ISO/IEC 27001:2022 Annex A Controls
International standard for information security management systems (ISMS). Annex A defines 93 reference controls across organizational, people, physical, and technological categories.
Policies for Information Security
An information security policy and topic-specific policies shall be defined, approved, communicated, and reviewed.
Privileged Access Rights
The allocation and use of privileged access rights shall be restricted and managed.
Configuration Management
Configurations, including security configurations, shall be established, documented, and maintained.
Use of Cryptography
Rules for the use of cryptography, including key management, shall be defined and implemented.
Secure Development Lifecycle
Rules for the secure development of software and systems shall be established and applied.
Application Security Requirements
Information security requirements shall be identified and specified when developing or acquiring applications.
Threat Intelligence
Information relating to information security threats shall be collected and analysed to produce threat intelligence relevant to the organisation.
Acceptable Use of Information and Other Associated Assets
Rules for the acceptable use of information and other associated assets shall be identified, documented, and implemented.
Access Control
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
Identity Management
The full life cycle of identities shall be managed.
Authentication Information
Allocation and management of authentication information shall be controlled by a management process; users shall be made aware of their responsibilities for protecting it.
Information Security in Supplier Relationships
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers' products or services.
Information Security for Use of Cloud Services
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements.
Information Security Incident Management Planning and Preparation
The organisation shall plan and prepare for managing information security incidents.
ICT Readiness for Business Continuity
ICT readiness shall be planned, implemented, maintained, and tested based on business continuity objectives.
Privacy and Protection of PII
The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of personally identifiable information (PII).
Compliance with Policies, Rules, and Standards
Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
Information Security Awareness, Education and Training
Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education, and training; regular updates of organisational policies and procedures shall be provided as relevant to their job function.
Remote Working
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organisation's premises.
Physical Entry
Secure areas shall be protected by appropriate entry controls and access points.
Storage Media
Storage media shall be managed through their life cycle of acquisition, use, transportation, and disposal in accordance with the organisation's classification scheme.
Equipment Maintenance
Equipment shall be maintained correctly to ensure the availability, integrity, and confidentiality of information.
Secure Authentication
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
Protection Against Malware
Protection against malware shall be implemented and supported by appropriate user awareness.
Management of Technical Vulnerabilities
Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evaluated, and appropriate measures shall be taken.
Information Deletion
Information stored in information systems, devices, or in any other storage media shall be deleted when no longer required.
Data Leakage Prevention
Data leakage prevention measures shall be applied to systems, networks, and any other devices that process, store, or transmit sensitive information.
Information Backup
Backup copies of information, software, and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Logging
Logs that record activities, exceptions, faults, and other relevant events shall be produced, stored, protected, and analysed.
Monitoring Activities
Networks, systems, and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Network Security
Networks and network devices shall be secured, managed, and controlled to protect information in systems and applications.
Segregation of Networks
Groups of information services, users, and information systems shall be segregated in the organisation's networks.
Web Filtering
Access to external websites shall be managed to reduce exposure to malicious content.
Secure Coding
Secure coding principles shall be applied to software development.
Outsourced Development
The organisation shall direct, monitor, and review the activities related to outsourced system development.
Change Management
Changes to information processing facilities and information systems shall be subject to change management procedures.