What are the Security Domains of ISO 27001?

By Glendin Franklin-Browne | September 10, 2021

iStock-1227582427ISO 27001 is an internationally recognised standard that sets the requirements for a best-practice information security management system (ISMS).

As we have previously discussed in detail in our previous blog, "What is the ISO 27001 Information Security Standard?", the standard guides organisations, regardless of size or industry, on how to build, manage, and protect vulnerable corporate data and information against various risks.


How do Security Domains form part of ISO 27001?

The Compliance Council explains that "ISO 27001 provides organisations with 10 clauses that serve as information security management system requirements and a section titled Annex A that outlines 114 controls that should be considered".

The 114 controls are then divided across 14 security domains, which provide the best practices for an information security management system (ISMS). These security domains help organisations perform a gap analysis to identify any areas of risk in their ISMS, as well as specify appropriate controls to address them. 

While ISO 27001 is the most widely known ISMS standard, it is important to note that specific organisations (such as providers of employment skills training and disability employment services) may be required by the Australian Government to submit additional controls in order to gain certification.


In this article, we take a look at the 14 security domains specific to ISO 27001.

The Compliance Council details the Security Domains as below:

Security Domain

Security categories and control objectives

A.5 Information security policies

A.5.1 Management direction for information security

Objective: To provide management direction and support for information security under business requirements and relevant laws and regulations.

A.6 Organisation of information security

A.6.1 Internal organisation

Objective: To establish a management framework to initiate and control the implementation of the operation of information security within the organisation.

A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.7 Human resource security

A.7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.2 During employment

Objective: To ensure that employees and contractors are aware of fulfilling their information security responsibilities.

A.7.3 Termination and change of employment

Objective: To protect the organisation's interests as part of the process of changing or terminating employment.

A.8 Asset management

A.8.1 Responsibility for assets

Objective: To identify organisational assets and define appropriate protection responsibilities.

A.8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.


A.8.3 Media handling

Objective: To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

A.9 Access control

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.2 User access management

Objective: To ensure authorised user access and to prevent unauthorised access to systems and services.

A.9.3 User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.4 System and application access control

Objective: To prevent unauthorised access to systems and applications.

A.10 Cryptography

A.10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.11 Physical and environment security

A.11.1 Secure areas

Objective: To prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.

A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

A.12 Operations Security

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities

A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.3 Backup

Objective: To protect against loss of data

A.12.4 Logging and monitoring

Objective: To record events and generate evidence

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities

A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

A.13 Communications security

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organisation and with any external entity.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems that provides services over public networks.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organisation's assets that are accessible by suppliers.

A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements

Objectives: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organisations business continuity management systems.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.



How can Diamond IT assist your ISO 27001 accreditation process?

Our team of Business Technology Consultants have partnered with organisations across a range of sectors to ensure their ISO 27001 preparedness. The 14 security domains can seem daunting, however, our team of experts are here to guide you through the ISO 27001 certification process. Contact us today on 1300 307 907. 



New call-to-action

TAGS: Business Value, News and General, Business Technology Consulting,

About Glendin Franklin-Browne
Glendin Franklin-Browne

Glendin Franklin-Browne is Diamond IT's Business Technology Consulting Manager, and a practical cybersecurity specialist who is passionate about partnering with businesses to elevate their technology and cybersecurity strategy. With a diverse career in the technology industry spanning more than 25 years, Glendin is passionate about working with forward-thinking business leaders to create strategic technology roadmaps, improve cybersecurity posture and increase productivity.