UnixTime

Research Note

ISO 27002 Annex A Control Interpretation Map

This map separates the ISO/IEC 27002 interpretation layer from the ISO/IEC 27001 requirement layer.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This map separates the ISO/IEC 27002 interpretation layer from the ISO/IEC 27001 requirement layer.

Use this note when you need to answer:

  • what the control means in practice;
  • what implementation guidance should be considered;
  • what evidence proves operation;
  • what risk logic explains why the control exists.

Current A.5 interpretation map

Control ISO 27001 question ISO 27002 interpretation focus ISO 27005 risk logic Evidence anchor
A.5.1 Policies for Information Security Are policies defined and maintained? Policy structure, communication, review Governance reduces inconsistent behavior Policy Register
A.5.2 Information Security Roles and Responsibilities Are responsibilities assigned? Role clarity and accountability Risk/control ownership Control Owner Register
A.5.3 Segregation of Duties Are conflicting duties separated? Preventing unchecked authority Fraud/error/abuse likelihood reduction Segregation of Duties Matrix
A.5.4 Management Responsibilities Do managers require security behavior? Management enforcement Human and culture risk treatment Management Security Responsibilities Checklist
A.5.5 Contact with Authorities Are authority contacts maintained? Liaison and escalation Legal/incident/continuity response Authority Contact Register
A.5.6 Contact with Special Interest Groups Are specialist groups used? External knowledge flow Better risk awareness Special Interest Group Participation Register
A.5.7 Threat Intelligence Is threat intelligence collected and used? Contextualized intelligence and action Risk identification and review Threat Intelligence Register
A.5.8 Information Security in Project Management Is security built into projects? Project governance and lifecycle Project/change risk treatment Project Security Requirements Register
A.5.9 Inventory of Information and Other Associated Assets Are assets known and owned? Inventory, ownership, classification Asset-based risk identification Information and Associated Asset Inventory
A.5.10 Acceptable Use of Information and Other Associated Assets Are use rules defined? Handling and acceptable behavior Misuse/mishandling reduction Acceptable Use and Information Handling Rules
A.5.11 Return of Assets Are assets returned or removed? Leaver/mover/contractor return Loss and lingering access risk Asset Return Checklist
A.5.12 Classification of Information Is information classified? Protection need and handling levels Impact analysis and proportional treatment Information Classification and Handling Matrix
A.5.13 Labelling of Information Are labels applied? Making classification actionable Handling error reduction Information Classification and Handling Matrix
A.5.14 Information Transfer Are transfers controlled? Rules, channels, agreements Leakage/interception/misdirection risk Information Transfer Rules Matrix
A.5.15 Access Control Are access rules defined? Business need and least privilege Unauthorized access reduction Access Control Matrix
A.5.16 Identity Management Are identities managed? Identity lifecycle and uniqueness Orphan/unaccountable identity risk Identity Lifecycle Register
A.5.17 Authentication Information Are secrets protected? Credential handling and reset Credential compromise risk Authentication Information Handling Standard
A.5.18 Access Rights Are rights provisioned/reviewed/removed? Actual access vs authorized need Excessive/stale access risk Access Rights Request and Review Register
A.5.19 Information Security in Supplier Relationships Are supplier risks managed? Supplier process and tiering Third-party exposure risk Supplier Security Register
A.5.20 Addressing Information Security Within Supplier Agreements Are security terms agreed? Contractual requirements Contractual control gap risk Supplier Security Agreement Requirements Checklist
A.5.21 Managing Information Security in the ICT Supply Chain Is ICT supply-chain risk managed? Inherited supplier dependency Supply-chain risk ICT Supply Chain Risk Register
A.5.22 Monitoring, Review and Change Management of Supplier Services Are suppliers monitored after go-live? Review, change, incidents, nonconformity Supplier drift and reassessment Supplier Service Review and Change Log
