ISO 27001:2022 Annex A Controls Explained

Harry West
August 25, 2023

Struggling to make sense of ISO 27001:2022 Annex A controls?

You're not alone.

With its complex jargon and detailed requirements, it’s easy to feel overwhelmed.

But here’s the good news: this blog post breaks everything down for you.

Whether you’re building an information security management system or preparing for certification, you’ll find practical explanations and actionable insights here.

What can you expect? A clear, no-nonsense guide to Annex A controls—what they are, why they matter, and how to implement them.

By the end, you’ll feel confident navigating ISO 27001:2022 and applying its principles to your organisation.

Ready to make ISO 27001 manageable? Keep reading!

What Are ISO 27001 Annex A Controls?

Before we dive into the ISO 27001 Annex A Controls, it's probably worth pausing for a moment to discuss what we mean by Control.

A control is a safeguard or countermeasure designed to treat risk. This could include:

  • Reducing the number of vulnerabilities,
  • Addressing threats to the organisation, or
  • Ensuring compliance with security requirements

Controls can take various forms, including policies, processes, technical tools, and physical measures.

Broadly speaking, there are 3 types of control:

  1. Preventive Controls: Stop risks before they materialize (e.g., firewalls, access controls).
  2. Detective Controls: Identify threats as they occur (e.g., intrusion detection systems, monitoring).
  3. Corrective Controls: Address and remediate incidents (e.g., backups, incident response plans).

Ultimately, the objective of a Control is to mitigate risk in one or more of the following ways:

  • Reduce Likelihood: Minimize the chance of threats occurring.
  • Limit Impact: Contain and reduce the damage caused by incidents.
  • Ensure Compliance: Align with regulatory and certification requirements, such as ISO 27001.

By strategically implementing controls, organisations can proactively manage risks, safeguard critical assets, and build trust with stakeholders.

Flow chart that illustrates how threats exploit vulnerabilities which in turn, introduces risk. The flow chart concludes with demonstrating how controls treat risk.

Now let's focus on ISO 27001 Annex A.

ISO 27001 Annex A is a reference set of controls that the International Organization for Standardization (ISO) considers generally accepted good practice.

They are intended to address the most commonly found, universal security risks that most (if not all) organisations face, regardless of geography, industry, technology or organisation size.

How Many ISO 27001 Annex A Controls Are There?

ISO 27001:2022 has 93 controls, organised into four thematic groups:

  • Annex A.5 - Organizational (37 controls)
  • Annex A.6 - People (8 controls)
  • Annex A.7 - Physical (14 controls)
  • Annex A.8 - Technological (34 controls)

Chart illustrating the ISO 27001:2022 Annex A control categories and how many organisational, people, physical and technological controls are in each category.

Each theme focuses on key areas of security, such as managing access or implementing physical protections.

Within each theme sit the individual controls: the actions, policies or mechanisms designed to address a specific security need. Related controls naturally cluster around a topic.

For instance, the Organisational theme covers areas such as access control, asset management and supplier relationships. The Technological theme, as you'd expect, is where the hands-on technical controls live: secure authentication, the secure development life cycle, vulnerability management and so on.

By consolidating categories into themes, the updated standard reduces redundancies and makes it easier to assign clear responsibility.

For example:

  • IT and engineering teams typically handle Technological controls.
  • Those responsible for HR and/or legal matters are more likely to handle People controls.
  • Those responsible for Facilities are more likely to handle Physical controls.
  • Organisational controls are cross-cutting and will therefore typically be shared between different teams across the organisation.

What's New In ISO 27001:2022 Annex A?

In October 2022, the International Organization for Standardization (ISO) published ISO/IEC 27001:2022, the first major revision since 2013.

Key points to note:

  • The overall structure of ISO 27001:2022 remains the same (i.e. mandatory clauses plus Annex A controls).
  • The Annex A Controls have been re-organised into 4 thematic groups (as opposed to the 14 categories that existed in ISO 27001:2013)
  • Control Attributes have been introduced to provide greater context and allow you to filter, sort or present controls in different ways for different audiences.
  • Some of the existing Annex A Controls have been renamed and/or merged to reduce the number of Controls (reduction from 114 to 93), and
  • There are 11 new Annex A Controls that need to be considered
Chart that illustrates what's new in ISO 27001:2022. The chart illustrates the differences between ISO 27001:2013 and ISO 27001:2022, focusing on mandatory clauses, Annex A controls and Annex A control categories.

