Telephone: 01908 041464 | Email:

14 controls points in the Statement of Applicability

Sunday 21st April 2019

14 key controls for Information Security

ISO 27001, the international standard for Information Security sets out requirements for managing the system in the same way as the other ISO management standards; namely Clauses 4-10 which cover planning, operations, checking and improvement. In addition, and different to the other standards, ISO 27001 requires that each organsiation compiles a Statement of Applicability against 14 key control points. These control points, which are defined in the Appendix of the ISO standard should be used against the risk assessment processes and provide a thorough and comprehensive diagnostic of the risk treatments that should be adopted by the organisation.

The majority of the control points are broken down into further sub-controls, each with their own clear objective. Guidance with the ISO 27001 family of Standards provides an insight into the types of actions that would be expected by the Organisation if the control is applicable. The 14 controls points are:

Control Point Description
Information Security Policies to ensure Information Security policies are in place and kept up to date through an effective review process
Organisation of Information Security to ensure roles and responsibilities are clear for Information Security management, and policies are clear for secure use of mobile devices and teleworking.  
Human Resource Security to ensure information security processes are in place to manage information security issues related to personnel from a period prior to employment right through to post employment.
Asset Management to ensure that responsibilities for Asset management (both electronic and physical assets, datasets and their classification, and processes for media handling.
Access Control to ensure that policies are in place to manage users, user access to data and information is controlled, including log-in and password controls
Cryptography Controls to ensure that effective use of cryptography is in place
Physical and Environmental Security to ensure that physical access to information assets is controlled in order to prevent damage and interference. This includes secure access policies and also the selection and management of physical assets.
Operations Security to ensure that secure operations are in place, including the provision of malware protection, backups, relevant logging and monitoring of data events, and the management of vulnerabilities where they exist.
Communications Security to ensure that network security and secure transfer of information internally and externally where required.
System acquisition, development and maintenance to ensure that information security is an integral part of any software or systems that are adopted or developed by the organisation. This also covers those systems that transfer information assets across public networks.
Supplier Relationships to ensure that any information assets accessible by suppliers is protected; this includes data that might be accidentally seen as well as data used by suppliers. It is important for this area of the Standard to consider suppliers that might access and see data, such as cleaning and maintenance staff, as well as outsourced IT providers.
Incident management Controls to ensure that effective processes are in place to manage any information security incidents such as breaches, weaknesses or other activities that could compromise information security.
Business Continuity to ensure that in the event of disruption, that Information Security is embedded so that information assets remain secure. This might also include provision for redundancies, so that servers can failover.
Compliance to ensure that all applicable legal, statutory, regulatory or other obligations applicable to Information Security are complied with. This could include ensuring the companies own intellectual property rights are protected.

Related Articles

Comparing Cyber Essentials to ISO 27001
Use 27001 to meet the Hiscox recommendations
How GDPR is protecting Personal Data

Adam Faiers - Director

Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for Managers and Staff to use.

Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.

Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.

We hope this article has been helpful

If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:


Tel: 01908 255 525