Key control activities
Answer: First of all, it is important to understand that ISO 27001 controls go beyond activities in processes and procedures. They are safeguards to protect information that can be implemented as policies, procedures, physical mechanisms or technologies.
Considering that, ISO 27001 requires, as part of the information security risk treatment (clause 6.1.3.b), that the controls necessary to implement information security in the ISMS scope be determined. The need to identify and implement security controls for processes/procedures will depend on the results of the risk assessment. Since the risk assessment and risk treatment are mandatory requirements for ISO 27001, this is certainly something auditors will look for.
These articles will provide you further explanation about risk assessment and risk treatment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding risk assessment and risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Feb 28, 2018