What Are The New ISO 27001 Annex A Controls?

There are 11 new controls that have been added to the ISO 27001 document.

These include:

  • ISO 27001 Annex A 5.7 - Threat intelligence: A new organisational control that requires organisations to have appropriate policies and processes in place for the collection and analysis of threat intelligence.
  • ISO 27001 Annex A 5.23 - Information security for use of cloud services: Another organisational control relating to the management of information security for the use of cloud services.
  • ISO 27001 Annex A 5.30 - ICT readiness for business continuity: Requires organisations to plan and test ICT continuity so that operational resilience is maintained in the event of an outage.
  • ISO 27001 Annex A 7.4 - Physical security monitoring: Requires organisations to have appropriate measures in place to detect and respond to unauthorised physical access to their premises.
  • ISO 27001 Annex A 8.9 - Configuration management: Requires organisations to establish, document and monitor secure configurations for hardware, software, services and networks across their estate.
  • ISO 27001 Annex A 8.10 - Information deletion: Requires organisations to delete information held in systems, devices and other storage media when it is no longer required, in line with legal and regulatory obligations.
  • ISO 27001 Annex A 8.11 - Data masking: Requires organisations to apply appropriate data masking techniques to protect sensitive data, such as personally identifiable information (PII), in line with their access control policy and applicable legislation.
  • ISO 27001 Annex A 8.12 - Data leakage prevention: Requires organisations to apply measures to systems, networks and devices that process, store or transmit sensitive information in order to prevent the leakage of that data.
  • ISO 27001 Annex A 8.16 - Monitoring activities: Requires organisations to monitor networks, systems and applications for anomalous behaviour, evaluate potential security events and take appropriate action to support incident response.
  • ISO 27001 Annex A 8.23 - Web filtering: Requires organisations to manage access to external websites in order to reduce exposure to malicious content.
  • ISO 27001 Annex A 8.28 - Secure coding: Requires organisations to apply secure coding principles to software development so that vulnerabilities are not introduced through poor coding practices.

Infographic illustrating the 11 New Controls in ISO 27001:2022

What Are ISO 27001 Annex A Control Attributes?

In addition to the new thematic groups, ISO 27001:2022 also introduces a set of Control Attributes.

According to ISO/IEC 27002:2022:

"The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different views for different audiences." Source: ISO/IEC 27002:2022

The five attributes are:

  • Control type: preventive, detective, corrective
  • Operational capabilities: governance, asset management, information protection, human resource security, etc.
  • Security domains: governance and ecosystem, protection, defense, resilience
  • Cybersecurity concepts: identify, protect, detect, respond, recover
  • Information security properties: confidentiality, integrity, availability

These five attributes are designed to help organisations classify and organise controls in a way that aligns with their unique security requirements.

By grouping controls based on attributes, businesses can create a customised approach that makes implementation more intuitive and effective. This flexibility allows organisations to focus on what matters most to their security goals while simplifying how they manage and prioritise controls.

The introduction of control attributes offers a practical way to streamline security efforts and make the standard easier to use in day-to-day operations.

Let's explore each of these attributes in a bit more depth.

ISO 27001 Annex A Control Types

Controls are categorised by their primary function—preventing incidents, detecting threats, or correcting issues after they happen.

  • Preventive controls focus on stopping problems before they occur. Examples include access management policies and encryption protocols, which prevent unauthorised access or risky actions. Supporting documentation often includes authentication procedures and encryption guidelines.
  • Detective controls aim to identify potential threats. These may involve tools like log monitoring, intrusion detection system (IDS) alerts, or analysing network traffic for unusual activity.
  • Corrective controls address and resolve issues after they’ve been identified. These could include incident response plans and processes to remediate security breaches. Supporting evidence might include detailed incident reports or records of the steps taken during a security event.

Each type of control plays a vital role in creating a well-rounded approach to managing security risks.

ISO 27001 Annex A Operational Capabilities

The Operational Capabilities attribute groups controls by the practitioner capability they belong to, for example managing assets, securing personnel or running event management.

Operational capabilities look at security through the lens of the practitioner and provide a model for mapping risks and controls to the teams and functions that actually operate them.