A.5.23 Information Security for Use of Cloud Services Are cloud services acquired, used, managed, and exited securely? Cloud-specific supplier, shared responsibility, data location, and exit guidance Cloud dependency, configuration, jurisdiction, and exit risk Cloud Service Register
A.5.24 Information Security Incident Management Planning and Preparation Is incident management planned and communicated before incidents occur? Incident process, roles, reporting, recovery, and lessons learned Incident impact reduction, risk monitoring, and corrective action Incident Management Plan
A.5.25 Assessment and Decision on Information Security Events Are events assessed and classified consistently? Event triage criteria, categories, decision records, escalation timing Event-to-incident decision quality and timely escalation Event Triage and Incident Classification Register
A.5.26 Response to Information Security Incidents Are incidents handled according to documented procedures? Response playbooks, action logs, roles, management decisions, closure Incident impact reduction and response accountability Incident Response Record
A.5.27 Learning from Information Security Incidents Are incident lessons used to improve controls? Post-incident review, corrective action, training/control updates Control improvement and recurrence reduction Incident Lessons Learned Register
A.5.28 Collection of Evidence Is evidence collected and preserved properly? Evidence procedure, custody logs, restricted storage, forensic copies Investigation quality and legal defensibility Evidence Collection and Chain of Custody Log
A.5.29 Information Security During Disruption Does security remain appropriate during disruption? Security continuity objectives, BIA security requirements, crisis roles, supplier security Security continuity and crisis control preservation Information Security Continuity Requirements
A.5.30 ICT Readiness for Business Continuity Can ICT recover according to continuity objectives? ICT continuity requirements, RTO/RPO, playbooks, tests, supplier continuity Availability and recovery risk treatment ICT Continuity Requirements and Test Record
A.5.31 Legal, Statutory, Regulatory and Contractual Requirements Are applicable obligations known, owned, current, and mapped to controls? Requirements register, control mapping, legal advice, crypto assessment, change traceability Compliance risk treatment and obligation traceability Legal and Contractual Requirements Register
A.5.32 Intellectual Property Rights Are IP rights and licence restrictions protected in practice? IP procedures, software inventory, licence checks, source-code/library/AI review Legal and contractual risk from unauthorized use or copying Intellectual Property Rights Register
A.5.33 Protection of Records Are required records protected through retention? Records inventory, retention schedule, access control, archive/readability checks, disposal evidence Integrity, availability, confidentiality, and retention compliance Records Retention and Protection Register
A.5.34 Privacy and Protection of PII Are privacy and PII requirements identified and met? PII inventory, requirements matrix, access review, training, breach readiness Privacy compliance and personal-data protection risk PII Inventory and Privacy Requirements Matrix
A.5.35 Independent Review of Information Security Is security management and implementation independently reviewed? Review schedule, independence basis, report, findings, corrective action, management reporting Assurance and improvement risk treatment Independent Information Security Review Plan and Report
A.5.36 Compliance with Policies, Rules and Standards for Information Security Is compliance with policies and standards regularly reviewed? Manager reviews, technical checks, authorized tools, findings, retest evidence Policy drift and technical nonconformity risk treatment Policy and Technical Compliance Review Register
A.5.37 Documented Operating Procedures Are operating procedures documented, controlled, and available? Procedure register, version control, approvals, operator awareness, supplier procedures Operational consistency and error reduction Operating Procedure Register

