1 - I would like to know more about the controls. Are there any categories for controls?
The 114 controls from ISO 27001 Annex A are organized into 14 sections (domains):
A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use; also for information classification and media handling
A.9 Access control – controls for the management of access rights of users, systems, and applications, and for the management of user responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
A.12 Operational security – lots of controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
A.14 System acquisition, development, and maintenance – controls defining security requirements, and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
2 - Important controls / not so important controls?
Please note that the importance of controls will depend on the results of the risk assessment and applicable legal requirements, so before obtaining this information you should avoid trying to assign a degree of importance to controls, because you risk overestimating or underestimating them, and this can negatively impact your risk management process.
This article will provide you with a further explanation about selecting controls: