Which Annex A controls apply to your organisation?

ISO 27001:2022 Annex A contains 93 security controls across four control groups. Not all of them apply to every organisation — but working out which ones do is one of the most confusing parts of the standard.

This tool asks you a short set of questions about your organisation and produces a filtered, prioritised list of the controls most likely to apply — the starting point for your Statement of Applicability.

Profile your organisation: 6 short sections covering people, technology, data, premises, and suppliers
Get your control set: See which of the 93 controls apply, grouped by control group and priority
Understand each control: Plain-English descriptions and relevance tags for every applicable control

Takes approximately 3–4 minutes to complete.

Your Annex A Applicability Results

Priorities

Core: Applies to virtually all organisations regardless of profile. Auditors will always look for these.
Standard: Applies based on common characteristics (cloud, staff, data). Likely applicable to most SMEs.
Conditional: Applies only when specific triggers are present (e.g. software development, physical server rooms, international transfers).

What is the Statement of Applicability?

This filtered list is the starting point for your Statement of Applicability (SoA) — the document that records which controls apply to your ISMS, which are implemented, and the justification for any exclusions. Your SoA is a mandatory deliverable for ISO 27001 certification. A certification body will review it at your Stage 1 audit.

Ready to take the next step?

Get practical guidance on implementing these controls and building your ISMS.

This tool provides an indicative applicability assessment based on your self-reported profile. Actual control applicability should be confirmed through a formal risk assessment and reviewed by a qualified practitioner. All 93 controls must be considered in your Statement of Applicability — exclusions must be justified.