ISO 27001 is an international standard that provides a systematic approach to managing information security within an organization. It outlines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Within the framework of ISO 27001, there are a set of controls that organizations are required to consider and implement to ensure the confidentiality, integrity, and availability of their information assets. These controls are categorized into 14 domains, each addressing specific aspects of information security.
In total, there are 114 controls specified in ISO 27001.
- Information Security Policies (2 controls): These controls focus on defining and establishing information security policies, objectives, and responsibilities within the organization.
- Organization of Information Security (7 controls): These controls deal with aspects like defining roles and responsibilities, providing awareness and training, and managing human resources in relation to information security.
- Human Resource Security (6 controls): These controls aim to ensure that employees and contractors understand their information security responsibilities and that appropriate background checks are conducted.
- Asset Management (10 controls): Asset management controls cover the identification, classification, and protection of information assets, including hardware and software.
- Access Control (14 controls): Access control controls are crucial for ensuring that only authorized individuals can access and modify information systems and data.
- Cryptography (2 controls): These controls relate to the use of cryptography to protect sensitive information, such as encryption and key management.
- Physical and Environmental Security (15 controls): This domain addresses the physical protection of assets and the prevention of unauthorized access to physical facilities.
- Operations Security (14 controls): These controls deal with the secure operation of information processing facilities and systems, including backups, system maintenance, and incident management.
- Communications Security (13 controls): Communication security controls focus on securing network infrastructure, including email and remote access.
- System Acquisition, Development, and Maintenance (13 controls): These controls guide organizations in the secure development and maintenance of information systems.
- Supplier Relationships (5 controls): Supplier relationship controls ensure that third-party suppliers and contractors meet information security requirements.
- Information Security Incident Management (7 controls): These controls address the management and reporting of information security incidents and vulnerabilities.
- Information Security Continuity (4 controls): Ensuring business continuity and disaster recovery capabilities are the key focus of these controls.
- Compliance (8 controls): Compliance controls help organizations adhere to legal, regulatory, and contractual requirements related to information security.
It's important to note that ISO 27001 follows a risk-based approach, allowing organizations to tailor the implementation of controls to their specific needs and risk profiles. The selection and implementation of controls should be guided by a comprehensive risk assessment and the organization's objectives.
In summary, ISO 27001 specifies a total of 114 controls distributed across 14 domains, covering a wide range of aspects related to information security. Organizations use these controls as a framework to establish a robust Information Security Management System (ISMS) to protect their information assets and ensure the confidentiality, integrity, and availability of sensitive data.