Annex A of ISO/IEC 27001:2013 lists 114 security controls.
These controls serve as a reference catalogue for organizations establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Asking which controls are "major" is the wrong question: none of the 114 is inherently more important than the others. Which controls apply, and with what priority, is decided by the organization's own risk assessment and documented in its Statement of Applicability, so a control that is critical for one organization may be justifiably excluded by another. Note that the 2022 revision of the standard restructured Annex A into 93 controls grouped under four themes (organizational, people, physical, technological); the 114-control breakdown below is the 2013 structure.
The 114 controls are organized into the following 14 control sets (the count of controls in each set is given in parentheses):
- A.5 Information security policies (2): Management direction for information security, i.e. defining, approving, publishing and reviewing the policies.
- A.6 Organization of information security (7): Internal organization (roles and responsibilities, segregation of duties, contact with authorities, security in project management) plus mobile devices and teleworking.
- A.7 Human resource security (6): Security obligations prior to employment (screening, terms and conditions), during employment (awareness and training, disciplinary process) and on termination or change of employment.
- A.8 Asset management (10): Inventory and ownership of information assets, information classification and labelling, and handling of removable media.
- A.9 Access control (14): Business requirements for access control, user access management (provisioning, privileged access, credential management, review and removal of rights), user responsibilities, and system and application access control such as secure log-on and password management.
- A.10 Cryptography (2): A policy on the use of cryptographic controls and the management of cryptographic keys.
- A.11 Physical and environmental security (15): Secure areas (perimeters, entry controls, protection against environmental threats) and equipment (siting, supporting utilities, cabling, maintenance, secure disposal, clear desk and clear screen).
- A.12 Operations security (14): Operational procedures and change management, protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management, and audit considerations.
- A.13 Communications security (7): Network security management (network controls, segregation) and information transfer (transfer policies, electronic messaging, confidentiality agreements).
- A.14 System acquisition, development, and maintenance (13): Security requirements of information systems, security in the development and support processes (secure development policy, change control, security testing), and protection of test data.
- A.15 Supplier relationships (5): Information security in supplier agreements and monitoring and review of supplier service delivery.
- A.16 Information security incident management (7): Responsibilities and procedures for reporting events and weaknesses, assessing and responding to incidents, learning from them, and collecting evidence.
- A.17 Information security aspects of business continuity management (4): Planning, implementing and verifying information security continuity, and redundancy of information processing facilities.
- A.18 Compliance (8): Compliance with legal and contractual requirements (applicable legislation, intellectual property, records, privacy, cryptography regulation) and independent reviews of information security.
It's crucial to remember that simply implementing these controls isn't enough to achieve ISO 27001 certification. Certification is assessed against the mandatory requirements in clauses 4 to 10 of the main standard (context, leadership, planning, support, operation, performance evaluation, improvement); Annex A is the reference set of controls that those clauses require the organization to consider. The standard takes a risk-based approach: the organization must identify and assess its information security risks, select controls that treat those risks, record in the Statement of Applicability which Annex A controls are included or excluded and why, and then demonstrate through monitoring, internal audit and management review that the ISMS is operated and continually improved.