
ISO/IEC 27001:2013 clauses

ISO 27001 has ten management system clauses. Together with the control set in Annex A (which lists 114 controls), they support the implementation and maintenance of an ISMS, as shown in the infographic below.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context: Internal and external issues that may be relevant to the business and to the achievement of the objectives of the ISMS. Includes confirming interested parties and scope.
  5. Leadership: How top management will support the ISMS by creating roles and measures to implement and monitor it. Includes developing an information security policy aligned to business objectives.
  6. Planning and risk management: How the organization creates actions to address risks. Includes setting information security objectives.
  7. Support: Securing the right resources, the right people and the right infrastructure to manage and maintain the ISMS.
  8. Operations: How the plans and processes will be executed, including documentation that needs to be produced.
  9. Performance evaluation: How the organization will monitor, measure, analyze and evaluate the ISMS.
  10. Improvement: Corrective action and continual improvement requirements.

ISO/IEC 27001:2013 controls

The Standard doesn’t mandate that all 114 controls be implemented. Instead, the risk assessment should define which controls are required, and a justification should be provided for why the other controls are excluded from the ISMS. Some of these controls may not be relevant to you, in which case you can say so in a required document called the Statement of Applicability.

Below is the list of control sets.

  • 5 Information security policies: to make sure that policies are written and reviewed in line with the overall direction of the organization’s information security practices.
  • 6 Organization of information security: controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking.
  • 7 Human resource security: controls prior to employment, during employment, and after employment.
  • 8 Asset management: controls related to the inventory of assets and acceptable use; also for information classification and media handling.
  • 9 Access control: controls for the management of access rights of users, systems and applications, and for the management of user responsibilities.
  • 10 Cryptography: controls related to encryption and key management.
  • 11 Physical and environmental security: controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, Clear Desk and Clear Screen Policy, etc.
  • 12 Operations security: controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
  • 13 Communications security: controls related to network security, segregation, network services, transfer of information, messaging, etc.
  • 14 System acquisition, development and maintenance: controls defining security requirements, and security in development and support processes.
  • 15 Supplier relationships: controls on what to include in agreements, and how to monitor the suppliers.
  • 16 Information security incident management: controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence.
  • 17 Information security aspects of business continuity management: controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy.
  • 18 Compliance: controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security.

Contact Us

cybercomply provides a range of ISO 27001 Consultancy Services, from ISO27001 Gap Analysis through on-site ISO 27001 Certification Audit Support. Our ISO 27001 Consultants work collaboratively with you throughout the entire ISO 27001 certification process.

We also provide a variety of ongoing Managed ISMS services to our successfully certified clients, often participating in Information Security Risk Assessments, supporting Internal ISMS Audits, external visits and other activities.

Get in touch with one of our ISO 27001 experts and let us know what your business needs.
