ISO 27001 Annex A Simplified

Welcome to the definitive guide to the ISO/IEC 27001:2022 Annex A Controls. Whether your are a beginner or a seasoned practitioner, this guide covers everything you need to know.

The ISO27001:2022 Annex A Explained

ISO 27001 Annex A is made up of 93 information security controls, organised into four categories.

‍

This can be overwhelming, even for the most seasoned practitioner.

‍

To help you on your ISO 27001 journey, I have developed this definitive reference guide to each of the ISO 27001 Annex A Controls.

‍

For each of Control, I will walk you through:

What it is
What it means
Practical, real world examples on how to implement it
Show you how to comply with it
Share common mistakes and things to avoid
Share insights on how to drive continuous improvement

You will learn exactly what you need to know and what you need to do to drive success in the world of ISO 27001.

ISO27001:2022 Annex A Organisational Controls Explained

‍

‍

ISO27001:2022 Annex A 5.1 by GRC Mana

ISO27001 Annex A 5.1 Policies for information security

ISO27001:2022 Annex A 5.2 by GRC Mana

ISO27001 Annex A 5.2 Information security roles and responsibilities

ISO27001:2022 Annex A 5.3 by GRC Mana

ISO27001 Annex A 5.3 Segregation of duties

ISO27001:2022 Annex A 5.4 by GRC Mana

ISO27001 Annex A 5.4 Management responsibilities

ISO27001:2022 Annex A 5.5 by GRC Mana

ISO27001 Annex A 5.5 Contact with authorities

ISO27001:2022 Annex A 5.6 by GRC Mana

ISO27001 Annex A 5.6 Contact with special interest groups

ISO27001:2022 Annex A 5.7 by GRC Mana

ISO27001 Annex A 5.7 Threat intelligence

ISO27001:2022 Annex A 5.8 by GRC Mana

ISO27001 Annex A 5.8 Information security in project management

ISO27001:2022 Annex A 5.9 by GRC Mana

ISO27001 Annex A 5.9 Inventory of information and other associated assets

ISO27001:2022 Annex A 5.10 by GRC Mana

ISO27001 Annex A 5.10 Acceptable use of information and other associated assets

ISO27001:2022 Annex A 5.11 by GRC Mana

ISO27001 Annex A 5.11 Return of assets

ISO27001:2022 Annex A 5.12 by GRC Mana

ISO27001 Annex A 5.12 Classification of information

ISO27001:2022 Annex A 5.13by GRC Mana

ISO27001 Annex A 5.13 Labelling of information

ISO27001:2022 Annex A 5.14 by GRC Mana

ISO27001 Annex A 5.14 Information transfer

ISO27001:2022 Annex A 5.15 by GRC Mana

ISO27001 Annex A 5.15 Access control

ISO27001:2022 Annex A 5.16 by GRC Mana

ISO27001 Annex A 5.16 Identity management

ISO27001:2022 Annex A 5.17 by GRC Mana

ISO27001 Annex A 5.17 Authentication information

ISO27001:2022 Annex A 5.18 by GRC Mana

ISO27001 Annex A 5.18 Access rights

ISO27001:2022 Annex A 5.19 by GRC Mana

ISO27001 Annex A 5.19 Information security in supplier relationships

ISO27001:2022 Annex A 5.20 by GRC Mana

ISO27001 Annex A 5.20 Addressing information security within supplier agreements

ISO27001:2022 Annex A 5.21 by GRC Mana

ISO27001 Annex A 5.21 Managing information security in the information and communication technology (ICT) supply chain

ISO27001:2022 Annex A 5.22 by GRC Mana

ISO27001 Annex A 5.22 Monitoring, review and change management of supplier services

ISO27001:2022 Annex A 5.23 by GRC Mana

ISO27001 Annex A 5.23 Information security for use of cloud services

ISO27001:2022 Annex A 5.24 by GRC Mana

ISO27001 Annex A 5.24 Information security incident management planning and preparation

