Feeling overwhelmed by information security standards?
You’re not alone.
For many, ISO 27001 Annex A feels like a maze of controls and guidelines that’s hard to navigate.
But it doesn’t have to be that way.
Whether you’re a business leader or a technologist, understanding Annex A is the first step to protecting your organisation and building trust with your clients.
This post will simplify everything.
You’ll learn what Annex A controls are, how they work, and how to apply them to your business.
By the end, you’ll have the clarity and confidence to turn security into a strength, not a headache.
Ready to dive in?
Let’s get started!
What Are ISO 27001 Annex A Controls?
Before we dive into the ISO 27001 Annex A controls, it's worth pausing to define what we mean by a control.
A control is a safeguard or countermeasure designed to treat risk. This could include:
Reducing the number of vulnerabilities,
Addressing threats to the organisation, or
Ensuring compliance with security requirements
Controls can take various forms, including policies, processes, technical tools, and physical measures.
Broadly speaking, there are 3 types of control:
Preventive Controls: Stop risks before they materialise (e.g., firewalls, access controls).
Detective Controls: Identify threats as they occur (e.g., intrusion detection systems, monitoring).
Corrective Controls: Limit or repair the damage once an incident has occurred (e.g., incident response, restoring from backups).
Ultimately, the objective of a Control is to mitigate risk in one or more of the following ways:
Reduce Likelihood: Minimize the chance of threats occurring.
Limit Impact: Contain and reduce the damage caused by incidents.
Ensure Compliance: Align with regulatory and certification requirements, such as ISO 27001.
By strategically implementing controls, organizations can proactively manage risks, safeguard critical assets, and build trust with stakeholders.
Now let's focus on ISO 27001 Annex A.
ISO 27001 Annex A is a set of common controls that the International Organization for Standardization (ISO) considers generally accepted good practice.
They are intended to address the most commonly found, universal security risks that most (if not all) organisations face - regardless of geography, industry, technology and organisation size.
How Many ISO 27001 Annex A Controls Are There?
ISO 27001:2022 has 93 controls.
The latest update, ISO 27001:2022, groups the controls into four themes:
Section 5: Organisational (37 controls)
Section 6: People (8 controls)
Section 7: Physical (14 controls)
Section 8: Technological (34 controls)
Each theme focuses on key areas of security, such as managing access or implementing physical protections.
Each theme contains its controls directly: specific actions, policies or mechanisms designed to address a particular security need. There is no further layer of "domains" in the 2022 edition; the attributes covered later in this post are what let you group controls across themes, for example by operational capability such as Asset management or Identity and access management.
For instance, the Organisational theme contains controls such as 5.9 Inventory of information and other associated assets and 5.18 Access rights, which cover defining asset ownership and reviewing user permissions.
By consolidating categories into themes, the updated standard reduces redundancies and makes it easier to assign responsibility.
For example, IT teams typically handle technological controls, while organisational teams manage broader operational processes.
What's New In ISO 27001:2022 Annex A?
In October 2022, the International Organization for Standardization (ISO) published ISO/IEC 27001:2022 - the first major revision of ISO 27001 since 2013.
Key points to note:
The structure of ISO 27001:2022 remains the same (i.e. Mandatory Clauses and Annex A Controls.)
The Annex A Controls have been re-organised into 4 thematic groups (as opposed to the 14 categories that existed in ISO 27001:2013)
Control Attributes have been introduced to create greater context and allow you to filter, sort or present controls in different ways for different audiences.
Some of the existing Annex A Controls have been renamed and/or merged to reduce the number of Controls (reduction from 114 to 93), and
There are 11 new Annex A Controls that need to be considered
What Are The New ISO 27001 Annex A Controls?
There are 11 new controls in ISO 27001:2022 Annex A:
ISO 27001 Annex A 5.7 - Threat intelligence: An organisational control that requires organisations to have policies and processes in place for collecting and analysing threat intelligence, and for acting on it.
ISO 27001 Annex A 5.23 - Information security for use of cloud services: Requires organisations to define how cloud services are acquired, used, managed and exited, including the security responsibilities shared with the provider.