The 15 Operational Capabilities are:

  1. Application Security
  2. Asset Management
  3. Continuity
  4. Governance
  5. Human Resource Security
  6. Identity and Access Management
  7. Information Protection
  8. Information Security Assurance
  9. Information Security Event Management
  10. Legal and Compliance
  11. Physical Security
  12. Secure Configuration
  13. Supplier Relationships Security
  14. System and Network Security
  15. Threat and Vulnerability Management

To bring this to life, let's look at some practical examples:

  • Asset management controls focus on tracking and securing both digital and physical resources. This includes maintaining asset inventories and usage logs to confirm all assets are accounted for and managed properly. Regular reviews of asset status, lifecycle management, and disposal processes are also key components.
  • Information protection controls rely on measures such as data classification policies and access permissions logs to ensure sensitive data is safeguarded.
  • When it comes to human resources, security-focused practices include keeping records like training logs, confidentiality agreements, and background checks. These demonstrate a commitment to fostering a workforce that prioritises security in daily operations.

ISO 27001 Annex A Security Domains

Security Domains in ISO 27001 organise controls into four key areas: governance and ecosystem, protection, defence, and resilience. Each domain focuses on broader security objectives to help your organisation manage risks effectively.

  • Governance and ecosystem controls establish the foundation for security responsibilities. This includes policies for managing third-party partnerships and maintaining records of security assessments to ensure accountability and oversight.
  • Protection controls focus on safeguarding data and systems. Examples include encryption standards and firewall configurations, which show the steps taken to prevent unauthorised access.
  • Defence-focused controls use tools to monitor and respond to threats. These might include intrusion detection logs or reports from threat intelligence systems to identify and manage risks in real time.
  • Resilience controls help your organisation recover from disruptions. This often involves maintaining business continuity and disaster recovery plans, along with testing results to show readiness for unexpected events.

ISO 27001 Annex A Cybersecurity Concepts

The Cybersecurity Concepts attribute, outlined in ISO/IEC TS 27110, organises controls based on the steps needed to manage cybersecurity risks effectively.

Aligned with the NIST Cybersecurity Framework, the ISO 27001 Cybersecurity Concepts are:

  • Identify: Controls focus on uncovering risks, using tools like risk assessment reports and vulnerability scan results to highlight potential threats.
  • Protect: Controls aim to prevent issues before they happen. Examples include access management policies and secure development practices, which safeguard critical resources.
  • Detect: Controls monitor for anomalies and alert you to potential security incidents. These include monitoring protocols and alert systems designed to catch problems early.
  • Respond: Controls come into play during a security event. Incident response logs document actions taken to mitigate damage and resolve issues.
  • Recover: Controls ensure your organisation can bounce back after a disruption. This might involve disaster recovery plans and system restoration logs to get operations back on track quickly.

ISO 27001 Annex A Information Security Properties

The Information Security Properties attribute is built around three core principles: confidentiality, integrity, and availability (often referred to as the CIA triad).

These principles guide how organisations protect and manage their information.

  • Confidentiality controls ensure sensitive data is only accessible to authorised individuals. Examples include access restrictions and vendor agreements with confidentiality clauses that protect information from unauthorised access.
  • Integrity controls focus on maintaining the accuracy and consistency of data. Tools like data validation reports and integrity-check mechanisms help ensure information remains unaltered and trustworthy.
  • Availability controls ensure systems and data are accessible when needed. This is demonstrated through system uptime reports and backup records, showing that your organisation is prepared to provide timely access even during disruptions.

Together, these three properties provide a balanced approach to safeguarding information and ensuring it serves its intended purpose without compromise.

ISO 27001 Annex A.5 Organisational Controls Explained


When it comes to information security, strong organisational foundations are critical. That’s where ISO 27001:2022 Annex A.5 steps in.

The organisational controls offer a blueprint for aligning security measures with your organisation's structure, strategy, and operations.

Here’s why these controls matter:

  1. Defining Responsibilities: Organisational controls ensure that everyone—management, teams, and external stakeholders—knows their role in safeguarding information.
  2. Minimising Risk: These controls address everything from establishing clear security policies to managing relationships with suppliers. The goal? Reducing vulnerabilities at an organisational level.
  3. Driving Accountability: By embedding security into leadership and governance practices, these controls foster a culture of accountability.

Organisational controls cover areas like:

  • Establishing robust information security policies.
  • Managing roles and responsibilities to prevent conflicts or overlaps.
  • Ensuring continuous compliance with legal, contractual, and regulatory obligations.

These aren’t just theoretical ideals—they’re actionable measures designed to integrate seamlessly into your day-to-day operations, ensuring security isn’t an afterthought but a core part of how you do business.

