Control sets
You will need to make a decision on what set of controls is most appropriate to use within your organisation. From this set of controls, you will select those controls necessary to control risks, and meet internal and external requirements. Sets of controls include:
- ISO/IEC 27001:2013 Annex A
- CIS Critical Security Controls
There may be control sets specific for your country. The UK specifies five controls for basic cyber hygiene in the Cyber Essentials standard, and controls/objectives for operators of essential services under the NIS Directive are published by NCSC.
Domains and activities may also have their own control sets: scientific collaboration environments have https://www.eugridpma.org/sci/, telecommunications sector ISO/IEC 27011, and cloud computing ISO/IEC 27017
ISO/IEC 27001:2013 allows you to select controls from any source, but you must justify the exclusion of any controls from Annex A which you have chosen not to implement, to ensure that no necessary controls are overlooked.
Most organisations will chose Annex A as their normal set of controls, with additional controls chosen for particular business requirements.
Prioritisation/Triage
When first starting out, or setting up an ISMS, the number of controls you need to implement may be overwhelming. It might be advisable to focus on the controls necessary to address the most important risks, or provide the greatest reduction in risk, and then come back to other controls at a later stage. It is not necessary to get things complete or perfect at the outset - this is what continual improvement is for.
Presentation / A framework for linking controls to risk
ISO/IEC 27001:2013 Annex A can be overwhelming both ourselves as information security practitioners but also to our colleagues. It can appear to be a very technical and bureaucratic listing of things that must be done with no relationship with the organisation's objectives, activities, and risks. You should think about how you present controls within your organisation. It could be a idea to group your selected controls by
- Activities: running a data centre, operating a network, administering a server
- Risks: fire, theft, hacking, malware
- Business units: financial, human resources, operations
It is helpful to get input from a wide variety of sources at all levels within your organisation who can present different perspectives and expertise on the choice and implementation of controls. It can be too easy just to focus on the inputs of more technical colleagues.
Effectiveness
Your selection of controls must be practical for your organisation and staff to implement and understand, otherwise they will not be effective. You should think about how you will monitor and measure the controls as set out in section 9 of the standard.
Training/Awareness
It is sensible to provide training to those responsible for implementing, managing, or monitoring controls. This training should cover the reasons why the controls are implemented, how they are intended to reduce risk, and the different ways in which the control can be implemented. It is also a useful means to get feedback on the suitability of controls. Also consider making this training available to your internal auditors.
Selection
All controls must be selected for a reason. The core reason in ISO 27001 is to address a specific risk. The control must do something to reduce this risk.
Controls may also be selected because a customer has asked you to implement it, or because a law or regulation requires it. You should try to understand these external factors in Section 4 of the standard. Selected controls should be implemented in a lawful manner.
This section should have a reference to ISO 27001 chapter 6: planning.
There is a strong relation with the ISO 27001 Statement of Applicability, and the risk based selection of controls. You can use ISO 27002 and its chapters for grouping controls or you can use other groupings that are better suited to your business processes.