ISO 27001 Annex A 5.30 - ICT readiness for business continuity: Requires organisations to plan, implement and test ICT continuity arrangements so that operations can continue in the event of an outage.
ISO 27001 Annex A 7.4 - Physical security monitoring: Requires organisations to continuously monitor premises for unauthorised physical access and to respond to it.
ISO 27001 Annex A 8.9 - Configuration management: Requires organisations to establish, document, implement and monitor secure configurations for hardware, software, services and networks.
ISO 27001 Annex A 8.10 - Information deletion: Requires organisations to delete information held in systems, devices and other storage media when it is no longer required, in line with legal and regulatory obligations.
ISO 27001 Annex A 8.11 - Data masking: Requires organisations to apply data masking techniques (for example anonymisation or pseudonymisation) to protect sensitive data such as personally identifiable information (PII).
ISO 27001 Annex A 8.12 - Data leakage prevention: Requires organisations to apply measures to the systems, networks and devices that process, store or transmit sensitive information in order to detect and prevent unauthorised disclosure.
ISO 27001 Annex A 8.16 - Monitoring activities: Requires organisations to monitor networks, systems and applications for anomalous behaviour and to act on the results so that incidents are identified and responded to.
ISO 27001 Annex A 8.23 - Web filtering: Requires organisations to manage access to external websites in order to reduce exposure to malicious content.
ISO 27001 Annex A 8.28 - Secure coding: Requires organisations to apply secure coding principles to software development so that vulnerabilities are not introduced through poor coding practices.
What Are ISO 27001 Annex A Control Attributes?
In addition to the four new themes, ISO 27001:2022 also introduces a set of Control Attributes (defined in ISO/IEC 27002:2022).
According to ISO/IEC 27002:2022:
"The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different views for different audiences."
The five attributes are:
Control type: preventive, detective, corrective
Operational capabilities: governance, asset management, information protection, human resource security, etc.
Security domains: governance and ecosystem, protection, defence, resilience
Cybersecurity concepts: identify, protect, detect, respond, recover
Information security properties: confidentiality, integrity, availability
These five attributes are designed to help organisations classify and organise controls in a way that aligns with their unique security requirements.
By grouping controls based on attributes, businesses can create a customised approach that makes implementation more intuitive and effective. This flexibility allows organisations to focus on what matters most to their security goals while simplifying how they manage and prioritise controls.
The introduction of control attributes offers a practical way to streamline security efforts and make the standard easier to use in day-to-day operations.
Let's explore each of these attributes in a bit more depth.
ISO 27001 Annex A Control Types
Controls are categorised by their primary function—preventing incidents, detecting threats, or correcting issues after they happen.
Preventive controls focus on stopping problems before they occur. Examples include access management policies and encryption protocols, which prevent unauthorised access or risky actions. Supporting documentation often includes authentication procedures and encryption guidelines.
Detective controls aim to identify potential threats. These may involve tools like log monitoring, intrusion detection system (IDS) alerts, or analysing network traffic for unusual activity.
Corrective controls address and resolve issues after they’ve been identified. These could include incident response plans and processes to remediate security breaches. Supporting evidence might include detailed incident reports or records of the steps taken during a security event.
Each type of control plays a vital role in creating a well-rounded approach to managing security risks.
ISO 27001 Annex A Operational Capabilities
The Operational Capabilities attribute groups controls by the practical security capability they belong to, such as asset management, identity and access management or continuity.
It looks at security through the lens of the practitioner and provides a model for mapping risks and controls to the teams and functions that actually run them.
The 15 Operational Capabilities are:
Application Security
Asset Management
Continuity
Governance
Human Resource Security
Identity and Access Management
Information Protection
Information Security Assurance
Information Security Event Management
Legal and Compliance
Physical Security
Secure Configuration
Supplier Relationships Security
System and Network Security
Threat and Vulnerability Management
To bring this to life, let's look at some practical examples:
Asset management controls focus on tracking and securing both digital and physical resources. This includes maintaining asset inventories and usage logs to confirm all assets are accounted for and managed properly. Regular reviews of asset status, lifecycle management, and disposal processes are also key components.