Ready to see how these principles come to life?

Check out the table below for a detailed breakdown of each organisational control. Click on any link to dive deeper into specific areas and discover practical steps for implementation.

| Control Name | Control Name |
| --- | --- |
| [5.1 Policies for information security](https://www.grcmana.io/blog/iso-27001-annex-a-5-1-information-security-policy) | [5.20 Addressing information security within supplier agreements](https://www.grcmana.io/blog/iso-27001-annex-a-5-20-addressing-information-security-within-supplier-agreements) |
| [5.2 Information security roles and responsibilities](https://www.grcmana.io/blog/iso-27001-annex-a-5-2-information-security-roles-and-responsibilities) | [5.21 Managing information security in the ICT supply chain](https://www.grcmana.io/blog/iso-27001-annex-a-5-21-information-security-in-the-supply-chain) |
| [5.3 Segregation of duties](https://www.grcmana.io/blog/iso-27001-annex-a-5-3-segregation-of-duties) | [5.22 Monitoring, review and change management of supplier services](https://www.grcmana.io/blog/iso-27001-annex-a-5-22-change-management-of-supplier-services) |
| [5.4 Management responsibilities](https://www.grcmana.io/blog/iso-27001-annex-a-5-4-management-responsibilities) | [5.23 Information security for use of cloud services](https://www.grcmana.io/blog/iso-27001-annex-a-5-23-information-security-for-use-of-cloud-services) |
| [5.5 Contact with authorities](https://www.grcmana.io/blog/iso-27001-annex-a-5-5-contact-with-authorities) | [5.24 Information security incident management planning and preparation](https://www.grcmana.io/blog/iso-27001-annex-a-5-24-information-security-incident-management-planning-and-preparation) |
| [5.6 Contact with special interest groups](https://www.grcmana.io/blog/iso-27001-annex-a-5-6-contact-with-special-interest-groups) | [5.25 Assessment and decision on information security events](https://www.grcmana.io/blog/iso-27001-annex-a-5-25-assessment-and-decision-on-information-security-events) |
| [5.7 Threat intelligence](https://www.grcmana.io/blog/iso-27001-annex-a-5-7-threat-intelligence) | [5.26 Response to information security incidents](https://www.grcmana.io/blog/iso-27001-annex-a-5-26-response-to-information-security-incidents) |
| [5.8 Information security in project management](https://www.grcmana.io/blog/iso-27001-annex-a-5-8-information-security-in-project-management) | [5.27 Learning from information security incidents](https://www.grcmana.io/blog/iso-27001-annex-a-5-27-learning-from-information-security-incidents) |
| [5.9 Inventory of information and other associated assets](https://www.grcmana.io/blog/iso-27001-annex-a-5-9-inventory-of-information-and-other-associated-assets) | [5.28 Collection of evidence](https://www.grcmana.io/blog/iso-27001-annex-a-5-28-collection-of-evidence) |
| [5.10 Acceptable use of information and other associated assets](https://www.grcmana.io/blog/iso-27001-annex-a-5-10-acceptable-use-of-information-and-other-associated-assets) | [5.29 Information security during disruption](https://www.grcmana.io/blog/iso-27001-annex-a-5-29-information-security-during-disruption) |
| [5.11 Return of assets](https://www.grcmana.io/blog/iso-27001-annex-a-5-11-return-of-assets) | [5.30 ICT readiness for business continuity](https://www.grcmana.io/blog/iso-27001-annex-a-5-30-ict-readiness-for-business-continuity) |
| [5.12 Classification of information](https://www.grcmana.io/blog/iso-27001-annex-a-5-12-classification-of-information) | [5.31 Legal, statutory, regulatory and contractual requirements](https://www.grcmana.io/blog/iso-27001-annex-a-5-31-legal-statutory-regulatory-and-contractual-requirements) |
| [5.13 Labelling of information](https://www.grcmana.io/blog/iso-27001-annex-a-5-13-labelling-of-information) | [5.32 Intellectual property rights](https://www.grcmana.io/blog/iso-27001-annex-a-5-32-intellectual-property-rights) |
| [5.14 Information transfer](https://www.grcmana.io/blog/iso-27001-annex-a-5-14-information-transfer) | [5.33 Protection of records](https://www.grcmana.io/blog/iso-27001-annex-a-5-33-protection-of-records) |
| [5.15 Access control](https://www.grcmana.io/blog/iso-27001-annex-a-5-15-access-control) | [5.34 Privacy and protection of personal identifiable information (PII)](https://www.grcmana.io/blog/iso-27001-annex-a-5-34-privacy-and-protection-of-pii) |
| [5.16 Identity management](https://www.grcmana.io/blog/iso-27001-annex-a-5-16-identity-management) | [5.35 Independent review of information security](https://www.grcmana.io/blog/iso-27001-annex-a-5-35-independent-review-of-information-security) |
| [5.17 Authentication information](https://www.grcmana.io/blog/iso-27001-annex-a-5-17-authentication-information) | [5.36 Compliance with policies, rules and standards for information security](https://www.grcmana.io/blog/iso-27001-annex-a-5-36-compliance-with-policies-rules-and-standards-for-information-security) |
| [5.18 Access rights](https://www.grcmana.io/blog/iso-27001-annex-a-5-18-access-rights) | [5.37 Documented operating procedures](https://www.grcmana.io/blog/iso-27001-annex-a-5-37-documented-operating-procedures) |
| [5.19 Information security in supplier relationships](https://www.grcmana.io/blog/iso-27001-annex-a-5-19-information-security-in-supplier-relationships) | |

