Annex A controls in ISO/IEC 27001:2013 and ISO/IEC 27001:2005

ISO/IEC 27001:2013

ISO/IEC 27001:2005

A.5 Security Policy

A.6 Organization

A.7 Asset Management

A.8 Human Resources

A.9 Physical

A.10 Communications

A.11 Access Control

A.12 Acquisition

A.13 Incident

A.14 Business Continuity

A.15 Compliance

A.5.1

Management direction for information security

X

A.6.1

Internal organization

X

X

X

A.6.2

Mobile devices and teleworking

X

A.7.1

Prior to employment

X

A.7.2

During employment

X

A.7.3

Termination and change of employment

X

A.8.1

Responsibility for assets

X

X

A.8.2

Information classification

X

X

A.8.3

Media handling

X

A.9.1

Business requirements of access control

X

A.9.2

User access management

X

X

A.9.3

User responsibilities

X

A.9.4

System and application access control

X

X

A.10.1

Cryptographic controls

X

A.11.1

Secure areas

X

A.11.2

Equipment

X

X

A.12.1

Operational procedures and responsibilities

X

A.12.2

Protection from malware

X

A.12.3

Backup

X

A.12.4

Logging and monitoring

X

A.12.5

Control of operational software

X

A.12.6

Technical vulnerability management

X

A.12.7

Information systems audit considerations

X

A.13.1

Network security management

X

X

A.13.2

Information transfer

X

X

A.14.1

Security requirements of information systems

X

X

A.14.2

Security in development and support processes

X

X

A.14.3

Test data

X

A.15.1

Information security in supplier relationships

X

A.15.2

Supplier service delivery management

X

A.16.1

Management of information security incidents and improvements

X

A.17.1

Information security continuity

X

A.17.2

Redundancies

A.18.1

Compliance with legal and contractual requirements

X

A.18.2

Information security reviews

X

X