Annex A
Definition
The normative annex to ISO/IEC 27001 that lists 93 information security controls across four themes: organisational (37 controls), people (8), physical (14), and technological (34). The standard requires organisations to reference Annex A when determining controls, but permits exclusions with justification. The full implementation guidance for each control is in ISO/IEC 27002.
Related terms
- Statement of Applicability (SoA): A mandatory document listing every ISO/IEC 27001 Annex A control with a statement of whether it is included or excluded, the justification...
- Continual improvement: The ISO/IEC 27001 requirement (clause 10) that the organisation must actively improve the suitability, adequacy, and effectiveness of the ISMS over time....
- High-Level Structure (HLS): The common clause framework mandated by ISO for all management system standards. Clauses 4 through 10 of ISO 27001 follow the same...
- Information Security Management System (ISMS): The set of policies, processes, procedures, and controls that an organisation establishes to manage information security risk. ISO 27001 specifies the requirements...
- ISMS scope: The explicit boundaries of the management system: which organisational units, sites, processes, and information assets are covered. Defined under ISO/IEC 27001 clause...
- ISO/IEC 27002: A guidance standard (not certifiable) that provides implementation advice for each of the 93 controls in ISO 27001 Annex A. Updated in...
- Management review: The annual governance meeting required under ISO 17025 Clause 8.9, at which laboratory management reviews the aggregated quality performance data (PT results,...
- Risk owner: The individual or role accountable for ensuring a risk is treated appropriately and that the treatment remains effective. Owners should control the...
- Risk treatment plan: A document that records, for each identified risk, the chosen treatment option (accept, avoid, transfer, or reduce), the specific controls selected to...
Explained in these topics
- Designing and Implementing an ISMS: The normative annex to ISO/IEC 27001 that lists 93 information security controls grouped into four themes: organisational (37), people (8), physical (14), and...
- ISO/IEC 27001: Standard Structure and Requirements: The normative annex to ISO/IEC 27001 that lists 93 information security controls across four themes: organisational (37 controls), people (8), physical (14), a...