ISO 27001 Annex A.6 People Controls Explained

When it comes to securing information, technology isn’t enough—people are just as crucial.

That’s why Annex A of ISO 27001:2022 dedicates an entire section to people controls, focusing on empowering individuals to act as the first line of defence against security threats.

Here’s why these controls matter:

  1. Promoting Awareness: People controls ensure everyone in your organisation understands their role in protecting sensitive information.
  2. Reducing Human Risk: From training to screening processes, these measures minimise the risks posed by human error, negligence, or insider threats.
  3. Building a Security Culture: By embedding security into daily operations and behaviours, people controls foster a culture where security is second nature.

People controls focus on:

  • Conducting background screening to ensure personnel are suitable for their roles.
  • Providing security awareness and training tailored to organisational needs.
  • Managing remote working securely, ensuring risks are minimised even outside the office.

Curious to learn more?

Browse the table below to explore each people control in detail. Simply follow the links to uncover insights and practical guidance for applying these controls in your organisation.

| Control Name | Control Name |
| --- | --- |
| [6.1 Screening](https://www.grcmana.io/blog/iso-27001-annex-a-6-1-screening) | [6.5 Responsibilities after termination or change of employment](https://www.grcmana.io/blog/iso-27001-annex-a-6-5-responsibilities-after-termination-or-change-of-employment) |
| [6.2 Terms and conditions of employment](https://www.grcmana.io/blog/iso-27001-annex-a-6-2-terms-and-conditions-of-employment) | [6.6 Confidentiality or non-disclosure agreements](https://www.grcmana.io/blog/iso-27001-annex-a-6-6-confidentiality-or-non-disclosure-agreements) |
| [6.3 Information security awareness, education and training](https://www.grcmana.io/blog/iso-27001-annex-a-6-3-information-security-awareness-education-and-training) | [6.7 Remote working](https://www.grcmana.io/blog/iso-27001-annex-a-6-7-remote-working) |
| [6.4 Disciplinary process](https://www.grcmana.io/blog/iso-27001-annex-a-6-4-disciplinary-process) | [6.8 Information security event reporting](https://www.grcmana.io/blog/iso-27001-annex-a-6-8-information-security-event-reporting) |

ISO 27001 Annex A.7 Physical Controls Explained

Information security doesn’t stop at firewalls and passwords—it extends to the physical world too.

Annex A of ISO 27001:2022 highlights the importance of physical controls, focusing on securing the spaces where information is accessed, stored, and processed.

After all, even the best digital defences can be undone if someone gains unauthorised physical access.

Here’s why these controls matter:

  1. Safeguarding Access: Physical controls ensure that only authorised individuals can access sensitive areas and resources.
  2. Mitigating Environmental Risks: These measures protect against threats like natural disasters, power failures, and physical breaches.
  3. Supporting Operational Continuity: By securing facilities and equipment, physical controls help maintain business operations during unexpected events.

Physical controls focus on:

  • Defining physical security perimeters to protect critical areas.
  • Implementing secure entry systems to control access.
  • Managing secure disposal or reuse of equipment, ensuring no sensitive data is left behind.

Want to see these measures in action?

