14 Domains of ISO 27001
ISO/IEC 27001:2013 requires an organization to implement the applicable controls from Annex A, which groups them into 14 domains.
There are 114 controls under the 14 domains. Not every control is mandatory: the Statement of Applicability records which ones apply and justifies any that are excluded. (The 2022 revision of the standard restructures Annex A into 4 themes with 93 controls, but the 2013 domains below are still the basis of many existing ISMS implementations.)
- Information security policies – controls on how the policies are written and reviewed
- Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
- Human resources security – controls prior to employment, during, and after the employment
- Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
- Access control – controls for the access control policy, user access management (provisioning, privilege management, review and removal of access rights), user responsibilities, and system and application access control
- Cryptography – controls related to encryption and key management
- Physical and environmental security – controls defining secure areas, entry controls, protection against external and environmental threats, equipment security, secure disposal or reuse of equipment, the clear desk and clear screen policy, etc.
- Operations security – the largest group of controls, covering day-to-day management of IT operations: change management, capacity management, malware protection, backup, logging and monitoring, control of software installation, technical vulnerability management, etc.
- Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
- System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
- Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
- Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
- Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
- Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security