Talk to us!

Depending on your specific organisation or business, you’ll need to apply certain ISO 27001 controls. Annex A lines them all out for you so you know what to expect. Read further to dive deep into each group of controls and why they are important for your ISO 27001 certification.

What is Annex A?

‍

Annex A is the control based side of the ISO 27001 standard. It is not mandatory for you to comply with each control like the clauses set out in the standard, meaning you have more flexibility in choosing the controls you need to implement. Annex A contains 93 controls, split across 4 sections (Organisation, Technical, People, Physical). Traditionally, larger companies with offices, servers and networks will implement all of these controls as they are relevant to the way they operate. However, smaller organisations that may not have servers (Onsite, IaaS or PaaS), networks or offices they won’t need to adhere to some of the Physical and Technical Controls.

How many controls are in each section?

‍

Organisational controls (37)

Organisational controls center around how your organization approaches data security. This section contains most of the controls from Annex A. It includes:

• Assigning dedicated roles and responsibilities for the ISMS
• Creating relevant information security policies and procedures
• Classifying Information for appropriate use
• Management and Protection of Personal Identifiable Information (PII)

Technical controls (34)

Technical controls help to secure and protect the confidentiality, integrity and availability of your networks, devices and servers. These include the following:

• Logged Backup of data 
• Web Filtration and Safe internet usage
• Secure Development
• Capacity and configuration management for networks, servers and devices

‍People controls (8)

This is where you’ll include your HR department or equivalent into the implementation into controls such as:

• Screening and background checking of employees
• Setting terms of employment
• employee onboarding necessary to the job role
• Confidentiality and information security in employment contracts.

Physical controls (14)

Whether you have physical infrastructure or not, knowing how to apply these controls effectively will show you understand in case you need them in your company. Typical controls include:

• Monitoring of physical locations (CCTVs, Security Guards)
• Maintenance of company equipment for continued use
• Keeping physical desks and screens clear of Sensitive data when not in use
• Cabling for powering systems should be protected from damage.

Once you’ve gone through the controls list and worked through what is relevant for your organisation and how to apply it, you are ready to move on and present your case to an auditor. For that, you’ll need a Statement of Applicability.

‍
What is a Statement of Applicability?

A statement of applicability or SOA, is a document that lists all the controls of the standard, disclosing those you deem necessary and those you don’t. It should clearly explain the reasons why some controls aren’t applicable. Something we covered in our last ISO 27001 blog, was that “a remote based company would not benefit from having policies and processes of how to work in an office”. If this is similar to your case, this would be written in in your SOA, showing you understand the standard and relevant information security in this context.

Thankfully, Annex A is simple because it is practical. Not all of the controls are mandatory, so you simply use the ones you need and apply to your company.

‍

So How can we Help?

Looking for assistance with Annex A? Book your free discovery call today with Acorn Compliance. We can support you with any questions you have regarding the relevance of controls to your organisation, how to structure your statement of applicability or gain ISO 27001 compliance through our trusted team of experts.