Current A.6 interpretation map

Control ISO 27001 question ISO 27002 interpretation focus ISO 27005 risk logic Evidence anchor
A.6.1 Screening Are background verification checks performed before joining and ongoing where justified? Identity, CV, qualification, reference, gap, proportionality, legal limits, retention, and data protection Personnel trust, insider misuse, fraud, unauthorized disclosure, and excessive PII collection risk Personnel Screening Register
A.6.2 Terms and Conditions of Employment Do employment and contractual agreements state information security responsibilities? Security and legal responsibilities, confidentiality, remote/customer-site work, post-employment duties, personnel data handling, and updates when roles change Responsibility ambiguity, contractual noncompliance, confidentiality breach, and weak enforceability risk Security Terms and Conditions Checklist
A.6.3 Information Security Awareness Education and Training Do personnel and relevant interested parties receive appropriate awareness, education, training, and updates? Baseline awareness, specialist training, role fit, timing before access, content currency, records, and effectiveness metrics Human error, social engineering, competence, policy nonconformity, and control-operation risk Security Awareness and Training Plan
A.6.4 Disciplinary Process Is there a formal and communicated process for information security policy violations? Disciplinary criteria, evidence threshold, fair treatment, proportionality, communication, and closure Policy non-compliance, deterrence, insider behavior, and security culture risk Policy Violation and Disciplinary Action Register
A.6.5 Responsibilities After Termination or Change of Employment Are continuing duties and access/asset changes after termination or role change defined and enforced? Leaver/mover notification, access removal, asset return, urgent cases, continuing confidentiality/legal duties Stale access, excessive privilege, asset loss, confidentiality breach, and SoD risk Leaver and Role Change Security Checklist
A.6.6 Confidentiality or Non-Disclosure Agreements Are confidentiality/NDA requirements identified, documented, reviewed, and signed? Requirement analysis, agreement type, signing before access, legal enforceability, register, and review cycle Unauthorized disclosure, weak legal protection, contractual confidentiality, and third-party risk Confidentiality Agreement Register
A.6.7 Remote Working Are security measures implemented when personnel work remotely? Authorization, remote location, secure connection, endpoint, physical controls, data limits, asset register, non-work use Off-premises information exposure, endpoint loss, insecure network, unauthorized viewing, and remote access risk Remote Working Authorization Register
A.6.8 Information Security Event Reporting Can personnel report observed or suspected events through timely appropriate channels? Event definition, reporting channels, forms, no-blame culture, user awareness, triage linkage, external notification criteria Delayed detection, under-reporting, incident escalation, risk-data distortion, and missed notification risk Information Security Event Reporting Channel Register

Current A.7 interpretation map

Control ISO 27001 question ISO 27002 interpretation focus ISO 27005 risk logic Evidence anchor
A.7.1 Physical Security Perimeters Are security perimeters defined and used to protect areas containing information and associated assets? Zone model, physical boundary completeness, shared premises, emergency routes, out-of-hours access, perimeter review Unauthorized physical access, tampering, theft, shared-premises bypass, and zone exposure risk Physical Security Zone Register
A.7.2 Physical Entry Are secure areas protected by appropriate entry controls and access points? Entry authorization, badges, visitor registration/escort, physical access review, delivery/loading controls, despatch records Unauthorized entry, visitor movement, badge/key misuse, loading bay bypass, equipment theft, and tampering risk Secure Area Access Register
A.7.3 Securing Offices Rooms and Facilities Is physical security for offices, rooms, and facilities designed and implemented? Room/facility risk, information concentration, signage, directories, access clues, specialized controls, control fit Room-level exposure, target identification, internal information leakage, centralized repository, and facility design risk Office Room and Facility Security Assessment
