What are ISO 27001 controls?
ISO 27001 controls are a set of security best practices developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to help businesses build effective information security management systems (ISMSs).
Updated in 2022, and now referred to as ISO/IEC 27001:2022, these controls basically make up a risk management toolkit. Even though they’re voluntary, controls can be mandatory for organizations operating in industries like healthcare and finance. They provide guidance for setting up, maintaining, and enhancing security and risk mitigation processes in your organization’s IT environment.
This blog post is your cheat sheet for understanding the ISO 27001 controls, implementing them to tackle security risks, and getting ISO 27001 certified—without any hassles.
The Data Security Best Practices [Cheat Sheet]
No time to sift through lengthy guides? Our Data Security Best Practices Cheat Sheet condenses expert-recommended tips into a handy, easy-to-use format. Get clear, actionable advice to secure your cloud data in minutes.
Download cheat sheet
Why are ISO 27001 controls important?
ISO 27001 controls set organizations up with clear-cut guidelines for supercharging security and compliance. These controls are vital in cloud environments, which are particularly risk prone.
Here are the top reasons to implement ISO 27001 controls:
1. Enhanced security posture
The ISO 27001 controls provide a solid framework of measures that zero in on data classification, labeling, and handling. These measures help define the roles that are allowed to access data of varying degrees of sensitivity and the kind of access those roles can have (e.g., read or write).
Network security is another area where the ISO 27001 controls come into play. The controls map out network segmentation, network access control, and network security testing guidelines, providing solid pointers for reducing your network attack surface and locking threat actors out of enterprise network environments.
In other words, you can look to ISO 27001 to improve your organization’s cloud security and governance, reduce the risk of data breaches, improve incident response, and put strong protections into place for sensitive information.
2. Increased business value
Implementing ISO 27001 controls will strengthen your organization’s information security posture. This enables you to manage security incidents more efficiently, and in an era where data breaches are rife and cause huge reputational damage, a demonstration of commitment to security best practices can give your organization a competitive edge in the market.
ISO 27001 implementation also helps you align your security protocols with international standards, which can better streamline your processes, reduce overhead costs, and foster a culture of continuous improvement, ultimately driving long-term growth and profitability.
3. Regulatory compliance
ISO 27001 controls provide a robust framework that helps organizations align with a wide range of regulatory requirements and industry standards. Many regulations, such as GDPR, HIPAA, and CCPA, emphasize the importance of protecting sensitive data and implementing strong security measures. ISO 27001’s comprehensive set of controls addresses key areas like risk management, access control, encryption, and incident response, which are often core components of these regulations. By adopting ISO 27001, organizations can simplify their compliance efforts, reducing the risk of non-compliance and the resulting penalties.
Now that you get why ISO 27001 is crucial, let’s take a closer look at Annex A controls.
Overview of ISO 27001 Annex A controls
The 93 ISO 27001:2022 Annex A controls are broadly classified into four themes: organizational, physical, people, and technological controls. These themes were reorganized in the 2022 ISO update to improve their alignment with modern security best practices.
Organizational controls
Made up of 37 safeguards, these controls are largely focused on information security and, you guessed it, its organization. Organizational controls take into account the policies, roles, identity access management (IAM), information transfer, and incident response measures that you can implement to protect sensitive information.
Physical controls
These controls consist of 14 measures to support the physical security of IT infrastructure that hosts sensitive data. Here, ISO suggests measures like physical perimeter security and monitoring, storage media security, work area security, and secure disposal of IT equipment.
Some of the physical and environmental security controls are also targeted at making sure cloud service providers (CSPs) handle their security responsibilities. For example, to get ISO 27001 certified, cloud services must demonstrate that they’ve set up access restriction, surveillance, failover, and other risk management measures.
People controls
These 8 controls are best practices for preventing unauthorized access to and manipulation of sensitive data. People controls cover human resource security and remote work security policies.
Technical controls
There are 34 technical controls in total. They outline specific measures that organizations must adopt for a secure and compliant IT environment, like continuous monitoring, data masking, cryptography, and secure coding.
