ISO 27001 Annex A Controls

ISO 27001:2022 Annex A 8.12: How to Stop Data Leaks Before They Happen We have all been there. You are typing an email, you autocomplete the recipient’s name, hit send, and then feel that cold drop in your stomach. You just sent the confidential payroll spreadsheet to “John Smith” the external contractor, instead of “John […]

ISO 27001:2022 Annex A 8.13: The Complete Guide to Information Backup Let’s face it: data loss is a nightmare scenario for any business. Whether it is a ransomware attack locking up your servers, a disgruntled employee deleting critical files, or just a coffee spill on the wrong laptop, the result is the same—panic. This is

ISO 27001 Annex A 8.14: Redundancy of Information Processing Facilities Imagine this: It is Black Friday, or perhaps just a busy Tuesday morning. Your main server decides to quit. The screen goes black. Silence. How much money are you losing every minute that system is down? This is exactly the nightmare that ISO 27001 Annex

ISO 27001:2022 Annex A 8.15: The Ultimate Guide to Logging In the world of information security, there is an old saying: “If you didn’t log it, it didn’t happen.” Well, actually, if you didn’t log it, it did happen, you just have no way of proving how, when, or who was responsible. That is where

ISO 27001:2022 Annex A 8.16: Monitoring Activities Explained If logging is the memory of your Information Security Management System (ISMS), monitoring is its eyes. In the 2022 update of ISO 27001, Annex A 8.16 (Monitoring Activities) takes centre stage as a critical control for identifying security threats before they become full-blown disasters. It replaces and

ISO 27001 Annex A 8.17: Why Time Travel is Bad for Security Einstein might have said that time is relative, but if you say that to an ISO 27001 auditor, you are going to have a bad day. In the world of information security, time needs to be absolute. This brings us to Annex A

ISO 27001:2022 Annex A 8.18: The Ultimate Guide to Privileged Utility Programs In the world of information security, there are certain software tools that act like skeleton keys. They can bypass standard controls, rewrite data directly on a disk, or peek into the memory of running applications. These are “privileged utility programs,” and if they

ISO 27001:2022 Annex A 8.19: Mastering Software Installation on Operational Systems We have all seen it happen. A well-meaning employee downloads a “free PDF converter” to get their job done faster, and suddenly your operational server is crawling with malware. Or perhaps a developer pushes a new library directly to production without testing, bringing the

ISO 27001:2022 Annex A 8.20: A Practical Guide to Network Security If you think of your organisation’s data as gold in a vault, your network is the system of roads, hallways, and tunnels that leads to it. If those roads are unguarded, unmapped, and open to the public, your gold isn’t safe. This is the

ISO 27001:2022 Annex A 8.21: Managing Security of Network Services Let’s be honest: without a network, your business probably grinds to a halt. Whether it is sending emails, accessing the cloud, or just letting your team talk to one another, network services are the invisible backbone of modern operations. But here is the catch—just because

ISO 27001:2022 Annex A 8.22: Segregation of Networks Imagine your organisation’s network is a submarine. If a “flat” network—one big open space—springs a leak, the water fills the entire vessel, and you sink. But if you have watertight doors separating different sections, a leak in one room is contained. The rest of the submarine stays

ISO 27001:2022 Annex A 8.23: The Complete Guide to Web Filtering We have all been there. You click a link at work, maybe to check a sports score or buy a last-minute gift, and suddenly a screen pops up saying “Access Denied.” It can be annoying, sure, but in the world of information security, that

ISO 27001:2022 Annex A 8.24: Mastering the Use of Cryptography In the digital age, encryption is often seen as the silver bullet for information security. However, simply “switching on” encryption is rarely enough to satisfy a rigorous auditor. This is where ISO 27001:2022 Annex A 8.24 comes into play. This control, titled Use of Cryptography,

ISO 27001:2022 Annex A 8.25: Mastering the Secure Development Life Cycle In the fast-paced world of software development, it is tempting to prioritise speed over safety. We rush to get features out the door, promising to “fix the security bugs later.” But as any seasoned developer knows, “later” often means “never”—until a breach happens. This

