ISO 27001 Annex Explained

Annex A of ISO/IEC 27001 is a reference list of information security controls, grouped into the control domains A5 to A18. It is not the same thing as the Statement of Applicability (SoA): the SoA is the document each organization writes to record which Annex A controls it has selected, which it has excluded (and why), and whether each selected control is implemented. Because every organization differs, every organization must produce its own SoA. The structure described on this page is that of the 2013 edition of the standard; the 2022 revision regrouped the controls into four themes, so the domain numbers below do not apply to it.

Annex A5 Information Security Polices

This domain deals with management direction and support for information security, in line with business requirements and applicable laws and regulations. The organization must define a set of information security policies, have them approved by management, and publish and communicate them to employees and relevant external parties. The policies must be reviewed at planned intervals, and whenever significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness within the information security management system (ISMS).

Annex A6 Organization of Information Security

This domain covers the internal organization of information security: roles and responsibilities must be defined and allocated, and duties must be segregated so that no single person can modify or misuse information without detection, reducing the chance of unauthorized or unintentional modification. It also requires maintaining contact with relevant authorities and with special interest groups (for example security forums or professional associations), and addressing information security in project management. The second part of this domain, A6.2 Mobile devices and teleworking, covers the policy for mobile devices (including BYOD) and how information is accessed, processed, and stored at teleworking sites.

Annex A7 Human Resource Security

This domain covers the whole employment life cycle: before employment, during employment, and at termination or change of employment. It is further broken down into five areas.

  • Screening. Background verification checks must be carried out on all candidates before employment, proportionate to the business requirements, the classification of the information they will access, and the perceived risks. The same applies to contractors; in practice the check is often satisfied by confirming that the contractor's own organization performs equivalent screening, for example because it is itself certified to ISO/IEC 27001.
  • Terms and conditions of employment. The contract must state the employee's and the organization's responsibilities for information security, including compliance with applicable data protection legislation (for a UK organization, the Data Protection Act 2018).
  • During employment. Management must require staff and contractors to apply information security in accordance with the organization's policies, supported by awareness, education, and training that is kept current as policies change.
  • Disciplinary process. The organization must have a formal, communicated disciplinary process for those who commit an information security breach or fail to follow the policies.
  • Termination or change of employment. This protects the organization's interests. Information security responsibilities and duties that remain valid after termination or a change of role (in particular the contractual obligation to keep the organization's information confidential) must be defined, communicated to the employee or contractor, and enforced.

Annex A8 Asset Management

All assets associated with information and information processing facilities must be identified, inventoried, and properly managed, and an owner must be assigned and documented for each. Rules for acceptable use of assets must be defined. On termination of employment or contract, employees and third parties are obliged to return all organizational assets in their possession. This domain also covers classification and labelling of information according to its value and sensitivity, and the handling and secure disposal of removable media.

Annex A9 Access Control

For all assets within the scope of the ISMS, an access control policy must be established, documented, and reviewed regularly, taking into account the needs of the business. User access provisioning, the allocation of privileged access rights, and the periodic review and removal of access rights must be formally managed. The user responsibilities objective holds users accountable for protecting their own authentication information (passwords, tokens, keys). System and application access control restricts access to information and application functions in line with the access control policy, and requires secure log-on procedures, interactive password management systems, restricted use of privileged utility programs, and access control to program source code.

Annex A10 Cryptography

Cryptographic controls must be selected and managed properly so that they protect the confidentiality, authenticity, and integrity of information without introducing new weaknesses. A policy on the use of cryptography must be developed and implemented, and it must take into account the legal, regulatory, and contractual requirements around encryption (for example restrictions on export or use in certain jurisdictions). A key management policy must cover the whole key life cycle: generation, distribution, storage, change or rotation, backup, and destruction.