Core ISO 27001 controls explained
Here’s a closer look at ISO/IEC 27001:2022 Annex A, focusing on 11 core controls:
1. Policies for information security—Annex A.5.1
Annex A 5.1 is made up of two controls: A.5.11 and A. 5.12. These controls require enterprise leadership to create, document, and periodically revise IT governance policies in keeping with international standards.
To create information security policies, factor in your specific security objectives, the shared responsibility model, risks associated with multi-tenancy, and other cloud-specific considerations.
So what’s in it for your organization? By mandating that enterprises outline their security policies, the A.5.1 controls help you meet security requirements and mitigate cloud risks.
2. Access control—Annex A.5.15
Annex A.5.15 is about safeguarding sensitive information by granting entities—including employees and apps—only the access they need to perform their duties. It’s one of the controls all enterprises, regardless of size or industry, must meet to get ISO certified.
This control centers on enforcing security measures like least privilege, role-based access controls (RBAC), and zero-trust architecture (ZTA) to ensure that only designated roles and identities can access business-critical assets.
3. Information security roles and responsibilities—Annex A.5.2
This control is all about creating identities and corresponding roles and getting enterprise leadership to commit to setting up secure information systems. The goal is to ensure that stakeholders, from top to bottom, all understand and carry out their responsibilities towards protecting IT assets and data.
Applying this control involves listing all security roles, assigning responsibilities to stakeholders, training stakeholders on how to handle their responsibilities, and putting monitoring measures in place to spot lapses. Annex A.5.2 helps organizations establish a framework for accountability. It also mitigates IAM risks and enhances data security compliance.
4. Incident response (IR)—Annex A.5.29
Tagged “Information Security During Disruption,” A.5.29 explains security incident management. Acknowledging that attacks and disasters can still happen despite our best efforts, the control stresses that enterprises must detect, respond to, and recover from incidents swiftly. And while they’re at it, enterprises must keep security controls like encryption, firewalls, and access controls in place to contain the damage.
5. Standards compliance—Annex A.5.36
The crux of Annex A.5.36 is mitigating risks by complying with regulatory frameworks, industry best practices, and internal policies. It involves continuously preventing, tracking, and resolving non-compliance. Where adherence issues persist, COOs must investigate the root cause and take corrective steps in a timely manner.
6. Human resources security—Annexes A.6.1-6.8
The Annex A controls ranging from 6.1 to 6.8 follow a similar theme. They require organizations to conduct thorough background checks of contractors, third-party partners, and prospective employees to prevent insider attacks. They also encourage methods to cut down attackers’ ability to leverage the “human element” in attacks.
7. Data masking—Annex A.8.11
Relevant to data security in transit and during AI model training, Annex A.8.11 encourages organizations to mask data, especially PII, via the use of pseudonyms and anonymization. Data masking cuts off the connection between sensitive information and its referent, making it unusable for attackers and ultimately minimizing the risk of breaches.
8. Continuous monitoring—Annex A. 8.16
Annex A.8.16 is about managing security risks by monitoring inbound and outbound traffic to and from networks, servers, systems, and data repos. It outlines steps like behavioral analytics, event log collection, configuration management, and code checks to detect unusual or unwanted activities in enterprise IT stacks.
The control suggests IP monitoring and blocking to prevent DDoS attacks along with intrusion prevention to stop unwanted entities from accessing enterprise networks.
9. Cryptography—Annex A.8.24
ISO 27001:2022 Annex A.8.24 mandates data encryption in transit and at rest to ensure data confidentiality and integrity at all times. It also requires enterprises to create cryptographic control policies to make data encryption effective. It offers steps for applying cryptography and outlines its benefits: For example, when data is encrypted in transit, it’s an effective deterrence against man-in-the-middle (MITM) attacks.
10. Secure SDLC—Annex A.8.25
A secure software development lifecycle (SDLC) begins with applying security controls from the very first phases of software development.
A.8.25 advocates for testing for and resolving all software risks before software is deployed. This helps sidestep attacks and massively cuts breach-related financial costs.
11. Secure coding—Annex A.8.28
In A.8.28, ISO warns against insecure coding practices, such as weak encryption, insecure secrets storage, and improper input validation. These practices are common causes of data breaches, SQL injection (SQLi), cross-site scripting (XSS), and other attacks.
