Security Controls in ISO 27001 by Type and Function

by Poorva Dange

Introduction

Information security has become one of the most emphasized concerns in modern business because the cyber threat landscape keeps changing. Organizations of every size and sector adopt security frameworks to protect sensitive data, meet legal obligations, and build trust with clients and stakeholders. ISO/IEC 27001 is one of the most widely recognized standards for information security management, and its 2022 revision sharpens and modernizes the control set for today's risk environment. Understanding the controls by type and function, with practical examples, helps organizations achieve compliance while building resilience against cyber threats.

ISO/IEC 27001:2022 Controls: Structure and Categories

ISO/IEC 27001:2022 Annex A lists 93 controls, consolidated and reorganized from the 114 controls in 14 domains of the 2013 edition. The controls are grouped into four themes that reflect current thinking on information security management:

  • Organizational controls (37 controls)

  • People controls (8 controls)

  • Physical controls (14 controls)

  • Technological controls (34 controls)

The revised themes help organizations map controls onto how they actually operate while keeping the standard's risk-based rigour.

Security Control Types by Function

A notable feature of the 2022 revision is that every control carries attributes, one of which is "control type", describing the function the control performs (the attributes are defined in the companion guidance, ISO/IEC 27002:2022). The three control type values are preventive, detective, and corrective, and a single control may carry more than one of them.

  • Preventive: Controls that stop a security incident before it occurs.

  • Detective: Controls that identify a security incident while it is occurring or after it has occurred.

  • Corrective: Controls that address an incident after it has occurred and restore normal operation.

Used together, the three types give the information security management system (ISMS) coverage before, during and after an incident: defense in advance, timely detection, and rapid recovery.

1) Preventive Controls: Objective and Examples

Preventive controls form the backbone of an organization's defenses: they aim to stop threats outright or reduce the probability of an incident.

Key Features

  • Reduce the attack surface.

  • Put secure policies and procedures in place before incidents occur.

Preventive Control Examples in ISO/IEC 27001:2022

  • A.5.1: Policies for information security: Define consistent, enforceable security expectations across the organization.

  • A.5.9: Inventory of information and other associated assets: Every asset is identified and has an owner, so it can be protected against loss or unauthorized access.

  • A.5.12: Classification of information: Information is classified by sensitivity so that handling requirements follow it and unauthorized disclosure is prevented.

  • A.5.15: Access control: Access to information and other associated assets is limited to authorized users.

  • A.5.17: Authentication information: Passwords, keys and tokens are allocated and managed securely to prevent unauthorized access.

  • A.5.23: Information security for use of cloud services: Specifies how cloud services are acquired, used, managed and exited securely.

Implementation Guidance for Preventive Controls

  • State clear, organization-wide security policies and make sure they are communicated.

  • Use tooling to automate access provisioning, periodic review and revocation.

  • Train employees periodically on secure practices.
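As an added illustration of the second point above (not code from the original article), the script below performs the kind of automated access review A.5.15 calls for: it compares each account's actual entitlements with a least-privilege baseline for its role and flags privilege creep, dormant accounts and accounts with no named owner. The role matrix and account inventory are constructed sample data, and the field names are assumptions about what an IAM export would provide.

```python
"""Automated access review supporting A.5.15 (access control).

Added example, not code from the article. ROLE_ENTITLEMENTS and ACCOUNTS are
constructed sample data; the field names assume an IAM export that reports
each account's role, granted entitlements, last login and named owner.
"""
from datetime import date

# Least-privilege baseline: the entitlements each business role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "developer": {"git:write", "ci:read"},
    "finance": {"erp:read", "erp:post"},
    "sysadmin": {"git:write", "ci:admin", "prod:ssh"},
}

# Constructed account inventory. bob has picked up prod:ssh outside his role,
# carol has not logged in for months, svc-build has no accountable owner.
ACCOUNTS = [
    {"user": "alice", "role": "developer", "entitlements": {"git:write", "ci:read"},
     "last_login": "2024-05-30", "owner": "alice"},
    {"user": "bob", "role": "developer", "entitlements": {"git:write", "ci:read", "prod:ssh"},
     "last_login": "2024-06-01", "owner": "bob"},
    {"user": "carol", "role": "finance", "entitlements": {"erp:read", "erp:post"},
     "last_login": "2024-01-10", "owner": "carol"},
    {"user": "svc-build", "role": "sysadmin", "entitlements": {"ci:admin"},
     "last_login": "2024-06-02", "owner": None},
]


def review_access(accounts, role_entitlements, today, dormant_days=90):
    """Return (user, finding, detail) tuples.

    excess_privilege: entitlements beyond the role baseline (an unknown role
    has an empty baseline, so all of its entitlements are reported).
    dormant: no login for more than dormant_days.
    no_owner: nobody is accountable for the account.
    """
    findings = []
    for acct in accounts:
        allowed = role_entitlements.get(acct["role"], set())
        excess = set(acct["entitlements"]) - allowed
        if excess:
            findings.append((acct["user"], "excess_privilege", sorted(excess)))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((acct["user"], "dormant", idle))
        if not acct["owner"]:
            findings.append((acct["user"], "no_owner", None))
    return findings


def run_review(today_iso="2024-06-03"):
    """Run the review as of a fixed date so the result is reproducible."""
    return review_access(ACCOUNTS, ROLE_ENTITLEMENTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, finding, detail in run_review():
        print(f"{user:10} {finding:17} {detail}")
```

Each finding is a ticket for the account owner or, where there is none, for the system owner; the review is only preventive if the excess entitlements are actually revoked and the baseline itself is kept under change control.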


2) Detective Controls: Purpose and Examples

Detective controls discover security events that have bypassed the preventive layer. They are crucial for early detection and for limiting the impact of a threat.

Key Features

  • Provide visibility into systems and user actions.

  • Enable real-time monitoring and alerting. 

ISO/IEC 27001:2022 Detective Control Examples

  • A.8.16: Monitoring activities: Networks, systems and applications are monitored for anomalous behaviour so that suspected incidents are evaluated promptly.

  • A.7.4: Physical security monitoring: Sensitive premises are continuously monitored, for example by surveillance or access logs, for unauthorized physical access.

  • A.5.28: Collection of evidence: Evidence of security events is identified, collected and preserved so it is usable for investigation and legal action.

  • A.6.8: Information security event reporting: Personnel can report observed or suspected events promptly through appropriate channels, speeding up detection.

Implementation Guidance for Detective Controls

  • Deploy and regularly update intrusion detection systems (IDS).

  • Implement a security information and event management (SIEM) solution.

  • Review audit logs frequently for anomalies or signs of compromise.
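As an added example of the last point (constructed sample data, not code from the original article), the script below parses sshd-style syslog lines and applies two simple detections in support of A.8.16: a sliding-window count of failed logins per source address, and an alert when that same address then authenticates successfully. The year, threshold, window and log format are assumptions; a production SIEM rule would tune them to the environment.

```python
"""Detection over SSH authentication logs, supporting A.8.16 (monitoring activities).

Added example, not code from the article. SAMPLE_LOG is constructed in
syslog/sshd format; the year, threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a password-guessing burst that succeeds, and a benign
# single typo from another address.
SAMPLE_LOG = """\
Jun  3 08:01:10 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun  3 08:01:12 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun  3 08:01:13 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun  3 08:01:15 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jun  3 08:01:18 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jun  3 08:01:25 bastion sshd[2211]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Jun  3 08:05:40 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40222 ssh2
Jun  3 08:06:02 bastion sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40224 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(log_text, year=2024):
    """Turn sshd log lines into (timestamp, ip, user, result) tuples.
    syslog lines carry no year, so one is supplied (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not authentication results are ignored here
        stamp = " ".join(m["ts"].split())  # collapse the double space before single-digit days
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect(events, threshold=5, window_s=60):
    """Two rules per source address:
    brute_force: at least `threshold` failures inside a `window_s`-second sliding window;
    success_after_bruteforce: a later successful login from an address already flagged."""
    recent_failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for ts, ip, user, result in sorted(events):
        if result == "Failed":
            window = recent_failures[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:  # drop failures older than the window
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user, ts.isoformat()))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user, ts.isoformat()))
    return alerts


def run_detection():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(*alert)
```

The second rule is the one worth paging on: a burst of failures is noise on any internet-facing host, but a success from the same address immediately afterwards is the signal that a credential was guessed and the corrective process should start.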

3) Corrective Controls: Purpose and Examples

Corrective controls help organizations recover from security incidents and prevent recurrence. They focus on minimizing damage and restoring normal operations.

Key Features

  • Enable swift containment, eradication and restoration.

  • Support post-incident analysis and continuous improvement. 

ISO/IEC 27001:2022 Corrective Control Examples

  • A.5.26: Response to information security incidents: Incidents are handled according to documented procedures covering containment, eradication and recovery.

  • A.5.27: Learning from information security incidents: Knowledge gained from incidents is used to strengthen and improve the ISMS.

  • A.8.10: Information deletion: Information that is no longer required, including data exposed during an incident, is deleted from systems, devices and storage so it cannot be leaked again.

  • A.8.13: Information backup: Backup copies of information, software and systems are maintained and regularly tested so services can be restored to their pre-incident state.

  • A.8.8: Management of technical vulnerabilities: The vulnerability the incident exploited is identified and patched so the same attack path is closed.

Implementation Guidance for Corrective Controls

  • Develop, document, and regularly test incident response plans.

  • Ensure backup and recovery processes are robust and validate them frequently with test restores.

  • After any security incident, conduct root cause analysis and update controls accordingly.
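The second point, validating backups, as an added example (not code from the original article): a SHA-256 manifest is produced at backup time, and a test restore is checked against it, reporting tampered, missing and unexpected files. The backup set here is an in-memory stand-in for real files, constructed for the example.

```python
"""Backup integrity manifest and restore verification, supporting A.8.13 (information backup).

Added example, not code from the article. BACKUP_SET is a constructed
in-memory stand-in for the files a backup job would copy.
"""
import hashlib


def build_manifest(files):
    """Map each path to the SHA-256 hex digest of its contents at backup time.
    Store the manifest separately from the backup media so a tampered backup
    cannot also rewrite its own manifest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(manifest, restored):
    """Compare a restored file set against the manifest.
    Returns a sorted list of (path, problem); an empty list means the restore is clean."""
    problems = []
    for path, digest in manifest.items():
        if path not in restored:
            problems.append((path, "missing"))
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            problems.append((path, "hash_mismatch"))
    for path in restored:
        if path not in manifest:
            problems.append((path, "unexpected"))
    return sorted(problems)


# Constructed backup set: a config file, a small database and an audit log.
BACKUP_SET = {
    "etc/app/config.yaml": b"db_host: db.internal\nlog_level: info\n",
    "var/app/customers.db": b"\x00\x01sqlite-sample",
    "var/app/audit.log": b"2024-06-03T08:01:25Z login root from 203.0.113.7\n",
}


def run_restore_test():
    """Simulate a bad restore: one file tampered, one missing, one extra."""
    manifest = build_manifest(BACKUP_SET)
    restored = dict(BACKUP_SET)
    restored["var/app/customers.db"] = b"\x00\x01sqlite-tampered"
    del restored["var/app/audit.log"]
    restored["tmp/restore.lock"] = b""
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    for path, problem in run_restore_test():
        print(f"{problem:14} {path}")
```

A restore test that only checks the job exit code proves nothing about the data; comparing digests against a manifest kept off the backup media is what turns "we have backups" into evidence that the pre-incident state can actually be rebuilt.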

Control Integration for a Resilient ISMS

A resilient ISMS built on ISO/IEC 27001:2022 depends on balance. Preventive, detective and corrective controls form layers; none should be relied on by itself. Integrating them involves the following:

  • A thorough risk assessment drives the selection of an appropriate mix of controls.

  • Controls are reviewed and updated regularly to keep pace with changing threats and business needs.

  • The rationale for including or excluding each control, its implementation status and its results are documented in the Statement of Applicability (SoA).

Conclusion

Understanding and implementing security controls by the type and function defined in ISO/IEC 27001:2022 is one of the most critical factors in building an ISMS fit for present-day risks. Preventive controls protect the organization by stopping attacks before they happen; detective controls identify a problem as it develops; and corrective controls restore operations in a timely manner and feed the lessons of the incident back into processes. Organizations that integrate the three effectively achieve compliance and, beyond that, strengthen their posture against today's constantly changing threat environment.