ISO 27001:2022 Annex A 8.26: Securing Your Application Lifecycle In the rush to release new features or acquire the latest software tools, security often takes a backseat to functionality. We’ve all seen it happen: a project is 90% complete, and suddenly someone asks, “Wait, how are we handling user passwords?” This “build first, secure later”

ISO 27001:2022 Annex A 8.27: Building Secure Systems by Design We often hear the phrase “secure by design,” but what does it actually mean in practice? Too often, security is bolted on at the end of a project like an afterthought—a firewall here, an encryption key there. But if the underlying architecture is flawed, no

ISO 27001:2022 Annex A 8.28: The Ultimate Guide to Secure Coding If you have ever been part of a software development project, you know the drill: deadlines are tight, features are piling up, and the pressure to “just ship it” is immense. In the past, security often took a backseat to functionality, treated as something

Let’s be honest, outsourcing development is a massive part of modern business. Whether you are a startup needing an MVP or an enterprise scaling up operations, handing over coding to an external team saves time and money. But it also introduces a significant risk: loss of control. That is exactly where ISO 27001:2022 Annex A

Mastering ISO 27001 Annex A 8.31: How to Separate Your Environments Effectively If you have ever accidentally deleted a live database because you thought you were on the staging server, you already know why ISO 27001:2022 Annex A 8.31 exists. It is one of those controls that sounds purely technical, but it saves organisations from

ISO 27001:2022 Annex A 8.32 Change Management Explained Let’s be honest, change is inevitable. Whether you’re upgrading a server, rolling out a new software feature, or just tweaking a firewall rule, things change in business all the time. But in the world of information security, change is also one of the biggest risks. If you

ISO 27001:2022 Annex A 8.33: A Guide to Securing Test Information If you have ever been involved in a software development project, you know the drill. You need to test the new feature, but creating fake data from scratch is a pain. So, what happens? Someone exports a chunk of the live database, drops it

If there is one irony in information security, it is this: the very process designed to find weaknesses in your systems—audit testing—can sometimes be the thing that breaks them. We have all heard horror stories of a vulnerability scan that accidentally flooded a network or a penetration test that knocked a critical database offline during

ISO 27001 Annex A 8.7 is about protection against malware, which means when you think about protection against harmful software (malware), you should look at the whole picture, not just using antivirus programmes. Antivirus software is certainly important, but you also need to think about a few other things. What is ISO 27001 Annex A

ISO 27001 Annex A 8.6 is about capacity management, which means a company should watch how resources are used and change them to meet the needs you have now and the needs you expect to have later. What is ISO 27001 Annex A 8.6? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October

ISO 27001 Annex A 8.5 is about secure authentication, which means you must have a system to handle how people authenticate based on access restrictions and the access control policy. What Is Secure Authentication? Authentication means you prove your identity. We need to be certain that you are the person asking for access. Authentication is the

ISO 27001 Annex A 8.4 is the rule about access to source code, which means a company must have a system to control access to source code, development tools and software libraries. What is ISO 27001 Annex A 8.4? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022

ISO 27001 Annex A 8.3 is about information access restriction, which means you must have a system to handle to restrict who can access information and IT systems. What Is Information Access Restriction? The best way to keep your information safe is by using access control and limits on who can see data. Its main

ISO 27001 Annex A 8.2 is about privileged access rights, which means a company must restrict access to privileged accounts and manage them. What are Privileged Access Rights? There are users that will be granted privileged access such as administer (admin) accounts, super user accounts, global admin accounts and even service accounts. ISO 27001 Privileged

ISO 27001 Annex A 8.1 is about User End Point Device Security. This rule says that an organisation must create and follow rules to control devices you use to connect to your systems and data. What is User End Point Device Security? Endpoint devices are the equipment you use to do your job, and you must

ISO 27001 Annex A 7.14 is a simple rule. You must safely get rid of old equipment. If you reuse equipment, you must wipe all data first. Make sure the data cannot be brought back. This rule focuses on how you get rid of or reuse your hardware. You must protect the data on the

ISO 27001 Annex A 7.13 is about maintaining your equipment following all guidance. This keeps it working and keeps your data private and safe. The main idea for this control is simple: You should maintain equipment as the maker suggests. This stops equipment from breaking or getting damaged. Equipment maintenance means you must care for