ISO27001:2022 Annex A 5.25 by GRC Mana

ISO27001 Annex A 5.25 Assessment and decision on information security events

ISO27001:2022 Annex A 5.26 by GRC Mana

ISO27001 Annex A 5.26 Response to information security incidents

ISO27001:2022 Annex A 5.27 by GRC Mana

ISO27001 Annex A 5.27 Learning from information security incidents

ISO27001:2022 Annex A 5.28 by GRC Mana

ISO27001 Annex A 5.28 Collection of evidence

ISO27001:2022 Annex A 5.29 by GRC Mana

ISO27001 Annex A 5.29 Information security during disruption

ISO27001:2022 Annex A 5.30 by GRC Mana

ISO27001 Annex A 5.30 ICT readiness for business continuity

ISO27001:2022 Annex A 5.31 by GRC Mana

ISO27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements

ISO27001:2022 Annex A 5.32 by GRC Mana

ISO27001 Annex A 5.32 Intellectual property rights

ISO27001:2022 Annex A 5.33 by GRC Mana

ISO27001 Annex A 5.33 Protection of records

ISO27001:2022 Annex A 5.34 by GRC Mana

ISO27001 Annex A 5.34 Privacy and protection of personal identifiable information (PII)

ISO27001:2022 Annex A 5.35 by GRC Mana

ISO27001 Annex A 5.35 Independent review of information security

ISO27001:2022 Annex A 5.36 by GRC Mana

ISO27001 Annex A 5.36 Compliance with policies, rules and standards for information security

