ISO 27001 is an international standard for information security management systems (ISMS). While it doesn't specify exactly 114 controls, it does provide a framework for organizations to establish, implement, maintain, and continually improve their information security management system. Within ISO 27001, there are a set of control objectives and controls defined in Annex A, which consists of 114 individual controls grouped into 14 categories. These controls help organizations address various aspects of information security to protect their assets and sensitive information.
Here are the 14 categories of controls within ISO 27001 along with a brief description of each:
- Information Security Policies: Establishing and maintaining policies to manage information security within the organization.
- Organization of Information Security: Defining the roles and responsibilities for information security, including risk management and compliance.
- Human Resource Security: Ensuring that employees and contractors understand their security responsibilities and are adequately trained.
- Asset Management: Identifying and managing information assets and associated risks.
- Access Control: Controlling access to information systems to prevent unauthorized access.
- Cryptography: Protecting sensitive information using encryption and other cryptographic techniques.
- Physical and Environmental Security: Protecting the physical environment in which information systems are housed.
- Operations Security: Ensuring the secure operation of information processing facilities.
- Communications Security: Protecting the security of information during its transfer.
- System Acquisition, Development, and Maintenance: Ensuring that security is integrated into the development and maintenance of information systems.
- Supplier Relationships: Managing security in relationships with suppliers and third parties.
- Information Security Incident Management: Preparing for and responding to security incidents.
- Information Security Continuity Management: Ensuring the availability of critical information and information processing facilities.
- Compliance: Ensuring compliance with legal, regulatory, and contractual requirements.
Each of these categories contains a set of controls designed to address specific aspects of information security. Organizations can choose which controls are relevant to their specific context and implement them based on their risk assessment and security needs.
It's worth noting that ISO 27001 is a flexible standard, and organizations can tailor its implementation to their unique requirements. The number of controls implemented can vary depending on the organization's size, industry, and specific security concerns. The key is to establish a robust information security management system that effectively protects the confidentiality, integrity, and availability of sensitive information.