
ISO 27001 Annex A Controls Explained: All 93 Controls Grouped by Theme

ISO 27001:2022 Annex A contains 93 controls organized into four themes, a significant restructuring from the 2013 version which had 114 controls across 14 domains. These controls represent the reference set of information security measures that organizations select from based on their risk assessment results. Understanding the full landscape of Annex A controls is essential for building a comprehensive Statement of Applicability and implementing an effective Information Security Management System.

Annex A Structure: From 14 Domains to 4 Themes

The 2022 revision of ISO 27001 fundamentally restructured Annex A from 14 control domains into four streamlined themes. The Organizational theme (A.5) contains 37 controls addressing information security policies, roles and responsibilities, threat intelligence, asset management, access control, supplier relationships, and compliance. The People theme (A.6) contains 8 controls covering screening, employment terms, awareness and training, disciplinary processes, post-employment responsibilities, confidentiality agreements, and remote working. The Physical theme (A.7) contains 14 controls addressing physical security perimeters, entry controls, securing offices and facilities, physical security monitoring, protection against environmental threats, working in secure areas, clear desk and screen, equipment siting, secure disposal, and utility support. The Technological theme (A.8) contains 34 controls covering user endpoint devices, privileged access, information access restriction, source code security, authentication, capacity management, malware protection, vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring, web filtering, cryptography, secure development lifecycle, and network security. This reorganization makes the control set more intuitive and better aligned with how organizations typically structure their security teams and responsibilities.
  • ISO 27001:2022 reorganized controls from 14 domains into 4 themes with 93 total controls
  • Organizational (A.5): 37 controls for policies, access, assets, and supplier management
  • People (A.6): 8 controls for HR security from hiring through termination
  • Physical (A.7): 14 controls for facilities, equipment, and environmental protection
  • Technological (A.8): 34 controls for endpoint, network, application, and data security

Organizational Controls (A.5): Governance and Management

The 37 organizational controls form the largest group and establish the governance framework for information security. A.5.1 through A.5.4 cover information security policies, management responsibilities, segregation of duties, and management review. A.5.5 and A.5.6 address contact with authorities and special interest groups, ensuring the organization stays connected with external security resources. A.5.7 introduces threat intelligence as a new control, requiring organizations to collect and analyze information about threats relevant to their operations. A.5.8 through A.5.14 cover project management integration, asset inventory, acceptable use, asset return, information classification, labeling, and information transfer. Access control is addressed in A.5.15 through A.5.18, covering access policy, identity management, authentication, and access rights. A.5.19 through A.5.22 address supplier relationship security, including information security in supplier agreements, managing the ICT supply chain, and monitoring supplier services. A.5.23 through A.5.28 cover cloud services security, incident management planning, assessment and decision-making, response, learning from incidents, and evidence collection. A.5.29 through A.5.31 address business continuity, ICT readiness, and legal requirements. A.5.32 through A.5.37 cover intellectual property, records protection, privacy, independent review, compliance with policies, and documented operating procedures.
  • Threat intelligence (A.5.7) is a new control requiring analysis of relevant security threats
  • Access control covers policy, identity management, authentication, and access rights management
  • Supplier security includes ICT supply chain management and monitoring of services
  • Incident management spans planning, response, learning, and evidence collection
  • Business continuity and legal compliance controls ensure operational resilience

People Controls (A.6): Human Resource Security

The eight people controls address the human element of information security throughout the employment lifecycle. A.6.1 requires screening of all candidates for employment, including background verification checks proportionate to the business requirements, classification of information to be accessed, and perceived risks. A.6.2 mandates that employment terms and conditions state the employee's and the organization's responsibilities for information security, including obligations that extend beyond employment termination. A.6.3 addresses information security awareness, education, and training, requiring all personnel and relevant contractors to receive appropriate awareness education and training, with regular updates as relevant to their job function. This is a critical control because human error remains one of the primary causes of security incidents. A.6.4 covers the disciplinary process, requiring a formal and communicated process to take action against personnel who have committed an information security violation. A.6.5 addresses responsibilities after termination or change of employment, ensuring that information security duties that remain valid after employment are defined, communicated, and enforced. A.6.6 covers confidentiality or non-disclosure agreements, requiring that these reflect the organization's needs for protection of information. A.6.7 addresses remote working, requiring security measures for remote access that have become especially relevant since the shift to distributed work environments. A.6.8 covers information security event reporting, requiring all personnel to report observed or suspected security events through appropriate channels.
  • Pre-employment screening must be proportionate to data classification and perceived risks
  • Employment terms must include information security responsibilities extending beyond termination
  • Security awareness training must be appropriate to job function with regular updates
  • Remote working controls have become critical since the shift to distributed work environments
  • All personnel must have channels to report observed or suspected security events

Physical Controls (A.7): Facilities and Equipment

The 14 physical controls protect the organization's premises, equipment, and operating environment. A.7.1 defines physical security perimeters to protect areas containing information and information processing facilities. A.7.2 covers physical entry controls, ensuring secure areas are protected by appropriate entry controls and access points. A.7.3 addresses securing offices, rooms, and facilities, requiring physical security measures designed and applied to protect them. A.7.4 introduces physical security monitoring as a new control, requiring premises to be continuously monitored for unauthorized physical access. A.7.5 addresses protection against physical and environmental threats such as natural disasters, fire, flood, and malicious attacks on infrastructure. A.7.6 covers working in secure areas with specific security measures to prevent unauthorized observation or interference with information processing. A.7.7 addresses clear desk and clear screen, requiring rules for papers, removable storage media, and information processing facilities. A.7.8 through A.7.10 cover equipment siting and protection, security of assets off-premises, and storage media management. A.7.11 addresses supporting utilities (power, telecommunications) to prevent loss or disruption. A.7.12 covers cabling security to protect power and telecommunications cabling from interception or damage. A.7.13 addresses equipment maintenance, and A.7.14 covers secure disposal or re-use of equipment to ensure all sensitive data is removed before disposal.
  • Physical security monitoring (A.7.4) is a new control requiring continuous monitoring for unauthorized access
  • Environmental threat protection covers natural disasters, fire, flood, and malicious physical attacks
  • Clear desk and screen policies reduce risk of unauthorized information access
  • Supporting utilities must be protected to prevent processing disruption
  • Secure disposal or re-use requires verified removal of all sensitive data from equipment

Technological Controls (A.8): Technical Security Measures

The 34 technological controls cover the technical implementation of information security. A.8.1 and A.8.2 address user endpoint devices and privileged access rights, requiring protection of devices and restriction of elevated access. A.8.3 through A.8.5 cover information access restriction, source code security, and secure authentication. A.8.6 addresses capacity management, and A.8.7 covers protection against malware. A.8.8 addresses technical vulnerability management, requiring timely identification and remediation of technical vulnerabilities. A.8.9 introduces configuration management as a new control, requiring that configurations of hardware, software, services, and networks are established, documented, implemented, monitored, and reviewed. A.8.10 addresses information deletion, and A.8.11 introduces data masking as a new control. A.8.12 introduces data leakage prevention as a new control, requiring measures to prevent unauthorized disclosure of sensitive information. A.8.13 and A.8.14 cover information backup and redundancy of information processing facilities. A.8.15 addresses logging, and A.8.16 introduces monitoring activities as a separate new control requiring networks, systems, and applications to be monitored for anomalous behavior. A.8.17 covers clock synchronization, and A.8.18 covers the use of privileged utility programs. A.8.19 through A.8.22 address software installation, network security, network services security, and web filtering (new control). A.8.23 through A.8.25 cover network segregation, use of cryptography, and secure development lifecycle. A.8.26 through A.8.28 address application security requirements, secure system architecture, and secure coding. A.8.29 through A.8.34 cover security testing, outsourced development, separation of environments, change management, test information, and protection of information systems during audit testing.
  • Configuration management (A.8.9), data masking (A.8.11), and DLP (A.8.12) are new controls
  • Monitoring activities (A.8.16) is now a separate control requiring anomaly detection
  • Web filtering (A.8.22) is a new control for managing access to external websites
  • Secure development lifecycle covers requirements, architecture, coding, and testing
  • Network security includes segregation, services security, and web filtering

Building Your Statement of Applicability

The Statement of Applicability (SoA) is one of the most important documents in your ISMS, linking your risk assessment results to the Annex A controls you have selected or excluded. For each of the 93 controls, the SoA must state whether the control is applicable or not applicable, the justification for inclusion or exclusion, the implementation status, and a reference to relevant policies, procedures, or evidence. Controls cannot be excluded simply because they are inconvenient or expensive to implement. Exclusions must be justified based on the risk assessment results, demonstrating that the risks addressed by the excluded control are either not relevant to the organization or are adequately addressed by other means. Common legitimate exclusions include physical security controls for organizations operating entirely in cloud-hosted environments with no physical infrastructure, or specific controls related to development if the organization does not develop software. When building your SoA, start with your risk assessment results to identify which controls address your identified risks. Then review all 93 controls to identify any that address risks you may not have explicitly identified but are generally applicable to your operations. The SoA should be a living document, updated whenever the risk assessment is updated, new threats are identified, or significant changes occur to the ISMS scope or the organization's operations.
  • The SoA must address all 93 controls with inclusion/exclusion justification for each
  • Exclusions must be justified by risk assessment results, not by convenience or cost
  • Each control entry should reference implementation status and supporting documentation
  • The SoA should be maintained as a living document updated with risk assessment changes
  • Start with risk assessment results then review all controls for general applicability
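The SoA rules above (every one of the 93 controls addressed, exclusions justified by risk rather than cost, applicable controls carrying a status and an evidence reference) are mechanical enough to check automatically. The following is an added example, not code from the article or from any ISO 27001 tool; it assumes an SoA is held as a list of dicts with the keys `control`, `applicable`, `justification`, `status` and `reference`, and the sample SoA it builds is constructed for illustration.

```python
# Statement of Applicability (SoA) completeness checker: added example, not the
# page author's code. Assumes an SoA is a list of dicts with keys control,
# applicable, justification, status, reference; theme sizes are from the page.
THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
NON_RISK_TERMS = ("expensive", "cost", "inconvenient")  # cost/convenience wording

def all_controls():
    """All 93 Annex A identifiers, 'A.5.1' ... 'A.8.34'."""
    return [f"{t}.{n}" for t, c in THEMES.items() for n in range(1, c + 1)]

def check_soa(entries):
    """Return findings; an empty list means every control is addressed and justified."""
    findings, seen = [], {}
    for e in entries:
        cid = str(e.get("control"))
        if cid in seen:
            findings.append(f"{cid}: duplicate entry")
        seen[cid] = e
    for cid in all_controls():
        e = seen.pop(cid, None)
        if e is None:
            findings.append(f"{cid}: not addressed in SoA")
            continue
        just = (e.get("justification") or "").lower()
        if not just.strip():
            findings.append(f"{cid}: missing justification")
        if e.get("applicable"):
            if not e.get("status"):
                findings.append(f"{cid}: applicable but no implementation status")
            if not e.get("reference"):
                findings.append(f"{cid}: applicable but no policy/evidence reference")
        elif any(t in just for t in NON_RISK_TERMS):
            findings.append(f"{cid}: excluded on cost/convenience, not risk")
    findings += [f"{cid}: not an Annex A control" for cid in sorted(seen)]
    return findings

def sample_soa():
    """Constructed SoA for a cloud-only organisation (A.7.* excluded), with two defects."""
    def row(cid, applicable, just):
        return {"control": cid, "applicable": applicable, "justification": just,
                "status": "Implemented" if applicable else "N/A", "reference": "ISP-01"}
    soa = [row(c, not c.startswith("A.7."),
               "No premises; risk R-12 treated by hosting provider" if c.startswith("A.7.")
               else "Addresses risk R-03") for c in all_controls()]
    soa = [e for e in soa if e["control"] != "A.5.7"]  # defect: control omitted
    soa[-1].update(applicable=False, justification="Too expensive")  # defect: A.8.34
    return soa
```

Running `check_soa(sample_soa())` reports the omitted A.5.7 and the cost-based exclusion of A.8.34, while the risk-justified physical exclusions pass.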

Key Takeaways

  • ISO 27001:2022 Annex A contains 93 controls organized into Organizational (37), People (8), Physical (14), and Technological (34) themes
  • The restructuring from 14 domains to 4 themes makes the control set more intuitive and aligned with organizational structures
  • New controls include threat intelligence, physical security monitoring, configuration management, data masking, DLP, monitoring activities, and web filtering
  • The Statement of Applicability must address all 93 controls with justified inclusion or exclusion
  • Control selection must be driven by risk assessment results, not by template or checkbox approaches
  • People controls covering the employment lifecycle remain critical as human error drives many incidents
  • Technological controls now explicitly address modern concerns like cloud, remote work, and data leakage

Frequently Asked Questions

How many controls are in ISO 27001:2022 Annex A?

ISO 27001:2022 Annex A contains 93 controls organized into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). This is a reduction from 114 controls in 14 domains in the 2013 version, achieved through merging and reorganization.

What are the new controls in ISO 27001:2022?

The 2022 version introduces 11 new controls: threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.22), and secure coding (A.8.28).

Do I need to implement all 93 Annex A controls?

No. Organizations implement controls based on their risk assessment results. However, every control must be addressed in the Statement of Applicability with a justified inclusion or exclusion. Exclusions must be based on the risk assessment demonstrating the control is not relevant, not merely on cost or convenience.

What is the Statement of Applicability?

The Statement of Applicability (SoA) is a mandatory ISMS document that lists all 93 Annex A controls and states whether each is applicable, the justification for inclusion or exclusion, the implementation status, and references to supporting documentation. It links risk assessment results to control selection.

How does ISO 27001:2022 differ from the 2013 version?

The 2022 version restructures controls from 14 domains into 4 themes, reduces the count from 114 to 93 through merging, adds 11 new controls addressing modern concerns, and introduces control attributes (threat type, cybersecurity concept, security property, operational capability, security domain) for easier filtering and classification.

What is the difference between Annex A and ISO 27002?

Annex A in ISO 27001 lists the controls as concise reference points for the ISMS. ISO 27002 provides detailed implementation guidance for each control, including purpose, guidance, and supplementary information. Organizations use Annex A for compliance scoping and ISO 27002 for implementation details.
