What kinds of audit evidence will your Certification Body be seeking to confirm your compliance with the requirements of Annex A?
Using ISO 27001 controls outlined on Annex A alone to address security vulnerabilities is never enough!
What is ISO 27001 Annex A About?
Let’s begin with what ISO 27001 Annex A is about. The purpose of Annex A controls is to ensure that a comprehensive set of controls are in place to manage information security risks. And we place great emphasis on this in all our ISO 27001 training courses because the application of these Controls is fundamental to compliance with the Standard's requirements.
As the vulnerabilities and threats to information security vary from one organization to another, the vulnerabilities included in Annex A should be treated as a 'fallback' position.
External auditors will not be satisfied with information security controls that address Annex A vulnerabilities alone. Without additional vulnerabilities particular to your organization (and consideration having been taken of the several sectoral Codes of Practice that may apply, e.g. ISO 27018 regarding personally identifiable information), external auditors will likely believe that no real risk assessment was done.
This may give them the impression that you've gone through the motions of preparing information security management system documentation to give the appearance of meeting requirements.
In this circumstance, you've little chance of being recommended for Certification to ISO 27001.
How to Provide Evidence to Prove ISO 27001 Annex A Compliance
The external auditors will look for a variety of evidence of effective implementation of controls and precautions related to applicable ISO 27001 Annex A vulnerabilities. They would also look for other vulnerabilities specific to, and identified by, the organization.
Here are some examples of ways you can prove compliance with ISO 27001 Annex A:
1. Conduct Observation
This is the best quality of audit evidence. Verifying and recording in Audit Workbook that:
- a locked door is locked,
- people do sign confidentiality agreements,
- the asset register exists and contains assets observed,
- system settings are adequate, etc.).
2. Keep Records of Performance
Evidence can be gathered from seeing the results of the performance of a Control. Having sight of and recording in Audit Workbook:
- printouts of access rights given to people signed by the correct authorizing official,
- records of incident resolution,
- processing authorities signed by the correct authorizing official,
- minutes of management (or other) meetings.
3. Perform Direct Testing
Evidence can be the result of direct testing (or re-performance) of controls by the auditor. For example:
- attempts to perform tasks said to be prohibited by the controls,
- determination whether software to protect against malicious code is installed and up-to-date on machines,
- access rights granted (with the permission of management/authorities).
View ISO 27001 Lead Auditor Course (incl. Annex A Workbook)
4. Conduct Interviews
This is arguably the most important form of evidence. Many organizations operate on the basis that, if IT vulnerabilities are controlled, the organization is protected. This is folly. We're not talking about cyber security. It's more than that. We're talking about information security!
We know that all the technological precautions in the world are essentially useless unless the people involved fully play their part. People are always the weakest link in the chain; just read about major information security breaches and you will see that time after time it is the failure of the people involved (actively or passively) that permitted the incident to occur.
Interview-type evidence can be gathered by:
- interviewing staff at all levels and functions about applicable processes and controls
- and then determining whether this is factually correct.
- interviewing persons doing work under the organization’s control about applicable processes (especially outsourced processes) and controls
- and then determining whether this is factually correct.
- interviewing contractors and sub-contractors (both management and staff) about applicable processes and controls
- And then determining whether this is factually correct.
How Annex A of ISO 27001 Affects Your Internal Audit Programme
Too often, Audit Programmes for organizations seeking certification to ISO 27001 ignore Annex A or schedule a cursory audit of the requirements here.
Remember Annex A is not ‘Informative’; it is ‘Normative’, that is, a mandatory part of the Standard.
It is essential that a sufficient number of internal audits be planned to cover all applicable vulnerabilities (upward of a hundred are common) and evidence of the types given above to be collected and documented. Otherwise, you have little chance of a successful Certification Audit. Good luck.
Select the best ISO 27001 Course
We have five ISO 27001 Courses to choose from, including Extension and Conversion Courses. Click the button to compare the options available.
(From Annex D ISO/IEC 27006:2015/Amd 1:2020)
ISO 27001 course image map. Click on the course you are interested in to learn more about it or see our ISO 27001 overview page to see the full suite.
Note: This post was first published in October 2019; revised and updated in October 2021.
- ISO 27001:2022 - facts about the new version
- Free ISO 27001 Implementation Handbook (100+ pages)
- ISO 27001 Implementation in 31 Steps
- Navigating the fifty-six ISO 27000 Series of Standards
- Information Security Standards other than ISO 27001
deGRANDSON Global is an ISO Certified Educational Organization
In October 2021 we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.