Understanding ISO 27001’s 93 Security Controls: Your Essential Guide

By |2025-08-30T13:39:31+01:00September 1st, 2025|ISO 27001 Controls|

Understanding ISO 27001's 93 Security Controls: Your Essential Guide If you've ever wondered what lies behind ISO 27001's reputation as the gold standard for information security management, the answer is largely found in Annex A. This technical appendix contains 93 specific security controls that form the backbone of any robust information security framework. Think of these controls as your organisation's security toolkit. They're organised into four main themes that cover every aspect of information security: organisational security policies, people security, physical and environmental security, and technology [...]

Read More
 0

ISO 27001 Risk Assessment: How to Map Business Risks to Annex A Controls

By |2025-06-29T16:53:26+01:00June 30th, 2025|ISO27001 Certification, ISO27001 Implementation, Risk Assessment|

ISO 27001 Risk Assessment: How to Map Business Risks to Annex A Controls In a previous blog post, I explored whether organisations should choose scenario-based or asset-based risk management techniques when implementing ISO 27001. Today, I want to build on that discussion by examining a critical aspect that many organisations overlook: ensuring your risk register properly addresses the broader organisational risks that underpin the controls in Annex A. This isn't just about compliance box-ticking. When done correctly, your risk mapping demonstrates that you've genuinely considered the [...]

Read More
 0

ISO27001 – Control 5.17 – Authentication Information

By |2025-06-16T17:44:25+01:00June 16th, 2025|Information Security, ISO 27001 Controls|

ISO 27001 - Control 5.17  - Authentication Information Control 5.17 Wording Control 5.17 - Authentication Information states "Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information." What this means Control 5.17 aims to ensure that your organisation has in place proper rules for creating, giving out, and looking after login details like passwords, PINs, and access codes. This matters because the organisation needs to make sure that only the right people [...]

Read More
 0

ISO27001 – Control 5.16 – Identity Management

By |2025-06-16T17:47:26+01:00May 5th, 2025|Information Security, ISO 27001 Controls|

ISO 27001 - Control 5.16 - Identity Management Control 5.16 Wording Control 5.16 - Identity Management states "The full life cycle of identities should be managed." What this means Control 5.16 focuses on managing digital identities throughout their complete lifecycle - from creation to deletion. Think of it as a comprehensive system for tracking and controlling every digital identity in your organisation, ensuring that the right people and systems have the right identities and access. It's not just about creating usernames; it's about maintaining a [...]

Read More
 0

ISO27001 – Control 5.15 – Access Control

By |2024-11-24T16:48:08+00:00November 25th, 2024|Information Security, ISO 27001 Controls|

ISO 27001 - Control 5.15 - Access Control Control 5.15 Wording Control 5.15 - Access Control states "Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements." What this means Control 5.15 - At its core, access control is about ensuring the right people have access to the right resources at the right time. Think of it as a sophisticated bouncer for your business assets, both digital and physical. It's not [...]

Read More
 0

ISO27001 – Control 5.14 – Information Transfer

By |2024-11-09T16:25:08+00:00November 11th, 2024|Information Security, ISO 27001 Controls|

ISO 27001 - Control 5.14 - Information Transfer Control 5.14 Wording Control 5.14 - information transfer states "Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties". What this means Control 5.15 - information transfer is aiming to ensure that any information transfer processes are robust and secure and available to all within the organisation. The most obvious means of data transfer is email but there is also the consideration [...]

Read More
 0

ISO27001 – Control 5.13 – Labelling of Information

By |2024-10-17T16:57:49+01:00October 21st, 2024|Information Security, ISO 27001 Controls|

ISO 27001 - Control 5.13 - Labelling of Information Control 5.13 Wording An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. What this means This is the followup control to 5.12 - Classification. This control is designed to make sure that all business assets are labelled as part of securing information within the organisation. It's all about marking your data so everyone knows how to handle it properly. Let's break down [...]

Read More
 0

ISO27001 – Control 5.12 – Classification of Information

By |2024-09-08T13:14:30+01:00August 26th, 2024|Information Security, ISO 27001 Controls|

Control 5.12 – Classification of Information Control Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. What this means There needs to be a classification scheme implemented to protect information assets and this classification scheme should be documented and communicated to all staff and other relevant parties such as contractors, data processors etc. When classifying documents the organisation needs to consider the confidentiality, integrity, and availability requirements in the classification scheme. Try [...]

Read More
 0

ISO27001 – Control 5.11 – Return of Assets

By |2024-06-14T14:34:48+01:00June 16th, 2024|Information Security, ISO 27001 Controls, ISO27001 Certification, ISO27001 Implementation|

ISO27001 - Control 5.11 - Return of Assets Control Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. What this means When a member of staff, contractor or supplier reaches the end of their employment or contract period, there should be a process in place to ensure that all the organisations assets are returned. This includes devices such as laptops and mobile phones as well as business paperwork (held [...]

Read More
 0

ISO27001 – Control 5.10 – Acceptable use of information and other associated assets

By |2024-05-31T16:10:27+01:00June 3rd, 2024|Information Security, ISO 27001 Controls, ISO27001 Certification, ISO27001 Implementation|

ISO27001 - Control 5.10 - Acceptable use of information and other associated assets Control Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. What this means This is all about ensuring that information and associated assets are appropriately protected, used and handled. You should have a procedure which documents the rules for acceptable use and the protection of assets. The organisation should identify the staff and external party users using or having access to the [...]

Read More
 0

© Copyright | All Rights Reserved | Audit & Risk Professionals Llp | Registered in England and Wales, Company Number: OC393687. Registered Address: 2 Masefield Ave, Borehamwood, HERTS, WD6 2HQ | Privacy Policy |

Go to Top