Information Security

ISO 27001 Annex A Controls Explained: All 93 Controls

Standarity Editorial Team·ISO 27001 Lead Implementers
··10 min read

ISO 27001 Annex A controls are the reference set of information security safeguards that an organisation can select from when treating its risks. In the ISO/IEC 27001:2022 revision, Annex A lists 93 controls, reduced from the 114 controls in the 2013 version and reorganised into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls) and Technological (34 controls). These controls mirror ISO/IEC 27002:2022, which provides the detailed implementation guidance behind each one, so Annex A is best read as a concise catalogue and ISO 27002 as the manual (ISMS.online, 2024).

It is important to understand that Annex A is a menu, not a mandate. The mandatory requirements of an information security management system live in clauses 4 to 10 of the main standard, as we explain in our overview of what-is-iso-27001. Annex A supports clause 6.1.3, where you compare the controls you have chosen to treat risk against this reference list to make sure you have not overlooked anything obvious. Every control you include, exclude and justify is then recorded in your Statement of Applicability.

The four themes of ISO 27001:2022 Annex A

The 2022 revision collapsed the old 14 clause-based domains into four intuitive themes. This makes the control set easier to assign to owners, because most people can quickly see whether a control is about the organisation, its people, its physical environment or its technology. The counts break down as follows (DataGuard, 2024):

  • Organizational controls (Annex A 5.1 to 5.37): 37 controls covering policies, roles, supplier relationships, threat intelligence and incident management.
  • People controls (Annex A 6.1 to 6.8): 8 controls covering screening, terms of employment, awareness, disciplinary process and remote working.
  • Physical controls (Annex A 7.1 to 7.14): 14 controls covering secure areas, equipment protection, physical monitoring and storage media.
  • Technological controls (Annex A 8.1 to 8.34): 34 controls covering access rights, cryptography, logging, secure development and network security.

Each control also carries a set of attributes, sometimes displayed as hashtags, such as control type, information security properties (confidentiality, integrity, availability), cybersecurity concepts, operational capabilities and security domains. These attributes are optional but useful, because they let you filter and view the controls in ways that suit your organisation, for example grouping every control that supports detection or every control tied to identity and access management.

Organizational controls (Annex A 5)

With 37 controls, the Organizational theme is the largest and the one most implementers underestimate. It is where governance lives: information security policies, roles and responsibilities, segregation of duties, contact with authorities, and the full lifecycle of supplier and cloud relationships. It also houses classification of information, identity management, access control policy, and the entire incident management and business continuity cluster. Because these controls are largely documentation and process rather than tooling, they tend to dominate the early months of an implementation. Our deep dive into iso-27001-2022-controls-organizational-focus walks through the highest-effort controls in this theme and how auditors expect to see them evidenced.

People and Physical controls (Annex A 6 and 7)

The People theme is the smallest, with only 8 controls, but its impact is disproportionate because human behaviour drives most incidents. It covers pre-employment screening, terms and conditions of employment, information security awareness and training, the disciplinary process, responsibilities after termination or change of employment, confidentiality and non-disclosure agreements, and remote working. These controls are mostly owned jointly by HR and security, which is why coordination matters more here than technology.

The Physical theme contains 14 controls focused on protecting facilities, equipment and media from theft, tampering, environmental damage and unauthorised entry. It spans physical security perimeters, entry controls, protection against physical and environmental threats, working in secure areas, clear desk and clear screen, equipment siting and protection, secure disposal or reuse of equipment, cabling security and supporting utilities. Even cloud-first organisations cannot ignore this theme entirely, because offices, laptops and any on-premise infrastructure still need physical safeguards.

Technological controls (Annex A 8)

The Technological theme is the second largest with 34 controls and the one most people picture when they think of security. It covers user endpoint devices, privileged access rights, information access restriction, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, backup, redundancy, logging and monitoring, clock synchronisation, use of privileged utility programs, installation of software, network security, web filtering, cryptography, and the full secure development lifecycle including secure coding and separation of environments. Many of these map directly to controls your engineering and platform teams already run, so the work is often about formalising and evidencing what exists rather than building from scratch.