Explore the table below to discover each physical control in detail. Click on the links for in-depth insights and step-by-step guidance to strengthen your organisation’s physical security.

| Control Name | Control Name |
| --- | --- |
| [7.1 Physical security perimeters](https://www.grcmana.io/blog/iso-27001-annex-a-7-1-physical-security-perimeters) | [7.8 Equipment siting and protection](https://www.grcmana.io/blog/iso-27001-annex-a-7-8-equipment-siting-and-protection) |
| [7.2 Physical entry](https://www.grcmana.io/blog/iso-27001-annex-a-7-2-physical-entry) | [7.9 Security of assets off-premises](https://www.grcmana.io/blog/iso-27001-annex-a-7-9-security-of-assets-off-premises) |
| [7.3 Securing offices, rooms and facilities](https://www.grcmana.io/blog/iso-27001-annex-a-7-3-securing-offices-rooms-and-facilities) | [7.10 Storage media](https://www.grcmana.io/blog/iso-27001-annex-a-7-10-storage-media) |
| [7.4 Physical security monitoring](https://www.grcmana.io/blog/iso-27001-annex-a-7-4-physical-security-monitoring) | 7.11 Supporting utilities |
| [7.5 Protecting against physical and environmental threats](https://www.grcmana.io/blog/iso-27001-annex-a-7-5-protecting-against-physical-and-environmental-threats) | 7.12 Cabling security |
| [7.6 Working in secure areas](https://www.grcmana.io/blog/iso-27001-annex-a-7-6-working-in-secure-areas) | 7.13 Equipment maintenance |
| [7.7 Clear desk and clear screen](https://www.grcmana.io/blog/iso-27001-annex-a-7-7-clear-desk-and-clear-screen) | [7.14 Secure disposal or re-use of equipment](https://www.grcmana.io/blog/iso-27001-annex-a-7-14-secure-disposal-or-re-use-of-equipment) |

ISO 27001 Annex A.8 Technological Controls Explained

Technology is at the heart of how we work, communicate, and grow our businesses.

But with that reliance comes risk. Annex A of ISO 27001:2022 focuses on technological controls, which are designed to protect your organisation’s digital systems and data.

These controls ensure your technology doesn’t just enable your operations—it safeguards them too.

Here’s why these controls matter:

  1. Enhancing Digital Defences: Technological controls provide the safeguards necessary to prevent, detect, and respond to cyber threats.
  2. Maintaining System Integrity: These measures ensure systems, applications, and data remain secure and uncompromised.
  3. Supporting Operational Resilience: By embedding security into IT operations, these controls help protect your organisation from disruptions caused by technology failures or attacks.

Technological controls focus on:

  • Implementing access restrictions to sensitive information and systems.
  • Ensuring secure configuration of hardware, software, and networks.
  • Managing technical vulnerabilities to reduce exposure to cyber risks.

Ready to explore these in more detail?

Use the table below to learn about each technological control. Click on the links for practical guidance on how to apply them and protect your organisation’s most valuable digital assets.