ISO 27001 Annex A 7.12 Cabling Security is a simple way to protect your vital cables. This control helps you make sure nobody damages or interferes with your cables. It also stops people from using your cables to intercept your private communications. Both power and data cables can be easily damaged or tapped into. To

ISO 27001 Annex A 7.11 is a simple control. It asks you to check important services like power and internet. You need to plan what you will do if these services fail. This ISO 27001 control helps keep you safe from a break in your utilities, such as power or water. What is ISO 27001

ISO 27001 Annex A 7.10 is about the full life of your storage media. You must manage media from its first use to its final destruction based on how sensitive the information is. ISO 27001 Annex A 7.10 protects your storage media from harm. What is ISO 27001 Annex A 7.10? The latest version of

ISO 27001 Annex A 7.9 is about protecting your assets when they are outside your normal work area to prevent loss, damage, theft or compromise of off-site devices and interruption to the organisations operations. What is ISO 27001 Annex A 7.9? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In

ISO 27001 Annex A 7.8 is an important control. This rule helps you protect your equipment by placing it in a secure spot. The main goal of this ISO 27001 control is to ensure your equipment is safe where you put it. You must check that your equipment is protected right where it sits. What

ISO 27001 Annex A control 7.7 is called Clear Desk and Clear Screen. This rule asks you to keep all information safe on desks, screens, and other open spots. This control focuses on keeping items secure when the workday ends. You must lock away all private documents after working hours. What is ISO 27001 Annex

ISO 27001 Annex A 7.6 is a control about working in secure areas. You need to set rules for security when you work in these special places. This control focuses on your secure areas. As part of ISO 27001, this stops the people who work there from causing harm or making unauthorised changes. What is

ISO 27001 Annex A 7.5 asks you to protect your business from physical threats. This rule means you must guard against both natural and physical dangers. This is one of the controls that helps you limit harm. It works to cut damage from things you cannot plan for or control. What is ISO 27001 Annex

ISO 27001 Annex A 7.4 is a control about physical security. You need a security border for your offices and work areas. The main goal is to watch for people trying to get in without permission. This control helps you catch people who should not enter if they manage to do so. What is ISO

ISO 27001 Annex A 7.3 is a about how you to protect your offices, rooms, and facilities. You must use physical security. This control focuses on physical access. It is about letting the right people enter. They can then do their work easily. It keeps out anyone you do not want to access these areas.

ISO 27001 Annex A 7.2, called Physical Entry, is a rule that asks you to protect secure areas. You must use clear access points and entry controls for these areas. This rule helps you keep people who are not approved out of secure parts of your buildings. What is ISO 27001 Annex A 7.2? The

ISO 27001 Annex A 7.1 is a control about physical security. It asks you to set up a security perimeter to protect your offices and work areas. This control helps you stop unwanted people from getting inside your buildings. What is ISO 27001 Annex A 7.1? The latest version of the ISO 27001 standard is ISO/IEC

ISO 27001 Annex A 6.7 is about working remotely, which is when you do your job from a place that isn’t the main office. This might be your house, a cafe, or another spot that has good internet. The rule says you must put security steps in place when you work far away from the

ISO 27001 Annex A 6.6 is about a Confidentiality Agreement or Non-Disclosure Agreement (NDA). This is a legal document that stops you or your company from sharing secret information with other people. You often use this kind of agreement in business, during hiring, and in other times when you need to give someone sensitive information.

ISO 27001 Annex A 6.5 asks you to make sure that security duties are still valid even after an employee stops working for you. You need to have these duties clearly stated, shared with people, and enforced. This term is generally a requirement in the contract that explains what you expect an employee to do when they leave the company or when they move

ISO 27001 Annex A 6.4 the Disciplinary Process, asks you to have a way to take action against people who break your rules. This means you need a procedure for addressing anyone who goes against your information security policy, any related policies, or your standard work procedures. Your disciplinary process should be a clear, step-by-step

ISO 27001 Annex A 6.3 deals with Information Security Awareness, Education, and Training. This control requires you to teach people about information security. This includes everything from general security awareness training and education to giving regular updates on your information security policy, any specific policies you have on certain topics, and all your security procedures.

