When it comes to keeping information assets secure, the ISO27k controls are important: they take up most of an ISO's attention.
For beginners, there is a lot to learn. Here, we will only discuss the control sets of Annex A.
We will cover the basic description of each of these 14 control sets and build some foundation towards an ISO career.
We will name each control set by its number and then say a few words about it.
The Magic 14
Annex A.5 – Information security policies (2 controls)
This annex ensures that information security policies are written and reviewed in line with the organization's information security practices.
Annex A.6 – Organisation of information security (7 controls)
This annex covers the assignment of responsibilities for specific tasks.
Annex A.7 – Human resource security (6 controls)
The goal is to make sure that employees and contractors understand their roles and responsibilities.
Annex A.8 – Asset management (10 controls)
This annex concerns the way organizations identify their information assets and define appropriate protection responsibilities for them.
Annex A.9 – Access control (14 controls)
First, it aims to ensure that employees can only view the information suited to their job. It's divided into four sections.
Besides the business requirements for access control, it also covers user access management, user responsibilities, and system and application access control.
Annex A.10 – Cryptography (2 controls)
This annex tackles data encryption and how to take care of sensitive information.
Its two controls are designed, first, to make sure that organizations use cryptography the right way, and second, to protect the confidentiality, integrity, and availability of sensitive data.
Annex A.11 – Physical and environmental security (15 controls)
This annex addresses the organization's physical and environmental security. It's the largest annex in the Standard, as it contains 15 controls separated into two sections.
Annex A.12 – Operations security (14 controls)
In short, this annex ensures that information processing facilities are safe and secure. It consists of seven sections.
Annex A.13 – Communications security (7 controls)
This annex concerns the way organizations protect the information in networks.
Annex A.14 – System acquisition, development, and maintenance (13 controls)
The goal is to ensure that securing information stays the focus of the process throughout the entire system lifecycle.
Annex A.15 – Supplier relationships (5 controls)
This annex concerns the contractual agreements organizations have, especially with third parties.
It's divided into two sections.
Annex A.16 – Information security incident management (7 controls)
This annex is about how to manage and report security incidents. Part of this process involves identifying which employees should take responsibility, and be accountable, for certain actions.
As a result, incidents are handled consistently and effectively when they occur.
Annex A.17 – Information security aspects of business continuity management (4 controls)
As the name suggests, the goal is to create a system for managing disruptions to the business.
Annex A.18 – Compliance (8 controls)
This annex ensures that organizations identify the laws and regulations relevant to them.
As a result, they operate legally and understand their contractual requirements,
which reduces the risk of non-compliance and the penalties that come with it.