Controls to Ensure Security (Appendix A)
Appendix A (Annex A), often referred to as the Controls section, is the part of ISO 27001 that lists 114 security controls, or safeguards, which serve as the industry standard. These controls are divided into 14 sections and grouped into the following categories:
Information Security Policies
Providing management direction and rules for information security in accordance with the needs of the organization and with applicable laws and regulations.
Organization of information security
Establishing an organizational structure to initiate and control the implementation of information security. This is referred to as the “organization of information security”.
Human resource security
Personnel security involves ensuring that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered; they must also be aware of and fulfil their information security responsibilities before, during and after their employment with the company.
Asset management
Asset management is the process of identifying corporate assets and defining appropriate protection responsibilities, such as preventing the unauthorized disclosure, alteration, removal or destruction of information stored on media.
Access control
Access control restricts access to information and information processing facilities so that only authorized users can use them, and prevents unauthorized users from gaining access to systems and services.
Cryptography
Ensuring the correct and effective use of cryptography to protect the confidentiality, integrity and validity of information.
Physical and environmental security
Preventing unauthorized physical access to, damage to and interference with the organization’s information and information processing facilities. This also includes protection against environmental hazards such as fire and flooding.
Operations security
Ensuring that information processing facilities are operated correctly and securely.
Communications security
Communications security involves protecting information in networks and the information processing facilities that support them, as well as maintaining the confidentiality of information transferred both within the organization and to third parties.
Acquisition, development and maintenance of systems
Ensuring that information security is an integral part of information systems across their entire lifecycle. This also includes the requirements that information systems must meet in order to provide services over public networks.
Supplier relationships
Protecting the organization’s information assets that are accessible to suppliers, while maintaining positive relationships with those companies.
Information security incident management
Ensuring a consistent and effective approach to the management of information security incidents, including communication about security events and weaknesses.
Business Continuity Management (BCM)
The incorporation of information security continuity into the organization’s business continuity management (BCM) systems; this covers the information security aspects of business continuity management.
Compliance
Compliance refers to avoiding breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. This includes compliance with legal and contractual requirements and regular information security reviews.
How to meet the requirements of ISO/IEC 27001
- Who: An organization that wants to strengthen its information security management system using the well-known standard of best practices in information security and achieve the required level of security should consider implementing ISO/IEC 27001.
- When: ISO/IEC 27001 can be implemented and certified at any time, but it is not mandatory. If the organization is required to do so by regulations, or if it wants to increase customer and client confidence through stronger security assurances, it can choose to implement the standard first and get certified later.
- Where: The standard can be adopted and implemented by any organization, regardless of its size, type and nature, whether private or governmental, and whether for profit or not.
- Why: ISO/IEC 27001 is beneficial to organizations because it requires them to take a holistic approach to security. It helps organizations comply with government regulations, gives them a marketing advantage by assuring consumers of security, saves costs by preventing incidents, and improves organizational efficiency by creating policies and procedures for a coordinated approach to information security.
- How: An organization that uses ISO/IEC 27001 as the standard for its information security management system would take the actions listed below to improve that system.
Performing a gap analysis: This is the very first action that needs to be taken to achieve compliance. A gap analysis can be performed either in-house or by an external information security specialist. Through a gap analysis, an organization can determine which requirements and controls it already meets and which it does not.
Addressing the gaps: Where there are requirements or controls that the organization does not yet meet, it can make changes to its people, processes and technology to bring itself into compliance with them.
Measure, monitor and check
The performance of the ISMS must be continuously measured and evaluated for effectiveness and compliance, and improvements to current processes and controls must be identified. This is an ongoing requirement, not a one-off exercise.
The ISMS must be audited at planned intervals, which requires practical knowledge of how to lead an audit. This knowledge is also critical for those responsible for implementing and maintaining ISO/IEC 27001 compliance before a certification audit is carried out by an external auditor, or by an organization authorized to certify an organization as ISO/IEC 27001 compliant and to register it.
During the first-stage certification audit, the auditor assesses whether the documentation meets the criteria of the ISO/IEC 27001 standard. The auditor also points out areas where the management system is non-compliant or can be improved. Once all necessary adjustments have been made, the organization is ready for the second-stage audit. In the second stage, the auditor performs a comprehensive assessment to determine whether the company complies with the ISO/IEC 27001 standard or not.