Security compliance Operating security programs ISO 27001

ISO 27001 controls

In a world of increasingly frequent cyberattacks, companies need to be sure their vendors take information security seriously. Many turn to ISO 27001 certification (rather than SOC 2) to decide if a potential business partner can protect sensitive data. The difference between SOC 2 and ISO 27001 is that SOC 2 focuses primarily on proving the existence of security controls, while ISO 27001 certification shows that an organization has a strong information security management system (ISMS) to ensure that sensitive data is accurate and protected from unauthorized access.

What are ISO 27001 clauses? 

ISO 27001 defines 11 clauses (0–10) that provide guidance for aspects of your ISMS ranging from documentation to policies. Seven clauses contain mandatory requirements of ISO 27001 certification.

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10:Improvement

What are ISO 27001 controls?

Before we get into the specifics of ISO 27001 controls, it’s important to have a strong working definition of what a security control is in general. Put simply, controls are actions that mitigate security risks. They are typically defined by three main factors:

  • Who performs an activity
  • The nature of the action
  • How often the action happens

You can learn more about how controls work within compliance frameworks in our blog “What is a control?

Now on to the ISO 27001 specifics! There are currently 114 ISO 27001 controls that are specific to the ISO 27001 framework and address specific security risks to ensure that an organization’s ISMS is robust enough to protect sensitive data. With the release of ISO 27002:2022, though, this number is being reduced to 93 controls.

And, you might have noticed that they’re not part of the clauses you learned about in the section above. 

Where is the ISO 27001 controls list? 

To find all of the 114 controls on the ISO 27001 controls list, you’ll need to take a look at ISO 27001 Annex A. 

Annex A is a list of all of the ISO 27001 controls. The ISO 27001 controls list contained in Annex A consists of 114 controls divided into 14 categories, or domains, that apply to almost every aspect of an operation:

  • Information security policies 
  • Organization of information security 
  • Human resources security 
  • Asset management 
  • Access control 
  • Cryptography 
  • Physical and environmental security 
  • Operational security 
  • Communications security 
  • System acquisition, development and maintenance 
  • Supplier relationships  
  • Information security incident management  
  • Information security aspects of business continuity management  
  • Compliance   

The ISO 27001 controls in Annex A have multiple objectives that pertain to everything from providing management with direction, making individual responsibilities clear, properly protecting information assets, and ensuring only appropriate access to sensitive data.

Annex A is basically a list of controls that can be used to reach ISO 27001 compliance. For guidance on how to implement those controls, you’ll want to turn to ISO 27002.

How does Strike Graph make it easy for organizations to demonstrate the ISO 27001 controls?

Achieving compliance in the face of 7 actionable clauses, 14 domains and 114 controls can seem daunting. But, ISO 27001 certification doesn’t have to be difficult.

Strike Graph’s extensive library of controls is pre-mapped to the ISO 27001 framework — both the existing 114 controls and the newly released 93 controls. This means you don’t have to start from scratch. Our security compliance platform walks you step-by-step through an initial risk assessment to identify your security gaps, then suggests pre-mapped controls that will mitigate those risks and put you on the path to ISO 27001 certification.



  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

Are you ready to build trust through cybersecurity?