iso27001-controls

ISO 27001 Controls Expert

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "iso27001-controls" with this command: npx skills add dengineproblem/agents-monorepo/dengineproblem-agents-monorepo-iso27001-controls

Expert in implementing and auditing ISO 27001 Information Security Management System controls.

Control Categories Overview

ISO 27001:2022 Annex A Structure

Category            Controls      Focus Area
A.5 Organizational  37 controls   Policies, roles, responsibilities
A.6 People          8 controls    HR security, awareness
A.7 Physical        14 controls   Physical and environmental
A.8 Technological   34 controls   Technical security measures

Risk-Based Approach

  • Controls selection based on risk assessment outcomes

  • Statement of Applicability (SoA) documents rationale

  • Controls can be implemented, not applicable, or excluded with justification

  • Continuous improvement through PDCA cycle

Control Implementation Framework

Control Assessment Template

control_assessment:
  control_id: "A.8.24"
  control_name: "Use of Cryptography"
  category: "Technological Controls"
  objective: "Ensure proper and effective use of cryptography to protect confidentiality, authenticity and integrity of information"

  current_state:
    implementation_status: "Partial"
    existing_controls:
      - "TLS 1.2 for web traffic"
      - "AES-256 for database encryption"
    gaps:
      - "No key management policy"
      - "Legacy systems using TLS 1.0"
      - "Inconsistent encryption at rest"

  risk_assessment:
    likelihood: "Medium"
    impact: "High"
    risk_level: "High"
    risk_treatment: "Mitigate"

  implementation_plan:
    actions:
      - description: "Develop cryptography policy"
        owner: "Security Manager"
        deadline: "2024-03-01"
        status: "In Progress"

      - description: "Upgrade all systems to TLS 1.3"
        owner: "IT Infrastructure"
        deadline: "2024-04-15"
        status: "Planned"

      - description: "Implement key management solution"
        owner: "Security Operations"
        deadline: "2024-05-01"
        status: "Planned"

  evidence_required:
    - "Cryptography policy document"
    - "TLS configuration audit report"
    - "Key management procedures"
    - "Encryption inventory"

  success_metrics:
    - "100% systems using TLS 1.2+"
    - "All sensitive data encrypted at rest"
    - "Key rotation performed quarterly"

Key Control Areas

A.5 Organizational Controls

A.5.1_Policies_for_Information_Security:
  requirement: "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated and acknowledged"

  implementation:
    policies_required:
      - "Information Security Policy (overarching)"
      - "Acceptable Use Policy"
      - "Access Control Policy"
      - "Data Classification Policy"
      - "Incident Response Policy"
      - "Business Continuity Policy"
      - "Cryptography Policy"

    policy_structure:
      - "Purpose and scope"
      - "Roles and responsibilities"
      - "Policy statements"
      - "Compliance requirements"
      - "Review and update procedures"

    review_cycle: "Annual minimum, or upon significant changes"

  evidence:
    - "Approved policy documents"
    - "Communication records"
    - "Acknowledgment signatures/records"
    - "Review meeting minutes"

A.5.15_Access_Control:
  requirement: "Rules to control physical and logical access to information and other associated assets shall be established and implemented"

  implementation:
    principles:
      - "Need-to-know basis"
      - "Least privilege"
      - "Segregation of duties"
      - "Role-based access control"

    processes:
      access_request:
        - "Formal request submission"
        - "Manager approval"
        - "Security review for sensitive access"
        - "Provisioning within SLA"

      access_review:
        frequency: "Quarterly for privileged, annual for standard"
        scope: "All access rights"
        output: "Remediation of inappropriate access"

      access_revocation:
        triggers:
          - "Employment termination"
          - "Role change"
          - "Extended leave"
        sla: "Same day for terminations"

  evidence:
    - "Access control policy"
    - "Access request forms/tickets"
    - "Approval records"
    - "Access review reports"
    - "Revocation procedures"

A.8 Technological Controls

A.8.9_Configuration_Management:
  requirement: "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed"

  implementation:
    baseline_configurations:
      servers:
        - "Hardened OS images"
        - "Disabled unnecessary services"
        - "Security patches current"
        - "Logging enabled"

      network_devices:
        - "Encrypted management protocols"
        - "Access lists configured"
        - "Logging to SIEM"
        - "Firmware current"

      endpoints:
        - "Endpoint protection installed"
        - "Disk encryption enabled"
        - "Auto-updates enabled"
        - "Local firewall active"

    change_management:
      - "Configuration change requests"
      - "Security impact assessment"
      - "Testing before deployment"
      - "Rollback procedures"

    monitoring:
      - "Configuration drift detection"
      - "Automated compliance scanning"
      - "Alert on unauthorized changes"

    tools:
      - "Ansible/Terraform for IaC"
      - "CIS Benchmarks"
      - "Qualys/Nessus for scanning"
      - "SIEM for change detection"

A.8.24_Use_of_Cryptography:
  requirement: "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented"

  implementation:
    encryption_standards:
      data_at_rest:
        algorithm: "AES-256"
        scope: "All sensitive data"
        key_storage: "HSM or secure vault"

      data_in_transit:
        protocol: "TLS 1.3 (minimum 1.2)"
        cipher_suites: "ECDHE with AES-GCM"
        certificate_management: "Automated renewal"

      hashing:
        passwords: "bcrypt/Argon2"
        integrity: "SHA-256 or higher"
        prohibited: "MD5, SHA-1"

    key_management:
      generation: "Cryptographically secure RNG"
      storage: "HSM for production keys"
      rotation:
        symmetric: "Annual or per policy"
        asymmetric: "Per certificate validity"
      destruction: "Secure deletion with audit trail"

    prohibited_algorithms:
      - "DES, 3DES"
      - "RC4"
      - "MD5 for security purposes"
      - "SHA-1 for signatures"
      - "TLS 1.0, 1.1"
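The encryption standards and prohibited algorithms listed for A.8.24 can be turned into an automated check that produces the "TLS configuration audit report" and "Encryption inventory" evidence the assessment template asks for. The following Python is an added example, not code from the skill or its repository: the SystemRecord schema, the two inventory rows and the function names are constructed for illustration; only the thresholds (TLS 1.2 minimum, ECDHE with AES-GCM, AES-256 at rest, bcrypt/Argon2, prohibited DES/3DES/RC4/MD5/SHA-1) come from the control text.

```python
"""Audit a constructed encryption inventory against the A.8.24 standards.

Added example, not part of the skill: the inventory schema, the sample rows
and the helper names are assumptions; the thresholds are taken from the control.
"""
from dataclasses import dataclass, field
from typing import Optional

MIN_TLS = (1, 2)                                  # protocol: "TLS 1.3 (minimum 1.2)"
PROHIBITED_CIPHERS = {"DES", "3DES", "RC4"}       # prohibited_algorithms
REQUIRED_KEY_EXCHANGE = "ECDHE"                   # cipher_suites: "ECDHE with AES-GCM"
REQUIRED_BULK_CIPHER = "AES-GCM"
ACCEPTED_PASSWORD_HASHES = {"bcrypt", "argon2"}   # hashing.passwords
PROHIBITED_HASHES = {"MD5", "SHA-1"}              # hashing.prohibited
APPROVED_AT_REST = {"AES-256"}                    # data_at_rest.algorithm
APPROVED_KEY_STORAGE = {"HSM", "vault"}           # key_storage: "HSM or secure vault"


@dataclass
class SystemRecord:
    """One row of the encryption inventory (constructed schema)."""
    name: str
    tls_versions: list                 # versions the listener accepts, e.g. ["1.2", "1.3"]
    cipher_algorithms: set = field(default_factory=set)  # algorithms offered in cipher suites
    at_rest_algorithm: Optional[str] = None
    key_storage: Optional[str] = None
    password_hash: Optional[str] = None
    integrity_hash: Optional[str] = None


def _parse_version(v: str) -> tuple:
    major, minor = v.split(".")
    return int(major), int(minor)


def audit_system(rec: SystemRecord) -> list:
    """Return the gaps for one system; an empty list means it meets the standard."""
    gaps = []
    for v in rec.tls_versions:
        if _parse_version(v) < MIN_TLS:
            gaps.append(f"TLS {v} enabled (policy minimum is TLS 1.2)")
    bad = rec.cipher_algorithms & PROHIBITED_CIPHERS
    if bad:
        gaps.append("prohibited cipher(s): " + ", ".join(sorted(bad)))
    if REQUIRED_KEY_EXCHANGE not in rec.cipher_algorithms:
        gaps.append("no ECDHE key exchange (forward secrecy required)")
    if REQUIRED_BULK_CIPHER not in rec.cipher_algorithms:
        gaps.append("AES-GCM not offered")
    if rec.at_rest_algorithm is None:
        gaps.append("no encryption at rest")
    elif rec.at_rest_algorithm not in APPROVED_AT_REST:
        gaps.append(f"at-rest algorithm {rec.at_rest_algorithm} not approved")
    if rec.at_rest_algorithm and rec.key_storage not in APPROVED_KEY_STORAGE:
        gaps.append("keys not held in HSM or secure vault")
    if rec.password_hash and rec.password_hash.lower() not in ACCEPTED_PASSWORD_HASHES:
        gaps.append(f"password hashing with {rec.password_hash}")
    if rec.integrity_hash and rec.integrity_hash.upper() in PROHIBITED_HASHES:
        gaps.append(f"integrity hash {rec.integrity_hash} is prohibited")
    return gaps


def audit_inventory(records) -> dict:
    """Gaps per system plus the success metric '100% systems using TLS 1.2+'."""
    systems = {r.name: audit_system(r) for r in records}
    tls_ok = sum(1 for r in records
                 if all(_parse_version(v) >= MIN_TLS for v in r.tls_versions))
    return {"systems": systems, "tls12_plus_pct": round(100 * tls_ok / len(records), 1)}


# Constructed inventory mirroring the gaps in the control assessment template
INVENTORY = [
    SystemRecord("web-frontend", ["1.2", "1.3"], {"ECDHE", "AES-GCM"},
                 "AES-256", "vault", "argon2", "SHA-256"),
    SystemRecord("legacy-erp", ["1.0", "1.2"], {"RSA", "3DES", "AES-CBC"},
                 None, None, "MD5", "SHA-1"),
]

if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, gaps in report["systems"].items():
        print(name, "OK" if not gaps else gaps)
    print("systems on TLS 1.2+:", report["tls12_plus_pct"], "%")
```

The output maps directly onto the template: each non-empty gap list is a line in the "gaps" section of the control assessment, and the percentage is the first success metric.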

A.8.16_Monitoring_Activities:
  requirement: "Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken"

  implementation:
    log_sources:
      - "Authentication systems"
      - "Firewalls and network devices"
      - "Servers and endpoints"
      - "Applications and databases"
      - "Cloud services"

    monitoring_capabilities:
      real_time:
        - "Failed authentication attempts"
        - "Privileged account usage"
        - "Malware detection"
        - "Network anomalies"

      periodic:
        - "Access reviews"
        - "Vulnerability scans"
        - "Configuration compliance"
        - "Log analysis"

    alerting:
      critical:
        response_time: "15 minutes"
        examples:
          - "Multiple failed authentications"
          - "Privileged escalation"
          - "Malware detection"
          - "Data exfiltration indicators"

      high:
        response_time: "1 hour"
        examples:
          - "Unusual access patterns"
          - "Policy violations"
          - "Configuration changes"

    retention:
      security_logs: "12 months minimum"
      audit_logs: "7 years for compliance"
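To show how the alerting tiers above become detection logic, here is an added Python example that is not part of the skill: it triages a few constructed log lines into the critical and high tiers and stamps each alert with the response deadline the tier implies. The log format, the event names, the rule of five failed authentications within ten minutes and the sample lines are assumptions; the tier names, example events and response times come from the control text.

```python
"""Triage constructed log lines into the A.8.16 alert tiers.

Added example, not part of the skill: the log format, event names, the
5-failures-in-10-minutes rule and the sample lines are assumptions; tier
names, example events and response times come from the control.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RESPONSE_TIME = {"critical": timedelta(minutes=15),   # alerting.critical.response_time
                 "high": timedelta(hours=1)}           # alerting.high.response_time
FAILURE_THRESHOLD = 5                   # assumption: 5 failed logins ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within 10 minutes = "Multiple failed authentications"

# Constructed log lines: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOGS = """\
2024-01-15T09:00:01 AUTH_FAIL user=alice src=10.0.0.5
2024-01-15T09:00:20 AUTH_FAIL user=alice src=10.0.0.5
2024-01-15T09:01:02 AUTH_FAIL user=alice src=10.0.0.5
2024-01-15T09:01:45 AUTH_FAIL user=alice src=10.0.0.5
2024-01-15T09:02:10 AUTH_FAIL user=alice src=10.0.0.5
2024-01-15T09:03:00 AUTH_FAIL user=carol src=10.0.0.6
2024-01-15T09:04:30 MALWARE_DETECTED host=ws-17 src=10.0.0.7
2024-01-15T09:05:00 AUTH_OK user=bob src=10.0.0.9
2024-01-15T09:06:00 CONFIG_CHANGE user=bob src=10.0.0.9 item=sshd_config
""".splitlines()


def parse_line(line):
    """Split one line into (timestamp, event, fields dict)."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def _alert(ts, tier, description):
    """Build an alert record carrying the deadline implied by its tier."""
    return {"time": ts, "tier": tier, "description": description,
            "respond_by": ts + RESPONSE_TIME[tier]}


def triage(lines):
    """Return alert records, in log order, for events that map to a tier."""
    alerts = []
    failures = defaultdict(deque)   # (user, src) -> failure timestamps inside the window
    for line in lines:
        ts, event, f = parse_line(line)
        if event == "AUTH_FAIL":
            key = (f.get("user"), f.get("src"))
            window = failures[key]
            window.append(ts)
            while ts - window[0] > FAILURE_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) == FAILURE_THRESHOLD:      # fire when the count reaches the threshold
                alerts.append(_alert(ts, "critical",
                                     f"Multiple failed authentications: {key[0]} from {key[1]}"))
        elif event == "MALWARE_DETECTED":
            alerts.append(_alert(ts, "critical", f"Malware detection on {f.get('host')}"))
        elif event == "CONFIG_CHANGE":
            alerts.append(_alert(ts, "high",
                                 f"Configuration change to {f.get('item')} by {f.get('user')}"))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(a["time"].isoformat(), a["tier"].upper(), a["description"],
              "respond by", a["respond_by"].time())
```

The sliding window is keyed on user and source so that a single user mistyping a password and a spray across many accounts are counted separately; the respond_by field is what an auditor would compare against ticket timestamps when testing the "15 minutes" and "1 hour" commitments.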

Statement of Applicability (SoA)

soa_template:
  document_control:
    version: "1.0"
    date: "2024-01-15"
    owner: "Information Security Manager"
    approved_by: "CISO"
    next_review: "2025-01-15"

  controls:
    A.5.1:
      control_name: "Policies for information security"
      applicable: true
      justification: "Required for ISMS governance"
      implementation_status: "Implemented"
      implementation_description: "Suite of 12 security policies approved and communicated"
      evidence_reference: "POL-001 to POL-012"

    A.5.2:
      control_name: "Information security roles and responsibilities"
      applicable: true
      justification: "Required for clear accountability"
      implementation_status: "Implemented"
      implementation_description: "RACI matrix and job descriptions updated"
      evidence_reference: "ORG-RACI-001"

    A.7.4:
      control_name: "Physical security monitoring"
      applicable: false
      justification: "Fully cloud-based organization, no physical premises to protect"
      residual_risk_acceptance: "Accepted by CISO on 2024-01-10"

  summary:
    total_controls: 93
    applicable: 87
    not_applicable: 6
    implemented: 72
    partially_implemented: 12
    planned: 3
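An SoA of this shape is easy to get subtly wrong: a control marked not applicable without a recorded risk acceptance, an applicable control with no evidence reference, or a summary whose counts no longer match the entries. The following Python is an added example, not code from the skill: it holds the three controls shown above as a dict (so no YAML library is needed), derives the summary block from the entries, and checks a supplied summary against them and against the 93 Annex A controls from the overview table. The function names and the implementation_status vocabulary are assumptions.

```python
"""Consistency checks for a Statement of Applicability in the soa_template shape.

Added example, not part of the skill: SOA_CONTROLS repeats the three entries
shown in the template, the helper names and the status vocabulary are
assumptions, and the category sizes come from the Annex A overview table.
"""
import re

ANNEX_A_SIZES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}  # from the overview table
TOTAL_CONTROLS = sum(ANNEX_A_SIZES.values())                  # 93 controls in ISO 27001:2022
STATUS_TO_COUNTER = {"Implemented": "implemented",            # assumed status vocabulary,
                     "Partially Implemented": "partially_implemented",  # mapped to summary keys
                     "Planned": "planned"}
CONTROL_ID = re.compile(r"^A\.([5-8])\.(\d{1,2})$")

SOA_CONTROLS = {
    "A.5.1": {
        "control_name": "Policies for information security",
        "applicable": True,
        "justification": "Required for ISMS governance",
        "implementation_status": "Implemented",
        "implementation_description": "Suite of 12 security policies approved and communicated",
        "evidence_reference": "POL-001 to POL-012",
    },
    "A.5.2": {
        "control_name": "Information security roles and responsibilities",
        "applicable": True,
        "justification": "Required for clear accountability",
        "implementation_status": "Implemented",
        "implementation_description": "RACI matrix and job descriptions updated",
        "evidence_reference": "ORG-RACI-001",
    },
    "A.7.4": {
        "control_name": "Physical security monitoring",
        "applicable": False,
        "justification": "Fully cloud-based organization, no physical premises to protect",
        "residual_risk_acceptance": "Accepted by CISO on 2024-01-10",
    },
}


def summarize(controls):
    """Derive the summary block from the control entries."""
    summary = {"total_controls": len(controls), "applicable": 0, "not_applicable": 0,
               "implemented": 0, "partially_implemented": 0, "planned": 0}
    for entry in controls.values():
        if entry.get("applicable"):
            summary["applicable"] += 1
            counter = STATUS_TO_COUNTER.get(entry.get("implementation_status"))
            if counter:
                summary[counter] += 1
        else:
            summary["not_applicable"] += 1
    return summary


def validate(controls, summary):
    """Return a list of findings; an empty list means the SoA is internally consistent."""
    findings = []
    for cid, entry in controls.items():
        match = CONTROL_ID.match(cid)
        if not match:
            findings.append(f"{cid}: not an Annex A control identifier")
            continue
        category = f"A.{match.group(1)}"
        if int(match.group(2)) > ANNEX_A_SIZES[category]:
            findings.append(f"{cid}: {category} has only {ANNEX_A_SIZES[category]} controls")
        if not entry.get("justification"):
            findings.append(f"{cid}: missing justification")
        if entry.get("applicable"):
            if entry.get("implementation_status") not in STATUS_TO_COUNTER:
                findings.append(f"{cid}: implementation_status must be one of "
                                + ", ".join(STATUS_TO_COUNTER))
            if not entry.get("evidence_reference"):
                findings.append(f"{cid}: applicable control without evidence_reference")
        elif not entry.get("residual_risk_acceptance"):
            findings.append(f"{cid}: excluded control without residual_risk_acceptance")
    # The summary must be arithmetically sound and must agree with the entries
    if summary["applicable"] + summary["not_applicable"] != summary["total_controls"]:
        findings.append("summary: applicable + not_applicable != total_controls")
    statuses = summary["implemented"] + summary["partially_implemented"] + summary["planned"]
    if statuses != summary["applicable"]:
        findings.append("summary: implementation statuses do not add up to applicable")
    if summary != summarize(controls):
        findings.append("summary: counts do not match the control entries")
    if summary["total_controls"] != TOTAL_CONTROLS:
        findings.append(f"summary: {summary['total_controls']} controls listed, "
                        f"Annex A has {TOTAL_CONTROLS}")
    return findings


if __name__ == "__main__":
    for finding in validate(SOA_CONTROLS, summarize(SOA_CONTROLS)):
        print(finding)
```

Run against the three template entries, the only finding is that 3 controls are listed rather than 93, which is exactly the reminder an SoA template needs: every Annex A control must appear, either as applicable or as excluded with justification.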

Audit Preparation

Internal Audit Checklist

audit_checklist:
  documentation_review:
    - "ISMS scope and boundaries defined"
    - "Information security policy approved"
    - "Risk assessment methodology documented"
    - "Risk treatment plan current"
    - "Statement of Applicability complete"
    - "Policies and procedures accessible"

  control_testing:
    access_control:
      - "Review user access provisioning process"
      - "Sample access requests for approval evidence"
      - "Verify access review completion"
      - "Test termination access revocation"

    change_management:
      - "Review change management procedure"
      - "Sample changes for approval evidence"
      - "Verify testing before production"
      - "Check rollback capability"

    incident_management:
      - "Review incident response procedure"
      - "Sample incidents for handling evidence"
      - "Verify root cause analysis"
      - "Check lessons learned implementation"

  interviews:
    - "Management commitment to ISMS"
    - "Staff awareness of security policies"
    - "IT understanding of technical controls"
    - "HR knowledge of people controls"

audit_evidence_requirements:
  for_each_control:
    - "Policy/procedure documentation"
    - "Implementation evidence"
    - "Operating effectiveness evidence"
    - "Exception handling records"

Common Non-Conformities

common_findings:
  major_non_conformities:
    - finding: "No risk assessment performed"
      clause: "6.1.2"
      typical_cause: "Lack of methodology or resources"
      remediation: "Conduct formal risk assessment"

    - finding: "Missing Statement of Applicability"
      clause: "6.1.3 d)"
      typical_cause: "Incomplete documentation"
      remediation: "Create comprehensive SoA"

    - finding: "No management review conducted"
      clause: "9.3"
      typical_cause: "Lack of ISMS awareness"
      remediation: "Schedule and conduct management review"

  minor_non_conformities:
    - finding: "Access reviews not performed quarterly"
      control: "A.5.18"
      typical_cause: "Process not established"
      remediation: "Implement automated review process"

    - finding: "Incident response plan not tested"
      control: "A.5.24"
      typical_cause: "Resource constraints"
      remediation: "Schedule tabletop exercise"

  observations:
    - finding: "Security awareness training could be more frequent"
      control: "A.6.3"
      recommendation: "Increase from annual to quarterly"

    - finding: "Vulnerability scan results not trending"
      control: "A.8.8"
      recommendation: "Implement dashboard for metrics"

Continuous Improvement

pdca_cycle:
  plan:
    activities:
      - "Conduct risk assessment"
      - "Define security objectives"
      - "Create implementation plan"
      - "Allocate resources"
    outputs:
      - "Risk treatment plan"
      - "Security objectives"
      - "Implementation roadmap"

  do:
    activities:
      - "Implement controls"
      - "Conduct training"
      - "Deploy security tools"
      - "Document procedures"
    outputs:
      - "Implemented controls"
      - "Training records"
      - "Operational procedures"

  check:
    activities:
      - "Internal audits"
      - "Management reviews"
      - "Monitor KPIs"
      - "Incident analysis"
    outputs:
      - "Audit reports"
      - "Performance metrics"
      - "Improvement opportunities"

  act:
    activities:
      - "Corrective actions"
      - "Preventive actions"
      - "Process improvements"
      - "Control updates"
    outputs:
      - "Updated controls"
      - "Improved processes"
      - "Enhanced ISMS"

kpis:
  effectiveness:
    - "Number of security incidents"
    - "Mean time to detect/respond"
    - "Vulnerability remediation time"
    - "Audit findings closure rate"

  compliance:
    - "Policy acknowledgment rate"
    - "Training completion rate"
    - "Access review completion"
    - "Patch compliance percentage"

  maturity:
    - "Control implementation percentage"
    - "Process automation level"
    - "Risk treatment progress"

Best Practices

  • Risk-based approach: prioritize controls by risk level

  • Document everything: evidence is critical for the audit

  • Continuous monitoring: not only for certification

  • Management commitment: without management support the ISMS does not work

  • Regular reviews: annual minimum for all policies

  • Lessons learned: learn from incidents and audits

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