A.7.4 Physical Security Monitoring Are premises continuously monitored for unauthorized physical access? Monitoring scope, alarm response, escalation, tests, false alarms, incident linkage, evidence retention Unauthorized access detection, delayed response, theft/tampering, physical incident escalation, and false-alarm risk Physical Security Monitoring Procedure
A.7.5 Protecting Against Physical and Environmental Threats Is protection against physical and environmental threats designed and implemented? Site hazards, neighbor risks, specialist advice, fire/flood/environmental controls, secondary effects, continuity linkage Fire, flood, environmental failure, utility failure, hazardous neighbor, civil unrest, and site outage risk Physical and Environmental Threat Assessment
A.7.6 Working in Secure Areas Are security measures for working in secure areas designed and implemented? Need-to-know, device restrictions, media movement, supervision, dual control, consistent third-party treatment Unauthorized disclosure, recording, copying, media removal, unauthorized modification, and weak supervision risk Secure Area Working Procedure
A.7.7 Clear Desk and Clear Screen Are clear desk and clear screen rules defined and appropriately enforced? Papers, removable media, screens, printers, faxes, auto-lock, observation, awareness, enforcement Unattended information exposure, shoulder surfing, photography, removable media loss, printer/fax exposure, and misfiling risk Clear Desk and Clear Screen Checklist
A.7.8 Equipment Siting and Protection Is equipment securely sited and protected? Equipment location, environmental exposure, access to network devices, screen visibility, interference, remote equipment, staff use rules Equipment damage, unauthorized physical access, unauthorized viewing, environmental exposure, interference, remote equipment, and unmanaged asset risk Equipment Siting and Protection Assessment
A.7.9 Security of Assets Off-Premises Are off-site assets protected? Authorization, off-site custody, mobile/BYOD protection, long-term loan attestation, leaver return, secure erase, risk acceptance Off-site loss/theft, BYOD exposure, weak custody, unreturned assets, cross-border exposure, and unmanaged residual risk Off-Premises Asset Authorization Register
A.7.10 Storage Media Is storage media managed through acquisition, use, transportation, and disposal according to classification and handling rules? Approved media, inventory, classification, movement, secure transport, key separation, disposal, damaged media, destruction records Media loss, unauthorized access, insecure transport, poor disposal, damaged media recovery, malware from unapproved media, and classification handling risk Storage Media Handling Procedure
A.7.11 Supporting Utilities Are information processing facilities protected from failures in supporting utilities? Utility dependencies, power/cooling/telecoms/water/fire protection, UPS/generator capacity, alarms, emergency lighting, provider agreements, BMS security Power failure, cooling failure, telecommunications outage, water/site closure, fire protection failure, emergency lighting failure, BMS compromise, and availability risk Supporting Utility Dependency Register
A.7.12 Cabling Security Are cables protected from interception, interference, or damage? Cable routes, connectors, labels, segregation, locked cabinets, external junctions, tamper/interception risk Cable damage, interception, tampering, interference, inaccurate connection, external junction exposure, and availability risk Cabling Route and Protection Register
A.7.13 Equipment Maintenance Is equipment maintained correctly to protect confidentiality, integrity, and availability? Maintenance schedules, authorized maintainers, fault logs, escorting, information protection, post-maintenance tamper checks Equipment failure, unplanned outage, integrity loss, unauthorized maintenance access, information exposure during repair, and tampering risk Equipment Maintenance Register
A.7.14 Secure Disposal or Re-Use of Equipment Is equipment containing storage media verified before disposal or reuse? Storage identification, sanitization, overwriting, destruction, licensed software removal, repair dispatch, contractor assurance Residual data exposure, licensed software leakage, insecure reuse, insecure repair, contractor disposal risk, hidden storage, and privacy/IP compromise Equipment Disposal and Reuse Register

