About the Annex A Controls

As you may remember from  earlier on in this course, ISO 27001 relies heavily on a risk assessment process and unlike other ISO Standards, 114 controls are provided within Annex A.

You should not ignore the Controls in Annex A.

The standard requires you to justify the inclusion or exclusion of every control within Annex A.  Controls should only be excluded if they do not help you:

• Manage Risk,
• Meet Legal Requirements,
• Meet Contractual Requirements,
• Achieve Best Practice.

Statement of Applicability Document

The standard requires you to put these justifications into a Statement of Applicability (SOA).

Often this takes the form of a list covering every control in the annex, and against each the justification for inclusion or exclusion.

The SOA can become an invaluable document during audit.  If you reference key policies, procedures or other evidence against each control, it becomes much easier to manage your system.

You don’t necessarily need a document for EVERY control.

While there are many controls which state “Documented”, “Policy’ or ‘Procedure’ many only require that the control is met, which can be evidenced in other ways.  Think carefully about the level of documentation your organisation needs to effectively operate the ISMS.

Sub-Categories

The controls of Annex A are divided into several sub-categories:

• A5 Infosec Policies
• A6 Organisation of Infosec
• A7 Human Resource Security
• A8 Asset Management
• A9 Access Control
• A10 Cryptography Controls
• A11 Physical Security
• A12 Operations Security
• A13 Communications Security
• A14 System Development Acquisition & Maintenance
• A15 Supplier Relationships
• A16 Incident Management
• A17 Infosec in Business Continuity
• A18 Compliance

Responsibilities for implementing controls should be delegated to relevant people within the organisation, and so you may be asked to take on some extra responsibilities, or document some information, in line with your job role.