Scribd Logo
Upload

Welcome to Scribd!

  • What Are The Annex A Controls?

    Uploaded by

    Sonya
    27 views3 pages

    Original Title

    Annex A Controls

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    27 views3 pages

    What Are The Annex A Controls?

    Uploaded by

    Sonya

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    What Are The Annex A Controls?

    Annex A.5 – Information Security Policies


    Annex A.5.1 is about management direction for information security. The objective of this
    Annex is to manage direction and support for information security in line with the
    organisation’s requirements.

    Annex A.6 – Organisation of Information Security


    Annex A.6.1 is about internal organisation. The objective in this Annex A area is to establish
    a management framework to initiate and control the implementation and operation of
    information security within the organisation.
    Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is
    to establish a management framework to ensure the security of teleworking and use of mobile
    devices.

    Annex A.7 – Human Resource Security


    Annex A.7.1 is about prior to employment. The objective in this Annex is to ensure that
    employees and contractors understand their responsibilities and are suitable for the roles for
    which they are considered.
    Annex A.7.2 – the objective in this Annex is to ensure that employees and contractors are
    aware of and fulfil their information security responsibilities during employment.
    Annex A.7.3 is about termination and change of employment. The objective in this Annex is
    to protect the organisation’s interests as part of the process of changing and terminating
    employment.

    Annex A.8 – Asset Management


    Annex A.8.1 is about responsibility of assets. The objective in the Annex is to
    identity information assets in scope for the management system and define appropriate
    protection responsibilities.
    Annex A.8.2 is about information classification. The objective in this Annex is to ensure that
    information receives an appropriate level of protection in accordance with its importance to
    the organisation (and interested parties such as customers).
    Annex A.8.3 is about media handling. The objective in this Annex is to prevent unauthorised
    disclosure, modification, removal or destruction of information stored on media.

    Annex A.9 – Access Control


    Annex A.9.1 is about the business requirements of access control. The objective in this
    Annex is to limit access to information and information processing facilities.
    Annex A.9.2 is about user access management. The objective in this Annex A control is to
    ensure users are authorised to access systems and services as well as prevent unauthorised
    access.
    Annex A.9.3 is about user responsibilities. The objective of this Annex A control is to make
    users accountable for safeguarding their authentication information.
    Annex A.9.4 is about system and application access control. The objective in this Annex is to
    prevent unauthorised access to systems and applications.

    Hit your ISO 27001 deadline.


    Get your quote

    Annex A.10  – Cryptography


    Annex A.10.1 is about Cryptographic controls. The objective of this Annex is to ensure
    proper and effective use of cryptography to protect the confidentiality, authenticity and/or
    integrity of information.
     

    Annex A.11 – Physical & Environmental Security


    Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of
    this Annex is to prevent unauthorised physical access, damage and interference to the
    organisation’s information and information processing facilities.
    Annex A.11.2 is about equipment. The objective in this Annex control is to prevent loss,
    damage and theft or compromise of assets and interruption to the organisation’s operations.
     

    Annex A.12 – Operations Security


    Annex A.12.1 is about operational procedures and responsibilities. The objective of this
    Annex A area is to ensure correct and secure operations of information processing facilities.
    Annex A.12.2 is about protection from malware. The objective here is to ensure that
    information and information processing facilities are protected against malware.
    Annex A.12.3 is about backup. The objective here is to protect against loss of data.
    Annex A.12.4 is about logging and monitoring. The objective in this Annex A area is to
    record events and generate evidence.
    Annex A.12.5 is about control of operational software. The objective in this Annex A area is
    to ensure the integrity of operational systems.
    Annex A.12.6 is about technical vulnerability management. The objective in this Annex A
    control is to prevent exploitation of technical vulnerabilities.
    Annex A.12.7 is about information systems and audit considerations. The objective in this
    Annex A area is to minimise the impact of audit activities on operational systems.
     

    Annex A.13 – Communications Security


    Annex A.13.1 is about network security management. The objective in this Annex is to
    ensure the protection of information in networks and its supporting information processing
    facilities.
    Annex A.13.2 is about information transfer. The objective in this Annex is to maintain the
    security of information transferred within the organisation and with any external entity, e.g. a
    customer, supplier or other interested party.
     

    Annex A.14 – System Acquisition, Development & Maintenance


    Annex A.14.1 is about security requirements of information systems. The objective in this
    Annex area is to ensure that information security is an integral part of information systems
    across the entire lifecycle. This also includes the requirements for information systems which
    provide services over public networks.
     

    Annex A.15 – Supplier Relationships


    Annex A.15.1 is about information security in supplier relationships. The objective here is
    protection of the organisation’s valuable assets that are accessible to or affected by suppliers.
    Annex A.15.2 is about supplier service development management. The objective in this
    Annex A control is to ensure that an agreed level of information security and service delivery
    is maintained in line with supplier agreements.
     

    Annex A.16 – Information Security Incident Management


    Annex A.16.1 is about management of information security incidents, events and
    weaknesses. The objective in this Annex area is to ensure a consistent and effective approach
    to the lifecycle of incidents, events and weaknesses.

    Annex A.17 – Information Security Aspects of Business Continuity


    Management
    Annex A.17.1 is about information security continuity. The objective in this Annex A control
    is that information security continuity shall be embedded in the organisation’s business
    continuity management systems.
    Annex A.17.2 is about redundancies. The objective in this Annex A control is to ensure
    availability of information processing facilities.
     

    Annex A.18 – Compliance


    Annex A.18.1 is about compliance with legal and contractual requirements. The objective is
    to avoid breaches of legal, statutory, regulatory or contractual obligations related to
    information security and of any security requirements.

    You might also like