ISO 27001 Requirements: Complete Guide to Annex A Controls

You must understand your organization, its context, the needs of interested parties (customers, regulators, etc.), and define the scope of your ISMS. This means documenting what your ISMS covers and the internal/external factors that affect it.

Top management must demonstrate leadership by establishing an information security policy, assigning roles and responsibilities, and ensuring the ISMS is integrated into business processes. Management must actively participate, not just sign off.

You must establish a risk assessment process that identifies information security risks, analyzes their likelihood and impact, and evaluates them against your risk criteria. A risk treatment plan must specify how each risk will be addressed (mitigate, accept, transfer, or avoid).

You must produce a Statement of Applicability (SoA) that lists all Annex A controls, indicates which are applicable and which are not, justifies exclusions, and maps controls to your risk treatment plan. The SoA is a key document auditors review.

You must monitor, measure, analyze, and evaluate your ISMS performance. This includes internal audits at planned intervals and management reviews to ensure the ISMS remains suitable, adequate, and effective.

When nonconformities are identified, you must take corrective action. You must also continually improve the suitability, adequacy, and effectiveness of the ISMS. This means documenting nonconformities, root cause analysis, and corrective actions.

You must define, approve, publish, and communicate a set of information security policies. These policies must be reviewed at planned intervals or when significant changes occur.

All information security responsibilities must be defined and allocated. Everyone must know their security responsibilities and be held accountable for fulfilling them.

You must establish processes for acquisition, use, management, and exit from cloud services. This includes evaluating cloud provider security, defining responsibilities, and planning for cloud service termination.

Background verification checks on all candidates must be carried out before hiring and at regular intervals, proportional to the business requirements and classification of information they will access.

All personnel must receive appropriate awareness education, training, and regular updates on your information security policies. Training must be relevant to their job function.

Security perimeters must be defined and used to protect areas containing information and information processing facilities. This includes office buildings, data centers, and any location where sensitive data is processed or stored.

Information stored on, processed by, or accessible via user endpoint devices must be protected. This includes laptops, phones, tablets, and any BYOD devices with policies covering encryption, patching, and remote wipe capabilities.

Secure authentication technologies and procedures must be established based on access control policies. This includes multi-factor authentication, password policies, and protection against brute-force attacks.

You must obtain timely information about technical vulnerabilities, evaluate your exposure, and take appropriate measures. This includes regular vulnerability scanning, patch management, and penetration testing.

Rules for the effective use of cryptography, including key management, must be defined and implemented. This covers encryption of data at rest and in transit, key generation, storage, rotation, and destruction.

Networks, systems, and applications must be monitored for anomalous behavior, and appropriate actions taken to evaluate potential security incidents. This includes SIEM, log analysis, and alerting.