Information protection controls rely on measures such as data classification policies and access permissions logs to ensure sensitive data is safeguarded.
When it comes to human resources, security-focused practices include keeping records like training logs, confidentiality agreements, and background checks. These demonstrate a commitment to fostering a workforce that prioritises security in daily operations.
ISO 27001 Annex A Security Domains
Security Domains in ISO 27001 organise controls into four key areas: governance and ecosystem, protection, defence, and resilience. Each domain focuses on broader security objectives to help your organisation manage risks effectively.
Governance and ecosystem controls establish the foundation for security responsibilities. This includes policies for managing third-party partnerships and maintaining records of security assessments to ensure accountability and oversight.
Protection controls focus on safeguarding data and systems. Examples include encryption standards and firewall configurations, which show the steps taken to prevent unauthorised access.
Defence-focused controls use tools to monitor and respond to threats. These might include intrusion detection logs or reports from threat intelligence systems to identify and manage risks in real time.
Resilience controls help your organisation recover from disruptions. This often involves maintaining business continuity and disaster recovery plans, along with testing results to show readiness for unexpected events.
ISO 27001 Annex A Cybersecurity Concepts
The Cybersecurity Concepts attribute, outlined in ISO/IEC TS 27110, organises controls based on the steps needed to manage cybersecurity risks effectively.
Aligned with the NIST Cybersecurity Framework, the ISO 27001 Cybersecurity Concepts are:
Identify: Controls focus on uncovering risks, using tools like risk assessment reports and vulnerability scan results to highlight potential threats.
Protect: Controls aim to prevent issues before they happen. Examples include access management policies and secure development practices, which safeguard critical resources.
Detect: Controls monitor for anomalies and alert you to potential security incidents. These include monitoring protocols and alert systems designed to catch problems early.
Respond: Controls come into play during a security event. Incident response logs document actions taken to mitigate damage and resolve issues.
Recover: Controls ensure your organisation can bounce back after a disruption. This might involve disaster recovery plans and system restoration logs to get operations back on track quickly.
ISO 27001 Annex A Information Security Properties
Information security property attributes are built around three core principles: confidentiality, integrity, and availability (often referred to as the CIA triad).
These principles guide how organisations protect and manage their information.
Confidentiality controls ensure sensitive data is only accessible to authorised individuals. Examples include access restrictions and vendor agreements with confidentiality clauses that protect information from unauthorised access.
Integrity controls focus on maintaining the accuracy and consistency of data. Tools like data validation reports and integrity-check mechanisms help ensure information remains unaltered and trustworthy.
Availability controls ensure systems and data are accessible when needed. This is demonstrated through system uptime reports and backup records, showing that your organisation is prepared to provide timely access even during disruptions.
Together, these attributes provide a balanced approach to safeguarding information and ensuring it serves its intended purpose without compromise.
ISO 27001 Annex A.5 Organisational Controls Explained
Organisational controls are all about how the organisation operates.
They focus on policies, processes, and overall governance of information security.
These controls are crucial for setting a strong foundation.
In a world where data breaches and cyber threats are increasingly prevalent, having robust organisational controls is not just a best practice; it is a necessity.
By implementing these controls, organisations can ensure that their information security measures are not only effective but also aligned with their overall business objectives.
Establishing clear roles and responsibilities helps create accountability. This means everyone knows their part in protecting sensitive information.
Furthermore, it fosters a culture of security awareness within the organisation.
Regular training sessions and workshops can be instrumental in keeping staff informed about the latest security threats and the importance of adhering to established protocols.
By engaging employees in this manner, organisations can cultivate a proactive approach to information security, where everyone feels empowered to contribute to the safeguarding of data.
Moreover, effective communication channels must be established to facilitate the flow of information regarding security policies and incidents.
This includes not only internal communication but also external communication with stakeholders, suppliers, and customers.
Transparency in how security is managed can enhance trust and confidence in the organisation, which is particularly vital in sectors where data protection is paramount.
Regular audits and reviews of organisational controls can also help identify areas for improvement, ensuring that the organisation remains agile and responsive to the ever-evolving landscape of information security threats.
