CLAUSES & CONTROLS

1. ISO 27001 comprises 114 security controls categorized into different functions.
These controls are set out across numerous clauses that define specific
requirements for an Information Security Management System (ISMS).

S NO   FUNCTION                 NO OF CONTROLS   ANNEX A
a.     Organizational Issues    24               A.5, A.6, A.8, A.15
b.     Human Resources          6                A.7
c.     Information Technology   61               A.9, A.10, A.12, A.13, A.14, A.16, A.17
d.     Physical Security        15               A.11
e.     Legal Issues             8                A.18

2. The aforementioned controls cover the technologies, policies, and processes an
organization uses to build and maintain its information security management system
(ISMS). All the controls are written in a way that allows different organizations and
businesses to meet ISO 27001 requirements in their own way.

3. Organizations, however, must compulsorily meet the requirements of Clauses
4-10 of ISO 27001 to claim compliance. In other words, organizations can achieve
certification to ISO 27001 only when they meet all the requirements in Clauses 4
through 10.

4. Organizations may select the controls that apply to them based on their risk
profile. However, they must document a valid reason why any controls do not apply
to the organization.

S NO   CLAUSE NO   FUNCTION
a.     4           Organization
b.     5           Leadership
c.     6           Planning
d.     7           Support
e.     8           Operation
f.     9           Performance Evaluation
g.     10          Improvement

5. The ISO 27001 controls list comprises 14 domains, each centered on specific
security functions within the organization.

S NO   DOMAIN                                                        NO OF CONTROLS   ANNEX
a.     Information Security Policies                                 2                A.5
b.     Organization of Information Security                          7                A.6
c.     Human Resources Security                                      6                A.7
d.     Asset Management                                              10               A.8
e.     Access Control                                                14               A.9
f.     Cryptography                                                  2                A.10
g.     Physical & Environmental Security                             15               A.11
h.     Operational Security                                          14               A.12
j.     Communications Security                                       7                A.13
k.     System Acquisition, Development & Maintenance                 13               A.14
l.     Supplier Relationships                                        5                A.15
m.     Information Security Incident Management                      7                A.16
n.     Information Security Aspects of Business Continuity Management 4               A.17
p.     Compliance                                                    5                A.18

RESPONSIBILITY FOR IMPLEMENTATION OF ANNEX A CONTROLS

6. While the Infosec Officer/team is responsible for spearheading the implementation
of controls and the organization's compliance with the ISO 27001 standard, the
fundamental responsibility for implementing the Annex A controls rests with all
employees. Employees are the first line of defense in a security attack; therefore,
it is a shared responsibility.

7. The role of management is also critical here. The entire process of ISO 27001
implementation therefore rests equally on management review and approval of policies
and procedures at every decisive step.