ISO 27001 Annex A Controls

An overview of all 93 Annex A controls in the ISO 27001:2022 standard, organized by their four themes, with guidance on implementation and prioritization.

Annex A of ISO 27001 is the reference set of information security controls that organizations evaluate and, where applicable, implement within their ISMS. The 2022 revision of the standard restructured these controls significantly, consolidating the previous 114 controls across 14 domains into 93 controls organized under four themes.

Understanding the structure, purpose, and implementation expectations of Annex A is fundamental to building a compliant and effective security program.

What Changed in ISO 27001:2022

The 2022 update replaced the 14-domain structure from the 2013 edition with four broader themes. Eleven new controls were introduced to address modern threats and practices. Several existing controls were merged where overlap existed, and all controls received updated guidance in the companion standard ISO 27002:2022.

Organizations certified under the 2013 version were given a transition period to align with the 2022 structure. New certifications are now assessed against the 2022 edition exclusively.

The Four Themes

1. Organizational Controls (37 Controls)

Organizational controls address the governance, policy, and procedural foundations of information security. They cover the "who decides what" and "how things work" aspects of your ISMS.

Key controls in this theme include:

  • Policies for information security. Establishing and maintaining a set of information security policies approved by management.
  • Roles and responsibilities. Defining and allocating information security responsibilities across the organization.
  • Threat intelligence. Collecting and analyzing information about threats relevant to the organization. This is a new control in 2022.
  • Information security in project management. Integrating security considerations into project management practices regardless of project type.
  • Supplier relationships. Managing security risks introduced by suppliers and third-party service providers.
  • Incident management. Planning, detecting, reporting, and responding to information security incidents.
  • Business continuity. Ensuring information security requirements are addressed during disruption.

Organizational controls form the backbone of your ISMS and are heavily examined during both Stage 1 and Stage 2 of the certification process.

2. People Controls (8 Controls)

People controls focus on the human element of information security. Despite being the smallest theme by count, these controls address one of the most significant risk areas.

Controls in this theme cover:

  • Screening. Background verification of personnel before and during employment.
  • Terms and conditions of employment. Contractual obligations related to information security.
  • Information security awareness, education, and training. Ensuring all personnel understand their security responsibilities.
  • Disciplinary process. Formal processes for addressing security policy violations.
  • Responsibilities after termination or change of employment. Protecting information when people leave or change roles.
  • Remote working. Security measures for personnel working outside traditional office environments. This control was updated significantly in 2022.
  • Information security event reporting. Mechanisms for personnel to report suspected security events.

3. Physical Controls (14 Controls)

Physical controls protect the tangible assets and environments where information is processed and stored.

This theme includes controls for:

  • Physical security perimeters and entry. Controlling access to buildings, data centers, and secure areas.
  • Securing offices, rooms, and facilities. Appropriate physical protection based on risk.
  • Physical security monitoring. Surveillance and detection systems.
  • Protecting against physical and environmental threats. Fire, flood, power loss, and other environmental risks.
  • Equipment security. Protecting hardware from theft, damage, and unauthorized access, including off-site equipment and secure disposal.
  • Clear desk and clear screen. Reducing exposure of sensitive information in work areas.
  • Storage media. Managing the lifecycle of removable and fixed storage media.

4. Technological Controls (34 Controls)

Technological controls address the technical safeguards that protect information systems and data.

Notable controls include:

  • User endpoint devices. Securing laptops, phones, and other devices that access organizational information.
  • Privileged access rights. Restricting and monitoring the use of elevated system privileges.
  • Access control. Managing who can access what information and systems based on business and security requirements.
  • Secure authentication. Implementing strong authentication mechanisms.
  • Configuration management. Ensuring systems are configured securely and consistently. This is new in 2022.
  • Information deletion. Securely removing information when it is no longer needed. Also new in 2022.
  • Data masking. Protecting sensitive data through masking techniques. New in 2022.
  • Data leakage prevention. Detecting and preventing unauthorized disclosure of information. New in 2022.
  • Monitoring activities. Monitoring systems, networks, and applications for anomalous behavior. New in 2022.
  • Web filtering. Controlling access to external websites to reduce exposure to malicious content. New in 2022.
  • Secure coding. Applying security principles in software development. New in 2022.
  • Logging and monitoring. Recording events and reviewing logs for security purposes.
  • Network security. Protecting networks and network services.
  • Cryptography. Using encryption and related techniques to protect information confidentiality, integrity, and authenticity.
  • Vulnerability management. Identifying and addressing technical vulnerabilities.
  • Backup. Maintaining and testing backup copies of information and software.

Control Attributes

ISO 27001:2022 introduced a set of attributes that can be applied to each control, making it easier to filter and organize controls based on different perspectives:

  • Control type: Preventive, detective, or corrective.
  • Information security properties: Confidentiality, integrity, or availability.
  • Cybersecurity concepts: Identify, protect, detect, respond, or recover (aligned with NIST CSF).
  • Operational capabilities: Governance, asset management, access control, and other operational groupings.
  • Security domains: Governance and ecosystem, protection, defense, or resilience.

These attributes are not mandatory to implement but provide useful ways to map controls to your risk assessment outcomes and to communicate control coverage to different stakeholders.

Relationship to the Statement of Applicability

Every Annex A control must be evaluated and either declared applicable or excluded in your Statement of Applicability. The SoA documents which controls you have selected, why, and how they are implemented. You cannot simply ignore a control without justification. Even controls that are not applicable must be listed with a rationale for their exclusion.

This evaluation is driven by your risk assessment. Controls are selected based on the risks they mitigate, regulatory requirements, contractual obligations, and business needs.

Implementation Approach

Start with Risk, Not Controls

A common mistake is to start by trying to implement all 93 controls and then retrofit risk justifications. The standard requires the opposite flow: identify risks first through your risk assessment process, then select controls that treat those risks appropriately.

Prioritize Based on Risk Treatment

Not all controls carry equal weight for every organization. A cloud-native SaaS company will invest heavily in technological controls around access management, secure coding, and monitoring while spending less effort on physical perimeter security. A manufacturing firm with on-premises data centers will have the opposite emphasis.

Use ISO 27002 for Guidance

ISO 27002:2022 is the companion standard that provides detailed implementation guidance for each control. While ISO 27001 tells you what controls exist, ISO 27002 tells you how to implement them. It is not mandatory to follow ISO 27002 prescriptively, but it is an invaluable reference.

Document Proportionally

Each control needs evidence of implementation, but the level of documentation should be proportionate to the risk and complexity involved. A small organization does not need the same volume of documentation as a multinational enterprise. Auditors look for effectiveness, not paperwork volume.

Map Controls to Existing Practices

Many organizations already have security practices in place that satisfy Annex A controls without realizing it. During your gap analysis, map existing practices to controls before building new processes. This reduces duplication and avoids creating parallel systems.

Keeping Controls Current

Annex A controls are not a set-and-forget exercise. Your control implementation should evolve as your risk landscape changes, new threats emerge, and your business grows. Regular internal audits, management reviews, and surveillance audits provide structured checkpoints to assess whether controls remain effective.

Platforms like episki help organizations maintain a living map between risks, controls, and evidence so that control coverage stays visible and gaps are identified early rather than during an external audit.

For a broader view of how ISO 27001 fits into your compliance strategy, explore the full framework overview.