Current A.8 interpretation map

Control ISO 27001 question ISO 27002 interpretation focus ISO 27005 risk logic Evidence anchor
A.8.1 User End Point Devices Is information stored on, processed by, or accessible through user endpoint devices protected? Endpoint policy, inventory, baseline controls, patching, malware protection, encryption, remote access, BYOD, session timeout, loss/theft reporting Endpoint compromise, lost/stolen device, unmanaged BYOD, weak remote access, patch gap, malware, local data exposure, and unattended session risk Endpoint Device Security Standard
A.8.2 Privileged Access Rights Are privileged access rights restricted and managed? Business justification, approval, separate privileged IDs, logging, review, emergency access, removal, log protection Privilege misuse, shared admin account, unlogged admin activity, emergency access abuse, unauthorized change, and stale privilege risk Privileged Access Register
A.8.3 Information Access Restriction Is access to information and associated assets restricted according to the access control policy? Owner-approved access rules, application/database role consistency, classification alignment, restricted functions, export controls, dynamic privilege sessions Excessive access, shared database bypass, unauthorized extraction, maintenance utility misuse, dynamic privilege abuse, and policy enforcement failure Information Access Rule Matrix
A.8.4 Access to Source Code Is read/write access to source code, development tools, and software libraries appropriately managed? Repository access, branch protection, code review, CI/CD access, dependency trust, source absence from production, integrity verification Source disclosure, malicious code modification, compromised build tools, dependency compromise, and release integrity risk Source Code Access Register
A.8.5 Secure Authentication Are secure authentication technologies and procedures implemented based on access restrictions? Risk-based authentication, MFA factor quality, failed logon controls, safe error messages, recovery controls, compensating controls Credential compromise, brute force, account enumeration, weak authentication, and unauthorized access risk Secure Authentication Standard
A.8.6 Capacity Management Is resource use monitored and adjusted according to current and expected capacity needs? Monitoring scope, thresholds, trend analysis, forecasting, scaling/tuning, cloud limits, staff capacity Availability loss, resource exhaustion, service degradation, and capacity-related security failure risk Capacity Management Plan
A.8.7 Protection Against Malware Is malware protection implemented and supported by user awareness? Malware protection coverage, updates, background/scheduled scanning, layered scanning, infection response, verification, user awareness Malware infection, ransomware, credential theft, malicious downloads, outdated protection, lateral movement, and recovery verification risk Malware Protection Standard
A.8.8 Management of Technical Vulnerabilities Is vulnerability information obtained, exposure evaluated, and appropriate action taken? Vulnerability intelligence, scanning/testing, exposure evaluation, patch/change control, rollback, retesting, exceptions Known vulnerability exploitation, delayed patching, incomplete scanning, failed remediation, and residual vulnerability risk Vulnerability Management Procedure
A.8.9 Configuration Management Are configurations established, documented, implemented, monitored, and reviewed? Baselines, local tailoring, implementation, monitoring, drift handling, exceptions, review Insecure default, misconfiguration, unauthorized change, drift, and stale baseline risk Configuration Baseline Register
A.8.10 Information Deletion Is information deleted when no longer required? Asset inventory, retention rules, deletion methods, cloud/backup deletion, destruction evidence, secure awaiting-destruction storage Over-retention, privacy exposure, residual data recovery, cloud/backup persistence, and disposal risk Information Deletion and Destruction Register
A.8.11 Data Masking Is data masking used according to policy, business requirements, and legislation? Masking, pseudonymisation, tokenisation, anonymisation, full-data access, lookup segregation, re-identification risk Sensitive data overexposure, re-identification, test-data leakage, token lookup compromise, and privacy risk Data Masking Standard
A.8.12 Data Leakage Prevention Are DLP measures applied to systems, networks, and devices processing sensitive information? Sensitive data scope, approved flows, DLP rules, alerts, false positives, transfer authorization, user awareness Unauthorized transfer, exfiltration, unapproved cloud sharing, email leakage, removable media leakage, and false-positive fatigue risk DLP Scope and Rule Register
A.8.13 Information Backup Are backup copies maintained and regularly tested according to backup policy? Backup scope, frequency, protection, job monitoring, restore tests, off-site/immutable storage, archive recovery Data loss, ransomware recovery failure, backup breach, untested restore, and continuity failure risk Backup Policy and Schedule
A.8.14 Redundancy of Information Processing Facilities Is redundancy sufficient to meet availability requirements? Availability requirements, redundancy architecture, risk assessment, dependency coverage, failover testing, recovery records Single point of failure, untested failover, dependency outage, replication exposure, and continuity failure risk Redundancy Requirements and Architecture Register
A.8.15 Logging Are logs produced, stored, protected, and analysed? Loggable events, log content, retention, protection, SIEM/correlation, alert triage, fault trend analysis Undetected misuse, weak accountability, tampered evidence, missed incident, alert fatigue, and investigation failure risk Logging and Monitoring Standard
A.8.16 Monitoring Activities Are networks, systems, and applications monitored for anomalous behaviour and potential incidents evaluated? Risk-based detection use cases, monitoring sources, IDS/IPS/SIEM/EDR rules, thresholds, correlation, alert triage, and out-of-hours escalation Undetected attack, lateral movement, blind spots, alert fatigue, missed incident evaluation, and delayed response risk Monitoring Detection Use Case Register
