Definition

Internal control

Internal control is the set of mechanisms ensuring objective achievement, information reliability and regulatory adherence.

Internal control comprises policies, procedures and organizational structures providing reasonable assurance regarding operational, reporting and compliance objectives. In ISO context, controls are mechanisms to meet requirements and manage risks. ISO 27001 defines 93 controls in Annex A.

Key aspects

Preventive, detective and corrective

Preventive controls avoid risk, detective controls identify when it occurs, corrective controls remedy impact.

Operating effectiveness

Designing controls is not enough; they must operate effectively. Internal audits verify their functioning.

Documentation

Must be documented, assigned to owners and periodically reviewed to ensure currency.

Frequently asked questions

The 93 Annex A controls are information security internal controls. The statement of applicability documents which are implemented.

Through internal audits, control testing, performance indicators and management review.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Internal control

Key aspects

Preventive, detective and corrective

Operating effectiveness

Documentation

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Internal control

Key aspects

Preventive, detective and corrective

Operating effectiveness

Documentation

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Internal control

Key aspects

Preventive, detective and corrective

Operating effectiveness

Documentation

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Internal control

Key aspects

Preventive, detective and corrective

Operating effectiveness

Documentation

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?