What kinds of audit evidence will your Certification Body be seeking to confirm your compliance with the requirements of Annex A?
Using ISO 27001 controls outlined in Annex A alone to address security vulnerabilities is never enough!
What is ISO 27001 Annex A About?
Let’s begin with what ISO 27001 Annex A is about. The purpose of the Annex A controls is to ensure that a comprehensive set of controls is in place to manage information security risks. We place great emphasis on this in all our ISO 27001 training courses because the application of these controls is fundamental to compliance with the Standard's requirements.
As the vulnerabilities and threats to information security vary from one organization to another, the vulnerabilities included in Annex A should be treated as a 'fallback' position.
External auditors will not be satisfied with information security controls that address Annex A vulnerabilities alone. Without additional vulnerabilities particular to your organization (and consideration having been taken of the several sectoral Codes of Practice that may apply, e.g., ISO 27018 regarding personally identifiable information), external auditors will likely believe that no real risk assessment was done.
This may give them the impression that you've gone through the motions of preparing information security management system documentation to give the appearance of meeting requirements.
In this circumstance, you've little chance of being recommended for Certification to ISO 27001.
The external auditors will look for a variety of evidence of effective implementation of controls and precautions related to applicable ISO 27001 Annex A vulnerabilities. They would also look for other vulnerabilities specific to and identified by the organization.
Here are some examples of ways you can prove compliance with ISO 27001 Annex A:
This is the best quality of audit evidence. Verifying and recording in the Audit Workbook that:
Evidence can be gathered from seeing the results of the performance of a control. Having sight of, and recording in the Audit Workbook:
Evidence can be the result of direct testing (or re-performance) of controls by the auditor. For example:
This is arguably the most important form of evidence. Many organizations operate on the basis that if IT vulnerabilities are controlled, the organization is protected. This is folly. We're not talking about cyber security. It's more than that. We're talking about information security!
We know that all the technological precautions in the world are essentially useless unless the people involved fully play their part. People are always the weakest link in the chain; just read about major information security breaches, and you will see that time after time, it is the failure of the people involved (actively or passively) that permitted the incident to occur.
Interview-type evidence can be gathered by:
Too often, Audit Programmes for organizations seeking certification to ISO 27001 ignore Annex A or schedule a cursory audit of the requirements here.
Remember Annex A is not ‘Informative’; it is ‘Normative’, that is, a mandatory part of the Standard.
It is essential that a sufficient number of internal audits be planned to cover all applicable vulnerabilities (upward of a hundred are common), and that evidence of the types given above be collected and documented. Otherwise, you have little chance of a successful Certification Audit. Good luck.
(From Annex D ISO/IEC 27006:2015/Amd 1:2020)
Note: This post was first published in October 2019; revised and updated in October 2021.
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.