ISO27001:2022 Annex A 5.37 by GRC Mana

ISO27001 Annex A 5.37 Documented operating procedures

ISO27001:2022 Annex A People Controls Explained

‍

ISO27001:2022 Annex A 6.1 by GRC Mana

ISO27001 Annex A 6.1 Screening

ISO27001:2022 Annex A 6.2 by GRC Mana

ISO27001 Annex A 6.2 Terms and conditions of employment

ISO27001:2022 Annex A 6.3 by GRC Mana

ISO27001 Annex A 6.3 Information security awareness, education and training

ISO27001:2022 Annex A 6.4 by GRC Mana

ISO27001 Annex A 6.4 Disciplinary process

ISO27001:2022 Annex A 6.5 by GRC Mana

ISO27001 Annex A 6.5 Responsibilities after termination or change of employment

ISO27001:2022 Annex A 6.6 by GRC Mana

ISO27001 Annex A 6.6 Confidentiality or non-disclosure agreements

ISO27001:2022 Annex A 6.7 by GRC Mana

ISO27001 Annex A 6.7 Remote working

ISO27001:2022 Annex A 6.8 by GRC Mana

ISO27001 Annex A 6.8 Information security event reporting

ISO27001:2022 Annex A Physical Controls Explained

‍

ISO27001:2022 Annex A 7.1 by GRC Mana

ISO27001 Annex A 7.1 Physical security perimeters

ISO27001:2022 Annex A 7.2 by GRC Mana

ISO27001 Annex A 7.2 Physical entry

ISO27001:2022 Annex A 7.3 by GRC Mana

ISO27001 Annex A 7.3 Securing offices, rooms and facilities

ISO27001:2022 Annex A 7.4 by GRC Mana

ISO27001 Annex A 7.4 Physical security monitoring

ISO27001:2022 Annex A 7.5 by GRC Mana

ISO27001 Annex A 7.5 Protecting against physical and environmental threats

ISO27001:2022 Annex A 7.6 by GRC Mana

ISO27001 Annex A 7.6 Working in secure areas

ISO27001:2022 Annex A 7.7 by GRC Mana

ISO27001 Annex A 7.7 Clear desk and clear screen

ISO27001:2022 Annex A 7.8 by GRC Mana

ISO27001 Annex A 7.8 Equipment siting and protection

ISO27001:2022 Annex A 7.9 by GRC Mana

ISO27001 Annex A 7.9 Security of assets off-premises

ISO27001:2022 Annex A 7.10 by GRC Mana

ISO27001 Annex A 7.10 Storage media

ISO27001:2022 Annex A 7.11 by GRC Mana

ISO27001 Annex A 7.11 Supporting utilities

ISO27001:2022 Annex A 7.12 by GRC Mana

ISO27001 Annex A 7.12 Cabling security

ISO27001:2022 Annex A 7.13 by GRC Mana

ISO27001 Annex A 7.13 Equipment maintenance

ISO27001:2022 Annex A 7.14 by GRC Mana

ISO27001 Annex A 7.14 Secure disposal or re-use of equipment

ISO27001:2022 Annex A Technological Controls Explained

‍

‍

ISO27001:2022 Annex A 8.1 by GRC Mana

ISO27001 Annex A 8.1 User end point devices

ISO27001:2022 Annex A 8.2 by GRC Mana

ISO27001 Annex A 8.2 Privileged access rights

ISO27001:2022 Annex A 8.3 by GRC Mana

ISO27001 Annex A 8.3 Information access restriction

ISO27001:2022 Annex A 8.4 by GRC Mana

ISO27001 Annex A 8.4 Access to source code

ISO27001:2022 Annex A 8.5 by GRC Mana

ISO27001 Annex A 8.5 Secure authentication

ISO27001:2022 Annex A 8.6 by GRC Mana

ISO27001 Annex A 8.6 Capacity management

ISO27001:2022 Annex A 8.7 by GRC Mana

ISO27001 Annex A 8.7 Protection against malware

ISO27001:2022 Annex A 8.8 by GRC Mana

ISO27001 Annex A 8.8 Management of technical vulnerabilities

ISO27001:2022 Annex A 8.9 by GRC Mana

ISO27001 Annex A 8.9 Configuration management

ISO27001:2022 Annex A 8.10 by GRC Mana

ISO27001 Annex A 8.10 Information deletion

ISO27001:2022 Annex A 8.11 by GRC Mana

ISO27001 Annex A 8.11 Data masking

ISO27001:2022 Annex A 8.12 by GRC Mana

ISO27001 Annex A 8.12 Data leakage prevention

ISO27001:2022 Annex A 8.13 by GRC Mana

ISO27001 Annex A 8.13 Information backup

ISO27001:2022 Annex A 8.14 by GRC Mana

ISO27001 Annex A 8.14 Redundancy of information processing facilities

ISO27001:2022 Annex A 8.15 by GRC Mana

ISO27001 Annex A 8.15 Logging

ISO27001:2022 Annex A 8.16 by GRC Mana

ISO27001 Annex A 8.16 Monitoring activities

ISO27001:2022 Annex A 8.17 by GRC Mana

ISO27001 Annex A 8.17 Clock synchronization

ISO27001:2022 Annex A 8.18 by GRC Mana

ISO27001 Annex A 8.18 Use of privileged utility programs

ISO27001:2022 Annex A 8.19 by GRC Mana

ISO27001 Annex A 8.19 Installation of software on operational systems

ISO27001:2022 Annex A 8.20 by GRC Mana

ISO27001 Annex A 8.20 Networks security

ISO27001:2022 Annex A 8.21 by GRC Mana

ISO27001 Annex A 8.21 Security of network services

ISO27001:2022 Annex A 8.22 by GRC Mana

ISO27001 Annex A 8.22 Segregation of networks

ISO27001:2022 Annex A 8.23 by GRC Mana

ISO27001 Annex A 8.23 Web filtering

ISO27001:2022 Annex A 8.24 by GRC Mana

ISO27001 Annex A 8.24 Use of cryptography

ISO27001:2022 Annex A 8.25 by GRC Mana

ISO27001 Annex A 8.25 Secure development life cycle

ISO27001:2022 Annex A 8.26 by GRC Mana

ISO27001 Annex A 8.26 Application security requirements

ISO27001:2022 Annex A 8.27 by GRC Mana

ISO27001 Annex A 8.27 Secure system architecture and engineering principles

ISO27001:2022 Annex A 8.28 by GRC Mana

ISO27001 Annex A 8.28 Secure coding

ISO27001:2022 Annex A 8.29 by GRC Mana

ISO27001 Annex A 8.29 Security testing in development and acceptance

ISO27001:2022 Annex A 8.30 by GRC Mana

ISO27001 Annex A 8.30 Outsourced development

ISO27001:2022 Annex A 8.31 by GRC Mana

ISO27001 Annex A 8.31 Separation of development, test and production environments

ISO27001:2022 Annex A 8.32 by GRC Mana

ISO27001 Annex A 8.32 Change management

ISO27001:2022 Annex A 8.33 by GRC Mana

ISO27001 Annex A 8.33 Test information

ISO27001:2022 Annex A 8.34 by GRC Mana

ISO27001 Annex A 8.34 Protection of information systems during audit testing