| Control Name | Control Name |
| --- | --- |
| [8.1 User end point devices](https://www.grcmana.io/blog/iso-27001-annex-a-8-1-user-endpoint-devices) | [8.18 Use of privileged utility programs](https://www.grcmana.io/blog/iso-27001-annex-a-8-18-use-of-privileged-utility-programs) |
| [8.2 Privileged access rights](https://www.grcmana.io/blog/iso-27001-annex-a-8-2-privileged-access-rights) | [8.19 Installation of software on operational systems](https://www.grcmana.io/blog/iso-27001-annex-a-8-19-installation-of-software-on-operational-systems) |
| [8.3 Information access restriction](https://www.grcmana.io/blog/iso-27001-annex-a-8-3-information-access-restriction) | [8.20 Networks security](https://www.grcmana.io/blog/iso-27001-annex-a-8-20-network-security) |
| [8.4 Access to source code](https://www.grcmana.io/blog/iso-27001-annex-a-8-4-access-to-source-code) | [8.21 Security of network services](https://www.grcmana.io/blog/iso-27001-annex-a-8-21-security-of-network-services) |
| [8.5 Secure authentication](https://www.grcmana.io/blog/iso-27001-annex-a-8-5-secure-authentication) | [8.22 Segregation of networks](https://www.grcmana.io/blog/iso-27001-annex-a-8-22-segregation-of-networks) |
| [8.6 Capacity management](https://www.grcmana.io/blog/iso-27001-annex-a-8-6-capacity-management) | [8.23 Web filtering](https://www.grcmana.io/blog/iso-27001-annex-a-8-23-web-filtering) |
| [8.7 Protection against malware](https://www.grcmana.io/blog/iso-27001-annex-a-8-7-protection-against-malware) | [8.24 Use of cryptography](https://www.grcmana.io/blog/iso-27001-annex-a-8-24-use-of-cryptography) |
| [8.8 Management of technical vulnerabilities](https://www.grcmana.io/blog/iso-27001-annex-a-8-8-management-of-technical-vulnerabilities) | [8.25 Secure development life cycle](https://www.grcmana.io/blog/iso-27001-annex-a-8-25-secure-development-life-cycle) |
| [8.9 Configuration management](https://www.grcmana.io/blog/iso-27001-annex-a-8-9-configuration-management) | [8.26 Application security requirements](https://www.grcmana.io/blog/iso-27001-annex-a-8-26-application-security-requirements) |
| [8.10 Information deletion](https://www.grcmana.io/blog/iso-27001-annex-a-8-10-information-deletion) | [8.27 Secure system architecture and engineering principles](https://www.grcmana.io/blog/iso-27001-annex-a-8-27-secure-system-architecture-and-engineering-principles) |
| [8.11 Data masking](https://www.grcmana.io/blog/iso-27001-annex-a-8-11-data-masking) | [8.28 Secure coding](https://www.grcmana.io/blog/iso-27001-annex-a-8-28-secure-coding) |
| [8.12 Data leakage prevention](https://www.grcmana.io/blog/iso-27001-annex-a-8-12-data-leakage-prevention) | [8.29 Security testing in development and acceptance](https://www.grcmana.io/blog/iso-27001-annex-a-8-29-security-testing-in-development-and-acceptance) |
| [8.13 Information backup](https://www.grcmana.io/blog/iso-27001-annex-a-8-13-information-backup) | [8.30 Outsourced development](https://www.grcmana.io/blog/iso-27001-annex-a-8-30-outsourced-development) |
| [8.14 Redundancy of information processing facilities](https://www.grcmana.io/blog/iso-27001-annex-a-8-14-redundancy-of-information-processing-facilities) | [8.31 Separation of development, test and production environments](https://www.grcmana.io/blog/iso-27001-annex-a-8-31-separation-of-development-test-and-production-environments) |
| [8.15 Logging](https://www.grcmana.io/blog/iso-27001-annex-a-8-15-logging) | [8.32 Change management](https://www.grcmana.io/blog/iso-27001-annex-a-8-32-change-management) |
| [8.16 Monitoring activities](https://www.grcmana.io/blog/iso-27001-annex-a-8-16-monitoring-activities) | [8.33 Test information](https://www.grcmana.io/blog/iso-27001-annex-a-8-33-test-information) |
| [8.17 Clock synchronization](https://www.grcmana.io/blog/iso-27001-annex-a-8-17-clock-synchronisation) | [8.34 Protection of information systems during audit testing](https://www.grcmana.io/blog/iso-27001-annex-a-8-34-protection-of-information-systems-during-audit-testing) |

ISO 27001 Annex A Frequently Asked Questions

How Many ISO 27001 Annex A Controls Are There?

ISO 27001:2022 Annex A includes 93 controls, divided into four thematic groups - Organisational, People, Physical and Technological.

Whilst this might sound like a lot, don’t panic!

First off, these 93 controls cover a wide range of security measures to address various risks that may impact your business. Not all of them will apply to your business.

Second, ISO 27001:2022 trimmed things down. The older version had 114 controls, divided into 14 categories. This new version makes ISO 27001 simpler to manage.

How Many New Controls Are in ISO 27001:2022?

ISO 27001:2022 introduces 11 new controls.

There are 3 new Organisational Controls:

Followed by 1 new Physical Control:

Finally, we have 7 new Technological Controls:

Do I Have to Implement All ISO 27001 Annex A Controls?

Nope. Not all controls are mandatory.

ISO 27001 is NOT a one-size-fits-all thing.

It's about designing, implementing and continuously improving an ISMS that:

  1. Fits the context of your organisation, and
  2. Addresses the risks that you face.

Here's the deal.

ISO 27001 requires you to select controls to address risks identified in your risk assessment.

Annex A Controls are designed to treat specific security risks relevant to your operations.

If an Annex A Control does not address a specific risk you face and/or is not relevant to the context of your organisation, then you do NOT need to implement it.

