Summary

The article explains how to approach security controls for the ISO 27001 cyber security management standard. It explains what a control is, the different types of controls, and how to implement them.

There’s no denying that obtaining the ISO 27001 cyber security management system certification has a plethora of benefits. However, you can only enjoy those benefits after understanding the standard, following its guidance, and meeting its requirements.

Organizations that are still new to the world of regulations and quality assurance often find it challenging to break down the ISO 27001 requirements because of the standard's terminology. "Control" is one of those terms that confuses people.

Today’s article explains controls, their variants, and how to implement them.

So, if your organization is planning to obtain the ISO 27001 or other ISO certification, keep reading!

What is Control in the ISO 27001 Cyber Security Standard?

A control is nothing but a tool to treat risk. You can use it to reduce the impact of a threat or its likelihood of occurring. Furthermore, you can implement multiple controls to address a single risk or one to treat several risks.

Typically, controls are selected based on the outcome of a risk assessment or external or internal requirements. Some controls apply to an entire organization, such as an authentication scheme, while others are for specific matters, like password lifespan.

To minimize the risk of redundancy, experts advise organizations to consider their business and compliance requirements before designing and implementing controls.

Different Types of Controls

Experts divide controls into three groups.

• Preventative or deterrent (e.g., training, pre-employment screening, secure media disposal),
• Detective (e.g., intrusion detection system),
• Reactive (e.g., back-ups or burglar alarms).

Additionally, the controls you implement for ISO 27001 cyber security management can be technical or non-technical.

Non-technical controls usually require more changes in processes and the involvement of different departments. On the positive side, non-technical controls are often more cost-effective than technical controls.

Therefore, when considering implementing technical controls, experts suggest asking if that’s your best option or if there are non-technical controls that can be more effective.

Implementing Controls for ISO 27001 Cyber Security Management

To ensure the effectiveness of a control, you must define and execute it adequately and in the correct context.

You shall create a control after consulting with affected parties. It should be proportionate, tested, designed to address risks, and supported by the top management.

Furthermore, when implementing controls, you must ensure all the impacted or relevant stakeholders understand their role, what to do with it, and how to support it during the transitional period.

Moreover, you shall effectively manage the implemented controls, detect noncompliance, follow up with corrective actions, report everything, and tackle persistent issues.

Controls are a part of your ISO 27001 cyber security management system. You shall manage them like any other business activity, in whatever way you find most effective.

ISO/IEC 27001 Statement of Applicability

The Statement of Applicability is one of the ISO 27001 cyber security requirements. It's a document that lists all the controls an organization selects to implement, both from Annex A or ISO/IEC 27002 and from outside them.

You shall justify why you selected some controls for implementation while rejecting others.

The primary purpose of this document is to ensure you don’t miss out on anything. However, it does not mean including all the controls mentioned in ISO/IEC 27002 is mandatory. You shall only implement the ones that apply to your organization.

Assessing and Making Changes in Controls

Changes in business operations and processes can alter your risk levels and introduce new sources of risk or influential external factors. That, in turn, may require you to make changes to the controls.

If you do make such changes, ISO 27001 certification experts suggest first assessing their potential impact.

This assessment will help you identify the changes that are not feasible.

Based on its outcome, you can determine whether the change is the correct step. Once you have made the decision, develop plans to implement, remove, or alter the affected controls.

Documenting Controls for ISO 27001 Cyber Security Certification

Create a list of all the controls you want to implement based on the ISO 27001 requirements and the results of risk assessments. Consider recording the source (the risk or requirement that drives it) of each control.

This way, when you make changes in the control drivers, you can easily integrate those changes into technical measures and policies. It will also make it easier for you to explain the reasons for implementing those controls.
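The Statement of Applicability and the control list described above become useful only when every selected control can be traced back to its driver, and every risk you chose to mitigate is covered by at least one control. The following script is an added illustration for this article, not a template from ISO, a certification body, or the author: it models SoA entries with their sources, flags gaps in traceability, and answers the question "which controls are affected if this risk or requirement changes?" The control identifiers, risks, and justifications are constructed sample data, not Annex A references.

```python
"""Statement of Applicability (SoA) traceability check.

Added example for this article; not code from ISO, the author, or any
certification body. Control ids (CTRL-xx), risk ids (R-xx) and the
requirement id LEGAL-01 are constructed sample values, not Annex A numbers.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    name: str
    selected: bool
    justification: str                 # why it was selected, or why it was excluded
    sources: list = field(default_factory=list)  # drivers: risk ids or requirement ids
    kind: str = "preventive"           # preventive, detective or reactive (the article's groups)
    technical: bool = True


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str = "mitigate"        # mitigate, accept, transfer or avoid


def check_soa(controls, risks):
    """Return a list of findings; an empty list means the SoA is fully traceable."""
    findings = []
    known_risks = {r.risk_id for r in risks}
    covered = set()
    for c in controls:
        if not c.justification.strip():
            why = "inclusion" if c.selected else "exclusion"
            findings.append(f"{c.control_id}: no justification for {why}")
        if not c.selected:
            continue
        if not c.sources:
            findings.append(f"{c.control_id}: selected but traceable to no risk or requirement")
        for src in c.sources:
            if src.startswith("R-") and src not in known_risks:
                findings.append(f"{c.control_id}: cites unknown risk {src}")
            covered.add(src)
    for r in risks:
        if r.treatment == "mitigate" and r.risk_id not in covered:
            findings.append(f"{r.risk_id}: risk to be mitigated but no selected control addresses it")
    return findings


def controls_for_driver(controls, driver):
    """Selected controls to revisit when a given risk or requirement changes."""
    return [c.control_id for c in controls if c.selected and driver in c.sources]


# Constructed sample data for the demonstration.
SAMPLE_RISKS = [
    Risk("R-01", "Insider with falsified credentials joins the company"),
    Risk("R-02", "Undetected intrusion into the internal network"),
    Risk("R-03", "Loss of customer data after ransomware"),
    Risk("R-04", "Office burglary", treatment="accept"),
]

SAMPLE_CONTROLS = [
    Control("CTRL-01", "Pre-employment screening", True,
            "Treats R-01", ["R-01"], kind="preventive", technical=False),
    Control("CTRL-02", "Intrusion detection system", True,
            "Treats R-02 and required by contract LEGAL-01", ["R-02", "LEGAL-01"], kind="detective"),
    Control("CTRL-03", "Burglar alarm", False,
            "Excluded: R-04 is accepted, staff are fully remote", [], kind="reactive", technical=False),
    Control("CTRL-04", "Off-site backups", True,
            "Good practice", [], kind="reactive"),   # selected but no recorded driver
]


def sample_findings():
    return check_soa(SAMPLE_CONTROLS, SAMPLE_RISKS)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
    print("If R-01 changes, revisit:", controls_for_driver(SAMPLE_CONTROLS, "R-01"))
```

Running the block reports two gaps in the constructed SoA: the backup control is selected without a recorded driver, and the ransomware risk is marked for mitigation but no selected control addresses it. The excluded burglar alarm passes because its exclusion is justified, which is exactly what an auditor looks for in the Statement of Applicability.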

Wrapping Up

The controls you implement for the ISO 27001 cyber security management standard should be traceable to the risks or requirements they aim to address. They should help you reduce or handle incidents and be a part of your ISMS rather than a replacement for it.

Author's Bio: 

The author is an ISO 27000 external auditor from the US. He offers certification/recertification and surveillance audits to help companies check compliance and maintain their ISO accreditation.