Annex A11 Physical and Environmental Security

Secure areas must be protected by physical entry controls so that only authorized personnel can enter, and attempted or actual unauthorized access should be reported. Procedures should be in place for working in secure areas and for checking equipment in and out of them. Delivery and loading areas must be controlled and, where possible, isolated from information processing facilities. The domain also covers equipment security: siting and protection of equipment, supporting utilities, cabling security, maintenance, removal and off-site use of assets, secure disposal or re-use of equipment, and a clear desk and clear screen policy. For organizations that operate entirely from cloud services and shared or digital workplaces, some of these controls may be recorded in the SoA as not applicable, with a documented justification.

Annex A12 Operations Security

Operations security deals with the procedures and responsibilities needed to ensure correct and secure operation of information processing facilities, including change and capacity management. Development, testing, and operational environments should be separated to reduce the risk of unauthorized access or changes. Measures should be in place to detect, prevent, and recover from malware. Regular backups of information, software, and system images are required, and restoration must be tested regularly by actually performing restores, not only by table-top discussion, so that recovery is known to work when it is needed. Event logs recording user activities, exceptions, faults, and security events must be produced, protected against tampering, and retained as evidence for investigations and legal proceedings; this includes administrator and operator logs and synchronized system clocks. The domain also covers control of operational software, technical vulnerability management (including timely patching and restrictions on software installation), and the planning of audit activities to minimize disruption.

Annex A13 Communication Security

This domain covers network security management and the protection of information in networks and its supporting information processing facilities. Networks should be segregated wherever possible, with groups of services, users, and systems separated according to their classification and trust level, and security requirements for network services should be defined in service agreements. Policies, procedures, and agreements should be in place to cover information transfer, both internal and external, including electronic messaging and confidentiality or non-disclosure agreements with parties that receive the information.

Annex A14 System Acquisition, Development and Maintenance

Annex A14 ensures that information security is an integral part of information systems across their entire life cycle, including systems that provide services over public networks. Security requirements must be specified when new systems are acquired or existing ones enhanced, and a risk assessment must be carried out to understand the risks involved. Development and support processes must follow a secure development policy, with change control, secure engineering principles, and security testing during development and at acceptance. Test data must be carefully selected, protected, and controlled.

Annex A15 Supplier Relationship

This domain deals with the protection of the organization's assets that are accessible to, or affected by, suppliers. Information security requirements must be agreed with each supplier and addressed in supplier agreements, including requirements that flow down the ICT supply chain. Supplier service delivery management ensures that the agreed level of information security and service delivery is maintained in line with the supplier agreement; the organization must regularly monitor, review, and audit supplier service delivery and manage changes to the services provided.

Annex A16 Information Security Incident Management

Annex A16 is about the consistent and effective management of information security incidents, events, and weaknesses. Management responsibilities and procedures must be established, and there should be channels for reporting events and weaknesses as quickly as possible. Events must be assessed to decide whether they are to be classified as incidents, incidents must be responded to according to documented procedures, and the knowledge gained must be used to reduce the likelihood or impact of future incidents. Controls must be implemented for the identification, collection, acquisition, and preservation of information that can serve as evidence.

Annex A17 Information Security Aspect of Business Continuity Management

This domain deals with information security continuity, which should be embedded in the organization's business continuity management system. The organization must determine its requirements for information security and for the continuity of information security management in adverse situations. It must establish, document, implement, and maintain processes, procedures, and controls that deliver the required level of information security continuity during a catastrophic failure or other disruption. These controls must be tested, reviewed, and evaluated regularly to ensure they remain valid as the business, technologies, and risk levels change. The domain also requires that information processing facilities are implemented with enough redundancy to meet availability requirements.

Annex A18 Compliance

The main objective of Annex A18 is to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security. The organization must identify and keep up to date documentation of the legislation and regulation that affect its business, protect the intellectual property rights it owns and respect those of others, protect its records from loss, destruction, falsification, and unauthorized access, and ensure privacy and protection of personally identifiable information as required by applicable law. The use of cryptographic controls must comply with relevant agreements, laws, and regulations. The second part of the domain requires independent reviews of information security at planned intervals and regular checks by managers that systems and procedures comply with the organization's policies and technical standards.