What is mandatory is your Statement of Applicability (or SoA). This document details which controls are relevant and which are not. It should also include a justification for every control that has NOT been implemented.

In short:

  • Identify your business risks.
  • Select appropriate Annex A Controls to address the business risks you've identified.
  • Use the Statement of Applicability (SoA) to document which controls apply and why.
  • Skip the ones irrelevant to your business.

Can I Integrate ISO 27001 Annex A With Other Standards (e.g. NIST, CIS, PCI DSS)?

Absolutely. In fact, it's actively encouraged.

Remember, ISO 27001 is not about box ticking or badge collecting.

It's about designing, implementing and continuously improving an ISMS that:

  1. Fits the context of your organisation, and
  2. Addresses the risks that you face.

The mandatory clauses define the requirements of an ISO 27001 compliant ISMS, whereas the Annex A Controls are about treating risk.

Let's explore some examples:

Example #1 - My organisation processes credit card data

Let's say you've evaluated the context of your organisation and determined that PCI DSS is in scope because you process credit card data.

There are controls in ISO 27001 that will definitely support PCI DSS. However, PCI DSS is very prescriptive and has specific controls outside the scope of ISO 27001.

In this instance, you should:

  1. Map PCI DSS controls to relevant ISO 27001 Clauses and Annex A Controls
  2. Identify any gaps
  3. Implement appropriate measures to ensure you comply with both Standards
  4. Update your Statement of Applicability to include the additional PCI DSS controls

By following this 4-step approach, you create a more unified, integrated approach to improving your security and achieving compliance in a sustainable way.

Example #2 - My organisation is cloud-native

ISO 27001:2022 has definitely become more "cloud-aware", with controls such as ISO 27001 Annex A 5.23 Information security for use of cloud services. It also adds cloud-related commentary to other domains such as:

  • Application security,
  • Access control,
  • Supply chain

But what it will not do is provide explicit guidance on how to secure specific cloud workloads.

Now, you might think this is a bad thing, but I'd be inclined to disagree.

ISO 27001 is an organisation-wide framework that helps you design, implement and continuously improve an ISMS.

You can use ISO 27001 to establish the baseline of your ISMS and then incorporate more specialised Standards, such as the CSA CCM or CIS Benchmarks, that address cloud-specific risks.

In this instance, you should:

  1. Map CSA CCM or CIS Benchmark controls to relevant ISO 27001 Clauses and Annex A Controls
  2. Identify any gaps
  3. Implement appropriate measures to ensure you comply with both Standards
  4. Update your Statement of Applicability to include the additional controls

By following this 4-step approach, you can extend your ISO 27001 capabilities to the cloud and create a more unified, integrated approach to improving your security.

What Are the Objectives of ISO 27001 Annex A Controls?

The controls in Annex A help you protect your business and keep your data safe.

Each one has a specific purpose.

For example, ISO 27001 Annex A 6.1 Screening aims to ensure appropriate background checks for employees, to reduce insider threats and align with regulatory requirements.

These controls focus on finding risks and fixing weak spots.

They guide you on things like who can access your systems, keeping cloud data secure, and handling problems if something goes wrong.

The goal is simple: protect your data, build trust, and keep your business strong.

By applying these controls, you can stay ahead of threats and focus on what matters most.

What’s the Difference Between Annex A and ISO 27002?

ISO 27001 helps organisations create a structured system to protect their information.

It’s called a management standard because it defines the requirements for building and running an information security management system (ISMS). It gives you the framework to handle everything from responsibilities to setting goals and running audits.

ISO 27002, though, is all about the details. It doesn’t focus on the big picture or system management. Instead, it provides practical advice and techniques to help you apply specific security controls.

Another big difference? You can get ISO 27001 certified through an audit. That’s not an option with ISO 27002—it’s a guide, not a certification.

The two also vary in depth. ISO 27001 covers what you need to do to create and maintain an ISMS, but it stays high-level. ISO 27002 gets into the nitty-gritty, walking you through the how-to for every control.

Pro Tip: Use ISO 27002 to make ISO 27001 Annex A Controls actionable.

Conclusion

ISO 27001 Annex A is your roadmap to stronger security.

It’s not about doing everything—it’s about doing the right things for your business.

Focus on what matters, tackle your risks, and build trust with your clients.

Want more tips like this to simplify information security?

Subscribe to the GRCMana newsletter today and get clear, actionable advice straight to your inbox.