Annex A-Overview  and short description




Overview of the ISO 27001 Annex A
Annex A of ISO 27001 is an essential operating procedure for managing security. It provides guidelines of security controls to be used to improve information security. As you can see from the list below, ISO 27001 is not fully focused on IT, while IT is very important, IT on its own cannot protect information. Instead, there is requirement of Physical security, HR management, organisational issues and legal protection, along with IT are required to secure the information. A useful way to understand Annex A is to think of it as a catalogue of security controls – based on the gap analysis and  risk assessments, auditor  should then select the ones that are applicable to the  organisation and tie into your statement of applicability.


Annex A.5 – Information Security Policies
Annex A.5.1 is about management direction for information security. The objective of this Annex is to manage direction and support for information security in line with the organisation’s requirements.
Annex A.5.2 is about review of policies. The policies must be also reviewed and updated on a regular basis.  ISO considers ‘regular’ to be at least annually, which can be hard work if you are manually managing that many reviews and also dovetailing it with the independent review as part of A.18.2.1. 

READ MORE --https://covid19guide2020.blogspot.com/2020/05/cyber-threats-are-on-rise-as-more.html

Annex A.6 – Organisation of Information Security
Annex A.6.1 is about internal organisation and within the stake-holders for making and executing the IS policies. The objective in this Annex A area is to establish a management framework to initiate and control the implementation and operation of information security within the organisation. 
Annex A.6.2 is about mobile devices and teleworking. The objective in this Annex A area is to establish a management framework to ensure the security of teleworking and use of mobile devices .BYOD can also be considered.
Annex A.7 – Human Resource Security
Annex A.7.1 is about prior to employment. The objective in this Annex is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
Annex A.7.2 – the objective in this Annex is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.  During On-board, the new joiner should be provided proper IS induction.
Annex A.7.3 is about termination and change of employment. The objective in this Annex is to protect the organisation’s interests as part of the process of changing and terminating employment. 
Annex A.8 – Asset Management
Annex A.8.1 is about responsibility of assets. The objective in the Annex is to identity information assets in scope for the management system and define appropriate protection responsibilities. 
Annex A.8.2 is about information classification. The objective in this Annex is to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation (and interested parties such as customers). 
Annex A.8.3 is about media handling. The objective in this Annex is to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
Annex A.9 – Access Control
Annex A.9.1 is about access control of the organisation. The objective in this Annex is to provide limited access to information and information processing facilities. 
Annex A.9.2 is about user access management. The objective in this Annex A control is to ensure users are authorised to access systems and services as well as prevent unauthorised access. 
Annex A.9.3 is about user responsibilities. The objective of this Annex A control is to make users accountable for safeguarding their authentication information. 
Annex A.9.4 is about system and application access control. The objective in this Annex is to prevent unauthorised access to systems and applications. 
Annex A.10 – Cryptography
Annex A.10.1 is about Cryptographic controls. The objective of this Annex is to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. 
Annex A.11 – Physical & Environmental Security
Annex A.11.1 is about ensuring secure physical and environmental areas. The objective of this Annex is to check and prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities. 
Annex A.11.2 is about equipment. The objective in this Annex control is to prevent loss, damage and theft or compromise of assets and interruption to the organisation’s operations. 
Annex A.12 – Operations Security
Annex A.12.1 is about operational procedures and responsibilities. The objective of this Annex A area is to ensure correct and secure operations of information processing facilities. 
Annex A.12.2 is about protection from malware. The objective here is to ensure that information and information processing facilities are protected against malware. 
Annex A.12.3 is about backup. The objective here is to protect against loss of data. 
Annex A.12.4 is about logging and monitoring. The objective in this Annex A area is to record events and generate evidence. 
Annex A.12.5 is about control of operational software. The objective in this Annex A area is to ensure the integrity of operational systems. 
Annex A.12.6 is about technical vulnerability management. The objective in this Annex A control is to prevent exploitation of technical vulnerabilities. 
Annex A.12.7 is about information systems and audit considerations. The objective in this Annex A area is to minimise the impact of audit activities on operational systems. 
Annex A.13 – Communications Security
Annex A.13.1 is about network security management. The objective in this Annex is to ensure the protection of information in networks and its supporting information processing facilities. 
Annex A.13.2 is about information transfer. The objective in this Annex is to maintain the security of information transferred within the organisation and with any external entity, e.g. a customer, supplier or other interested party. 
Annex A.14 – System Acquisition, Development & Maintenance
Annex A.14.1 is about security requirements of information systems. The objective in this Annex area is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. 
Annex A.15 – Supplier Relationships
Annex A.15.1 is about information security in supplier relationships. The objective here is protection of the organisation’s valuable assets that are accessible to or affected by suppliers. 
Annex A.15.2 is about supplier service development management. The objective in this Annex A control is to ensure that an agreed level of information security and service delivery is maintained in line with supplier agreements. 
Annex A.16 – Information Security Incident Management
Annex A.16.1 is about management of information security incidents, events and weaknesses. The objective in this Annex area is to ensure a consistent and effective approach to the lifecycle of incidents, events and weaknesses. 
Annex A.17 – Information Security Aspects of Business Continuity Management
Annex A.17.1 is about information security continuity. The objective in this Annex A control is that information security continuity shall be embedded in the organisation’s business continuity management systems.
Annex A.17.2 is about redundancies. The objective in this Annex A control is to ensure availability of information processing facilities. 
Annex A.18 – Compliance
Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.