ISO 27001 Bootcamp Part 2: Understanding Annex A Controls


Welcome to the second installment of Tugboat Logic’s ISO 27001 Bootcamp series. In part 1, we covered mandatory clauses, one of two parts of the framework. In part 2, we examine the second part—Annex A controls.

Tugboat’s Director of InfoSec Risk and Compliance, Jitendra Juthani, recently led a webinar on Annex A controls, and we share the highlights here.


3 Basics to Know About Annex A Controls

Annex A controls are critical to the ISO 27001 audit process and the focus of the Statement of Applicability (SoA). It’s worth noting that the SoA is one of the most important documents you must submit to the auditor. Here are some basics that are important to know.

1. There are 114 security controls in total. These controls can be physical (locks, gates, etc.), technical (firewalls, encryption, etc.), or administrative (e.g., employee security training or off-boarding processes).

2. Controls are grouped into 14 domains, each covering a specific aspect of the organization’s security posture. (See the chart below for a list of all 14 domains and the number of controls per domain.) Each domain has specific objectives and contains several controls that satisfy those objectives. These are the 14 domains against which the auditor will evaluate your organization’s security capabilities.

3. You must include all 114 controls in the SoA. For each control, you need to state whether it applies to your organization and justify that decision, and for each applicable control, you need to provide a statement explaining how you have implemented it in your environment.

[Figure: horizontal bar chart showing the number of Annex A controls in each of the 14 domains]

How to Create an Audit-ready SoA

The SoA document is central to the audit process. Your auditor will use it to evaluate the state of your information security processes, tools and technologies. 

So, what does an audit-ready SoA look like? Here are some of the key considerations.

Format. If you are using a compliance management platform, you will gather SoA materials inside the platform and grant the auditor access when the work is complete. If you’re not using a compliance management platform, the SoA will usually be submitted as an Excel file, along with any supporting documents.

Contents. The SoA must include a policy statement for each of the 14 domains. Each policy statement defines your approach to security in that domain and provides a 30,000-foot view of it. In other words, how do you plan to ensure security in this business area? 

You also need to identify whether each of the controls across the 14 domains applies to your organization and include your justification for that decision. (See the example below.)

Proof. You’ll need to provide evidence that shows how you support this specific aspect of security within your organization for every applicable control. This proof may include policy documents, records, and direct access to the tools and technologies that reinforce security.  

The documentation doesn’t need to be exhaustive. It just needs to be a representative sample that shows the auditor how you control this aspect of the business. For example, take the “screening” control in the Annex A.7 (Human Resource Security) domain. In this case, you could share:

  • A few job descriptions to show that you have formal, detailed descriptions on file
  • A policy document that outlines your process for communicating job requirements to new employees
  • A sample written acknowledgment that each employee signs to confirm that they have received and understood the information

(Note that you will want to redact or omit confidential information and personally identifying data from any documentation you provide to the auditor.) 

Versioning. The audit documents you submit need to include some form of numbering or version control. When the auditor issues your ISO 27001 certificate, that certification is tied to a specific version of the documents you submitted. This version becomes the point of reference for any future audits.

Quality assurance. The SoA and supporting documents also need to record who reviewed the information and when it was reviewed, so that the auditor can see that it has been through an internal quality management process.

[Figure: example justifications for and against three Annex A controls]

>>> To watch part two of the full ISO 27001 bootcamp webinar, click here.


Advantages of a Platform for Collecting Annex A Controls 

A compliance management platform isn’t mandatory, but it can offer advantages over a spreadsheet when it comes to creating the SoA. Here are some of the top advantages of a technology-supported audit process.

Version control. Spreadsheets don’t lend themselves to versioning. The versioning process can quickly spin out of control as different people across the organization contribute and collaborate. A platform automatically saves and numbers new versions of each file as it moves from one person to another and records that chain of custody. Because versioning is such a critical part of the process, the ability to track and control versions plays a big role in ensuring the success of the effort. 

Head starts. A platform like Tugboat Logic also helps you get a head start on the certification process. It does this by providing prompts and content suggestions that can be customized for your organization. Rather than having to develop policy language, domain policies, and control justification and implementation statements from scratch, you can customize the best-practice content provided in the platform. 

A platform also gives the organization a head start on future audit activity by creating an organized repository containing all the policies, applicability decisions, and documented proof that the auditor will need you to resubmit annually. Instead of sifting through inboxes and folders to re-assemble the audit materials a year later, the organization can log into the platform to review, update, and share information with the auditor. 

Reminders. A compliance platform keeps the audit process on track by issuing automated reminders about risks that were identified during the project scoping process but remain unaddressed, so that nothing falls through the cracks. 

Evidence-gathering. Collecting the right evidence to prove that you support each applicable control is time-consuming. Thankfully, a compliance platform can help.

Instead of emailing each piece of evidence to the auditor, you can attach them directly to the relevant control. These controls, in turn, are linked to specific risks that the organization identified during the ISO 27001 scoping process so that all the interrelated elements are connected and easier to navigate.

In some cases, the platform will automate evidence collection entirely. For example, Tugboat Logic’s onboarding/off-boarding module tracks the different access levels for every employee across all company applications. It also automatically creates a record that is linked to the relevant control and shared with the auditor. Demonstrating this type of access control using a spreadsheet, in contrast, would be a headache. You’d have to export user lists, send them to application owners for review and confirmation, and collect confirmed documentation in permissioned folders. Finally, you’d share those permissioned folders via email. 


Get More Details and Examples for Annex A Controls 

As a high-profile global security benchmark, ISO 27001 is a rewarding endeavour. Achieving a level of preparedness and knowledge at the outset can make all the difference to the experience. Get even more practical insights into Annex A controls and the ISO 27001 process, plus a deep dive into three critical domain areas—Human Resource Security, Access Control, and Supplier Relationships—by tuning in to this ISO Bootcamp webinar on-demand.


Need Help With ISO 27001?

If you’re looking at kickstarting an ISO 27001 project, we can help. Feel free to get in touch and one of our audit pros will provide you with the guidance you need to take that essential first step. We also automate ISO 27001 compliance, so if you’d like to seriously reduce the level of effort that’s involved, take a look at what we offer here.