ISO 27001: What are the main controls of this standard?


ISO 27001 is an international standard developed by the International Organization for Standardization (ISO) with the aim of providing a model for Information Security Management within organizations. The first version as a certifiable standard was published in the year 2005. Information security-oriented standards establish a set of best practices that assist organizations in protecting and managing their information systems against intentional and accidental risks and threats. These standards are certifiable, which allows organizations to demonstrate to third parties that they have implemented proper information security management practices.

Types of Security Controls

In ISO 27001, a control is a security measure that the organization implements to mitigate a risk to which it may be exposed. Controls are commonly classified as:

  • Preventive controls reduce the likelihood of a threat materializing.
  • Corrective controls act to mitigate the actual impact of a threat once it has materialized.

Objectives and Examples of ISO 27001 Controls

The objective of security controls implemented in an organization is to ensure at all times the Confidentiality, Integrity, and Availability of the information hosted in its systems, against any type of adverse event that could negatively impact it.

An example of a preventive control is antivirus or antimalware software, which detects and intercepts known malicious software before it reaches our systems, thus reducing the likelihood of malware entering. However, these programs are not perfect: malware that has not been previously identified can go undetected and cause loss or destruction of information, as in the case of ransomware.

Therefore, as a complementary measure, we must also have corrective controls in place. In this case, that means keeping a backup of the data, which allows us to recover damaged or deleted information, both after an intentional attack such as malware and after an accidental incident that damages the equipment and systems holding the organization's information.

Another type of control aims to maintain the availability of our systems by building redundancy into the elements and equipment that are critical to the business. For example, duplicating communication lines with different providers, or having processing equipment in several locations or data centers, allows us to meet the organization's needs both during incidents and during periods of increased demand.

Access controls and periodic reviews

Controls governing access to information systems require special attention, both for company personnel and for third parties who may temporarily need access. Periodic reviews of who is accessing the systems and of the privileges granted in each case are important to detect discrepancies that could pose a security problem, such as accounts that should have been removed or privileges that exceed what a role requires.
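The periodic access review described above can be partly automated by reconciling an account export against the HR roster and a per-role privilege baseline. The following is an added example, not code from the original article or from GlobalSuite; all records are constructed for illustration, and the field names (login, role, status, access_until, last_login) are assumptions about what an HR export and an account export might contain.

```python
"""Periodic access review: reconcile accounts and privileges against HR data.

Added example, not from the original article or from GlobalSuite. All data
below is constructed; field names are assumptions about typical exports.
"""
from datetime import date

# Constructed HR roster: who may hold an account, in which role, and (for
# third parties) until when access was agreed.
PEOPLE = {
    "amartin":  {"status": "active",     "role": "finance",    "access_until": None},
    "jlopez":   {"status": "terminated", "role": "sales",      "access_until": None},
    "vendor01": {"status": "active",     "role": "contractor", "access_until": date(2024, 3, 31)},
    "rgomez":   {"status": "active",     "role": "sysadmin",   "access_until": None},
}

# Constructed role baseline: the privileges each role may legitimately hold.
ROLE_BASELINE = {
    "finance":    {"erp_read", "erp_post"},
    "sales":      {"crm_read", "crm_write"},
    "contractor": {"vpn", "ticket_read"},
    "sysadmin":   {"vpn", "server_admin", "erp_read"},
}

# Constructed account export: what the systems actually grant today.
ACCOUNTS = [
    {"login": "amartin",  "enabled": True, "privileges": {"erp_read", "erp_post", "server_admin"}, "last_login": date(2024, 5, 2)},
    {"login": "jlopez",   "enabled": True, "privileges": {"crm_read", "crm_write"},               "last_login": date(2024, 1, 15)},
    {"login": "vendor01", "enabled": True, "privileges": {"vpn", "ticket_read"},                  "last_login": date(2024, 4, 20)},
    {"login": "rgomez",   "enabled": True, "privileges": {"vpn", "server_admin", "erp_read"},     "last_login": date(2024, 5, 3)},
    {"login": "svc-old",  "enabled": True, "privileges": {"erp_read"},                            "last_login": date(2023, 9, 1)},
]

# Date on which the review is run (constructed).
REVIEW_DATE = date(2024, 5, 6)


def review_access(accounts, people, baseline, today, stale_days=90):
    """Return a list of (login, finding, detail) tuples for the reviewer.

    Findings flagged:
      terminated - enabled account whose person is no longer active in HR
      orphan     - enabled account with no matching HR record
      expired    - third-party access past its agreed end date
      excess     - privileges beyond the role baseline
      stale      - enabled account not used within stale_days
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this review
        login = acct["login"]
        person = people.get(login)
        if person is None:
            findings.append((login, "orphan", "no HR record"))
            continue
        if person["status"] != "active":
            findings.append((login, "terminated", f"HR status is {person['status']}"))
        until = person["access_until"]
        if until is not None and today > until:
            findings.append((login, "expired", f"access ended {until.isoformat()}"))
        excess = acct["privileges"] - baseline.get(person["role"], set())
        if excess:
            findings.append((login, "excess", ", ".join(sorted(excess))))
        if (today - acct["last_login"]).days > stale_days:
            findings.append((login, "stale", f"last login {acct['last_login'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for login, kind, detail in review_access(ACCOUNTS, PEOPLE, ROLE_BASELINE, REVIEW_DATE):
        print(f"{login:10} {kind:11} {detail}")
```

Each finding is a discrepancy between what HR says a person should have and what the systems actually grant; the reviewer then confirms or revokes. Keeping the role baseline as data rather than as code makes the review repeatable at each cycle and gives auditors something concrete to check the granted privileges against.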

Definition of controls in Annex A

In ISO 27001, the controls are defined in Annex A. In the 2013 version of the standard, there are 114 controls grouped into 14 domains covering the following areas: Security Policy; Organization of Information Security; Human Resource Security; Asset Management; Access Control; Cryptography; Physical and Environmental Security; Operations Security; Communications Security; System Acquisition, Development, and Maintenance; Supplier Relationships; Incident Management; Business Continuity; and Compliance.

In the new version of the ISO 27001 standard, published in May 2022, these controls have been reorganized within Annex A into four groups, which are:

  • Organizational controls.
  • People controls.
  • Physical controls.
  • Technological controls.

Best practices

Annex A is therefore a set of best practices that guides which security elements and controls should be targeted so that threats do not have a significant impact on a company's information management systems and infrastructure.

The ISO 27002 standard provides us with a series of best practices for implementing the controls from Annex A of ISO 27001.

Maintenance and management of controls

Once an organization implements a set of security controls, those controls must be maintained and managed so that their effectiveness improves continuously. For this purpose, it is recommended to establish criteria and metrics that report on their level of performance and maturity.

Indeed, the best indicator that controls are working properly is a reduction in incidents, both in probability, understood as a decrease in the frequency of adverse events, and in the impact of those events when they do occur.

Complying with the established controls

Implementing an Information Security Management System (ISMS) and complying with the controls established in the ISO 27001 standard are essential to protecting the information an organization handles. In this regard, GlobalSuite® is a platform that provides a comprehensive solution for implementing and managing an ISMS, and helps organizations manage the established security controls more efficiently.

Contact us and discover how our GRC software with the ISO 27001 module can help your organization comply with the established controls, protect your information, and enhance the company’s information security!