ISO 27001 Annex A Controls

Wednesday, October 27, 2010

Dejan Kosutic


Annex A of ISO 27001 is probably the most mentioned annex of any management standard. Why is there so much talk about it? Why is it sometimes controversial?

If you have read Annex A, you have seen that 133 security controls are listed there. If that is the case, what is the main part of the standard for?

The purpose

Annex A contains the following clauses (sometimes called ISO 27001 Annex A domains):

  • A.5 Security policy
  • A.6 Organization of information security
  • A.7 Asset management
  • A.8 Human resources security
  • A.9 Physical and environmental security
  • A.10 Communications and operations management
  • A.11 Access control
  • A.12 Information systems acquisition, development and maintenance
  • A.13 Information security incident management
  • A.14 Business continuity management
  • A.15 Compliance

As already mentioned, Annex A contains 133 controls which, as the clause names show, are not focused solely on IT: they also cover physical security, legal protection, human resources management, organizational issues, etc.

Therefore, you can think of Annex A as a catalog of security measures to use during risk treatment: once the risk assessment has identified unacceptable risks, Annex A helps you choose the control(s) that reduce them, and it makes sure you don't overlook an important control.

Annex A is where ISO 27001 and ISO 27002 come together: the controls in ISO 27002 have the same names and numbering as in Annex A of ISO 27001, and the difference is the level of detail. ISO 27001 gives only a one-sentence definition of each control, while ISO 27002 gives detailed guidelines on how to implement it.


If by now you think Annex A is the perfect implementation tool for your information security project, don't be too optimistic: it also has some things that don't make sense.

For instance, some controls cover almost the same issue, which sometimes causes confusion, like A.9.2.6 (Secure disposal or re-use of equipment) and A.10.7.2 (Disposal of media). On the other hand, some issues, like relationships with third parties, are scattered across Annex A: they appear in clause A.6.2 (External parties), A.8 (Human resources security), A.10.2 (Third party service delivery management) and control A.12.5.5 (Outsourced software development). This sometimes makes Annex A difficult to use as an implementation tool.

But those are not the only ambiguities: some controls mention policies and procedures without requiring them to be documented. It may seem odd, but the standard requires a written policy or procedure only where the word "documented" actually appears in the control.

If you go through the whole of Annex A, the word "documented" appears in only 6 controls (A.5.1.1, A.7.1.3, A.8.1.1, A.10.1.1, A.11.1.1, A.15.1.1), which means every other control can be implemented without writing it down.

However, you shouldn't abuse this flexibility: the larger the organization, the more documents you need to make sure everyone is aware of (and complies with) your security procedures. And even a control you choose not to write up still has to leave records showing that it operates, because that is what the certification auditor will ask to see.

On the other hand, be careful not to overdo it: if the documentation is excessive, no one will follow it.

Relationship with the main part of the ISO 27001

The main part of the standard, more precisely the mandatory clauses 4 to 8, is the management part: it prescribes the PDCA cycle (Plan-Do-Check-Act), including risk assessment and treatment, document control, records control, provision of resources, internal audit, management review, corrective and preventive actions, etc.

As said earlier, the risk assessment and treatment process is the main link between clauses 4 to 8 and the controls in Annex A: it is what tells you whether an individual Annex A control is needed to reduce a risk or not.

So clauses 4 to 8 and Annex A cannot exist without each other: a risk assessment makes no sense if there are no controls to reduce the risks, and the only way to determine whether a control applies is through the risk assessment.

In my opinion, this focus on risks and the freedom to apply security controls according to what you consider appropriate are the best things about ISO 27001; you just have to take care to make full use of them.
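The link between the risk treatment and Annex A described above is something you can actually check mechanically: ISO 27001:2005 (clause 4.2.1) has you record the selected and excluded controls, with justification, in a Statement of Applicability (SoA), so the risk register and the SoA must agree with each other. The script below is an added example written for this article, not code from the author or from the standard; it runs over a constructed risk register and SoA, and its control catalogue is a hand-picked subset of Annex A (mostly the controls named in this post), not all 133 controls. The rules it applies are the ones that follow from the text: a risk treated by "reduce" must name at least one control, a control relied on by a risk may not be excluded, an exclusion needs a justification, every catalogue control must be decided in the SoA, and an applicable control that no risk relies on is flagged for review.

```python
"""Traceability check between a risk treatment plan and a Statement of
Applicability (SoA) against an Annex A control catalogue (ISO 27001:2005).

Added example for this article; the catalogue below is a small subset of
Annex A, and the risk register and SoA further down are constructed sample
data, not a real organization's records.
"""
from dataclasses import dataclass, field

# Subset of Annex A (ISO 27001:2005) used as the catalogue for this example.
ANNEX_A = {
    "A.5.1.1": "Information security policy document",
    "A.7.1.3": "Acceptable use of assets",
    "A.8.1.1": "Roles and responsibilities",
    "A.9.2.6": "Secure disposal or re-use of equipment",
    "A.10.1.1": "Documented operating procedures",
    "A.10.5.1": "Information back-up",
    "A.10.7.2": "Disposal of media",
    "A.11.1.1": "Access control policy",
    "A.11.2.1": "User registration",
    "A.12.5.5": "Outsourced software development",
    "A.15.1.1": "Identification of applicable legislation",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    treatment: str                                 # reduce / accept / transfer / avoid
    controls: list = field(default_factory=list)   # Annex A ids applied to this risk
    approved_by: str = ""                          # management sign-off on residual risk


@dataclass
class SoaEntry:
    applicable: bool
    justification: str


def check_traceability(catalogue, risks, soa):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    findings = []
    referenced = {}   # control id -> risk ids that rely on it
    for r in risks:
        if r.treatment == "reduce" and not r.controls:
            findings.append(("error", f"{r.risk_id}: treatment 'reduce' but no control selected"))
        if not r.approved_by:
            findings.append(("error", f"{r.risk_id}: residual risk not approved by management"))
        for c in r.controls:
            if c not in catalogue:
                findings.append(("error", f"{r.risk_id}: unknown control {c}"))
                continue
            referenced.setdefault(c, []).append(r.risk_id)
    # Every catalogue control must be decided in the SoA (included or excluded).
    for c in catalogue:
        if c not in soa:
            findings.append(("error", f"{c}: missing from the SoA"))
    for c, entry in soa.items():
        if c not in catalogue:
            findings.append(("warning", f"{c}: in SoA but not in the catalogue"))
            continue
        users = referenced.get(c, [])
        if entry.applicable and not users:
            # Not necessarily wrong (e.g. a policy control), but the justification must carry it.
            findings.append(("warning", f"{c}: applicable but no risk in the register relies on it"))
        if not entry.applicable and users:
            findings.append(("error", f"{c}: excluded but relied on by {', '.join(users)}"))
        if not entry.applicable and not entry.justification.strip():
            findings.append(("error", f"{c}: excluded without justification"))
    return findings


def sample_findings():
    """Run the check over a constructed risk register and SoA (sample data only)."""
    risks = [
        Risk("R-01", "staff laptops", "data recovered from disposed disks",
             "reduce", ["A.7.1.3", "A.9.2.6", "A.10.7.2"], approved_by="CISO"),
        Risk("R-02", "file server", "loss of data after disk failure",
             "reduce", ["A.10.5.1"], approved_by="CISO"),
        Risk("R-03", "customer portal", "backdoor in outsourced code",
             "reduce", ["A.12.5.5"]),                          # no management sign-off
        Risk("R-04", "HR database", "orphaned accounts after staff leave",
             "reduce", ["A.11.1.1", "A.11.2.1"], approved_by="CISO"),
        Risk("R-05", "visitor Wi-Fi", "abuse of guest network",
             "reduce", [], approved_by="CISO"),                # nothing selected
    ]
    soa = {
        "A.5.1.1": SoaEntry(True, "basis of the ISMS"),
        "A.7.1.3": SoaEntry(True, "R-01"),
        "A.8.1.1": SoaEntry(True, "roles needed to operate the ISMS"),
        "A.9.2.6": SoaEntry(True, "R-01"),
        "A.10.1.1": SoaEntry(True, "operations team runs the servers"),
        "A.10.5.1": SoaEntry(True, "R-02"),
        "A.10.7.2": SoaEntry(True, "R-01"),
        "A.11.1.1": SoaEntry(True, "R-04"),
        "A.11.2.1": SoaEntry(False, "accounts are managed by the group IT provider"),
        "A.12.5.5": SoaEntry(False, ""),
        # A.15.1.1 deliberately left out of the SoA
    }
    return check_traceability(ANNEX_A, risks, soa)


if __name__ == "__main__":
    for severity, message in sample_findings():
        print(f"{severity.upper():7} {message}")
```

On the sample data the check reports six errors (R-03 without sign-off, R-05 with nothing selected, A.15.1.1 absent from the SoA, A.11.2.1 and A.12.5.5 excluded although a risk relies on them, and A.12.5.5 excluded without justification) and three warnings for A.5.1.1, A.8.1.1 and A.10.1.1, which are applicable but tied to no risk. The warnings are the point of the exercise rather than a failure: a policy or roles control is usually justified by the ISMS itself, so the SoA justification has to say so explicitly, and the auditor will read exactly that column.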

*   *   *

Win a Platinum ISO 27001 and BS 25999 Package

Infosec Island is pleased to announce a special prize drawing specifically aimed at our member companies. The drawing winner will receive a Platinum ISO 27001 & BS 25999 Documentation and Service Package from the Information Security & Business Continuity Academy.

The prize package includes:

  • Platinum Package from Information Security & Business Continuity Academy. For this purpose, 6 months subscription will be included, worth US$3,594.00
  • ISO 27001 & BS 25999 Premium Documentation Toolkit worth US$849.00
  • details on eligibility and prize package HERE

To qualify for a chance to win this industry leading compliance package, companies must have a completed profile registered at Infosec Island, as well as at least one employee with a completed member profile, including profile picture (instructions HERE).

The drawing selection will be made from all eligible Island members employed by registered companies with completed profiles. The prize will be awarded to the company, along with kudos and acknowledgment for the lucky staff member chosen in the drawing.

The more registered members with completed profiles a company has, the greater their chance of winning this valuable ISO package - so encourage your coworkers and employees to take two minutes to complete their brief profile at Infosec Island today, and register your Company profile before the December 31, 2010 cutoff.

Cross-posted from the ISO 27001 & BS 25999 blog.

Alexander Schjelde:

I think it's important to understand the difference between the two references, ISO 27001 and ISO 27002, and what's really required.
Implementing an effective ISMS for certification has to follow the PDCA model (Plan-Do-Check-Act), no different from any other well-managed framework.

ISO 27001 is THE set of requirements needed to eventually have your ISMS (Information Security Management System) certified by an accredited company such as BSI.

ISO 27001, as you correctly stated, consists of 133 controls listed in Annex A; some of these can be excluded if they don't apply to your environment. Exclusions have to be documented and reasonable (exclusions such as "we didn't have time" are not acceptable).
Besides the Annex controls, you have to complete ISO 27001 clauses 4-8.
These are all required and cannot be excluded.

ISO 27002 is considered a best-practices document, meaning that if you don't know how to comply with the 27001 Annex A controls, you can use 27002 to get ideas on how to implement the control. Remember: you cannot be certified against 27002. You could just as well have used ITIL as a guide to implementation, as long as the result makes you compliant with the 27001 control.

Then the risk assessment and treatment plan.
The method used has to ensure that it produces comparable and reproducible results.
Remember that all assets within your ISMS scope have to be registered (type, serial #, location, owner, protection, cost/value, etc.) and accounted for.
Threats and risks to these are then assessed and potential controls are applied (treatment).

Good practice will make references to policies/procedures along with the reason for non-conformities to the standard. At this point you may discover that your organization is missing some key policies; fix it.

When the risk assessment is complete, it's time to present it to management for approval of the residual risk (YES, senior management has to accept the risk assessment/treatment plan). What they accept is the residual risk, since risk can never be mitigated 100%, only reduced.

Now you can create your SoA (Statement of Applicability). It is important to remember that any control implemented in your SoA has to be traceable back to the risk assessment. The idea is not to spend money on stuff that doesn't need fixing. (One area where companies go wrong: either overkill or not enough.)

Also, don't forget that if your company is required to comply with any other statutory, legal or industry requirement (HIPAA, HITECH, PCI, SOX, GLBA, etc.), all of these need to be included in your SoA (we call it mapping to existing controls). For PCI, you may have to add additional controls to your SoA, since 27001 isn't all-encompassing for all 218 required PCI controls.

At this point you must obtain management's approval (agreement) to implement and operate the ISMS.

Now it's time to select key ISMS metrics (yes, you have to be able to measure the effectiveness of your ISMS)... This is the CHECK phase.

When implemented, you start monitoring the processes. Evaluate your data, involve management and let them decide if something should be adjusted.

If so, that would be the ACT phase.

If you are interested in getting your ISMS certified by a third party, you have to have an internal audit of your ISMS completed and have gone through the "management review" process prior to a Stage 1 audit.

Enough for now... this was just a 30,000-foot description of an ISMS implementation process.

Since this seems to have an audience, I will find time to take each process (PDCA) and describe what's needed and what can be left out, along with some small hints on how to make your life easier, based on personal experience helping clients with implementations or from auditing an ISMS as an auditor.

Feedback is appreciated....