ISO-9: Annexe A Controls-1

We have so far discussed ISO 27001-2022 in several articles ISO-1 to 7 and summarised ISO 27701 in article ISO-8. Let us now continue our discussions to cover the 93 controls which are part of Annexe A of ISO 27001-: 2022 and also ISO 27002:2019.

The Annexe contains

a) 37 Controls as “Organizational Controls” from A.5.1 to A.5.37

b) 8 controls as “People’s Controls” from A.6.1 to A.6.8

c) 14 controls as “Physical Controls” from A.7.1 to A.7.14

c) 34 controls as “Technology Controls” from A.8.1 to A.8.34

All these controls are effectively covered under the 50 Model Implementation specifications of PDPSI which adds a few more controls of its own to make it more precise than ISO 20001:2022 even if ISO 27701 is added as a combo.

Let us in this article try to get a bird’s eye view of the “Organizational Controls”.

The first control in this set is the need for development of policies for information security which have to be defined, approved, published, communicated and acknowledged by relevant stake holders. They have to be also reviewed periodically. The objective of the policies is to effectively mitigate the risks in different aspects of business with a focus on the CIA principle.

As a part of the policy or as a supplementary policy there is a need to define the roles and responsibilities of different employees with proper segregation of duties with an enforceable mandate that the policies will be adhered to by all.

The organization shall maintain contract with regulatory authorities such as CERT IN and with relevant industry groups to stay in close touch with industry developments.

For proper risk assessment, a system for gathering threat intelligence and integrating IS in each of the projects is to be ensured.

In order to implement the policies, there has to be an inventory of Information assets with proper labeling and ownership assignment. This will be associated with an acceptable user policy till the ownership of the assets are suitably transferred to another authorized person. Such transfer procedures are also to be suitably documented along with a proper labeling of information.

It is also necessary to have a proper classification of information which determines the access policies. IS related classification is normally associated with the CIA triad and limited to classifications such as “Public”, “Restricted”, “Confidential” etc. If ISO 27701 or privacy related compliance is required like PDPSI, then the classification has to take into account “Personal and Non Personal” , “Sensitive and Non Sensitive” etc. PDPSI therefore follows a more elaborate classification system than ISO 27001/27701 and extends it to “Minor and Non Minor”, “Employee and Non Employee”, “Personal Sensitive”, “Personal Critical” etc.

This classification is associated with the Access Control management with management of full cycle of identities for access. The access control mechanism needs to take care of proper authentication of identities. The entire access rights management system needs to be periodically reviewed.

It is also necessary to ensure that information security in supplier relationships including the cloud services are also properly kept in check through the agreements. The IS needs need to be effectively communicated through the supply chain and monitored regularly for review and change.

There shall be a proper Incident management policy to define incidents and handle them effectively when identified with a proper assessment, reporting and learning out of the incidents.

Where required the need for evidence management during incidents and possible business disruption management with business continuity objective shall be ensured.

It is not possible to disassociate the IS requirements from any legal obligations in applicable law and this has to be adequately addressed. This may not only include the IPR related issues but also regulations related to contracts, data storage, security incident reporting etc.

Control A.5.34 specifically mentions that the organization shall identify and meet requirements regarding the preservation of Privacy and Protection of PII (Personally identifiable Information) according to applicable laws and regulations and contractual requirements. This clause extends ISO 27001:2022 to the privacy requirements without ISO 27701.

The organization shall independently review the IS controls periodically, document the compliance with adopted policies and procedures.

All these requirements covered under A.5.1 to A.5.37 are covered under PDPCSI for Establishing PDPCMS or Personal Data Compliance Management System. PDPCMS focusses on Privacy and hence limits itself to the application of CIA principles only to Personal Data and otherwise looks at the Privacy controls similar to ISO 27701. However the larger version of PDPCSI which is called DPCMSI may cover the non personal data protection compliance separately for which the compliance is checked with provisions of ITA 2000 and not the DPDPB 2023. DPCMSI combines ITA 2000 and DPDPB 2023 and hence covers ISO 27001:2022 even with an expanded coverage of Privacy.

If an auditor is aware of the intent of these frameworks and sincerely applies them to the audit, whether he uses ISO 27001:2022 with ISO 27701 or DPCMS does not matter except for the certification and costs.



About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.