ISO 27001 Controls

Join us as we examine what ISO 27001 controls are all about and the steps your organization must take to achieve certification.

ISO 27001 is an international standard for information security. It helps organizations find security risks. Then, they can apply suitable controls to fix the risks. For SaaS providers, compliance for SaaS is crucial as it assures customers and stakeholders that their data is being secured with the highest security standard.

Adhering to ISO 27001 can help with SaaS compliance. It aligns with most legal and contract rules. If your organization is seeking certification or recertification, you must ensure your controls work. Your information security management system (ISMS) must meet ISO 27001 requirements.

This piece closely examines ISO 27001 controls to help you polish your ISMS and prepare for an audit.

What Are the ISO 27001 Requirements?

ISO 27001 requirements are a set of policies and procedures. An organization must implement and keep them to create a strong ISMS. You implement tailored compliance requirements. They fit your business and the scope of an audit. Here is a list of ISO 27001 requirements:

What Are the Six Key Security Areas Under ISO 27001?

The 2022 ISO 27001 standards have 14 domains, compared to the 2013's eleven domains. These domains are generally covered under six security areas. Let's take a look at the six key security areas under the ISO 27001 domains list:

Company Security Policy

The security policy is the cornerstone of an organization's ISMS. It outlines how management supports information security. The support follows business requirements and laws. Organizations should define the purpose of their security policies and their scope. They should regularly review and update the policies to stay relevant to the changing threats.

Asset Management

Asset management involves finding, sorting, and protecting information assets. It's to ensure they are well protected. It requires organizations to keep a list of information assets. These include hardware, software, and data. They must categorize them by importance and sensitivity. Organizations should also implement procedures for handling, storing, and disposing of assets securely.

Physical and Environmental Security

Security measures protect the organization's physical infrastructure and environment. They prevent unauthorized access, damage, and interference. It also involves establishing and protecting secure areas. These areas house critical information and systems and have asset controls.

Access Control

Access control ensures only authorized personnel have access. They can access information and systems based on their roles and responsibilities. Organizations must also create an access policy. It is for granting access, revoking it, and defining user privileges and duties.

Incident Management

Incident management involves finding, reporting, and responding to security incidents. The goal is to limit damage and ensure a quick recovery. It requires organizations to create incident response plans. The plans must cover how to report incidents and the procedures for responding and recovering.

Regulatory Compliance

Regulatory compliance ensures that the organization adheres to all applicable laws, regulations, and contractual obligations related to information security. It also requires organizations to find and write down all relevant legal, regulatory, and contract rules. They must also often check and judge their compliance.

How Many Controls Are in ISO 27001?

In ISO 27001, the controls are defined in "Annex A: controls and domains." The 2013 version outlined 114 ISO 27001 controls grouped into 14 domains. However, the ISO 27001: 2022 version reduced the controls to 93 following the merging, removal, and addition of some controls in the original version.

What Are the Major Controls of ISO 27001?

There are 14 major ISO 27001: 2013 controls stipulated in Annex A controls:

Information Security Policies

This control describes how the organization's leaders can give direction. They can also offer support toward strong information security through governance. It requires companies to implement policies. These are for employees, contractors, and other stakeholders. They must follow them to keep strong security and obey regulations.

Organization of Information Security

This sets up a framework for an organization's security. It covers both traditional and teleworking operations. It sets most of the responsibilities for infosec activities. It also reduces duties to cut risk.

Human Resource Security

This control focuses on human resources management before, during, and after employment. It focuses on the proactive steps to address employee-related security concerns, such as screening and running background checks on prospective employees and implementing clear terms of employment agreements.

Asset Management

This control focuses on measures for identifying and protecting an organization's technology and data assets. It also provides specific controls for managing assets. These include an inventory of assets, assigning of duties, and enforcing acceptable use of the assets.

Access Control

This provides several controls related to the management of user data access and system privileges. For instance, businesses must follow control policies. These policies enforce the principle of least privilege for networks and other vital assets.


This provides ways for groups to manage encryption. They do so to secure sensitive data. Organizations also need to enforce policies that require users to implement encryption and set minimum cryptographic standards.

Physical and Environmental Security

This control outlines measures to protect assets from unauthorized access and physical damage. It requires organizations to establish a physical perimeter with entry controls to secure all vital offices and facilities. The control also focuses on measures to protect physical assets from non-digital assets like natural disasters.

Operational Security

This requires organizations to make a system for documenting procedures. They must also make the procedures available. These procedures include change management. It controls changes to business processes, information facilities, and systems. It also mandates organizations to make controls. The controls must separate their development, testing, and operating environment. They must also include measures to back up data and protect it from malware.

Communications Security

This control is focused on strategies to manage network security. It requires firms to put in place a system. The system must identify, monitor, categorize, and control all access to digital resources. These resources include apps, data, and other critical network systems. It also addresses how organizations manage information security when communicating with external partners such as customers and suppliers.

System Acquisition, Development, and Maintenance

This is focused on the security of all systems and their lifecycles, from development support to test stages. It also mandates organizations to find their security needs. They must then make plans to secure apps on public networks and protect related transactions. Companies should create clear security policies. These policies should guide software development, change control, and technical reviews of apps. They should do so whenever changes happen to operating platforms.