What Are The ISO 27001 Annex A.5 Organisational Controls?
| Control Name | Reference Guide |
| --- | --- |
| 5.1 Policies for information security | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-1-information-security-policy) |
| 5.2 Information security roles and responsibilities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities) |
| 5.3 Segregation of duties | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-3-segregation-of-duties) |
| 5.4 Management responsibilities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-4-management-responsibilities) |
| 5.5 Contact with authorities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-5-contact-with-authorities) |
| 5.6 Contact with special interest groups | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-6-contact-with-special-interest-groups) |
| 5.7 Threat intelligence | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-7-threat-intelligence) |
| 5.8 Information security in project management | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-8-information-security-in-project-management) |
| 5.9 Inventory of information and other associated assets | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-9-inventory-of-information-and-other-associated-assets) |
| 5.10 Acceptable use of information and other associated assets | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-10-acceptable-use-of-information-and-other-associated-assets) |
| 5.11 Return of assets | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-11-return-of-assets) |
| 5.12 Classification of information | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-12-classification-of-information) |
| 5.13 Labelling of information | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-13-labelling-of-information) |
| 5.14 Information transfer | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-14-information-transfer) |
| 5.15 Access control | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-15-access-control) |
| 5.16 Identity management | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-16-identity-management) |
| 5.17 Authentication information | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-17-authentication-information) |
| 5.18 Access rights | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-18-access-rights) |
| 5.19 Information security in supplier relationships | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-19-information-security-in-supplier-relationships) |
| 5.20 Addressing information security within supplier agreements | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-20-addressing-information-security-within-supplier-agreements) |
| 5.21 Managing information security in the ICT supply chain | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-21-information-security-in-the-supply-chain) |
| 5.22 Monitoring, review and change management of supplier services | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-22-change-management-of-supplier-services) |
| 5.23 Information security for use of cloud services | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-23-information-security-for-use-of-cloud-services) |
| 5.24 Information security incident management planning and preparation | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-24-information-security-incident-management-planning-and-preparation) |
| 5.25 Assessment and decision on information security events | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-25-assessment-and-decision-on-information-security-events) |
| 5.26 Response to information security incidents | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-26-response-to-information-security-incidents) |
| 5.27 Learning from information security incidents | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-27-learning-from-information-security-incidents) |
| 5.28 Collection of evidence | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-28-collection-of-evidence) |
| 5.29 Information security during disruption | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-29-information-security-during-disruption) |
| 5.30 ICT readiness for business continuity | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-30-ict-readiness-for-business-continuity) |
| 5.31 Legal, statutory, regulatory and contractual requirements | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-31-legal-statutory-regulatory-and-contractual-requirements) |
| 5.32 Intellectual property rights | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-32-intellectual-property-rights) |
| 5.33 Protection of records | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-33-protection-of-records) |
| 5.34 Privacy and protection of personal identifiable information (PII) | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-34-privacy-and-protection-of-pii) |
| 5.35 Independent review of information security | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-35-independent-review-of-information-security) |
| 5.36 Compliance with policies, rules and standards for information security | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-36-compliance-with-policies-rules-and-standards-for-information-security) |
| 5.37 Documented operating procedures | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-5-37-documented-operating-procedures) |
ISO 27001 Annex A.6 People Controls Explained
Let’s talk about people controls.
They’re essential because no organization can function without its people.
Training employees on security awareness isn’t just helpful—it’s transformative.
When employees know the right policies and practices, they can actively protect information. Suddenly, every team member becomes a frontline defender against threats.
A strong training program does more than teach skills.
It creates a culture of security. Regular workshops and quick refreshers keep these ideas fresh, making security something employees think about every day.
When people are aware, they’re more likely to report suspicious activity or potential breaches.
It’s not just about following rules; it’s about creating an environment where everyone feels responsible for keeping things secure.
Tailored training takes this to the next level. Different roles face different risks, so the training should reflect that.
For example, finance teams might focus on spotting phishing attempts, while IT staff need to understand data protection and incident response.
By customizing the learning to meet specific challenges, organizations can give employees the tools they need to succeed.
Investing in your people like this doesn’t just protect your organization—it empowers your teams.
