ISO 27001 Controls List
In today’s cyber-conscious world, businesses of all sizes are under increasing pressure to safeguard information assets. The ISO 27001 controls list is a structured way for organisations to implement robust security controls aligned to a globally recognised standard. For companies aiming to demonstrate compliance and build customer trust, these controls are not just a checklist, but an operational necessity.
The ISO 27001 standard is built around an Information Security Management System (ISMS) framework. Within that framework is a set of Annex A controls designed to tackle everything from asset management and human resources security to incident response and supplier relationships. This document explores these controls and what they mean in practice for organisations across the UK.
Understanding the structure of ISO 27001 controls
The ISO 27001:2022 version categorises 93 controls into four distinct themes:
- Organisational controls
- People controls
- Physical controls
- Technological controls
These groupings allow businesses to focus on different operational domains while maintaining consistent protection standards. Each control can be adapted to the context of the organisation, whether it’s a small business managing local risks or a large enterprise handling international data flows.
Key organisational controls explained
Organisational controls refer to the policies, procedures, and processes that define how security is managed throughout the business.
- Information Security Policies: Establishing formal, approved, and regularly reviewed information security policies.
- Roles and Responsibilities: Defining clear lines of accountability for information security.
- Risk Management: Creating and maintaining a structured process to assess and treat risks.
- Business Continuity Planning: Ensuring plans are in place to recover from incidents with minimal disruption.
- Compliance with Legal and Contractual Requirements: Staying aligned with GDPR, regulatory, and customer expectations.
This category also ties directly into several elements of “What are the key requirements for achieving Cyber Essentials certification?”. Specifically, it echoes the need for documented policies and risk management routines.
People controls and employee awareness
People are often the weakest link in cyber security. These controls aim to reduce risk via training, awareness, and secure HR practices.
- Background Screening: Conducting appropriate checks during recruitment.
- Terms of Employment: Including security expectations in employment contracts.
- Security Training: Ongoing programmes that support secure behaviour at work.
- Disciplinary Process: Addressing any breaches of security policy.
Controls like these strongly support initiatives aligned with “How can I prepare my small business for Cyber Essentials assessment?”, particularly in educating staff on threats like phishing and social engineering.
Physical security measures
Physical security often gets overlooked in cyber compliance conversations but plays a critical role.
- Secure Areas: Limiting access to areas where sensitive data or infrastructure resides.
- Entry Controls: Logging and restricting physical access.
- Equipment Security: Preventing unauthorised removal or misuse of assets.
- Secure Disposal: Ensuring storage media is wiped or destroyed.
While these may seem rudimentary, they underpin broader cyber hygiene practices and support control requirements that contribute to both ISO and Cyber Essentials readiness.
Technological controls at the core
The largest group of ISO 27001 controls falls under this theme. They focus on safeguarding digital infrastructure and include:
- Access Control: Ensuring only authorised users gain access to information.
- Cryptography: Applying encryption to protect data at rest and in transit.
- Malware Protection: Preventing, detecting, and responding to malicious code.
- Logging and Monitoring: Collecting logs and monitoring them for anomalies.
- System Configuration: Ensuring secure default settings are maintained.
These areas naturally correlate with “What software solutions support compliance with Cyber Essentials standards?”. Businesses can utilise endpoint protection tools, firewalls, SIEM systems, and patch management tools to cover these bases.
Risk assessments and treatment plans
Risk assessment is a core ISO 27001 requirement. Controls require businesses to:
- Identify assets and associated risks
- Evaluate impact and likelihood
- Define risk appetite
- Select appropriate controls
- Maintain a treatment plan
These activities mirror preparatory steps for Cyber Essentials too, especially in supporting businesses answering “How can I prepare my small business for Cyber Essentials assessment?”.
Supplier security and third-party risk
The ISO 27001 framework includes controls for supplier relationships, echoing wider regulatory expectations for supply chain security.
- Supplier Agreements: Mandating security obligations in contracts.
- Monitoring Supplier Performance: Regularly reviewing security posture.
- Third-Party Access: Controlling and recording access given to suppliers.
This is an area of increasing scrutiny across the UK and is often raised during audits, including those aligned to Cyber Essentials and IASME Cyber Assurance.
Control customisation and the Statement of Applicability (SoA)
No organisation implements every ISO 27001 control identically. Instead, the SoA outlines:
- Which controls are applicable
- Why each control is included or excluded
- How each is implemented
This makes ISO 27001 extremely flexible, supporting businesses of every scale, and aligns with small-business considerations such as “Which UK-based firms offer Cyber Essentials consultancy services?”.
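The risk assessment steps listed above (identify assets and risks, evaluate impact and likelihood, define risk appetite, select controls, maintain a treatment plan) and the Statement of Applicability described in this section are two halves of the same record. The following is an added worked example, not code from the original post or from UK Cyber Security Group Ltd: a small risk register that scores each risk, compares it with a stated appetite, decides a treatment, and then derives SoA entries (applicable or not, and why) from the controls selected. The control identifiers, names, scores and appetite threshold are all constructed for illustration and are not Annex A numbering.

```python
"""Added example (not from the original post): a minimal risk register and
Statement of Applicability (SoA) generator following the ISO 27001 steps the
post lists. Control ids, scores and the appetite threshold are constructed."""
from dataclasses import dataclass, field

# Small catalogue keyed by constructed ids, grouped into the four Annex A
# themes the post names. These are placeholders, not real Annex A numbers.
CATALOGUE = {
    "ORG-POLICY": ("Organisational", "Information security policies"),
    "PEOPLE-TRAINING": ("People", "Security awareness training"),
    "PHYS-DISPOSAL": ("Physical", "Secure disposal of media"),
    "TECH-ACCESS": ("Technological", "Access control"),
    "TECH-CRYPTO": ("Technological", "Cryptography"),
    "TECH-LOGGING": ("Technological", "Logging and monitoring"),
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # catalogue ids chosen to treat it

    @property
    def score(self) -> int:
        # Simple likelihood x impact matrix; replace with your own scale if needed
        return self.likelihood * self.impact


def plan_treatment(risk: Risk, appetite: int) -> str:
    """Accept if within appetite; mitigate if controls were selected;
    otherwise escalate so management can decide to transfer or avoid."""
    if risk.score <= appetite:
        return "accept"
    if risk.controls:
        return "mitigate"
    return "escalate"


def build_treatment_plan(risks, appetite):
    """Treatment plan rows: (asset, threat, score, treatment)."""
    return [(r.asset, r.threat, r.score, plan_treatment(r, appetite)) for r in risks]


def build_soa(risks, appetite, catalogue=CATALOGUE):
    """SoA: every catalogue control, whether it applies, and the justification.
    A control is applicable when at least one risk above appetite relies on it."""
    justifications = {}
    for r in risks:
        if plan_treatment(r, appetite) == "mitigate":
            for cid in r.controls:
                justifications.setdefault(cid, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for cid, (theme, name) in catalogue.items():
        applicable = cid in justifications
        soa[cid] = {
            "theme": theme,
            "control": name,
            "applicable": applicable,
            "justification": "; ".join(justifications[cid]) if applicable
            else "no risk above appetite requires this control",
        }
    return soa


# Constructed sample register
RISKS = [
    Risk("customer database", "credential theft leading to unauthorised access", 4, 5,
         ["TECH-ACCESS", "TECH-LOGGING"]),
    Risk("laptops", "loss of device holding unencrypted data", 3, 4, ["TECH-CRYPTO"]),
    Risk("staff", "phishing e-mail leading to malware", 4, 3, ["PEOPLE-TRAINING"]),
    Risk("office printer", "paper jam delaying invoicing", 2, 1),
    Risk("legacy file server", "unsupported OS with no control yet chosen", 3, 4),
]
APPETITE = 6  # constructed: scores of 6 or below are accepted without treatment

if __name__ == "__main__":
    for row in build_treatment_plan(RISKS, APPETITE):
        print(row)
    for cid, entry in build_soa(RISKS, APPETITE).items():
        print(cid, entry)
```

The "escalate" outcome is the point worth noticing: a risk above appetite with no control selected must not silently vanish from the plan, and an auditor will look for exactly that gap between the register and the SoA.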
Certification audits and continual improvement
To achieve certification, organisations must:
- Implement applicable controls
- Prove their effectiveness
- Complete internal audits
- Conduct management reviews
- Address nonconformities
This process shares similarities with the steps outlined in “Can I renew my Cyber Essentials certification through an online service?”, especially in terms of preparing documents and evidence.
How Cyber Essentials and ISO 27001 work together
Although Cyber Essentials and ISO 27001 are separate certifications, they complement each other. Cyber Essentials focuses on five core technical controls:
- Firewalls
- Secure configuration
- Access control
- Malware protection
- Patch management
These overlap with many ISO 27001 technological controls and are often the starting point for businesses aiming for broader certification. Organisations can seek support from providers listed under “Which companies provide Cyber Essentials certification services in the UK?” to help them step into more comprehensive schemes.
Summary for SMEs considering implementation
For small businesses wondering how to balance control implementation with available resources:
- Start with a gap analysis
- Adopt the most critical controls first
- Use templates and automation tools
- Engage external consultants
- Build awareness internally
If you’re asking “Which UK-based firms offer Cyber Essentials consultancy services?”, many also assist with ISO 27001 documentation, control design, and audit prep.
By leveraging both the Cyber Essentials scheme and the full ISO 27001 controls list, organisations can protect their data, reassure clients, and meet evolving regulatory demands.
UK Cyber Security Group Ltd is here to help
For more information, please do get in touch.
If you would like to know more, do get in touch as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks.