What are the ISO 27001 Controls?
The main focus of ISO 27001 is identifying risk, and mitigating or managing it through the use of controls.
In total, ISO 27001 lists 114 controls across 14 control sets or ‘domains’. However, it is not necessary for an organisation to implement all 114 of these controls in every case.
To determine which controls should be applied to your business, the first step is to identify where your risk areas are by carrying out a risk assessment and a gap analysis.
The complete list of controls can be found in Annex A of the ISO 27001 standard. The 14 domains include the following:
Information Security Policies
Organisation of Information Security
Human Resource Security
Physical and Environmental Security
System Acquisition, Development and Maintenance
Information Security Incident Management
Information Security Aspects of Business Continuity Management
A key part of your ISO 27001 submission is to declare precisely which of the 114 controls and policies are applicable to your organisation. This is detailed in a mandatory document called a Statement of Applicability (SoA). Specifically, the SoA shows how the controls and policies have been implemented relative to the risks and information assets detailed in the Scope. The Scope is the set of parts of your business that you are seeking to have assessed, and to which you plan to apply the relevant controls. It can be defined in a number of ways, for example by business unit, office, geographical region, or even specific business processes.
The SoA together with the Scope forms the core of your ISO 27001 documentation and is key in determining what is to be assessed and audited and what is not. When drawing up the Scope it is important to consider all parts of your organisation: all departments, business units, locations and datacentres must be considered to make sure all of your risks, and therefore the controls that address them, are in scope.
Of course, the wider the Scope, the more controls may be applicable, and so the broader and more in-depth your SoA will need to be.
Though referenced only as a guide in the ISO 27001 standard itself, ISO 27002 goes into more detail, covering the specific guidance and implementation advice for each individual control.