When employees feel equipped and trusted, they’re not just following protocols; they’re actively safeguarding the future of the business.
What Are The ISO 27001 Annex A.6 People Controls?
| Control Name | Reference Guide |
| --- | --- |
| 6.1 Screening | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-1-screening) |
| 6.2 Terms and conditions of employment | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-2-terms-and-conditions-of-employment) |
| 6.3 Information security awareness, education and training | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-3-information-security-awareness-education-and-training) |
| 6.4 Disciplinary process | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-4-disciplinary-process) |
| 6.5 Responsibilities after termination or change of employment | [Learn More >](iso-27001-annex-a-6-5-responsibilities-after-termination-or-change-of-employment) |
| 6.6 Confidentiality or non-disclosure agreements | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-6-confidentiality-or-non-disclosure-agreements) |
| 6.7 Remote working | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-7-remote-working) |
| 6.8 Information security event reporting | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-6-8-information-security-event-reporting) |
ISO 27001 Annex A.7 Physical Controls Explained
Physical controls are all about keeping your stuff safe.
They make sure buildings, equipment, and other valuables are protected from unwanted guests. Think locks, cameras, and security guards.
These are the unsung heroes that quietly do their job, stopping trouble before it has a chance to show up.
Of course, we’re not living in the stone age.
Many organizations are stepping up their game with advanced tech.
Biometric systems, like fingerprint or facial scanners, raise the bar for anyone trying to slip through, and they're convenient for employees too, with no ID card to fumble for.
They are not foolproof, though: a biometric can be spoofed and, unlike a badge, cannot be revoked and reissued if it is compromised, so pair it with a card or PIN for higher-security areas.
Then there's AI-powered smart surveillance.
These systems do more than record; they flag unusual movement or behaviour for a human to review, so a potential intrusion can be investigated before anyone else notices something's off. Treat them as a source of alerts that feeds the monitoring process control 7.4 asks for, not as a replacement for it.
But here’s the thing: fancy tools won’t get you far without the people to back them up.
Employees need to know the drill—what to watch for, when to speak up, and why it all matters.
A little training goes a long way in turning your team into a first line of defence.
When you mix cutting-edge tech with a team that’s alert and ready, you get a security system that works.
It’s not just about keeping bad guys out; it’s about building confidence that your organization is prepared for anything.
What Are The ISO 27001 Annex A.7 Physical Controls?
| Control Name | Reference Guide |
| --- | --- |
| 7.1 Physical security perimeters | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-1-physical-security-perimeters) |
| 7.2 Physical entry | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-2-physical-entry) |
| 7.3 Securing offices, rooms and facilities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-3-securing-offices-rooms-and-facilities) |
| 7.4 Physical security monitoring | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-4-physical-security-monitoring) |
| 7.5 Protecting against physical and environmental threats | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-5-protecting-against-physical-and-environmental-threats) |
| 7.6 Working in secure areas | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-6-working-in-secure-areas) |
| 7.7 Clear desk and clear screen | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-7-clear-desk-and-clear-screen) |
| 7.8 Equipment siting and protection | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-8-equipment-siting-and-protection) |
| 7.9 Security of assets off-premises | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-9-security-of-assets-off-premises) |
| 7.10 Storage media | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-10-storage-media) |
| 7.11 Supporting utilities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-11-supporting-utilities) |
| 7.12 Cabling security | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-12-cabling-security) |
| 7.13 Equipment maintenance | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-13-equipment-maintenance) |
| 7.14 Secure disposal or re-use of equipment | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-7-14-secure-disposal-or-re-use-of-equipment) |
ISO 27001 Annex A.8 Technological Controls Explained
Technological controls are the technical side of security.
They cover a lot more than firewalls, anti-virus software and encryption: access control and privileged access, endpoint and malware protection, vulnerability and configuration management, logging and monitoring, backups and redundancy, network security, and the whole secure development life cycle. Together they protect data at rest, in transit and in use.
Choosing technology that matches the risks you actually face is what makes these controls effective.
It helps organisations stay one step ahead of potential threats.
