ISO/IEC 27001:2013 specifies the requirements for an information security management system (ISMS), including a risk management process that an organisation uses to identify, assess and treat the information security risks it faces. It is a single standard within the wider ISO/IEC 27000 family; its companion, ISO/IEC 27002, gives implementation guidance for each control. Annex A is the normative annex of ISO 27001 that lists the reference set of 114 controls, grouped into 14 domains (A.5 to A.18). Organisations implementing ISO 27001 are not required to implement every Annex A control: clause 6.1.3 requires them to compare the controls chosen through risk treatment against Annex A, to justify any exclusions, and to record the outcome in a Statement of Applicability.
In information security management the term "security control" has a specific meaning: a measure that modifies risk. Controls can be organisational (policies, procedures, assigned roles), technical (access control, encryption, logging), physical (locks, secure areas) or legal and contractual, and they are selected to bring risk down to a level the organisation is willing to accept, thereby protecting its networks, IT systems, information assets and other resources. ISO 27001 is built on the common vocabulary of ISO/IEC 27000 and provides a structure within which an organisation develops its own ISMS.
Annex A defines the catalogue of controls from which an organisation selects those needed to treat its information security risks. Physical and environmental security is not a separate annex but one of the Annex A domains (A.11), alongside domains such as access control (A.9), cryptography (A.10) and operations security (A.12). This article does not explain the risk management process set out in ISO 27001; it simply lists the Annex A controls that are most important and useful in practice.