Your glossary for risk and compliance
Helpful definitions of all of the terms you need to know to better manage risk and compliance.
Terms27001 Annex A controls Access control Access control policies Access Control System ACSC annual cyber threat report ACSC cyber security ACSC cyber threat report Active Attack Activity Monitors AFSL Authorised Representative AICPA APRA APRA Security ASIC Asset inventory Asset Labeling Asset Security Attack Surface Attack Vector Attestation of Compliance (AOC) Attribute Attribute-Based Access Control (ABAC) Audit Management Software BS 10012 Buffer Overflow Business Continuity Business Continuity Management (BCM) Business Continuity Plan (BCP) Business Impact Analysis (BIA) Business Resilience Ciphertext Cloud Control Matrix (CCM) Cloud Controls Matrix (CCM) domains Cloud Infrastructure Cloud security COBIT Framework COBIT Framework Goals COBIT Framework Principles Common Vulnerabilities and Exposures(CVE) Common Vulnerability Scoring System (CVSS) Communication and consultation Communication security Compliance Automation Compliance automation software Compliance Due Diligence Compliance Issue Compliance Management Compliance management system (CMS) Compliance Manager/Officer Compliance Risk Compliance risk management Computer Security Threats Configuration Management Database (CMDB) Consequence Context Control CPS 234 Crimeware Cross Site Request Forgery (CSRF) Cryptography in ISO CSIO Cyber Security Cyber Essentials Cyber Insurance Cyber Resiliency Cyber Risk Consultant Cyber Risk Management Frameworks Cyber Safety Cyber security asset management (CSAM) Cyber security awareness Cyber security awareness training Cyber security credentials Cyber security framework NIST Cyber security gamification Cyber security incident Cyber security incident report Cyber security incident response plan Cyber security incidents Cyber security management Cyber Security Report Cyber security reports Cyber security risk appetite Cyber terrorism Cyber-Risk Quantification Cybersecurity Asset Management Cybersecurity consultants Cybersecurity frameworks Cybersecurity Maturity Model Certification (CMMC) Cybersecurity Mesh Cybersecurity Mesh Architecture Dark Data Data Access Management Data Asset Data breach Data Breach Preventions Data Controller Data Democratization Data Exfiltration Data Integrity Data Leak Data Mining Data Owner Data protection impact assessment (DPIA) Data Wiping Database Audit and Protection (DAP) Defence in Depth Difference between Cyber Safety and Cyber Security Discretionary Access Control (DAC) Discretionary Access Control (DAC) attributes DMARC security Domain Name System (DNS) DoS Attack DPIS Stages DREAD Model Dynamic Security Management Email Encryption Email security Email Security Solutions end point security Endpoint cyber security Enterprise Architecture Enterprise Risk Management (ERM) software Essential 8 Maturity Model Essential eight Cyber mitigation strategies Executive Order Exploit FedRAMP Financial Risk Financial Risk Management Focused Risk Assessment Forensics Framework Fraud Management Gartner and the Magic Quadrant GDPR GDPR compliance GDPR data governance GDPR requirements GDPR risk assessment Global Regulatory Management Governance Risk & Compliance (GRC) GRC elements GRC Implementation GRC Tools Hacker HIPAA HIPAA vs. PCI DSS Compliance HITRUST How long will it take to get ISO 27001? How many controls are there in ISO 27001? Hybrid Data Center ICT supply chain risk management IDPS Immediate Response Strategies Implementation ISO 27003 Implementing ISO 27001 Importance of ISO 27005 Incident Incident Lifecycle Incident management Incident Management Framework Incident Response Incident Response Plan Incident Response Tools Information Asset Information asset definition ISO 27001 Information classification policy ISO 27001 Information Governance Information Management System Information security Information security Information security assessment Information Security Awaness Information security controls Information Security Governance Information Security Governance benefits Information Security Management System (ISMS) Information Security Policy (ISP) Information security risk acceptance Information security risk communication Information Security Risk Management Information security risk monitoring and review Information security risk treatment Inherent Risk Insider Threat Actors Instant Communications Security And Compliance Integrated Management System Integrated Risk Management (IRM) Internal Environment Internet of Things (IoT) Intrusion detection systems (IDS) Intrusion Prevention Systems (IPS) IRAP Assessors IRAP certification ISO ISO / IEC 27004:2016 advantages ISO 27001 2005 ISO 27001 and NIST 800-53 ISO 27001 Annex A ISO 27001 as an Individual ISO 27001 Audit ISO 27001 back up policy ISO 27001 benefits ISO 27001 certification requirements ISO 27001 certified ISO 27001 controls ISO 27001 cost ISO 27001 domains ISO 27001 gap analysis ISO 27001 lead auditor ISO 27001 lead implementer ISO 27001 mandatory clauses ISO 27001 or ISO 27018 ISO 27001 password policy ISO 27001 penetration testing ISO 27001 requirement checklist ISO 27001 risk assessment ISO 27001 risk register ISO 27001 scope ISO 27001 secure development policy ISO 