ISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
The current revision (ISO/IEC 27001:2022) lists 93 reference controls in Annex A, grouped into 4 themes:
🏛 1. Organisational Controls (37 controls)
Focus on governance, policies, roles, risk management, and operational structure.
Examples:
- A.5.1 – Policies for Information Security
- A.5.8 – Information Security in Project Management
- A.5.23 – Information Security for Use of Cloud Services
- A.5.19 – Information Security in Supplier Relationships (A.5.20–A.5.22 cover supplier agreements, the ICT supply chain, and monitoring of supplier services)
🛠 2. People Controls (8 controls)
Related to employee awareness, responsibilities, screening, and disciplinary actions.
Examples:
- A.6.1 – Screening
- A.6.3 – Information Security Awareness, Education and Training
- A.6.4 – Disciplinary Process
- A.6.5 – Responsibilities After Termination or Change of Employment
🖥 3. Physical Controls (14 controls)
Concerned with physical access, environmental security, equipment, and secure disposal.
Examples:
- A.7.1 – Physical Security Perimeters
- A.7.14 – Secure Disposal or Re-use of Equipment
- A.7.5 – Protecting Against Physical and Environmental Threats
🔐 4. Technological Controls (34 controls)
Controls around system access, network security, encryption, backups, monitoring, and endpoint protection.
Examples:
- A.8.1 – User Endpoint Devices
- A.8.5 – Secure Authentication (the handling of authentication information itself, such as passwords and keys, sits in organisational control A.5.17)
- A.8.15 – Logging, paired with A.8.16 – Monitoring Activities
- A.8.28 – Secure Coding
🧭 Mapping ISO 27001 Controls to Risk Management
Each control supports:
- Risk mitigation (e.g. limiting access to data)
- Incident response (e.g. monitoring and logging)
- Security governance (e.g. assigning roles and policies)
Controls are selected through the risk assessment and risk treatment process (Clause 6.1), tailored to the organisation's context; the Statement of Applicability (SoA) then records which Annex A controls are included or excluded, with a justification for each. ISO 27001:2022 also allows controls from outside Annex A where the risk treatment calls for them.
✅ Summary Table
Theme | Control Count | Example Focus |
---|---|---|
Organisational | 37 | Governance, roles, supplier risk |
People | 8 | Awareness, HR screening |
Physical | 14 | Access control, secure disposal |
Technological | 34 | Authentication, monitoring, encryption |
🔐 ISO 27001 isn’t just about controls—it’s about building trust through secure practices.