January 8, 2025

The 4 categories of ISO 27001 controls

Written by
Danielle Mason, Compliance Analyst, BD Emerson

Information security is no longer optional; it’s critical to running a successful, resilient business. ISO 27001, the international standard for information security management systems (ISMS), provides a structured approach to safeguarding data. Central to this framework are the 93 controls in Annex A, which are divided into four categories: organizational, people, physical, and technological. 

This article will break down these categories, explain their significance, and help you understand how to implement their controls effectively for your unique business needs.

Understanding the four themes of ISO 27001 controls

1. Organizational controls

Organizational controls focus on governance, policies, and risk management. These are the foundations of a robust ISMS. Examples include defining security roles and responsibilities, conducting risk assessments, and establishing clear information security policies.

Why are these controls critical?

  • They ensure leadership involvement and accountability in securing data
  • They provide a clear framework for decision-making and resource allocation

For example, a formal data classification policy ensures that sensitive data is identified and protected appropriately, reducing the risk of breaches. Organizational controls also facilitate compliance with regulations and frameworks like GDPR or SOC 2, which often require documented policies and processes.

2. People controls

Even with the best technology in place, people remain one of the most significant risks in information security. This category addresses human factors through measures like background checks, security awareness training, and defined responsibilities during and after employment.

Why focus on people?

  • According to industry reports, human error accounts for over 80% of data breaches
  • Social engineering attacks, such as phishing, exploit untrained employees

People controls can mitigate these risks by fostering a culture of security awareness. For instance, regular training sessions can teach employees to recognize phishing attempts, while clear exit procedures ensure departing staff no longer have access to sensitive systems or data.

3. Physical controls

Physical security is often overlooked now that most business operations have become digital, but it remains vital to protecting information. Physical controls include securing buildings, restricting access to sensitive areas, and monitoring facilities for unauthorized entry.

Why are physical controls essential?

Imagine a server room without proper access restrictions—anyone could walk in and tamper with equipment or steal data. Physical controls prevent such scenarios by ensuring only authorized personnel can access critical areas. Examples include surveillance cameras, biometric locks, and clear desk policies to prevent sensitive documents from being unattended.

4. Technological controls

Technological controls are the tools and systems that protect your digital infrastructure. These include encryption, firewalls, antivirus software, and access management systems.

Why are these controls indispensable?

The digital landscape is fraught with threats like malware, ransomware, and data exfiltration. Technological controls act as a first line of defense, safeguarding both your systems and data.

For example, implementing multi-factor authentication ensures that even if a password is compromised, an attacker holding only that password is still denied access. Encryption protects sensitive data in transit and at rest, making it unreadable to unauthorized parties.

Bridging the gaps with solutions

Implementing and managing these controls can feel overwhelming, especially for organizations new to ISO 27001. However, Vanta simplifies the process by:

  • Providing tools to map controls to risks and business processes
  • Offering templates for policies and procedures aligned with ISO 27001
  • Automating compliance checks and audits to save time and reduce errors

By using a centralized solution, organizations can streamline their ISMS implementation and focus on what matters most: safeguarding their assets and meeting compliance requirements.

Want to learn more about how to implement ISO 27001 controls effectively? Discover how BD Emerson’s information security experts can help your organization get ISO 27001 audit-ready. Schedule a consultation today! 
