How many controls does ISO 27001 have?

ISO 27001 is focused on data assurance, confidentiality and integrity, as well as on the systems responsible for managing information security. 

This international standard was created to provide a model for establishing, implementing, monitoring, reviewing and maintaining an information security management system (ISMS).

One focus of the process for information security management presented in this standard is to encourage its users to emphasize the importance of:

• Understanding an organization's information security requirements and the need to establish a policy and objectives for this. 
• Implement and operate controls to manage information security risks. 
• Monitor and review the performance and effectiveness of the ISMS.
• Continuous improvement based on the measurement of the objective.

It must be taken into account that within the ISO 27001 standard there is annex A, which is essential to implement since it is the normative one and within it there is everything related to the information security controls, which are fundamental because they help in the protection of the information of the companies, in addition, putting them into practice is mandatory. 

ISO 27001 controls

In Annex A of this standard there are a total of 114 security controls. Each organization must choose which ones apply best to their needs and it is important to understand that it is not only limited to the technology area, but also involves departments such as human resources, financial security, communications, among others.

In 2013 this change was made, as previously in the 2005 standard there were a total of 133 controls and the standards for preventive actions were eliminated, as well as the requirement to document certain procedures.

The 114 controls of ISO 27001 are divided into 14 sections:

• Information security policies.
• Information security organization.
• Human resources security.
• Asset management.
• Access controls.
• Cryptography - Encryption and key management.
• Physical and environmental security.
• Operational security.
• Communications security.
• System acquisition, development and maintenance.
• Information security incident management.
• Compliance.

With a technological solution such as Pirani and its information security module, companies can comply with ISO 27001, a certifiable standard. For example, with this module you can manage in a simple way the information assets that the organization has, know their level of criticality and also manage the risks and incidents to which they are exposed by not performing an adequate information security.

What should you take into account to implement these controls?

The controls are mandatory depending on the applicability in each organization. Those in charge of information security are the ones who must define which ones are going to be implemented to ensure data protection.

The controls are mandatory depending on the applicability in each organization. Those in charge of information security are the ones who must define which ones are going to be implemented to ensure data protection.

It is essential to generate training on this standard in order to establish the appropriate controls in the management of information security.   

Additionally, the ISO 27001 standard requires something more about security controls, so it is necessary to carry out the following actions:

• Define responsibilities for managing controls.
• Measure and monitor the effectiveness of controls.
• Implement corrective actions when failures in the controls are detected, so as to ensure the achievement of the proposed objectives.

Therefore, attention to Annex A and adequate training on the standard are essential to establish the relevant security controls.