An Introduction to ISO 27001 Annex A

An introduction to ISO 27001 Annex A and the Statement of Applicability that records your response to it. Explore the controls and what is needed to become compliant.

Introduction

ISO 27001 Annex A is one of the most recognised parts of the ISO/IEC 27001:2022 standard. It acts as a catalogue of security controls designed to manage information security risks and ensure organisations have robustly considered many common areas of risk.

While it may appear as a checklist at first glance, Annex A plays a deeper strategic role in helping organisations shape their Information Security Management System (ISMS) based on their unique context, risk landscape, and business needs.

In this article, we’ll explore the role of Annex A, and the document that captures your organisation’s response to each control, the Statement of Applicability.
What is ISO 27001 Annex A?

Annex A contains 93 controls, grouped into four key categories, or “control families”:

  1. Organisational controls (A.5) – Focused on policies, processes, and governance structures.
  2. People controls (A.6) – Covering human resources and employee awareness.
  3. Physical controls (A.7) – Addressing physical access and protection of facilities.
  4. Technological controls (A.8) – Related to IT systems, cybersecurity, and technical protections.

Each control represents a potential way to manage information security risks, but not every control will apply equally to every organisation. That’s where the Statement of Applicability (SoA) comes in.

Important:

Controls are not to be confused with the ‘Clauses’ of ISO 27001. The clauses are the sections of the main body of the standard that explain how it works, whereas the controls are listed separately in Annex A and are intended to be selected and applied as needed to treat the risks identified during the risk assessment process.

This distinction is key to understanding ISO 27001’s structure: Clauses 4 to 10 define the requirements for setting up and maintaining an ISMS, while Annex A provides a reference set of controls which can be selected and justified through the Statement of Applicability (SoA).

The Role of the Statement of Applicability

The SoA is a required document in ISO 27001 that lists:

  • All 93 controls from ISO 27001 Annex A.
  • Whether each control applies to your ISMS (i.e. a statement of its applicability).
  • The justification for inclusion or exclusion.
  • The current status of implementation.

This document is more than just administrative—it’s a strategic map showing how your organisation has considered each control in light of its risk assessment.

Figure: an example Statement of Applicability for ISO 27001 Annex A.

How Applicability and Risk Management Work Together

ISO 27001 does not require every organisation to implement every control, but it does require each one to be considered. The decision about whether a control is applicable is based on:

  • Results of a risk assessment.
  • Legal, regulatory, and contractual obligations.
  • Organisational context and stakeholder expectations.

For example:

  • A small consultancy with no physical office may decide that certain physical controls are not applicable.
  • A large enterprise with sensitive personal data may implement advanced access control and encryption protocols as part of its technological controls.

Even when a control is applicable, the level of treatment—how it’s implemented—can vary. A startup might document access policies in simple terms, whereas a multinational may automate and continuously audit them.

What Evidence Should You Expect?

Evidence of control implementation typically includes:

  • Policies and procedures
  • Risk assessment results
  • Records of training or awareness activities
  • System configurations and audit logs
  • Access control lists and incident response plans

The formality and complexity of evidence will often reflect the organisation’s size, risk exposure, ISMS maturity, and even the type of audit you are undertaking.

How ISO 27002 Fits In

Annex A lists the control titles and a brief purpose, but ISO/IEC 27002:2022 offers detailed guidance on how to implement and manage these controls. While ISO 27001 requires you to justify applicability and implementation, ISO 27002 helps you understand how to do that effectively.

In future articles, we’ll explore each of the four control families, unpacking how the individual controls work, common ways to implement them, and what success looks like.
In Summary

  • ISO 27001 Annex A is not a checklist; it’s a toolbox.
  • Each control must be considered and justified if not applicable.
  • The Statement of Applicability ties risk management to the selection of controls.
  • Organisations define the level of treatment based on context.
  • ISO 27002 provides implementation guidance.

Whether you’re just starting your ISO 27001 journey or refining an existing ISMS, understanding Annex A is foundational to building a system that genuinely protects your organisation.

FAQs

What exactly is ISO 27001 Annex A?

Annex A of ISO 27001 is essentially a detailed checklist of controls, organised into four main areas—Organisational, People, Physical, and Technological—to help your business manage information security risks.

Do we have to implement every single Annex A control?

Not necessarily! You only need to implement controls relevant to your organisation’s risks and requirements. Your choices and justifications go into a key document called the Statement of Applicability (SoA).

What is a Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document that sets out clearly which Annex A controls you’ve chosen to implement and why. It also notes any controls you’ve excluded, explaining the rationale behind those decisions.

Are Annex A controls mandatory for ISO 27001 certification?

While you’re not required to use every control, you must carefully review each one and justify your decisions. This thoughtful approach ensures your organisation covers all critical security aspects relevant to its unique risk profile.

How many controls are there in ISO 27001 Annex A?

ISO 27001 Annex A currently lists 93 controls, organised neatly into four main categories—Organisational, People, Physical, and Technological controls.

How do I know which Annex A controls are right for our organisation?

Selecting the right controls begins with conducting a thorough risk assessment. Based on the results, you’ll pinpoint the controls that effectively reduce or manage your identified risks.

Can we customise or add controls that aren’t listed in Annex A?

Absolutely! Annex A provides a structured baseline, but your organisation can (and sometimes should) develop or adapt controls that better suit specific risks or business contexts.

Further Reading

Building an ISO 27001 Business Case

How To Write an ISO 27001 Project Plan

Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).