
ISO/IEC 27001 Controls Handbook 1

Title Thumbnail & Hero Image: ISO27001 Version 2022 Banner, source: questinc.com, access date: Nov.17, 2025.

First revision: Nov.17, 2025
Last change: Dec.15, 2025
Searched, gathered, rearranged, translated, and compiled by
Apirak Kanchanakongkha.
1. Information security

There are ninety-three controls, each formulated broadly enough to be applied across many kinds of organizations.

  • IEC - International Electrotechnical Commission. IEC standards are international guidelines developed by the International Electrotechnical Commission to ensure the safety, performance, and interoperability of electrical and electronic systems.

2. ISO/IEC 27001 - Management system

3. ISO/IEC 27001 - Annex A
ANNEX A
Pick up your ISO/IEC 27001 standard and go to Annex A. This annex contains ninety-three controls you can apply to treat information security risks.

In principle, Annex A could have been left out of the Standard for the implementation of a management system for information security. The annex is only included in the Standard so that, after choosing your own measures, you can verify that no necessary controls have been omitted (see ISMS Clause 6.1.3).

The Standard wants to prevent you from overlooking something and has therefore placed ninety-three commonly used controls in an annex. The ISO/IEC organization describes these Annex A controls as [5]:

A generic mixture of organizational, people, physical, and technological information security controls derived from internationally recognized best practices.

Now read the text directly under the title Annex A. It starts with the statement that the Annex A controls are "directly derived from and aligned with those listed in ISO/IEC 27002."

The numbering of the controls in Annex A of the ISO/IEC 27001 standard starts at 5 rather than 1 because these controls come from the ISO/IEC 27002 standard, where they are covered from Chapter 5 onwards. See the adjacent image for an overview of the relationships between the various ISO/IEC documents.

There is an important difference between the ninety-three controls listed in the ISO/IEC 27002 standard and the ninety-three controls listed in Annex A of the ISO/IEC 27001 standard. For all controls in the ISO/IEC 27001 standard, the non-binding "should" has been replaced by the mandatory "shall." The following example shows this difference:

Example

  ISO/IEC 27002, 8.15 Logging:
  Logs that record activities, exceptions, faults, and other relevant events SHOULD be produced, stored, protected, and analyzed.

  ISO/IEC 27001 Annex A, 8.15 Logging:
  Logs that record activities, exceptions, faults, and other relevant events SHALL be produced, stored, protected, and analyzed.

By making the controls normative, the ISO/IEC 27001 standard forces you to make a statement about which Annex A controls do or do not apply to your organization. You must record this statement in a formal document: the Statement of Applicability. More on that later; first something else.

COHERENCE BETWEEN CONTROLS AND RISKS
Take the ISO/IEC 27001 standard and read the short text under the heading "Annex A" again. The last part of this text says that all Annex A controls "are to be used in context with 6.1.3." What does this mean?

Relationships between ISO/IEC documents, developed on Dec.8, 2025.

In the Standard, go to ISMS Clause 6.1.3. As you can see, this clause is about information security risk treatment. So, the ninety-three Annex A controls are all intended for treating your information security risks. In other words, there must be a logical coherence between your risks and the use of the Annex A controls.

The mandatory coherence between controls and risks prompts the following question: Does a list of ninety-three controls mean that you must have identified at least ninety-three information security risks? No, this is not the case. Usually, several controls are used simultaneously for the treatment of one risk.

Example

An organization wants to reduce the risk of ransomware affecting the availability of information. The risk is addressed through the following controls: awareness, education, and training (6.3); controls against malware (8.7); and backup of information (8.13).

Likewise, several risks can sometimes benefit from the same control. For example, the control "awareness, education, and training" (6.3) can often be used to treat multiple risks. In short, there is no one-to-one relationship between risks and controls.

Do you need to apply all controls? No, that is not necessary. If you cannot apply an Annex A control to treat your risks, you may exclude this control in your Statement of Applicability.

STATEMENT OF APPLICABILITY (SoA)
ISMS Clause 6.1.3 requires you to produce a statement of applicability (SoA). This is a document that must contain the following information:
  • The necessary controls. List in your SoA ninety-three Annex A controls, as well as a description of any other controls you have applied.
  • A justification for their inclusion. For each control applied, provide a brief explanation of why you applied it.
  • Whether the necessary controls are implemented or not. For each control applied, make it clear whether it is currently implemented.
  • The justification for excluding any of the Annex A controls. For each Annex A control that you have not applied, provide a short explanation of why this is the case.
To ensure that the ISO/IEC 27001 standard is applied correctly, the ISO/IEC organization has published the supporting standard ISO/IEC 27003 [6]. This standard says the following about excluding controls:

Any control within Annex A that does not contribute to modifying risk should be excluded from the SoA, and justification for the exclusion should be given.

So the justification for excluding a control must make clear why that control cannot contribute to changing your information security risks.

More information about defining and using a Statement of Applicability can be found in the ISO 27001 ISMS Handbook [20].
Example
Organization ABC has produced the following Statement of Applicability:

  ABC [Statement of Applicability]   Version: November 12, 2023

  5.1  Policies for information security
       Control: Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to, and acknowledged by relevant personnel and interested parties, and reviewed at planned intervals and upon significant changes.
       Implemented?             Yes
       Justification inclusion: Risk #01, Risk #08, Risk #09
       Justification exclusion: x

  5.2  Information security roles and responsibilities
       Control: Information security roles and responsibilities shall be defined and allocated according to the organization's needs.
       Implemented?             Yes
       Justification inclusion: Risk #03, Risk #44
       Justification exclusion: x

  Etc.
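The coherence rule between risks and controls and the four SoA fields above can be checked mechanically. The following script is an added example, not part of the handbook or of any ISO document; the risk treatment plan, the SoA rows and the short subset of Annex A identifiers are constructed sample data.

```python
# Constructed risk treatment plan: each risk lists the Annex A controls chosen
# to treat it. The mapping is many-to-many, as the handbook explains (one risk
# may use several controls, one control may serve several risks).
RISK_TREATMENT_PLAN = {
    "Risk #01": ["5.1", "6.3"],
    "Risk #08": ["5.1", "5.2"],
    "Risk #12": ["6.3", "8.7", "8.13"],  # ransomware: awareness, anti-malware, backup
    "Risk #20": ["7.11"],                # power loss at the cloud provider (supplier-operated control)
}

# Constructed SoA rows: applied?, implemented?, and the justification text
# (for inclusion when applied, for exclusion when not applied).
SOA = {
    "5.1":  {"applied": True,  "implemented": True,  "justification": "Risk #01, Risk #08"},
    "5.2":  {"applied": False, "implemented": False, "justification": ""},
    "6.3":  {"applied": True,  "implemented": False, "justification": "Risk #01, Risk #12"},
    "7.11": {"applied": True,  "implemented": True,  "justification": "Risk #20; operated by cloud provider, see 5.20/5.22"},
    "8.7":  {"applied": True,  "implemented": True,  "justification": ""},
    "8.13": {"applied": True,  "implemented": True,  "justification": "Risk #12"},
}

# Placeholder subset of the ninety-three Annex A control identifiers.
ANNEX_A_SUBSET = ["5.1", "5.2", "6.3", "7.11", "8.7", "8.13", "8.15"]


def check_soa(soa, plan, annex_a):
    """Return a sorted list of findings; an empty list means the SoA is coherent."""
    findings = []
    # Every Annex A control must appear in the SoA, whether applied or excluded.
    for cid in annex_a:
        if cid not in soa:
            findings.append(f"{cid}: missing from SoA")
    referenced = {c for controls in plan.values() for c in controls}
    for cid, row in soa.items():
        has_reason = bool(row["justification"].strip())
        if row["applied"]:
            if not has_reason:
                findings.append(f"{cid}: applied without justification for inclusion")
            if cid not in referenced:
                findings.append(f"{cid}: applied but treats no risk in the treatment plan")
        else:
            if not has_reason:
                findings.append(f"{cid}: excluded without justification")
            if cid in referenced:
                findings.append(f"{cid}: excluded but the treatment plan relies on it")
    # A control the treatment plan relies on cannot be absent from the SoA.
    for cid in sorted(referenced - set(soa)):
        findings.append(f"{cid}: referenced by treatment plan but absent from SoA")
    return sorted(findings)
```

Run against the sample data it flags 5.2 (excluded although Risk #08 relies on it, and without a reason), 8.7 (applied without a justification) and 8.15 (not listed at all).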
PARTIAL APPLICATION OF AN ANNEX A CONTROL
The supporting ISO/IEC 27003 standard (guidelines for ISMS implementation) says the following about the partial application of an Annex A control [6]:

Justification for including a control in part relies on the effect of the power in modifying an information security risk. A reference to information security risk assessment results and the information security risk treatment plan should be sufficient, along with the information security risk modification expected by the implementation of necessary controls.

This handbook discusses an example of partially applying a control when explaining control 8.26. This control concerns both the development of applications and the purchase of applications developed by suppliers. If your organization purchases applications but does not develop them, you can explain this in your Statement of Applicability (justification for inclusion and exclusion).
CONTROL TAKEN CARE OF BY SUPPLIERS
ISMS Clause 4.3 establishes the scope for your information security management system. Determining the scope makes clear which processes, people, buildings, systems, etc., are relevant to your management system.
As soon as it is clear which processes fall within the scope of your management system, you can distinguish between processes that you perform entirely yourself and processes that you have (partly) carried out by an external organization. The ISO/IEC organization says [1]:

An external organization is outside the scope of the management system, even if the outsourced function or process is within its scope.

Having an outsourced process within the scope of your information security management system means that your organization remains ultimately responsible for that process, including the controls necessary to protect the availability, integrity, and confidentiality of your information.


Example
Organization ABC consists of four employees who have developed a web application. To save costs, it was decided not to rent an office building. The four employees work from home or at any other location. The web application is offered to customers as software-as-a-service (SaaS) via the IT platform of a cloud provider.

Organization ABC does not have an on-site power supply; it relies on a reliable power supply from the cloud provider. The organization has therefore applied Control 7.11 (supporting utilities). ABC determines that the provider has an adequate and tested emergency power supply.

It is the responsibility of your organization to choose suppliers who have implemented appropriate controls, to ensure appropriate agreements (see 5.20), and to monitor compliance (see 5.22).
ADDITIONAL CONTROLS  
In addition to the ninety-three Annex A controls of the ISO/IEC 27001 standard, you may also add "own controls" to your Statement of Applicability. The ISO/IEC 27007 standard (with guidelines for conducting ISMS audits) says [8]:

Necessary controls can be ISO/IEC 27001 Annex A controls, but they are not mandatory. They can be controls taken from other standards (e.g., ISO/IEC 27017) or other sources, or they can have been specially designed by the organization.

So, feel free to add your own controls to your Statement of Applicability. If you do, pay attention to the extent to which your own controls overlap with the ninety-three Annex A controls. The ISO/IEC 27007 standard says [8]:

In some cases, the organization uses a control that is a variation of an Annex A control and excludes the original Annex A control, the rationale for exclusion being that it has been replaced by the organization's variation of the control.

Your own control may be equivalent to or an extension of an Annex A control. The ISO/IEC 27007 standard says [8]:

Alternatively,
References:
[1] Cees Van Wens, ISO 27001 - CONTROLS Handbooks - Implementing and auditing 98 controls to reduce information security risks: ORGANIZATIONAL, PEOPLE, TECHNICAL, Deseo Publishing, 2023, ISBN 9798861393560.
humanexcellence.thailand@gmail.com