries and scope of your ISMS with reference to this organization-specific context. 

Clause 5: Leadership 

  • Top organizational management must demonstrate leadership with respect to the ISMS. 
  • Management is responsible for establishing an information security policy. 
  • Management is also responsible for assigning and communicating roles and responsibilities linked to the ISMS. 

Clause 6: Planning 

  • Organizations must adopt a risk-based approach to information security management. 
  • This includes the creation of a security risk assessment. 
  • The risk assessment needs to be accompanied by an information security risk treatment plan, which includes selecting the risk treatment options and determining all the controls necessary to implement the options chosen. 

Clause 7: Support 

  • Organizations must determine and provide the resources needed for the establishment, implementation, maintenance, and continued improvement of the ISMS. 
  • This includes providing competent personnel, including training where necessary. 
  • The ISMS must be documented and communicated. 

Clause 8: Operation 

  • Organizations must plan, implement, and control the processes needed to meet ISO 27001 requirements. 
  • An information security risk assessment is not a one-off event. Additional assessments must be carried out at planned intervals or when significant changes take place. 

Clause 9: Performance evaluation 

  • Organizations must determine what needs to be monitored and measured (and how) to ensure the continued effectiveness of the ISMS. Monitoring and measurement data should be documented.
  • Organizations should carry out audits at regular planned intervals to assess the continued effectiveness of their ISMS. 
  • Top management should review the ISMS at planned intervals. 

Clause 10: Improvement 

  • Organizations should continually improve the suitability, adequacy, and effectiveness of their ISMS. 
  • Action should be taken to react to nonconformity, and corrective actions should be appropriate to the effects of the nonconformities encountered. This should all be documented. 

ISO 27001 Controls 

Immediately after the ten clauses, you’ll find Annex A. This contains 93 information security controls grouped according to theme. 

You’re not expected to implement each of these controls. 

Rather, when you’re undergoing your information security risk treatment process (see Clause 6 above), you need to go through Annex A to determine what controls your specific organization needs and verify that no necessary controls have been omitted. 

ISO 27001:2022 Annex A Controls 

As we’ve seen, the ISO 27001 main text tells you what you need to do to become compliant, whereas the Annex A controls are more concerned with how you’ll do it. Here’s a closer look at Annex A.  

ISO 27001 Annex A Controls List 

The controls are broken down into four numbered sections. These sections correspond with Clauses five to eight of a linked standard, ISO 27002, which provides more detailed guidance on how ISO 27001 controls can be implemented. 

The four categories are as follows: 

  • Clause 5: Organizational (37 controls) 
  • Clause 6: People (8 controls)
  • Clause 7: Physical (14 controls) 
  • Clause 8: Technological (34 controls) 

Overview of Annex A Controls Categories 

Clause 5: Organizational  

This section focuses on how an organization approaches information security, including the rules, procedures, and policies it has in place and how seriously it takes them. 

Examples of areas covered:  

  • Drawing up security policies 
  • Infosec roles and responsibilities
  • How information is classified and labeled
  • Identity and access controls 
  • Planning for how to maintain information security during disruption 

Clause 6: People 

As our recent guide to insider threat statistics highlighted, the majority of data breaches are linked in some way to insider actions—particularly human error. This section of controls addresses the human aspect of information security. 

Examples of areas covered:  

  • Information security awareness and training
  • Screening of job candidates 
  • Disciplinary processes 
  • Applicability of confidentiality and non-disclosure agreements 
  • Information security measures in the context of remote working

Clause 7: Physical 

How easy is it for someone to just walk into your server room? This section is focused mostly on controls to protect the physical environment where information assets are stored or processed. 

Examples of areas covered: 

  • Physical security perimeters and the design of measures to protect offices, rooms, and facilities
  • Protection against natural disasters and other environmental threats 
  • Clear desk and clear screen rules 
  • Secure disposal and reuse of equipment

Clause 8: Technological 

The controls in this section focus on technological measures for protecting information, IT assets, systems, and networks from unauthorized access, misuse, or compromise. 

Examples of areas covered: 

Implementation: ISO 27001 Controls Checklist 

Getting your information security management system ISO 27001-compliant requires planning, time, and know-how. Here are some of the challenges that can arise, and how you can overcome them. 

ISO 27001 Implementation Challenges 

1. Achieving management buy-in 

If the boss isn’t into it, your ISO 27001 project probably isn’t worth it. Organizational leaders need to be on board from the outset. You may need to sell them on the idea of ISO 27001 compliance, stressing that building a compliant system will boost the company’s resilience and reputation but that it’ll require resources to get it right. 

2. Time and resources 

The CTO cannot leave this to an administrator to sort out as a quick, discrete task. It requires allocating workforce resources and time, conducting risk assessments, and developing or updating security policies and procedures. Depending on what technical gaps you need to fill, any new control measures will also require a budget. 

3. Staying ISO 27001-compliant

ISO 27001 isn’t a one-off event. Many of the clauses and controls within the standard stress the importance of continuous monitoring, review, and improvement of your ISMS. To take it seriously, you need to be ready to assess your information security posture on a regular basis.  

4. Expertise

Effective ISO 27001 implementation requires knowledge. Key areas of expertise include the ability to map and understand your IT estate, knowledge of current threats, and the know-how required to select and implement appropriate security measures. To get familiar with all of this, cyber security professionals should consider upskilling through training in this area (see below). 

ISO 27001 Implementation Best Practice 

1. Risk assessment 

As per the mandatory requirement of clause 6 of ISO 27001, you need to carry out a thorough risk assessment. Make sure you map your entire environment and inventory all information assets under your control. Next, identify potential threats and vulnerabilities and evaluate the likelihood and impact of identified threats. 

2. Define your desired outcome

Set out your organization’s security objectives and priorities, flagging up the areas where security controls are most needed to mitigate the risks identified in your risk assessment. 

3. Approach the ISO 27001 controls systematically 

Review Annex A in full. Be ready to identify which controls are relevant to your risk profile and organizational objectives. Remember that the standard also requires you to justify which controls are not relevant and why. 

4. Prioritization 

Implement your controls in a phased approach, starting with the most critical and high-priority controls (again, with reference to your risk assessment and security objectives). 
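To make steps 1 to 4 concrete, here is an added Python example (written for this guide; it is not StationX’s checklist template, nor anything published by ISO) that scores a risk register, builds a Statement of Applicability against an Annex A catalogue, and lists the findings an internal auditor would raise. It assumes a constructed four-row risk register, a five-control subset of Annex A (the identifiers and titles follow ISO 27001:2022 numbering, but the subset, the risk rows, the 1 to 5 scales and the phase-1 threshold of 12 are all assumptions), and a single simple rule: every control in the catalogue must end up either applicable and traceable to at least one risk, or excluded with a written justification.

```python
from dataclasses import dataclass, field

# Constructed subset of ISO 27001:2022 Annex A controls (identifier -> title),
# chosen to match the example areas named in this guide. Only six of the 93.
ANNEX_A = {
    "5.1": "Policies for information security",
    "5.12": "Classification of information",
    "5.15": "Access control",
    "6.3": "Information security awareness, education and training",
    "7.7": "Clear desk and clear screen",
    "8.13": "Information backup",
}


@dataclass
class Risk:
    """One row of a risk register (step 1)."""
    asset: str
    threat: str
    likelihood: int          # assumed scale: 1 = rare ... 5 = almost certain
    impact: int              # assumed scale: 1 = negligible ... 5 = severe
    controls: list = field(default_factory=list)   # Annex A ids chosen to treat it

    @property
    def score(self) -> int:
        """Likelihood x impact, the usual qualitative risk score."""
        return self.likelihood * self.impact


# Constructed sample register; a real one is far larger and is reviewed at planned intervals.
REGISTER = [
    Risk("customer database", "ransomware encrypts the only copy", 3, 5, ["8.13"]),
    Risk("HR file share", "staff read records they have no need to see", 4, 3, ["5.15", "6.3"]),
    Risk("printed contracts", "left on desks overnight", 3, 2, ["7.7"]),
    # 8.8 is a real Annex A control but deliberately outside the subset above,
    # so the catalogue check below fires for it.
    Risk("build server", "unpatched service reachable from the office LAN", 2, 4, ["8.8"]),
]

# Controls judged not applicable, with the justification the standard asks for.
# The empty string is deliberate: it shows how a missing justification is caught.
EXCLUSIONS = {"5.1": ""}


def prioritise(register, phase1_threshold=12):
    """Steps 2 and 4: rank risks by score and split them into implementation phases."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.asset, r.score, 1 if r.score >= phase1_threshold else 2) for r in ranked]


def build_soa(register, exclusions, catalogue=ANNEX_A):
    """Step 3: produce a Statement of Applicability plus a list of findings.

    Every catalogue control must be either 'applicable' (traceable to at least
    one risk) or 'excluded' with a non-empty justification. Anything else, and
    any control id that is not in the catalogue, becomes a finding.
    """
    findings = []
    applicable = {}
    for r in register:
        for cid in r.controls:
            if cid not in catalogue:
                findings.append(f"{r.asset}: control {cid} not in catalogue")
                continue
            applicable.setdefault(cid, []).append(r.asset)

    soa = {}
    for cid, title in catalogue.items():
        if cid in applicable:
            soa[cid] = {"title": title, "status": "applicable", "risks": applicable[cid]}
            if cid in exclusions:
                findings.append(f"{cid}: both selected for a risk and marked excluded")
        elif cid in exclusions:
            soa[cid] = {"title": title, "status": "excluded", "justification": exclusions[cid]}
            if not exclusions[cid].strip():
                findings.append(f"{cid}: excluded without justification")
        else:
            soa[cid] = {"title": title, "status": "undecided"}
            findings.append(f"{cid}: neither selected for a risk nor justified as excluded")
    return soa, findings


if __name__ == "__main__":
    for asset, score, phase in prioritise(REGISTER):
        print(f"phase {phase}  score {score:2d}  {asset}")
    soa, findings = build_soa(REGISTER, EXCLUSIONS)
    for cid, row in soa.items():
        print(f"{cid:5} {row['status']:10} {row['title']}")
    print("\n".join(findings) or "no findings")
```

Run as-is, the register yields two phase-1 risks (customer database, HR file share) and three findings: the unknown control id on the build server row, control 5.1 excluded with no justification, and control 5.12 left undecided. Supplying justifications for 5.1 and 5.12 clears the last two, which is exactly the paper trail an auditor looks for when checking that no necessary control has been silently omitted.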

Download Our ISO 27001:2022 Annex A Controls Checklist Template 

Are you worried that you’ve missed or forgotten to update a policy or form regarding ISO 27001 compliance? Download, adapt, and keep our ISO 27001 Annex A Controls List template to help you stay on top of your obligations.

The template is available in three formats:

  • ISO 27001 Controls List Excel
  • ISO 27001 Controls PDF
  • ISO 27001 Controls Google Sheets

ISO 27001 Certifications 

What does it take for organizations to get ISO 27001 certified? How can information security professionals boost their credentials in this area? Here’s what you need to know. 

How Does an Organization Get ISO 27001 Certified? 

ISO doesn’t actually perform certification or issue certificates itself. For this, you need to go through an external certification body. The process involves an audit of your ISMS documentation, accompanied by an examination of your operating environment and interviews with your team. 

The ISO Certification Page is a great starting point to identify certification bodies in your locality.

ISO 27001 Certification for Information Security Professionals 

The following accreditations are definitely worth considering to increase your knowledge in this area and boost your employability in organizations seeking to become or remain ISO 27001-certified.

ISO 27001 Foundations Certification

Several bodies offer certifications that help you develop and demonstrate a fundamental knowledge of the ISO 27001 standard and its requirements. Three examples are as follows: 

  • PECB (Professional Evaluation and Certification Board) offers an ISO 27001 Foundations Certification course that covers the basic principles of ISMS and provides an overview of the standard’s requirements. 
  • EXIN also offers an ISO 27001 Foundations Certification with content similar to the above. It examines organizational security, threats and risks, and mitigation measures in the context of ISO 27001 compliance.
  • ISC2’s Certified Information Systems Security Professional (CISSP) is also definitely worth considering. Although it’s not specifically focused on this particular standard, it gives you a thorough understanding of the principles and practices surrounding it. 

ISO 27001 Certified Internal Auditor Certification

These certifications help you showcase your knowledge on how to assess and benchmark an organization’s ISMS against ISO 27001 requirements: 

  • The PECB ISO/IEC 27001 Lead Auditor certification covers the knowledge needed for information security professionals to plan and conduct an audit in accordance with ISO/IEC 17021-1 requirements, ISO 19011 guidelines, and other best practices of auditing. 
  • Although it’s not an ISO 27001-specific certification, the ISACA Certified Information Systems Auditor (CISA) certification gives you a broad understanding of how to audit IT frameworks. This certification provides detailed information about auditing practices related to the organization of information systems security. You might want to consider this alongside an ISO 27001-specific foundations course.   

ISO 27001 ISMS Certified Implementer Certification  

These certifications demonstrate that you have the know-how necessary to implement an ISMS in line with the standard: 

  • Suitable for experienced cyber security professionals, project managers, and consultants, the PECB Certified ISO/IEC 27001 Implementer certification enables participants to acquire and demonstrate the knowledge necessary to effectively plan and implement an ISO 27001-compliant ISMS. 
  • The APMG International ISO/IEC 27001 Practitioner—Information Security Officer certification is for internal managers and personnel seeking to implement, maintain, and operate an ISMS that meets the standard. 

ISO 27001 Training 

Becoming ISO 27001-compliant is far from being a box-ticking exercise. 

It demands familiarity with the standard itself, an understanding of the threat landscape, and the know-how necessary to implement the right controls. Training is essential for maximizing the likelihood of a successful project and for boosting employability in this area. 

To get you on the right track for ISO 27001 success, take a look at these training courses: 

ISO 27001 Foundations Training 

Completely new to information security and ISO standards? This course is a great starting point. By the end of it, you’ll have a solid grounding in ISO 27001, and on successful completion, you’ll earn a certificate proving you’ve attained information security management systems competency.


ISO 27001 Auditor Training 

Learn everything you need to know about how to perform an internal ISO 27001 audit within your company. 

ISO 27001 Lead Implementer Training 

Get real-life training on how to implement an ISO-compliant ISMS from scratch in any organization.  

Conclusion 

All information security professionals should be knowledgeable about ISO 27001. Even if your organization doesn’t feel the need to obtain formal certification, it’s still crucial to follow best practices in designing a resilient, fit-for-purpose ISMS. 

Against this backdrop, ISO 27001 isn’t a tick-box compliance exercise. It’s actually a very useful framework for ensuring that nothing’s missing from your security management system. 

Want to dive right into the best ISO 27001 courses and other ISMS-related resources? The StationX Accelerator Program makes it easy to plug the gaps in your knowledge. 

Suitable for cyber security and infosec professionals of all levels, the program gives you instant access to 1,000+ training classes, virtual labs, exam simulations, and more. 

We build your very own study roadmap, provide one-on-one expert support and mentorship, and guide you through your career and learning goals. 

It’s one of the best ways to learn ISO 27001 and all other essential security standards.   


Gary Smith

    Gary spends much of his working day thinking and writing about professional and personal development, as well as trends and best practice in IT recruitment from both an organizational and employee perspective. With a background in regulatory risk, he has a special interest in cyber threats, data protection, and strategies for reducing the global cyber skills gap.
