How Many Controls Are There In ISO 27001

by Alex .

ISO 27001, the internationally recognized standard for information security management systems (ISMS), is a comprehensive framework designed to help organizations establish, implement, maintain, and continually improve their information security practices. At its core, ISO 27001 aims to safeguard sensitive information, ensure data confidentiality, integrity, and availability, and mitigate risks related to information security breaches.

ISO 27001

Central to ISO 27001 are its controls, which serve as essential building blocks for achieving these goals. The ISO 27001 standard, in its previous iteration (ISO 27001:2013), included a total of 114 controls that were distributed across 14 distinct control domains. These domains collectively encompass various facets of information security management, ensuring a holistic and systematic approach to safeguarding organizational assets.

1. Information Security Policies (A.5): This domain emphasizes the establishment of a coherent set of information security policies and processes that provide a foundation for the organization's overall security strategy. It outlines the need for policies that align with business objectives and legal requirements while addressing roles, responsibilities, and management commitment.

2. Organization of Information Security (A.6): Focusing on the internal structure and responsibilities within the organization, this domain emphasizes the importance of clear roles and responsibilities related to information security. It also highlights the need for effective communication and coordination among stakeholders.

3. Human Resource Security (A.7): This domain underscores the significance of addressing security concerns related to personnel. It covers areas such as employee screening, training, awareness, and the management of employee responsibilities during various stages of their employment.

ISO 27001

 4. Asset Management (A.8): Within this domain, the focus is on identifying, classifying, and managing information assets throughout their lifecycle. This involves understanding the value of assets, implementing appropriate safeguards, and ensuring proper disposal when assets are no longer needed.

5. Access Control (A.9): Access control measures, both physical and logical, are critical to preventing unauthorized access to information and systems. This domain covers aspects like user authentication, authorization, and monitoring access activities.

6. Cryptography (A.10): The use of cryptographic mechanisms to protect data confidentiality, integrity, and authenticity is highlighted in this domain. It underscores the importance of encryption and other cryptographic techniques in securing sensitive information.

7. Physical and Environmental Security (A.11): This domain addresses the physical security of organizational premises, equipment, and facilities. It includes controls related to securing physical access, protecting against threats like theft and environmental hazards, and ensuring business continuity.

8. Operations Security (A.12): Focusing on secure operational practices, this domain covers areas such as secure system development, change management, and operational procedures. It emphasizes the importance of minimizing security vulnerabilities in day-to-day operations.

9. Communications Security (A.13): Secure communication channels and networks are essential for protecting data during transmission. This domain outlines controls to ensure the confidentiality and integrity of data exchanged between parties.

10. System Acquisition, Development, and Maintenance (A.14): Throughout the lifecycle of information systems, security considerations are crucial. This domain provides controls for secure system development, testing, and maintenance, ensuring that security is embedded in the process.

11. Supplier Relationships (A.15): Organizations often rely on external suppliers and partners. This domain addresses the need to manage the security aspects of these relationships, including assessing and monitoring suppliers' security practices.

12. Information Security Incident Management (A.16): Incidents are inevitable in the world of information security. This domain focuses on preparing for and responding to incidents effectively, minimizing their impact, and preventing their recurrence.

13. Information Security Aspects of Business Continuity Management (A.17): Business continuity planning integrates information security considerations to ensure the organization can respond to disruptions and maintain essential functions.

14. Compliance (A.18): Finally, compliance with relevant laws, regulations, and internal policies is paramount. This domain outlines controls for ensuring adherence to legal and regulatory requirements while also addressing compliance-related risks.

ISO 27001

These 14 domains collectively provide a robust framework for organizations to assess, manage, and improve their information security posture. The 114 controls specified in ISO 27001:2013 offer detailed guidance on how to implement best practices within each domain, enabling organizations to tailor their information security efforts to their specific needs, risk appetite, and operational context.

The Vital Purpose of ISO 27001 Controls in Information Security

The controls within ISO 27001 serve as a structured framework essential for the comprehensive protection of sensitive information and the maintenance of robust information security management systems (ISMS). These controls are meticulously designed to address a spectrum of potential risks and vulnerabilities that could compromise an organization's data integrity, availability, and confidentiality.

By implementing these controls, organizations aim to mitigate risks, ensure compliance with legal and regulatory mandates, protect critical assets, and foster a culture of trust among stakeholders. These controls offer a standardized approach, facilitating audits, assessments, and continuous improvement. Spanning diverse domains such as access control, cryptography, and incident response, ISO 27001 controls allow organizations to tailor their ISMS to their unique risks and operational requirements. Ultimately, the purpose of these controls is to fortify information security, minimize disruptions, and ensure the longevity of an organization's operations in an ever-evolving digital landscape.

Categorization of Controls in ISO 27001: Safeguarding Information Security

ISO 27001 categorizes controls into 14 domains, each addressing distinct aspects of information security. These domains provide a systematic framework for organizations to establish a robust Information Security Management System (ISMS). The categories encompass a comprehensive range of security measures, ensuring a holistic approach to safeguarding sensitive information.

The domains cover a wide spectrum of security considerations, including risk assessment and treatment, security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, and business continuity management.

By organizing controls into these domains, ISO 27001 enables organizations to methodically address security challenges while tailoring their ISMS to their specific needs. This categorization ensures that critical areas of information security are systematically assessed and fortified, fostering a comprehensive and resilient approach to protecting valuable data assets.


ISO 27001's comprehensive framework and set of controls provide organizations with a structured approach to information security management. By implementing these controls across the 14 domains, organizations can proactively protect their information assets, ensure regulatory compliance, and maintain the trust of stakeholders in an increasingly digital and interconnected world.

ISO 27001