ISO/IEC 27001:2013 controls
The Standard does not mandate that all 114 Annex A controls be implemented. The risk assessment determines which controls are required, and the Statement of Applicability (Clause 6.1.3 d) records each Annex A control as included or excluded, with a justification for every inclusion and exclusion from the ISMS.
Below are the 14 control sets (A.5 to A.18) into which Annex A groups the controls.
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 and risk management
Risk management forms the cornerstone of an ISO/IEC 27001 ISMS. Every ISMS project relies on regular information security risk assessments to determine which security controls to implement and maintain, and to show that residual risk is acceptable to the organisation.
The Standard has ten management system clauses, of which Clauses 4 to 10 contain the auditable requirements. Together with Annex A, which lists 114 information security controls, they support the implementation and maintenance of an ISMS, as shown in the infographic below.