The 11 new controls introduced in ISO 27001:2022

While the total number of controls fell, the 2022 revision added 11 entirely new controls to reflect cloud adoption, threat intelligence and modern development practices. Existing controls were also merged and renamed, which is why 114 became 93 without losing coverage. The new controls are (Advisera, 2024):

  • Threat intelligence (5.7): collect and analyse information about security threats to inform defensive action.
  • Information security for use of cloud services (5.23): govern the acquisition, use, management and exit of cloud services.
  • ICT readiness for business continuity (5.30): plan, implement and test ICT to meet continuity objectives.
  • Physical security monitoring (7.4): continuously monitor premises for unauthorised physical access.
  • Configuration management (8.9): define and maintain secure configuration baselines across the lifecycle.
  • Information deletion (8.10): delete data when it is no longer required, supporting data minimisation.
  • Data masking (8.11): limit exposure of sensitive data in processes and non-production environments.
  • Data leakage prevention (8.12): detect and prevent unauthorised extraction of information.
  • Monitoring activities (8.16): monitor networks and systems for anomalous behaviour indicating incidents.
  • Web filtering (8.23): manage access to external websites to reduce exposure to malicious content.
  • Secure coding (8.28): apply secure coding principles throughout software development.

These 11 additions respond directly to digital transformation and tightening privacy regulation. Information deletion and data masking, for example, align closely with data minimisation duties under GDPR and similar laws, which is why many teams treat their ISO 27001 and privacy programmes as one coordinated effort (Advisera, 2024).

How Annex A relates to the SoA and risk treatment

Annex A only becomes actionable through your Statement of Applicability (SoA). The workflow runs in one direction: you identify risks, decide how to treat each one, and select the controls needed. You then check those selected controls against Annex A to confirm you have not missed a necessary safeguard. The SoA records every one of the 93 controls, states whether it is applicable, gives the justification for inclusion or exclusion, and notes its implementation status. This is a certification-mandatory document, and auditors read it as the map of your entire control environment. Our guide to statement-of-applicability-mastery shows how to write justifications that hold up under scrutiny.

A common misconception is that all 93 controls are mandatory. They are not. You may legitimately exclude a control if the associated risk does not apply to you, provided your SoA explains why. What auditors will not accept is an exclusion with no documented rationale, or an inclusion marked applicable with no evidence of implementation.

How to implement Annex A controls step by step

We recommend treating Annex A as the final checklist in a risk-led process rather than the starting point. A practical sequence looks like this:

  • Complete your risk assessment first, so control selection is driven by real risks rather than a wish to tick every box.
  • Map each risk treatment decision to one or more Annex A controls, using ISO 27002:2022 for detailed implementation guidance.
  • Draft the Statement of Applicability, marking each of the 93 controls applicable or not and justifying every decision.
  • Assign an owner and a target maturity to each applicable control so accountability is unambiguous.
  • Implement, then gather evidence — policies, records, logs, screenshots — because auditors verify operation, not intent.
  • Review controls on a defined cycle and after significant change, updating the SoA whenever scope or risk shifts.

When it comes to the audit itself, the four themes give you a natural structure for testing. Our walkthrough of auditing-iso-27001-2022-controls explains how internal and certification auditors sample evidence across each theme, and how to prepare control owners so nothing is a surprise on the day. Approached this way, the 93 controls stop feeling like an intimidating list and become a well-organised toolkit that maps cleanly to how your organisation actually runs.

Frequently Asked Questions

How many controls are in ISO 27001 Annex A?

ISO 27001:2022 Annex A contains 93 controls, down from 114 in the 2013 version. They are grouped into four themes: 37 Organizational, 8 People, 14 Physical and 34 Technological controls.

What are the four themes of ISO 27001:2022 Annex A?

The four themes are Organizational controls (Annex A 5), People controls (Annex A 6), Physical controls (Annex A 7) and Technological controls (Annex A 8). This structure replaced the 14 clause-based domains used in the 2013 version.

What are the 11 new controls in ISO 27001:2022?

The 11 new controls are threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.

Are all 93 Annex A controls mandatory?

No. Annex A is a reference set you select from based on risk. You can exclude a control if the related risk does not apply, as long as your Statement of Applicability documents the justification for that exclusion.

What is the difference between ISO 27001 Annex A and ISO 27002?

Annex A of ISO 27001:2022 lists the 93 controls as a concise catalogue. ISO/IEC 27002:2022 provides the detailed implementation guidance and best practice for each of those same controls, so the two documents are designed to be used together.

How does Annex A relate to the Statement of Applicability?

The Statement of Applicability records every one of the 93 Annex A controls, states whether each is applicable, justifies its inclusion or exclusion, and notes implementation status. It is a certification-mandatory document that links your risk treatment decisions to specific controls.

Explore Courses on Udemy

Intermediate

Auditing ISO 27001:2022 – Organizational Controls

Intermediate

ISO/IEC 27001:2022 Information Security Controls Explained

Intermediate

ISO 27001:2022 Implementation Step by Step with Templates