For the ISO 27001 control Annex A 6.2, called Terms and Conditions Of Employment, you need to ensure your organization has agreements with employees. These agreements define your information security responsibilities. Terms of Employment are the specific conditions and agreements that establish the relationship between you as the employee and the employer. Usually, these terms explain the

ISO 27001 Annex A 6.1 is about employee screening and performing background checks on people both before you hire them and while they are working for you. What is ISO 27001 Annex A 6.1? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “Screening”. What is the ISO

You need to document your processes and procedures to meet the requirements of ISO 27001 Annex A 5.37. A documented operating procedure in ISO 27001 is simply a written guide that tells you exactly how to do a task securely. Think of it as a set of instructions for a particular process. This makes sure

You need to follow the policies, rules, and standards you have set for information security, as this is required by ISO 27001 Annex A 5.36. You must make sure that you are compliant with your information security policy, as well as any specific policies, rules, and standards you have created. You should also check these

ISO 27001 Annex A 5.35 is about how a company should independently review its information security management system to ensure it is effective, meeting it’s objectives and operating as intended. What is ISO 27001 Annex A 5.35? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard

ISO 27001 Annex A 5.34 is a control that asks you to look after personal data. This control is called “Privacy and Protection of Personally Identifiable Information.” It means you must find and then meet all the rules for this type of data. These rules include laws, things you agree to in contracts, and official

ISO 27001 Annex A 5.33, called Protection of Records, is a rule that asks you to keep records safe. You must protect your records based on rules from the law, government, and contracts. You also need to meet what society and the community expect. This means you must keep your records from being accessed by

ISO 27001 Annex A 5.32 is about Intellectual Property Rights. That means you need to know and follow the rules about intellectual property that come from outside your organisation. You should put these rules into practice. These rules are things like laws, government regulations, and agreements you have made about intellectual property. The standard covers

ISO 27001 Annex A 5.31 Legal, Statutory, Regulatory and Contractual Requirements, asks you to know what outside rules and laws apply to your information security and then make sure you follow them. It specifically deals with the legal and contract rules that tell you exactly how you should handle and use information security. What is

This rule is about ICT Readiness for Business Continuity, which means the IT team having business continuity planned, implemented and tested. What is ISO 27001 Annex A 5.30? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “ICT Readiness For Business Continuity”. What

This rule is about ensuring that information security is maintained during a disruption, outage or business continuity event. What is ISO 27001 Annex A 5.29? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “Information Security During Disruption”. What is the ISO 27001

This rule is about collection of evidence, which means a company must have a system to handle the the collection and management of evidence from information security events. What is ISO 27001 Annex A 5.28? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is

This rule is about learning from information security incidents so that they do not happen again and so that information security is improved. What is ISO 27001 Annex A 5.27? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “Learning From Information Security

This rule is about responding to information security incidents, which means a company must have a system to respond to information security incidents and events. What is ISO 27001 Annex A 5.26? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “Response

This rule is about assessing incidents and then deciding if they are an information security incident and prioritising them for action. What is ISO 27001 Annex A 5.25? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “Assessment And Decision On Information Security

This rule is about information security incident management, which means a company must have a system and people to handle the information security incidents. What is ISO 27001 Annex A 5.24? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is titled “Information Security Incident

This rule is about cloud supplier management, which means a company must have a system to handle the information security risks of its third party cloud systems, products and services. What is ISO 27001 Annex A 5.23? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the

This rule is about ICT supplier management, which means a company must have a system to handle the management of its third party IT systems, products and services. What is ISO 27001 Annex A 5.22? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the control is

This rule is about ICT supplier management, which means a company must have a system to handle the information security risks of its third party IT systems, products and services. What is ISO 27001 Annex A 5.21? The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022). In the ISO/IEC 27001:2022 Standard the

ISO 27001 Annex A 5.20 is a simple rule. It says that your business must create and agree upon information security rules with all your suppliers. What Does This Mean? This rule is about putting a legal plan in place. This plan is often a formal contract, a business agreement, or set of terms. This

The ISO 27001 Annex A 5.19 rule is about managing information security when working with other companies (suppliers). This rule requires your business to handle the security risks that come from using products and services provided by these suppliers. In short, it helps you keep your supply chain secure. Suppliers are one of your biggest

