Understanding the Controls in ISO 27001: An Overview of Organizational, People, Physical, and Technological Controls

Introduction

ISO 27001 provides a comprehensive set of controls, grouped in Annex A, that organizations can implement to secure their information assets. These controls can be broadly categorized into four areas: Organizational, People, Physical, and Technological. Understanding these controls is key to implementing a robust and effective Information Security Management System (ISMS). A total of 93 controls as available for the organizations to consider and implement.

Organizational Controls

Organizational controls focus on the strategic and operational practices that an organization needs to have in place. These involve policies, procedures, and structures designed to provide a foundation for the information security management effort.

Under ISO 27001, this involves the following areas:

• Information Security Policies : This section involves establishing high-level information security directives, their review process, and their dissemination within the organization.
• Organization of Information Security : This includes defining roles and responsibilities, establishing contacts with authorities and special interest groups, and setting up policies for mobile device and telework.
• Supplier Relationships: This pertains to managing third-party relationships to ensure the organization’s information remains secure when dealing with suppliers.

People Controls

People controls focus on ensuring that employees and other users understand their responsibilities and perform their tasks in a manner that maintains security.

In ISO 27001, these controls include:

• Human Resource Security: This involves responsibilities that should be defined and communicated with employees and contractors, and the training required before employment and when leaving or changing roles.
• Access Control: This involves setting up user access management, defining user responsibilities, and setting up system and application access control policies.

Physical Controls

Physical controls are designed to protect the organization’s physical environment and prevent unauthorized access to information.

Under ISO 27001, these controls fall under:

• Physical and Environmental Security: This involves defining secure areas, setting up equipment security, and protecting against threats from the environment.

Technological Controls

Technological controls involve the use of technology to protect information and systems, and to support the organization’s information security objectives.

In ISO 27001, these controls are outlined in several areas, including:

• Cryptography: This involves establishing policies for the use and protection of cryptographic keys.
• Operations Security: This involves setting operational procedures, malware protection, backup, logging and monitoring, managing technical vulnerabilities, and defining audit considerations.
• Communications Security: This involves setting up network security, managing information transfer, and segregating networks.
• System Acquisition, Development, and Maintenance: This includes setting requirements for information systems, maintaining security in development and support processes, and managing test data.

Conclusion

A robust ISMS requires a balanced mix of these controls. While technological solutions often receive the most attention, it’s crucial not to overlook the importance of organizational, people, and physical controls. An organization needs to understand its unique context and risk environment to select and implement the most appropriate controls from the ISO 27001 standard. With the effective application of these controls, organizations can ensure the confidentiality, integrity, and availability of their information assets.