What Are The ISO 27001 Annex A.8 Technological Controls?
| Control Name | Reference Guide |
| --- | --- |
| 8.1 User endpoint devices | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-1-user-endpoint-devices) |
| 8.2 Privileged access rights | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-2-privileged-access-rights) |
| 8.3 Information access restriction | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-3-information-access-restriction) |
| 8.4 Access to source code | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-4-access-to-source-code) |
| 8.5 Secure authentication | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-5-secure-authentication) |
| 8.6 Capacity management | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-6-capacity-management) |
| 8.7 Protection against malware | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-7-protection-against-malware) |
| 8.8 Management of technical vulnerabilities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-8-management-of-technical-vulnerabilities) |
| 8.9 Configuration management | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-9-configuration-management) |
| 8.10 Information deletion | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-10-information-deletion) |
| 8.11 Data masking | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-11-data-masking) |
| 8.12 Data leakage prevention | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-12-data-leakage-prevention) |
| 8.13 Information backup | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-13-information-backup) |
| 8.14 Redundancy of information processing facilities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-14-redundancy-of-information-processing-facilities) |
| 8.15 Logging | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-15-logging) |
| 8.16 Monitoring activities | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-16-monitoring-activities) |
| 8.17 Clock synchronization | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-17-clock-synchronisation) |
| 8.18 Use of privileged utility programs | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-18-use-of-privileged-utility-programs) |
| 8.19 Installation of software on operational systems | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-19-installation-of-software-on-operational-systems) |
| 8.20 Networks security | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-20-network-security) |
| 8.21 Security of network services | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-21-security-of-network-services) |
| 8.22 Segregation of networks | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-22-segregation-of-networks) |
| 8.23 Web filtering | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-23-web-filtering) |
| 8.24 Use of cryptography | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-24-use-of-cryptography) |
| 8.25 Secure development life cycle | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-25-secure-development-life-cycle) |
| 8.26 Application security requirements | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-26-application-security-requirements) |
| 8.27 Secure system architecture and engineering principles | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-27-secure-system-architecture-and-engineering-principles) |
| 8.28 Secure coding | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-28-secure-coding) |
| 8.29 Security testing in development and acceptance | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-29-security-testing-in-development-and-acceptance) |
| 8.30 Outsourced development | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-30-outsourced-development) |
| 8.31 Separation of development, test and production environments | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-31-separation-of-development-test-and-production-environments) |
| 8.32 Change management | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-32-change-management) |
| 8.33 Test information | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-33-test-information) |
| 8.34 Protection of information systems during audit testing | [Learn More >](https://www.grcmana.io/blog/iso-27001-annex-a-8-34-protection-of-information-systems-during-audit-testing) |
ISO 27001 Annex A Frequently Asked Questions
How Many ISO 27001 Annex A Controls Are There?
ISO 27001:2022 Annex A includes 93 controls, divided into four thematic groups - Organisational, People, Physical and Technological.
Whilst this might sound like a lot, don't panic!
First off, these 93 controls cover a wide range of security measures to address various risks that may impact your business. Not all of them will apply to your business.
Second of all, ISO 27001:2022 trimmed things down. The older version had 114 controls, divided into 14 categories. This new version makes ISO 27001 simpler to manage.
Do I Have to Implement All ISO 27001 Annex A Controls?
Nope. Not all controls are mandatory.
ISO 27001 is NOT a one-size-fits-all thing.
It's about designing, implementing and continuously improving an ISMS that:
Fits the context of your organisation, and
Addresses the risks that you face.
Here's the deal.
ISO 27001 requires you to select controls to address risks identified in your risk assessment.
Annex A Controls are designed to treat specific security risks relevant to your operations.
If an Annex A Control does not address a specific risk that you face, or is not relevant to the context of your organisation, then you do NOT need to implement it.
The controls that are relevant should be documented in your Statement of Applicability (SoA). The SoA should also include a justification for each control that has NOT been implemented (e.g. "Not applicable").
In short:
Identify your business risks.
Select appropriate Annex A Controls to address the business risks you've identified.
Use the Statement of Applicability (SoA) to document which controls apply and why.
Skip the ones irrelevant to your business.
Can I Integrate ISO 27001 Annex A With Other Standards (e.g. NIST, CIS, PCI DSS)?
