Understanding ISO 27001 Controls in Annex A
This guide to ISO 27001 controls in Sri Lanka explains how Annex A is organized and how it relates to ISO 27002 and the main clauses of ISO 27001.
ISO 27001 Controls
ISO 27001 controls in Sri Lanka are essential tools for managing information security risks: they provide a list of security controls (or safeguards) that should be used to improve the security of information assets. Annex A of ISO 27001 is probably the most well-known annex of all the ISO standards.
How many domains are there in ISO 27001?
The ISO 27001 controls list in Annex A is made up of 14 sections (domains). Contrary to what many people think, not all of them have to do with IT. The areas of attention for each section are listed below in brief:
Organizational issues are covered in Sections A.5, A.6, A.8, and A.15.
Human resources are covered in Section A.7.
Information technology is covered in Sections A.9, A.10, A.12, A.13, A.14, A.16, and A.17.
Physical security is covered in Section A.11.
Legal issues are covered in Section A.18.
What are the 14 domains of ISO 27001?
Each of the fourteen sections is briefly explained below:
A.5 Controls over the development and review of information security policies
A.6 Organization of information security: controls covering the assignment of responsibilities, mobile devices, and teleworking
A.7 Human resource security: measures to ensure security before, during, and after employment
A.8 Asset management: rules for asset inventory, acceptable use, information classification, and media handling
A.9 Access control: measures governing user responsibilities and the access privileges of users, systems, and applications
A.10 Cryptography: controls for encryption and key management
A.11 Controls that specify clear desk and clear screen policies, secure areas, physical access controls, protection against threats, equipment security, and secure disposal
A.12 Operations security: a broad variety of management practices used in running IT production, such as change management, capacity management, malware protection, backup, logging, monitoring, software installation, and vulnerability management
A.13 Communications security: controls governing networks, network services, information transfer, and messaging systems
A.14 Security requirements and security controls for the system acquisition, development, and maintenance processes in Sri Lanka
A.15 Supplier relationships: controls on supplier interactions, what to include in contracts, and how to monitor suppliers
A.16 Information security incident management: mechanisms for reporting events and weaknesses, defining responsibilities, planning responses, and collecting evidence
A.17 Information security aspects of business continuity management: controls requiring the planning of business continuity, procedures, verification and review, and IT redundancy
A.18 Compliance: ISO 27001 controls in Sri Lanka require you to identify applicable laws and regulations, protect intellectual property, protect personal information, and review information security
How many controls does ISO 27001 have?
Annex A of the most recent 2013 iteration of the standard lists 114 ISO 27001 Certification information security controls (compared with 133 in the previous 2005 revision of the standard). The number of controls of each type is listed below:
Organizational issues: 24 controls
Human resources: 6 controls
Information technology: 61 controls
Physical security: 15 controls
Legal matters: 8 controls
The best way to think of Annex A is as a catalogue of information security ISO 27001 controls: from the 114 controls it lists, you select those that apply to the scope of your company. Using Annex A as a checklist for the ISO 27001 controls in Sri Lanka is another way of determining whether your company is ready to implement the information security management process.
Relationship to the ISO 27001 main clauses
Not all of the ISO 27001 controls are relevant to every business. Businesses can choose the ISO 27001 controls in Sri Lanka they consider appropriate and must implement those (in most cases, at least 90%); the remaining controls are treated as not applicable. For example, if a company does not outsource software development, control A.14.2.7 (Outsourced development) can be excluded from consideration. The fundamental factor in selecting the controls is risk management, which is covered in clauses 6 and 8 of the main part of ISO 27001. See also: risk assessment and management in ISO 27001: 6 core procedures.
Additionally, clauses 5 and 9 of the main part of ISO/IEC 27001 require you to identify who is responsible for managing these controls and to evaluate their effectiveness, respectively. Finally, clause 10 requires you to correct any problems with those controls and ensure that they support your information security objectives.