What is ISO 27001 Annex A?
ISO 27001 Annex A is the normative annex to the ISO 27001 standard that provides a reference list of information security controls. Organizations use Annex A as a checklist to ensure their Information Security Management System (ISMS) addresses a comprehensive range of security topics. As of the 2022 revision, Annex A contains 93 controls organized into four themes.
The four themes
The 2022 revision reorganized controls from the previous 14 categories into four themes:
- Organizational controls (37 controls) — policies, roles and responsibilities, threat intelligence, information security in project management, supplier relationships, and more
- People controls (8 controls) — screening, terms and conditions of employment, security awareness training, disciplinary processes, and responsibilities after termination
- Physical controls (14 controls) — physical security perimeters, entry controls, securing offices and facilities, equipment protection, and clear desk policies
- Technological controls (34 controls) — user endpoint devices, privileged access management, access restrictions, secure authentication, malware protection, logging, encryption, and secure development
How Annex A fits into ISO 27001
Annex A is not a standalone list of mandatory controls. Instead, it works in conjunction with the risk assessment process defined in clauses 6 and 8 of ISO 27001:
- The organization performs a risk assessment to identify information security risks
- The organization determines how to treat each risk (mitigate, accept, transfer, or avoid)
- For risks being mitigated, the organization selects appropriate controls
- The organization compares selected controls against Annex A to ensure nothing has been overlooked
- The results are documented in the Statement of Applicability
This approach ensures that control selection is risk-driven rather than checkbox-driven. An organization may determine that certain Annex A controls are not applicable based on its specific risk profile, and this is acceptable as long as the justification is documented.
Relationship to ISO 27002
ISO 27002 provides detailed implementation guidance for each Annex A control. While Annex A lists the controls with brief descriptions, ISO 27002 explains the purpose, guidance, and other information for each control. Think of Annex A as the "what" and ISO 27002 as the "how."
Changes in the 2022 revision
The 2022 update introduced several changes from the 2013 version:
- Controls were consolidated from 114 to 93
- The 14 categories were replaced with 4 themes
- 11 new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking
- Each control now includes attributes (control type, cybersecurity concept, operational capability, and security domain) to aid in filtering and mapping
Organizations certified under the 2013 version had a transition period to update their ISMS to align with the 2022 revision.
Statement of Applicability
The Statement of Applicability (SoA) is the document where an organization records which Annex A controls are applicable, which are not, and the justification for each decision. The SoA is a mandatory document for ISO 27001 certification and is a key artifact reviewed during certification audits.
How episki helps
episki includes all 93 Annex A controls with mappings to your risk treatment plan and Statement of Applicability. The platform helps you track implementation status, assign ownership, and collect evidence for each applicable control. Learn more on our ISO 27001 compliance page.