A.8.19 Installation of Software on Operational Systems Is software installation on operational systems securely managed? Installation authority, business approval, testing, change records, rollback, licence/support checks, production code protection Unauthorized software, untested production change, unsupported software, licence exposure, integrity loss, and outage risk Operational Software Installation Procedure
A.8.20 Networks Security Are networks and network devices secured, managed, and controlled? Architecture, zoning, network device hardening, routing, public network protection, virtual/cloud networks, monitoring, changes Unauthorized access, interception, lateral movement, misconfiguration, insecure management path, virtual bypass, and availability risk Network Security Architecture and Zoning Standard
A.8.21 Security of Network Services Are network service security mechanisms, service levels, and requirements identified, implemented, and monitored? Provider network services, security features, SLAs, resilience, failover, monitoring, compensating controls Supplier network service exposure, weak service levels, provider control gap, failover weakness, and availability/security dependency risk Network Service Security Requirements Register
A.8.22 Segregation of Networks Are groups of services, users, and systems segregated in networks? Zone design, inter-zone controls, firewall/routing rules, wireless risk, segmentation testing, exceptions Lateral movement, unauthorized internal access, flat-network exposure, wireless bypass, and cloud segmentation risk Network Zone and Connection Matrix
A.8.23 Web Filtering Is access to external websites managed to reduce malicious content exposure? Filtering policy, categories, coverage, exceptions, bypass prevention, alerts, user awareness Malware download, phishing, command-and-control connection, malicious content exposure, and missed compromise signal risk Web Filtering Policy and Category Matrix
A.8.24 Use of Cryptography Are rules for effective cryptography and key management defined and implemented? Crypto policy, approved algorithms, key lifecycle, CA/certificate control, legal checks, escrow/recovery, third-party key services Key compromise, weak crypto, certificate misuse, legal restriction breach, failed recovery, confidentiality/integrity/authenticity failure risk Cryptographic Controls Policy
A.8.25 Secure Development Life Cycle Are secure development rules established and applied? Secure development policy, training, code review, vulnerability remediation, supplier development, standards review Insecure code, development environment compromise, hidden functionality, supplier development gap, and future production compromise risk Secure Development Policy
A.8.26 Application Security Requirements Are application security requirements identified, specified, and approved? Risk-based requirements, approval, transaction controls, cryptography, network security, testing, acquisition Missing requirements, weak transaction security, insecure acquired application, legal gap, and fraud risk Application Security Requirements Register
A.8.27 Secure System Architecture and Engineering Principles Are secure engineering principles established, maintained, and applied? Secure architecture principles, design reviews, threat modelling, deviations, contractor communication, competence Insecure architecture, weak trust boundaries, retrofitted security, architecture drift, and supplier design risk Secure Architecture Principles Standard
A.8.28 Secure Coding Are secure coding principles applied to software development? Language-specific standards, developer awareness, automated review, manual review, generated code, exceptions Coding vulnerability, hard-coded secret, insecure dependency, unsafe function, generated insecure code, and supplier code risk Secure Coding Standard
A.8.29 Security Testing in Development and Acceptance Are security testing processes defined and implemented in the development lifecycle? Test planning, risk-based testing, acceptance criteria, vulnerability remediation, retesting, operations/user involvement Untested vulnerability, defective input handling, access control failure, unresolved finding, insecure go-live risk Security Test Plan
A.8.30 Outsourced Development Are outsourced development activities directed, monitored, and reviewed? Supplier development requirements, contracts, monitoring, deliverable testing, IP rights, audit/assurance, subcontractors Supplier opacity, insecure outsourced code, hidden functionality, weak supplier assurance, IP dispute, and supply chain risk Outsourced Development Security Requirements Checklist
A.8.31 Separation of Development Test and Production Environments Are development, test, and production environments separated and secured? Environment classes, access separation, network controls, production data in test, CI/CD promotion, shared admin paths Unauthorized production change, test-to-prod compromise, sensitive test data exposure, shared credential, and deployment bypass risk Development Environment Separation Standard
A.8.32 Change Management Are changes to information processing facilities and systems subject to change management procedures? Impact assessment, approval, testing, rollback, release records, emergency changes, documentation updates Unauthorized change, outage, weakened control, failed rollback, configuration drift, and release traceability risk Change Management Procedure
A.8.33 Test Information Is test information appropriately selected, protected, and managed? Synthetic data, live-data authorization, masking, access control, output protection, deletion, privacy requirements Production data leakage, privacy noncompliance, uncontrolled test artifacts, weak deletion, and re-identification risk Test Information Management Register
A.8.34 Protection of Information Systems During Audit Testing Are audit tests and assurance activities on operational systems planned and agreed? Test scope, management approval, tools, access logging, disruption control, result protection, independence Audit-induced outage, uncontrolled tool use, sensitive result exposure, unauthorized access, and weak assurance risk Audit Testing Plan and Authorization Record
  • ISO27001
  • Iso27002
  • Annex a
  • Control guidance
  • Mapping

Note Metadata

Aliases: ISO 27002 Control Interpretation Map

Source: 11 ISO 27002 Knowledge Base/ISO 27002 Annex A Control Interpretation Map.md

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.