
How many controls does ISO 27001 have?

written by Maria Camila Arévalo, On November 23, 2022


ISO 27001 is focused on data assurance, confidentiality and integrity, as well as on the systems responsible for managing information security. 

This international standard was created to provide a model for establishing, implementing, monitoring, reviewing and maintaining an information security management system (ISMS).

The information security management process presented in this standard encourages its users to emphasize the importance of:

  • Understanding the organization's information security requirements and the need to establish a policy and objectives for information security.
  • Implementing and operating controls to manage information security risks.
  • Monitoring and reviewing the performance and effectiveness of the ISMS.
  • Continually improving the ISMS based on measurement against its objectives.

It must be taken into account that the ISO 27001 standard includes Annex A, which is normative and therefore essential to implement. Annex A contains everything related to the information security controls, which are fundamental because they help protect the information of companies; putting them into practice is mandatory.

ISO 27001 controls

Annex A of this standard contains a total of 114 security controls. Each organization must choose which ones best apply to its needs, and it is important to understand that the controls are not limited to the technology area: they also involve departments such as human resources, finance, communications, among others.

This number dates from the 2013 revision of the standard. The 2005 edition contained a total of 133 controls; the 2013 revision also eliminated the requirement for preventive actions, as well as the requirement to document certain procedures.

The 114 controls of ISO 27001 are divided into 14 sections:

  • Information security policies.
  • Information security organization.
  • Human resources security.
  • Asset management.
  • Access controls.
  • Cryptography - Encryption and key management.
  • Physical and environmental security.
  • Operational security.
  • Communications security.
  • System acquisition, development and maintenance.
  • Supplier relationships.
  • Information security incident management.
  • Information security aspects of business continuity management.
  • Compliance.

With a technological solution such as Pirani and its information security module, companies can comply with ISO 27001, a certifiable standard. For example, with this module you can easily manage the organization's information assets, know their level of criticality, and manage the risks and incidents to which those assets are exposed when information security is not performed adequately.

What should you take into account to implement these controls?

Which controls are mandatory depends on their applicability to each organization. Those in charge of information security are the ones who must define which controls will be implemented to ensure data protection.

It is essential to provide training on this standard in order to establish the appropriate controls for managing information security.

Additionally, the ISO 27001 standard requires more than selecting security controls, so it is necessary to carry out the following actions:

  • Define responsibilities for managing controls.
  • Measure and monitor the effectiveness of controls.
  • Implement corrective actions when failures in the controls are detected, so as to ensure the achievement of the proposed objectives.

Therefore, attention to Annex A and adequate training on the standard are essential to establish the relevant security controls.