Absolutely. In fact, it's actively encouraged.
Remember, ISO 27001 is not about box ticking or badge collecting.
It's about designing, implementing and continuously improving an ISMS that:
Fits the context of your organisation, and
Addresses the risks that you face.
The mandatory clauses define the requirements of an ISO 27001 compliant ISMS, whereas the Annex A Controls are about treating risk.
Let's explore some examples:
Example #1 - My organisation processes credit card data
Let's say you've evaluated the context of your organisation and determined that PCI DSS is in scope because you process credit card data.
There are aspects of ISO 27001 that will definitely support PCI DSS. However, PCI DSS is very prescriptive.
In this instance, you should:
Map PCI DSS controls to relevant ISO 27001 Clauses and Annex A Controls
Identify any gaps
Implement appropriate measures to ensure you comply with both Standards
Augment your Statement of Applicability to include the additional PCI DSS controls
By following this 4 step approach, you create a more unified, integrated approach to improving your security and achieving compliance in a sustainable way.
Example #2 - My organisation runs workloads in the cloud
What ISO 27001 will not do, however, is provide explicit guidance on how to secure specific cloud workloads.
Now, you might think this is a bad thing, but I'd be inclined to disagree.
ISO 27001 is an organisation-wide framework that helps you design, implement and continuously improve an ISMS.
You can use ISO 27001 to establish a baseline of your ISMS and incorporate more specialised Standards that help address cloud-specific risks such as the CSA CCM or CIS Benchmarks.
In this instance, you should:
Map CSA CCM or CIS Benchmark controls to relevant ISO 27001 Clauses and Annex A Controls
Identify any gaps
Implement appropriate measures to ensure you comply with both Standards
Augment your Statement of Applicability to include the additional controls
By following this 4 step approach, you create a more unified, integrated approach to improving your security and achieving compliance in a sustainable way.
What Are the Objectives of ISO 27001 Annex A Controls?
The controls in Annex A help you protect your business and keep your data safe.
Each one has a specific purpose.
For example, ISO 27001 Annex A 6.1 Screening aims to ensure appropriate background checks for employees, to reduce insider threats and align with regulatory requirements.
These controls focus on finding risks and fixing weak spots.
They guide you on things like who can access your systems, keeping cloud data secure, and handling problems if something goes wrong.
The goal is simple: protect your data, build trust, and keep your business strong.
By following these steps, you can stay ahead of threats and focus on what matters most.
What’s the Difference Between Annex A and ISO 27002?
ISO 27001 helps organisations create a structured system to protect their information.
It’s called a management standard because it focuses on building and running an information security management system (ISMS). It gives you the framework to handle everything from responsibilities to setting goals and running audits.
ISO 27002, though, is all about the details. It doesn’t focus on the big picture or system management. Instead, it provides practical advice and techniques to help you apply specific security controls.
Another big difference? You can get ISO 27001 certified through an audit. That’s not an option with ISO 27002—it’s a guide, not a certification.
The two also vary in depth. ISO 27001 covers what you need to do to create and maintain an ISMS, but it stays high-level. ISO 27002 gets into the nitty-gritty, walking you through the how-to for every control.
Pro Tip: Use ISO 27002 to make ISO 27001 Annex A Controls actionable.
Conclusion
ISO 27001 Annex A is your roadmap to stronger security.
It’s not about doing everything—it’s about doing the right things for your business.
Focus on what matters, tackle your risks, and build trust with your clients.
Want more tips like this to simplify information security?
Subscribe to the GRCMana newsletter today and get clear, actionable advice straight to your inbox.
P.S. Whenever you're ready, here are 3 ways I can help you:
Subscribe to GRCMANA and each week you will get more tips, strategies and resources that will help you accelerate your GRC career.
Join the Cyber Resilience Network: Join 16,000+ other members in the largest LinkedIn Community dedicated to building cyber resilience in the cloud.
Follow me on LinkedIn for more tools, strategies and insights on how to govern your cloud, secure your cloud and defend your cloud.
Harry is a technologist and security leader with 20+ years experience in helping organisations govern their cloud, secure their cloud and defend their cloud.