27001 security awarness ISO 27001 security policy ISO 27001 surveillance audit ISO 27001 toolkit ISO 27001 vulnerability management ISO 27001:2013 vs. ISO 27001:2017 ISO 27002 ISO 27002 benefits ISO 27002 framework ISO 27002 importance ISO 27002 scope ISO 27002 security policy ISO 27002 standard focus ISO 27002:2022 ISO 27002:2022 controls ISO 27003 ISO 27003 ISO 27003 and ISO 27001 ISO 27003 and ISO 27002 ISO 27003 benefits ISO 27004 ISO 27005 ISO 27005 and ISRM ISO 27008 ISO 27014 ISO 27102 ISO accreditation ISO activities ISO Audit ISO certification meaning ISO certifications ISO cloud security standard ISO compliance ISO Compliance vs. Certification: What's the Difference? ISO consultants ISO cyber security ISO data center ISO data retention policy ISO data security ISO directives ISO directives part 1 ISO directives part 2 ISO document control ISO external audits ISO framework ISO health ISO information security ISO internal audit ISO rules ISO standard ISO standards for Cybersecurity ISO/IEC 27000 ISO/IEC 27001 Foundation ISO/IEC 27001:2017 ISO/IEC 27003:2017 requirements ISO/IEC 27004 ISO/IEC 27004:2016 clauses ISO/IEC 27005 ISO/iec standards list ISO27001 and ISO27002 IT Audit IT Security Jailbreak Keystroke logging Likelihood Logic Bomb Malware vs. Viruses vs. Worm Mandatory Access Control (MAC) Mitigating Controls for Risk Management Money Laundering Monitoring Network Network Access Control Network Security Network Segmentation Network Segregation NIS Directive NIST NIST 800 171 NIST 800-171 compliance checklist NIST 800-171 controls NIST 800-171 Purpose NIST 800-53 control families NIST 800-53 risk assessment NIST compliance NIST controls NIST Cybersecurity framework v1.1 NIST cybersecurity standards NIST guidelines NIST SP 800-53 NIST SP 800-53 Benefits NIST SP 800-53 enhanced controls NIST SP 800-53 minimum/base controls Non-Repudiation Notifiable data breach OAIC Operational Risk Operational Risk Management (ORM) Operational Risk Management Program Benefits Operational security Operational Technology (OT) Passive Attack Passive Scanning Patch Management PCI DSS PCI DSS Standards Personally Identifiable Information (PII) PIMS Policy management Prioritisation Privilege Escalation Purpose of ISO 27008 Purpose of risk management Quadrant Ransomware Ransomware Protection RCSA Redaction Regulatory Compliance Remediation Reputational Risk Risk Risk analysis Risk Categories Risk Center Risk Financing Risk identification Risk Identification (RI) Risk management Risk management framework Risk management policy Risk management process Risk management standards Risk management system and process Risk Management Tool RIsk Mitigation Risk Mitigation Controls Risk owner Risk profile Risk Reduction Risk Register Risk source Risk treatment Risk Vs. Compliance Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) Benefits Secure Access Service Edge (SASE) security and integrity Security Audit Security Event Security governance Security Incident Security Incident Report Security Indicators Security Management Security Metrics Security Perimeter Security Testing Requirements Segregation of Duties (SOD) Single Loss Expectancy SOA SOC 1 SOC 2 SOC 2 Audit SOC 2 Compliance SOC 2 Controls SOC 2 Standards SOC 2 Trust Principles SOC 3 SOC Reports Spear phishing Spyware Threat SSAE 16 SSAE 18 Stakeholder Statement of Applicability (SoA) Strategic Risk Supplier Risk Management Thin Client Third-party risk management Threat Threat Modeling Threat Modeling Frameworks and Methodologies Triage Types of Insider Threat Actors Vendor Vendor assessment Vendor management policy Vendor Management Policy (VMP) Vendor Risk Management (VRM) Virtual Private Network (VPN) Vulnerability Vulnerability management Vulnerability scanning Wardriving Watering Hole Attack Web Security Threats What are the benefits of compliance process automation? What does APRA do? What is the ASD Essential 8? What is the purpose of NIST 800-53? Who needs ISO 27001? Why Cybersecurity Is Essential in OT and IT? Zero Day
What are the Annex A Controls?
ISO 27001 is an international standard that depicts best practices for an ISMS (information security management system).
The Standard adopts a risk-based strategy for information security. This demands organizations to distinguish information security risks and select fitting controls to handle them. Those controls are framed in Annex An of the Standard.
There are 114 ISO 27001 Annex A controls, partitioned into 14 classifications.
- Annex A.5 Information security policies (2 controls)
- Annex A.6 Organisation of information security (7 controls)
- Annex A.7 Human resource security (6 controls)
- Annex A.8 Asset management (10 controls)
- Annex A.9 Access control (14 controls)
- Annex A.10 Cryptography (2 controls)
- Annex A.11 Physical and environmental security (15 controls)
- Annex A.12 Operations security (14 controls)
- Annex A.13 Communications security (7 controls)
- Annex A.14 System acquisition, development and maintenance (13 controls)
- Annex A.15 Supplier relationships (5 controls)
- Annex A.16 Information security incident management (7 controls)
- Annex A.17 Information security aspects of business continuity management (4 controls)
- Annex A.18 Compliance (8 controls)
Back to glossary search