Supplier Relationships

This provides a control mechanism to secure assets that third-party suppliers access. It requires organizations to develop policies to manage supplier relationships and security within agreements. Organizations should also consider and tackle risks associated with supply chains regarding managed technology systems.

Information Security Incident Management

This provides ways organizations can address cybersecurity incidents and breaches. It requires a company to stipulate responsibilities and specific incident response procedures. They should also provide reporting procedures in case of events and system vulnerabilities.

Information Security Aspects of Business Continuity Management

This provides procedures for companies to run their operations after an incident. It also requires businesses to document and implement clear business continuity plans that ensure data and resources are available whenever primary environments are closed down due to incidences.


This focuses on the management of all company legal and contractual security obligations. It requires businesses to identify the compliance requirements for information security specific to them. They should also establish their intellectual property rights and implement systems to safeguard records under their custody, such as personally identifiable information (PII). Also, it requires organizations to do internal evaluations. These evaluations guarantee compliance with internal security policies and procedures.

How Many Controls in ISO 27001: 2022

There are 93 controls in ISO 27001: 2022. As mentioned, the 2022 version merged, removed, and added some controls in the original 2013 standards. Here are the 11 new controls introduced by the ISO 27001: 2022 domains:

What Is the ISO 27001 Control Clause?

ISO 27001 control clauses are procedures that support the implementation and maintenance of ISMS. ISO 27001 provides ten management system clauses. They cover the scope, normative references, and terms. It stipulates the ISO 27001: 2022 controls list and the purpose of the certification, thus helping organizations gain a better understanding of their ISMS.

What Is the ISO 27001 Checklist?

An ISO 27001 checklist is a list of criteria that organizations must satisfy to achieve certification. The checklist also helps companies organize their efforts, identify compliance gaps, and ensure they are thoroughly prepared for the certification audit. Generally, the ISO 27001 PDF checklists outline key steps to help organizations prepare for certification and achieve compliance.

How to Pass the ISO 27001 Exam

Preparing for an ISO 27001 audit can be challenging. There are several factors and steps to demonstrate your expertise in implementing and managing the ISMS. Here are some tips to pass the ISO 27001 exam and achieve certification:

Understand ISO 27001

Take time to learn the ISO 27001 standard. Learn its requirements, structure, and terms. It's also important to study the official ISO documents. You can enroll in ISO 27001 training courses. Accredited training providers offer these. They will help you gain a deeper understanding.

Identify Gaps in Your Current Security

Conduct a gap analysis and compare your organization's current security measures against ISO 27001 requirements to identify areas of non-compliance. Additionally, keep detailed records of identified gaps and implement measures to address them.

Define the ISMS Scope

Clearly define the boundaries of your ISMS to determine the parts of your organization that will be covered. This may also require you to take into account the organization's context, internal and external issues, and interested parties.

Establish Management Framework

You should also define clear information security objectives aligned with your organization's overall goals and designate roles and responsibilities for ISMS implementation and maintenance. These objectives act as a yardstick to measure progress with your compliance efforts.

Conduct Risk Assessments

Determine potential threats and vulnerabilities to your information assets and evaluate the potential impact and likelihood of identified risks. Afterward, decide how to address each risk, including whether to mitigate, transfer, or avoid them.

Implement Controls

Next, choose appropriate controls from ISO 27001 Annex A and create comprehensive documentation for all implemented controls, policies, and procedures.

Train Employees

Provide ongoing training sessions to ensure all employees are aware of the ISMS, their roles, and the importance of information security. You should also consider providing specialized training for staff with specific ISMS responsibilities.

Monitors and Review Your ISMS

Continuously monitor the effectiveness of your ISMS and controls through regular reviews and performance metrics. You should also update your ISMS documentation and controls to suit any changes in the organization and the evolving threat landscape.

Undertake Internal Audit

There is also a need to conduct regular internal audits to ensure compliance with ISO 27001 requirements and determine the areas for improvement. An audit can help you develop and adhere to an internal audit schedule.

Complete External Certification Audit

Choose a reputable certification body to perform the external audit. The certification body can conduct a preliminary audit to review your ISMS documentation and readiness.

Meet the ISO 27001 Certification Cost

There is an ISO 27001 certification cost associated with your certification efforts. The cost includes training, consulting, implementation, and audit fees. It is imperative to plan for this cost early to ensure a seamless process. Additionally, ensure the necessary financial resources are allocated for maintaining and improving the ISMS over time.

Trava Can Help You Achieve ISO 27001 Certification

Certification to ISO 27001 demonstrates that your organization has implemented the best-practice information security processes that protect sensitive information. This step can also boost your organization's credibility and trust. It can give you a competitive edge in the marketplace. However, compliance with ISO 27001 can be challenging. The process requires familiarity with the standards, as well as diligent planning and committed implementation of all required controls.

If you need help to become ISO 27001, the experts at Trava are ready to assist. We provide tailored compliance and cybersecurity advisory solutions designed to protect your digital assets and help your organization achieve fast compliance with new regulations. Contact us today and allow us to guide you through your ISO 27001 compliance journey with expertise and a personal touch.


We can help!  Talk to the Trava Team and see how we can assist you with your cybersecurity needs.