Guide for ISO 27001 Annex A Controls in AmpliFlow

Patrik Björklund · Updated Jul 3, 2025

Welcome to our guide for implementing ISO 27001 Annex A controls with AmpliFlow as part of your ISO certification project.

This guide helps you get started with our module for ISO 27001 controls and ensures that the process runs smoothly and efficiently.

Basic understanding

ISO 27001 Annex A contains 93 security controls that protect your information. These controls act as security rules for your business - just as you have fire alarms to protect the building, you need these controls to protect your information.

Why is this important to you?

For you as an employee: You will receive clear guidelines on how to handle information safely in your daily work.

For your team: You get common procedures that make everyone work in the same way with information security.

For the company: You receive ISO 27001 certification, which shows customers that you take information security seriously, which is often required for large contracts.

Read our article "What are the controls in ISO 27001 Annex A?" to know more.

How should it be done?

Much of the work has already been prepared through our examples of all 93 controls from ISO 27001 Annex A as well as implementation guides for each control.

What you need to do now is:

  1. Assign permissions to those who will work with the control register
  2. Go through each control and update the information to match your business
  3. Assess relevance for each control (almost always YES)
  4. Assess fulfillment - do you already comply with the control or not
  5. Implement controls you do not fulfill by using our implementation checklists
  6. Customize the sample texts to your business
  7. Go through and check off the control points in the implementation checklist
  8. Link to the published documentation that shows how you meet the controls
  9. Link to the tools you use to fulfill the controls
  10. If you work with a consultant from AmpliFlow, let them know that the work is ready for review

Tips for successful implementation

  • Ensure that everyone working with ISO 27001 controls understands what information security means and why the work is done
  • Start with controls you already meet - this gives you fast progress and motivation
  • Prioritize controls that are critical to your business or that customers often ask for
  • If work is divided, be clear about the division of responsibilities and set deadlines
  • Set a clear schedule and book any check-in meetings now
  • Involve the right people - different controls require different expertise (IT, HR, law, operations)
  • Document everything you do - the certification body wants to see evidence that you are actually carrying out what you say
  • Keep in mind that this isn't just paperwork - every control you implement makes your business safer
  • Communicate the results to relevant internal teams and stakeholders

Explanation of the respective column

Area: Shows which area the control belongs to, e.g. “Organizational controls”, “People controls” or “Technical controls”. This will help you understand what kind of action is required and who should be responsible.

Requirement section reference: Specifies the exact reference to the control in ISO 27001 Annex A, such as “5.1” or “8.8”. This reference is used in your SoA.

Control: The exact control text from ISO 27001 Annex A describing what is required.

Requirement explanation: Provides a detailed explanation of the control, why it is important, how it relates to other controls and which industry standards are relevant. This information will help you understand the context and implement the control correctly. This column is not printed in the SoA but is for your internal understanding only.

Assessed as relevant: Here you indicate whether the control is relevant to your business or not. Almost all controls are relevant to all organisations - it is very rare to be able to regard controls as not relevant.

If No - justification: If you judge that a control is not relevant (which is unusual), you need to justify why with a detailed explanation. This justification is carefully reviewed by the certification body and must be well-founded.

Do we fulfill the requirement: Select whether you meet the control today or not. This provides a quick overview of your current status and shows what needs to be implemented.

Implementation guide: A step-by-step guide of what concretely needs to be done to fulfill the control. Use this as a work list for the implementation - check off each item when it is finished. This information is not printed in the SoA but is only for your internal work.

Example description of how we fulfill the requirement: Proposal for detailed text describing how you comply with the control. This text is intended to help you work with the specific requirement in isolation. When everything is ready, the text can be left or moved to, for example, AmpliFlow pages to make it available to the rest of the organization. This column is not printed in the SoA.

Example of how we fulfill the requirement (SoA): Suggested generic text describing that you are complying with the control. This text is largely a mirror of the ISO text itself - if the control says “you shall” then this one says “we do”. It doesn't say how you do it, just that you do it. This text is intended for your SoA and should be comprehensive and generic.

Link to documentation: Add a link to where your detailed documentation is located showing exactly how you are complying with the control. Note that it should be one (1) link to enforce good structure - if you have multiple documents, create a collection point for these. This information is not printed in the SoA but is only for your internal work.

Link to tool: Add one (1) link to the tool or system that you use to fulfill the control. If multiple tools are used, this should be a link to documentation about all the different tools used. This information is not printed in the SoA but is only for your internal work.

Important to understand: Difference between SoA and internal documentation

SoA (Statement of Applicability) should be:

  • Overall and generic
  • Focused on WHAT you do, not HOW in detail
  • Free from sensitive technical details or specific system names

Internal documentation should be:

  • Detailed and specific
  • Contain precise step-by-step instructions
  • Include technical details, system names and configurations
  • Useful for your staff in their daily work

Why this division? The SoA is reviewed by external auditors during the certification audit, but it is primarily you yourself who will use it regularly to demonstrate to customers, partners and other stakeholders that you comply with ISO 27001 requirements. The SoA document is your “calling card” for information security. By keeping it generic, you protect sensitive information while demonstrating that you comply. You keep the detailed documentation in-house to ensure that the work is actually carried out correctly.

What columns are printed in the SoA?

The following columns are included in your SoA:

  • Area
  • Requirement section reference
  • Control
  • Assessed as relevant
  • If No - justification
  • Do we fulfill the requirement
  • Example of how we fulfill the requirement (SoA)

The following columns are for your internal work only and are NOT printed in the SoA:

  • Requirement explanation
  • Implementation guide
  • Example description of how we fulfill the requirement
  • Link to documentation
  • Link to tool
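As an added illustration (not AmpliFlow's own code), the following models one row of the control register with the column split described above: it produces the SoA view with only the printed columns and flags the two consistency problems the guide warns about (a control marked not relevant without a justification, and more than one link in a link column). The column names are the ones listed on this page; the sample rows are constructed.

```python
# Added example, not AmpliFlow code: the register column split and two checks.

SOA_COLUMNS = [
    "Area",
    "Requirement section reference",
    "Control",
    "Assessed as relevant",
    "If No - justification",
    "Do we fulfill the requirement",
    "Example of how we fulfill the requirement (SoA)",
]

INTERNAL_COLUMNS = [
    "Requirement explanation",
    "Implementation guide",
    "Example description of how we fulfill the requirement",
    "Link to documentation",
    "Link to tool",
]


def soa_view(row):
    """Return only the columns that are printed in the SoA (internal ones are dropped)."""
    return {col: row.get(col, "") for col in SOA_COLUMNS}


def check_row(row):
    """Return a list of problems for one register row; an empty list means the row is consistent."""
    problems = []
    ref = row.get("Requirement section reference", "?")
    relevant = row.get("Assessed as relevant", "")
    if relevant == "No" and not row.get("If No - justification", "").strip():
        problems.append(f"{ref}: marked not relevant but no justification given")
    for col in ("Link to documentation", "Link to tool"):
        links = row.get(col, "").split()  # whitespace-separated URLs, constructed format
        if len(links) > 1:
            problems.append(f"{ref}: {col} should hold one (1) link, found {len(links)}")
    return problems


# Constructed sample rows (values are illustrative, not from a real register).
SAMPLE_ROWS = [
    {"Area": "Organizational controls", "Requirement section reference": "5.1",
     "Control": "Policies for information security", "Assessed as relevant": "Yes",
     "Do we fulfill the requirement": "Yes", "Implementation guide": "internal work list",
     "Link to documentation": "https://example.invalid/policies",
     "Example of how we fulfill the requirement (SoA)": "We maintain information security policies."},
    {"Area": "Technical controls", "Requirement section reference": "8.8",
     "Control": "Management of technical vulnerabilities", "Assessed as relevant": "No",
     "If No - justification": "",
     "Link to tool": "https://example.invalid/scanner https://example.invalid/tracker"},
]
```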

By following this guide, you will have a smooth and efficient experience with the ISO 27001 implementation in AmpliFlow. If you have any questions or need further support, please contact our support.

Contact:

Do you need help? Get in touch with support@ampliflow.com.