How Many Controls are in ISO 27001?

by Sneha Naskar

ISO 27001 is a globally recognized information security management standard that provides a systematic approach for organizations to establish, implement, maintain, and continually improve an information security management system (ISMS). Annex A of the standard lists a set of reference controls that organizations select from during risk treatment. In the Annex A structure described below, these controls are grouped into 14 sections, each addressing a specific aspect of information security, for a total of 114 controls in ISO 27001.

How Many Controls are in ISO 27001?

Here's a breakdown of the 14 sections and the number of controls in each section:

  • Information Security Policies (2 controls): This section includes controls related to defining and maintaining information security policies, procedures, and guidelines within the organization.
  • Organization of Information Security (7 controls): This section focuses on controls related to the management of information security responsibilities, roles, and accountability.
  • Human Resource Security (6 controls): These controls are designed to ensure that employees and other personnel understand their roles and responsibilities in relation to information security.
  • Asset Management (10 controls): Controls in this section address the management of organizational assets, including information, hardware, software, and physical assets.
  • Access Control (14 controls): This section deals with controls that restrict and manage access to information systems and data.
  • Cryptography (2 controls): These controls pertain to the use of cryptographic techniques to protect sensitive information.
  • Physical and Environmental Security (15 controls): Controls here focus on securing the physical premises and equipment that house information systems.
  • Operations Security (14 controls): This section addresses controls related to the ongoing operation and management of information systems.
  • Communications Security (13 controls): Controls in this section are aimed at securing information during its transmission over networks.
  • System Acquisition, Development, and Maintenance (13 controls): These controls help ensure that information security is integrated into the development and maintenance of information systems.
  • Supplier Relationships (5 controls): This section emphasizes the importance of managing security risks associated with third-party suppliers.
  • Information Security Incident Management (7 controls): Controls in this section outline the process for managing and responding to information security incidents.
  • Information Security Aspects of Business Continuity Management (4 controls): This section addresses how to ensure the continuity of critical business processes in the event of a security incident.
  • Compliance (8 controls): These controls focus on ensuring that the organization complies with relevant laws, regulations, and contractual agreements related to information security.

In summary, ISO 27001 consists of 14 sections with a total of 114 controls. These controls provide a comprehensive framework for organizations to establish and maintain effective information security practices, helping them protect their sensitive information and reduce the risks associated with information security threats. Implementing these controls can also enhance an organization's overall cybersecurity posture and demonstrate its commitment to information security to stakeholders.
