After answering the question “What is ISO 27001?”, you might want to know more about ISO 27001 controls and objectives. These are listed in Annex A of the standard, where you can find 133 controls and 39 control objectives. For those of you who don’t know, a control is a measure to deal with an unwanted event. For example, let’s say the organisation has very sensitive information on a salesman’s laptop. They consider the risk of a data breach unacceptable, so they implement cryptographic controls (for instance full-disk encryption). This way, if a storage medium is lost (e.g. the notebook’s hard drive), the data on it still has a layer of protection: the loss of the device does not automatically become a disclosure, with the front-page headlines and fines that follow.
The control objectives and their corresponding controls are grouped in 11 sections (clauses A.5 to A.15):
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
These “super-objectives” are not focused entirely on information technology systems. One of the most dangerous misconceptions is that information security deals only with IT systems. Consequently, it is often believed that the IT department is the only one responsible for protecting the information. The most serious consequence of this mistake is that non-digital information is neglected. This is completely wrong, as information “lives” in a much wider range of “containers”: it can be held on paper, spoken during conversations and so on. ISO 27001 controls aim to address all of these aspects. It is also worth mentioning that no individual Annex A control is mandatory in itself; which ones you apply follows from your risk assessment, although (as explained below) every control you leave out has to be justified.
What are ISO 27001 controls good for?
The answer to this question should be obvious. Information security is achieved by employing a series of measures, and these controls include policies, processes and procedures. After completing an information risk assessment, you need to select the appropriate controls. The selection is most probably unique, as it applies only to your organisation. To complicate things further, after the implementation of the controls you need to monitor, review and, where possible, fine-tune the security measures. Over time you might decide to implement more of them or discard some.
Most organisations already have some measures in place. So, in practice, a gap analysis is often carried out to determine which controls still need to be implemented for ISO 27001. There is no way you can achieve certification without addressing all the ISO 27001 controls: each one is either implemented or, if not, excluded with a justification of why it is not applicable, and this record is what the standard calls the Statement of Applicability.