ISO/IEC 27001:2013 Annex A Question Set

By : 6clicks
This download includes the ISO 27001 Annex A control set and mapped questions that you can use to internally audit your organisation. ISO 27001 (ISO/IEC 27001:2013) Annex A defines 114 controls for consideration in the implementation of your industry standard ISMS.
In stock


This download includes the ISO 27001 Annex A control set and mapped questions that you can use to internally audit your organisation.

ISO 27001 (ISO/IEC 27001:2013) is the international standard that provides the specification for an information security management system (ISMS). The latest version was published in October 2013.

This standard has been licensed from Standards Australian License No. CL 12206cl for use internally in the 6clicks platform only. This content is made available on a view only basis for the purpose of linking to questions (in an Assessment) and controls (in a Control Set). Use or reproduction of this content outside of the 6clicks platform must be in accordance with your own Standards Australia Licence.

The Standard is designed to help organisations manage their information security processes in line with international best practice while optimising costs. It is technology and vendor neutral and is applicable to all organisations - irrespective of their size, type or nature.

The Standard takes a risk-based approach to information security, requiring organisations to identify threats to their organisation and select appropriate controls to tackle them.

Those controls are outlined in Annex A of the Standard. There are 114 in total, divided into 14 different categories, which are summarised below.

  • A.5 - Information security policies (2 controls): how policies are written and reviewed.
  • A.6 - Organisation of information security (7 controls): the assignment of responsibilities for specific tasks.
  • A.7 - Human resource security (6 controls): ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
  • A.8 - Asset management (10 controls): identifying information assets and defining appropriate protection responsibilities.
  • A.9 - Access control (14 controls): ensuring that employees can only view information that’s relevant to their job role.
  • A.10 - Cryptography (2 controls): the encryption and key management of sensitive information.
  • A.11 - Physical and environmental security (15 controls): securing the organization’s premises and equipment.
  • A.12 - Operations security (14 controls): ensuring that information processing facilities are secure.
  • A.13 - Communications security (7 controls): how to protect the information in networks.
  • A.14 - System acquisition, development, and maintenance (13 controls): ensuring that information security is a central part of the organization’s systems.
  • A.15 - Supplier relationships (5 controls): the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
  • A.16 - Information security incident management (7 controls): how to report disruptions and breaches, and who is responsible for certain activities.
  • A.17 - Information security aspects of business continuity management (4 controls): how to address business disruptions.
  • A.18 - Compliance (8 controls): how to identify the laws and regulations that apply to your organization.

Getting Started

Click "Book a demo" and our team will provide you with an overview of our content library within the 6clicks GRC platform.

More Information

More Information
Jurisdiction All
Type Assessment, Control