Total Number of ISO 27001 Controls and Which Ones You Can Exclude

ISO 27001 is the dominant standard that helps organizations and companies protect their assets against the risk and vulnerabilities of cyber attacks and other IT security and privacy disruptions. 

The standard provides a well-rounded model for setting up an information security management system with recommended ISO 27001 controls.

How ISO 27001:2022 will benefit your organization:

  • Securing information in all its forms, including paper, digital, and information held in the cloud
  • Making your organization resilient against cyber attacks
  • Being ready to respond to changing information security threats
  • Managing costs related to information security controls in a more methodical way
  • Protecting the overall confidentiality, integrity, and availability of data in the organization
  • Complying with legal requirements

How many ISO 27001 controls are there in total?

The list of ISO 27001 controls is given in Annex A of the ISO 27001:2022 standard document. In total there are 114 ISO 27001 controls, further subdivided across 14 categories of the ISMS, called domains.

These 14 domains and the number of ISO 27001 security controls in each domain are given below:

1. Information Security Policies – 2 controls

The purpose of the controls in this domain is to ensure that the organization has a written, documented, and approved information security policy that reflects its requirements.

2. Organisation of Information Security – 7 controls

These fundamental controls help ensure that the organization has established a security management framework with clear roles and responsibilities for the information security function. The information security roles are then responsible for implementing information security controls according to approved policies and procedures. 

3. Human Resource Security – 6 controls

Human resources are a critical and usually the weakest link in the information security structure. The controls ensure that all personnel (including outsourced employees and contractors) are aware of their roles related to information security. Key controls include background checks and implementing an information security awareness and training regime.

4. Asset Management – 10 controls

Organizations want above all to protect their assets when implementing an information security management system. The 10 ISO 27001 controls in this domain help entities ensure that assets are correctly classified, handled according to their classification, and securely disposed of when no longer required.

5. Access Control – 14 controls

The next step is to control access to assets and information on a need-to-know basis, according to the access control policy. Another principle that helps achieve secure access control is the principle of least privilege.

Other controls include ensuring reliable authentication mechanisms and controls against the override of programs. 

6. Cryptography – 2 controls

Based on the classification of assets, the entity must approve a cryptographic policy and apply proper cryptographic controls so that assets and data remain secure at rest and in transit. The other control is to ensure the safety of the cryptographic keys, because if these are compromised, then even encrypted assets will not be safe.

7. Physical and Environmental Security – 15 controls

The main objective of these ISO 27001 controls is to prevent loss of, and damage to, information and assets by introducing controls such as establishing a physical security perimeter, securing the transport of equipment, protecting equipment against environmental damage, and securing data center equipment against fire and flood damage.

8. Operational Security – 14 controls

These are technical controls against data loss, for protecting logs, and for protection against viruses and malware. Some of the controls include ensuring reliable onsite and offsite backups, keeping software updated, monitoring for the installation of unauthorized software, and ensuring that antivirus software is installed and kept up to date.

9. Communications Security – 7 controls

These ISO 27001 controls are targeted toward ensuring that the transfer of internal and external data (e.g., email, instant messaging, and social media) is regulated and managed per organizational policies.

10. System Acquisition, Development, and Maintenance – 13 controls

These are critical ISO 27001 controls that establish the processes for acquiring and developing software (including change management) and for maintaining existing systems and software.

One of the critical controls is the separation of development, testing, and production environments, so that systems development follows a secure development methodology.

11. Supplier Relationships – 5 controls

The five controls in the Supplier Relationships domain aim to ensure that assets and information accessed by external suppliers remain secure and that suppliers follow the agreed security protocols. The provisions are generally made in agreements covering information security, which may include monitoring supplier activities on systems and establishing audit trails for those activities.

12. Information Security Incident Management – 7 controls

Information security incidents may happen even with the best controls in place. These ISO 27001 controls help organizations manage information security incidents effectively and consistently. The controls include reporting incidents promptly, managing these as per escalation protocols/procedures, preserving evidence, and documenting lessons learned. 

13. Information Security Aspects of Business Continuity Management – 4 controls

These controls ensure that organizations have documented business continuity and disaster recovery plans so that the entity can continue its operations and remain available in case of significant incidents. 

14. Compliance – 8 controls

Almost all entities dealing with digital information are subject to legal and regulatory compliance. The controls in the Compliance domain of the ISO 27001 standard include identifying compliance requirements and protecting information with controls that ensure the organization complies with relevant laws and regulations.

Identifying the ISO 27001 Controls You Should Implement

Out of these 114 ISO 27001 controls, the organization will need to identify the controls that need to be implemented, keeping in view the risks identified as a result of the risk assessment exercise.

As a next step, the controls are selected during the risk treatment exercise, taking into account the organization's risk appetite and the residual risk. Though more controls would usually mean better security, controls instituted without a proper risk assessment are not likely to cover all the risks.

It is possible to exclude some of these 114 controls from the ISMS, keeping in view the context of the organization. Controls from Annex A can be excluded if they are believed to be irrelevant; for example, if there is no in-house software development, then clearly the controls related to software development may be excluded. Any exclusion, however, must be appropriately documented in the Statement of Applicability, with a full justification of the grounds for exclusion.
