ISO 27001:2022 Annex A Controls

To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

To establish accountability for information security activities and ensure clear ownership of security responsibilities.

To reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

To ensure information security policies and procedures are implemented through clear management direction and support.

To maintain appropriate communication channels with relevant authorities for security incident reporting and regulatory compliance.

To stay informed about security threats, vulnerabilities, and best practices through engagement with the security community.

To enable proactive identification and response to relevant information security threats.

To ensure information security requirements are identified and addressed throughout the project lifecycle.

To identify organizational assets and define appropriate protection responsibilities to ensure they receive an appropriate level of protection.

To ensure that information and assets are used in accordance with organizational policies and legal requirements.

To ensure organizational assets are returned and access rights are revoked when personnel or external parties leave the organization.

To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

To ensure that information is clearly marked with its classification to enable appropriate handling and protection.

To maintain the security of information transferred within an organization and with external parties.

To limit access to information and information processing facilities to authorized users only.

To ensure that only authorized users have access to systems and services, and to prevent unauthorized access.

To ensure the secure management of authentication credentials throughout their lifecycle.

To ensure authorized user access and prevent unauthorized access to systems and services.

To ensure protection of the organization's information that is accessible by suppliers.

To ensure suppliers understand and meet the organization's information security expectations.

To address information security risks within the ICT supply chain.

To ensure suppliers continue to meet security requirements throughout the relationship.

To ensure cloud services meet the organization's information security requirements.

To ensure a quick, effective, and orderly response to information security incidents.

To ensure consistent evaluation and appropriate response to security events.

To minimize the impact of information security incidents through effective response.

To continuously improve information security through lessons learned from incidents.

To ensure evidence is properly handled for potential legal or disciplinary proceedings.

To ensure availability of information security controls during adverse conditions.

To ensure availability of ICT systems during and after disruptions.

To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

To ensure compliance with intellectual property laws and protect organizational intellectual property.

To protect important organizational records in accordance with legal, regulatory and business requirements.

To ensure privacy and protection of personal information as required by law and organizational policy.

To provide assurance that information security practices are effective and aligned with organizational needs.

To ensure conformity with organizational information security policies and standards.

To ensure correct and secure operation of information processing facilities.

To ensure that personnel are suitable for their roles and understand their responsibilities.

To ensure personnel understand and accept their information security responsibilities.

To ensure personnel are aware of and can fulfill their information security responsibilities.

To ensure there are consequences for information security policy violations.

To protect the organization's interests after termination or change of employment.

To maintain confidentiality of organizational information through legal agreements.

To ensure information security when personnel work from remote locations.

To ensure timely awareness of security events and enable appropriate response.

To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

To allow only authorized personnel to access secure areas.

To prevent unauthorized physical access and protect against environmental threats.

To detect and respond to unauthorized access attempts.

To protect against damage from physical and environmental threats.

To prevent unauthorized access to information in secure areas.

To reduce the risks of unauthorized access to information.

To reduce the risks from environmental threats and unauthorized access to equipment.

To prevent loss, damage, theft or compromise of assets off-premises.

To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

To ensure availability and integrity of information processing facilities.

To prevent damage to cables and protect against interference and interception.

To ensure continued availability and integrity of information processing facilities.

To prevent leakage of information through disposal or reuse of equipment.

To ensure security of information accessed through user endpoint devices.

To prevent unauthorized access and compromise of systems through misuse of privileged access rights.

To ensure authorized access and prevent unauthorized access to information.

To prevent unauthorized access to source code and maintain integrity of code.

To ensure the authenticity of users and protect against unauthorized access.

To ensure systems perform adequately and ensure required system availability.

To ensure that information and information processing facilities are protected against malware.

To prevent exploitation of technical vulnerabilities.

To establish and maintain secure configurations of systems.

To prevent unnecessary retention of information and reduce exposure to unauthorized disclosure.

To limit exposure of sensitive data while maintaining usability for testing and development.

To detect and prevent unauthorized transmission of sensitive information.

To protect against loss of data and ensure business continuity.

To ensure availability of critical systems through redundancy.

To record events and generate evidence for investigation and monitoring.

To detect anomalous behavior and potential security incidents.

To ensure accuracy of logs and support forensic investigation and audit.

To prevent misuse of privileged utilities that could bypass security controls.

To prevent unauthorized software installation and maintain system integrity.

To ensure the protection of information in networks and supporting information processing facilities.

To ensure the security of network services and the information they carry.

To separate networks into security zones based on risk and trust levels.

To manage access to external websites and reduce security risks.

To ensure proper and effective use of cryptography to protect confidentiality, authenticity and integrity of information.

To ensure that information security is designed and implemented within the development lifecycle of systems.

To ensure security is built into applications from requirements through implementation.

To ensure systems are designed with security in mind using established security principles.

To prevent security vulnerabilities in application code.

To identify and address security vulnerabilities before production deployment.

To ensure outsourced development meets security requirements and follows secure practices.

To reduce the risks of unauthorized access or changes to the production environment.

To ensure changes are made in a controlled manner with minimal disruption and risk.

To ensure test data does not contain production data that could be exposed.

To minimize disruption to business processes from audit activities.