A.8.28 suggests using integrated development environments (IDEs), security testing tools, vulnerability scanners, and implementing other measures to ensure code remains vulnerability-free throughout the SDLC.
ISO 27001 implementation tips
As you might have noticed, implementation can seem overwhelming—but it doesn’t have to be. Here are cloud-focused tips to help simplify your ISO 27001 implementation.
Understand the shared responsibility model: The specifics of the model differs across various platforms. But the bottom line is that service providers are responsible for protecting the infrastructure, while enterprise customers must safeguard their data and assets.
Use RBAC and ABAC to enforce fine-grained access controls: Define roles and relevant permissions precisely. The clearer your access control policies are, the easier it will be to detect and respond to deviations that could put data at risk.
Implement MFA: Multi-factor authentication can help you lock out attackers even when they’re in possession of the right login credentials.
Disguise sensitive data: Encrypt data at rest and in transit and deploy hash-based value masking to make data unreadable to hackers.
Ensure secure data storage: This is a crucial part of meeting compliance requirements and getting ISO certified. For example, you want to develop policies for automatically deleting obsolete data and keeping data within legislated regions.
Automate threat intelligence gathering and risk assessment: Keep this step simple by using threat intelligence feeds and risk-based vulnerability assessment solutions.
Apply robust monitoring and logging: Continuously monitor and log user activities. These logs do double duty: They’re useful for investigating incidents and for preventing future attacks.
Be proactive with incident response: Your incident response roadmaps should be crystal clear and outline roles and degrees of response for various scenarios.
Build secure-by-design software: Embed security into software development from the get-go. Use SAST and DAST tools, IaC scanners, and vulnerability management platforms to detect risks early, deploy software securely, and prevent misconfigurations.
Automate code reviews to discover vulnerabilities and hardcoded secrets: Leverage tools for detecting and securely storing secrets like cryptographic keys and API tokens, and look to software composition analysis (SCA) tools to uncover vulnerabilities in third-party code, libraries, and dependencies.
Consider security a non-stop process: This means you’ll conduct regular policy and compliance audits, train employees on security best practices, continuously apply security patches, and ensure everyone has a security-first mindset.
Differences between ISO 27001 and 27002
Both ISO 27001 and ISO 27002 share the common goal of enhancing information security, but they differ significantly in their scope, structure, and application. This section will explore the key differences between ISO 27001 and ISO 27002, clarifying their unique roles and how they complement each other in building a robust information security management system (ISMS).
| Standard | ISO 270001 | ISO 270002 |
|---|---|---|
| Purpose and scope | Stipulates how to establish, implement, and maintain an information security management system (ISMS) | Provides guidelines for selecting, implementing, and maintaining information security controls (ISCs) |
| Certification | Can be certified by a third-party auditor | Not certifiable, but provides guidance for implementing ISO 27001 controls |
| Risk management | You must formally establish a risk management process to detect and handle any information security risks | Provides guidelines for risk management, but does not require a formal risk management process |
| Controls | Since you must implement controls to mitigate any IS risks, you can use it to demonstrate compliance with information security regulations and standards | Implementation of controls is not mandatory, so it’s not a direct compliance requirement |
| Audit and review | Regular audits and reviews are key to the efficacy of the ISMS | Does not require regular audits and reviews, but recommends regular review and update of information security controls |
ISO 27001 compliance with Wiz
At the end of the day, the ISO controls are based on the idea that all environments come with their own unique risks, which enterprises must continuously work to fix. Wiz helps you comply with ISO 27001 by providing a built-in compliance framework that maps to the standard's requirements, while our compliance heatmap gives you an at-a-glance view of your compliance score. The end result is real-time visibility into your ISO compliance status in easy-to-interpret figures.
The Wiz compliance framework surfaces relevant issues and facilitates swift remediation to ensure adherence to ISO 27001 standards. We offer controls and rules that align with ISO 27001's guidelines for information security management to provide you with automated playbooks for detecting and responding to compliance risks—like misconfigured network and storage access.
Another great thing about Wiz? It’s ideal for both private and government organizations. Try Wiz compliance to fast-track your ISO certification journey.
Protect your most critical cloud data
Learn why CISOs at the fastest companies choose Wiz to secure their cloud environments.