Access Rights are the permissions that tell a system exactly what you are allowed to do. Think of it like a key card for a building: your card might let you into the office floor, but not the server room. This rule is about making sure everyone is given only the specific rights they need

Think of Authentication Information as the special keys you use to prove you are who you say you are when you access systems or data. This rule is all about managing and protecting those keys, things like your passwords, PINs, biometric data (like your fingerprint), or security tokens. Essentially, it makes sure you have a

This rule is about identity management, which means a company must have a system to handle who and what can access its information and IT systems. It covers the entire life of an identity, from when it’s created until it’s deleted. What Is Identity Management? Identity management is a way to make sure that only the

ISO 27001 Annex A 5.15 is about Access Control. This rule says that an organisation must create and follow rules to control who can access information and other assets. This is based on what the business needs and what is required for security. The main goal is to let authorised people in and keep unauthorised people

This rule is about information transfer that says a company must have policies, plans, or agreements to make sure information is transferred safely. This includes all types of transfers, both inside the company and with other groups. What is Information Transfer? Information transfer is usually defined as the process of sending data or knowledge between

ISO 27001 Annex A 5.13 is all about labelling information. This rule is a key part of your security plan. It makes sure that important data is clearly marked. This helps people know how to handle and share it safely. It also helps computers handle data the right way. What is labelling of information? Information

ISO 27001 Annex A 5.12 is about how a company should classify its information. This means sorting information into groups based on how important and sensitive it is. By doing this, a company can make sure it protects its most important data the right way. What Is Information Classification? Information classification is a way to

The ISO 27001 Annex A 5.11 rule says that people must return all company items when they leave a job. This includes employees and outside workers. The main goal is to keep company information safe. It makes sure that no one keeps things they should not have. What to Return An asset is anything that

ISO 27001 Annex A 5.10 is about making rules for how people can use a company’s information and other assets. The goal is to make sure that these items are used safely and correctly. This helps keep data private, correct, and available. What is ISO 27001 Annex A 5.10? The latest version of the ISO

ISO 27001 Annex A 5.9 is about making a list of a company’s information and other important items. This list is a key part of keeping data safe. The rule says that a list of information and other assets, along with their owners, must be made and kept up to date. What is ISO 27001

ISO 27001 Annex A 5.8 is about making sure that security is a part of how you manage projects. This rule helps you handle security risks during a project, from the very beginning to the very end. The main idea is that security should be built into your projects, not just added on at the

ISO 27001 Annex A 5.7 is about threat intelligence. This is a new control in the 2022 update to the standard. It asks organizations to collect and study information about security threats. The goal is to be proactive and take action to stop threats before they cause harm. What Is Threat Intelligence? Threat intelligence is the

ISO 27001 Annex A 5.6 is a rule about a company staying in touch with outside groups that care about information security. This helps the company get new knowledge and stay up to date. What is Contact With Special Interest Groups? This rule asks a company to connect with special interest groups, like security forums or

ISO 27001 Annex A 5.5 is about a company keeping in touch with important authorities. The main goal is to make sure information about security flows the right way between the company and groups like law enforcement or government bodies. This helps a company stay safe and follow the law. What is ISO 27001 Annex

ISO 27001 Annex A 5.4 is about a company’s leadership making sure everyone follows information security rules. This rule is part of a larger system called the Information Security Management System (ISMS). It makes sure that people know what they are supposed to do to keep data safe. What Is Management Responsibilities? Management has to

ISO 27001 Annex A 5.3 is about separating duties. This means you divide up tasks and jobs so no one person has total control over a key process. This helps keep things safe by adding checks and balances. What is Segregation of Duties? The main reason to separate duties is to reduce the chance of fraud, mistakes,

ISO 27001 Annex A 5.2 is about setting clear rules for who does what to keep data safe. This means giving everyone a job and a duty for information security. It helps to make sure that the right tasks are done by the right people. What is ISO 27001 Annex A 5.2? The latest version

ISO 27001 Annex A 5.1 is about policies for keeping information safe. A policy is a written rule that tells people what to do. This part of the standard says that a company must have a main information security policy and other specific policies. What is ISO 27001 Annex A 5.1? The latest version of