Information Security Management
ISO 27001 Annex A Controls Explained
Annex A is the practical heart of ISO 27001.
It lists 93 security controls that help organisations protect their information and meet the standard’s risk-treatment requirements.
Select a control family to explore it in more detail
What Is Annex A in ISO 27001?
Annex A is an appendix of recommended security controls in ISO/IEC 27001:2022.
It provides a catalogue of measures an organisation can adopt to treat the information-security risks identified under Clause 6 โ Planning.
Organisations use risk assessments and risk management processes to select appropriate controls from Annex A. The selection of these controls is based on the specific risks identified within the organisation and its supply chain.
The controls are not mandatory in full โ instead, you select the ones relevant to your environment and justify that selection in the Statement of Applicability (SoA). Organisations must implement controls that are appropriate to their identified risks to ensure effective information security and compliance.
Annex A and the Statement of Applicability
The SoA is a required document listing:
- Which Annex A controls youโve chosen,
- Why theyโre included or excluded,
- How theyโre implemented.
The SoA should also document information security responsibilities and consider the needs of interested parties to ensure all relevant obligations and expectations are addressed.
Tip: Even if a control doesnโt apply, it must still appear in your SoA with a reason for exclusion. Appropriate protection responsibilities for assets should be clearly defined in the SoA to ensure proper asset management and compliance.
How Annex A Is Organised
The 2022 edition replaced the old 14 control domains with four themes and 93 controls:
| Theme | Number of Controls | Focus Area |
|---|---|---|
| Organisational | 37 | Organisational controls cover policies, governance, supplier management, incident response, compliance |
| People | 8 | People controls cover human resource security, e.g. roles, responsibilities, screening, awareness, training, discipline |
| Physical | 14 | Physical controls are about the physical and environmental security, e.g. secure offices, equipment, clear-desk, access control |
| Technological | 34 | Technological controls cover authentication, malware, encryption, logging, monitoring, backups, etc. |
My Guides on The Controls of ISO 27001
Click on a control family below to see each of the controls and explore detailed guidance on how to implement them.
The Purpose of Annex A
- It connects your risk assessment to concrete actions.
- It ensures coverage across organisational, people, physical and technological layers.
- It provides an internationally recognised baseline for information security controls
- It helps auditors test effectiveness and completeness.
Organisations must implement controls from ISO 27001:2022 Annex A that are appropriate controls for their identified risks. The ISO 27001:2022 update introduced new controls and reorganised the annex into four domains, providing a clearer structure for managing information security risks and ensuring comprehensive risk mitigation.
You can include extra controls beyond Annex A (e.g. NIST or CIS Benchmarks) if they support your risk treatment plan.
ISO 27002 and How it Relates to Annex A
ISO 27002 is the companion standard to ISO 27001.
While Annex A in ISO 27001 lists the control titles, ISO 27002 provides detailed implementation guidance for each of those controls.
Think of it this way:
| ISO 27001 | ISO 27002 |
|---|---|
| Lists the 93 control names in Annex A | Explains how to implement and operate them |
| Focuses on management system requirements | Focuses on control objectives and examples |
| Mandatory reference in your Statement of Applicability | Optional but invaluable for implementation detail |
In practice:
When you select a control from Annex A (for example, A.5.23 โ Information Security for Use of Cloud Services), ISO 27002 tells you what good looks like โ the intent, recommended steps, and verification points. ISO 27002 explains controls such as configuration management andcloud security in detail, helping you integrate security requirements into the information security system lifecycle.
Tip: Auditors will expect you to understand both. ISO 27001 tells you what to manage; ISO 27002 tells you how to do it effectively.
Related Pages and Next Steps
Select a control family to explore it in more detail
FAQ: Annex A Controls
Are all 93 controls mandatory?
No โ you only apply those relevant to your risks, but you must list and justify each in the SoA.
What changed in the 2022 update?
Controls were reduced from 114 to 93 and grouped into four themes, with 11 new ones added (e.g. Threat Intelligence, Data Leakage Prevention).
Do I need ISO 27002?
ISO 27002 explains the controls in detail โ useful for implementation guidance but not required for certification.
Includes all the mandatory document templates โ free, no commitment