ISO/IEC 27001:2022 Annex A
ISO/IEC 27001:2022 Annex A provides a reference set of generic information security controls including implementation guidance. The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed. This document is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.
This standard has been licensed from Standards Australia (Licence No. CL 12206cl) for use internally in the 6clicks platform only. This content is made available on a view-only basis for the purpose of linking to questions (in an Assessment) and controls (in a Control Set). Use or reproduction of this content outside of the 6clicks platform must be in accordance with your own Standards Australia Licence.
As a condition of use for the download of this particular marketplace item, we request that you hold your own suitable license from the relevant body for your use of this content.
The Standard takes a risk-based approach to information security, requiring organisations to identify threats to their organisation and select appropriate controls to tackle them.
The document is structured as follows:
5 Organizational controls
6 People controls
7 Physical controls
8 Technological controls
Each control in this document has been associated with five attributes with corresponding attribute values (preceded by "#" to make them searchable), as follows:
a) Control type:
Control type is an attribute to view controls from the perspective of when and how the control modifies the risk with regard to the occurrence of an information security incident. Attribute values consist of Preventive (the control that is intended to prevent the occurrence of an information security incident), Detective (the control acts when an information security incident occurs) and Corrective (the control acts after an information security incident occurs).
b) Information security properties:
Information security properties is an attribute to view controls from the perspective of which characteristic of information the control will contribute to preserving. Attribute values consist of Confidentiality, Integrity and Availability.
c) Cybersecurity concepts:
Cybersecurity concepts is an attribute to view controls from the perspective of the association of controls to cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110. Attribute values consist of Identify, Protect, Detect, Respond and Recover.
d) Operational capabilities:
Operational capabilities is an attribute to view controls from the practitioner’s perspective of information security capabilities. Attribute values consist of Governance, Asset_management, Information_protection, Human_resource_security, Physical_security, System_and_network_security, Application_security, Secure_configuration, Identity_and_access_management, Threat_and_vulnerability_management, Continuity, Supplier_relationships_security, Legal_and_compliance, Information_security_event_management and Information_security_assurance.
e) Security domains:
Security domains is an attribute to view controls from the perspective of four information security domains: “Governance and Ecosystem” includes “Information System Security Governance & Risk Management” and “Ecosystem cybersecurity management” (including internal and external stakeholders); “Protection” includes “IT Security Architecture”, “IT Security Administration”, “Identity and access management”, “IT Security Maintenance” and “Physical and environmental security”; “Defence” includes “Detection” and “Computer Security Incident Management”; “Resilience” includes “Continuity of operations” and “Crisis management”. Attribute values consist of Governance_and_Ecosystem, Protection, Defence and Resilience.
The attributes given in this document are selected because they are considered generic enough to be used by different types of organizations. Organizations can choose to disregard one or more of the attributes given in this document. They can also create attributes of their own (with the corresponding attribute values) to create their own organizational views.