ISO 27001 Annex A Controls Explained
Quick Answer
ISO 27001:2022 Annex A contains 93 controls organized into 4 themes: Organizational (37), People (8), Physical (14), and Technological (34). These controls cover everything from access management and encryption to supplier relationships and incident response.
Annex A Control Structure (2022)
ISO 27001:2022 reorganized the Annex A controls from 14 domains (2013 version) into 4 themes. The total number of controls was reduced from 114 to 93 through merging, and 11 new controls were added to address modern security challenges like cloud services and threat intelligence.
Key Takeaways
- 93 controls in 4 themes: Organizational (37), People (8), Physical (14), Technological (34)
- 11 new controls added in 2022 for cloud, threat intelligence, data masking, and more
- Not all 93 controls are mandatory — you select controls based on your risk assessment
- The Statement of Applicability (SoA) documents which controls apply and why
- Each control has associated implementation guidance in ISO 27002:2022
| Theme | Number of Controls | Key Areas |
|---|---|---|
| A.5 Organizational | 37 controls | Policies, roles, asset management, access control, supplier management, incident management, business continuity, compliance |
| A.6 People | 8 controls | Screening, employment terms, security awareness, disciplinary process, termination responsibilities |
| A.7 Physical | 14 controls | Physical perimeters, entry controls, securing offices, monitoring, equipment protection, secure disposal |
| A.8 Technological | 34 controls | User endpoints, access rights, authentication, cryptography, logging, network security, secure development, data protection |
New Controls in 2022
| Control | Theme | Purpose |
|---|---|---|
| A.5.7 Threat Intelligence | Organizational | Collect and analyze threat intelligence to inform security decisions |
| A.5.23 Information Security for Cloud Services | Organizational | Manage security of cloud service usage and provisioning |
| A.5.30 ICT Readiness for Business Continuity | Organizational | Ensure ICT systems support business continuity requirements |
| A.7.4 Physical Security Monitoring | Physical | Continuous monitoring of premises for unauthorized access |
| A.8.9 Configuration Management | Technological | Manage security configurations of hardware, software, and networks |
| A.8.10 Information Deletion | Technological | Delete information when no longer needed (supports GDPR) |
| A.8.11 Data Masking | Technological | Mask data to protect PII and sensitive information |
| A.8.12 Data Leakage Prevention | Technological | Detect and prevent unauthorized data disclosure |
| A.8.16 Monitoring Activities | Technological | Monitor systems, networks, and applications for anomalous behavior |
| A.8.23 Web Filtering | Technological | Filter access to external websites to reduce malware exposure |
| A.8.28 Secure Coding | Technological | Apply secure coding principles in software development |
Implementing Controls Effectively
Control Implementation Process
Complete your risk assessment first
Controls should be selected based on identified risks. Don't start implementing controls before understanding what risks you're addressing. The risk assessment drives the Statement of Applicability.
Review the Statement of Applicability
For each of the 93 controls, determine: Does it apply? If yes, how will it be implemented? If no, why is it excluded? Document justifications for all decisions.
Prioritize by risk level
Implement high-risk controls first. Use the risk treatment plan to guide priority. Focus on controls that address your most significant risks before moving to lower-risk items.
Use ISO 27002 for guidance
ISO 27002:2022 provides detailed implementation guidance for each control. Following it is not mandatory, but it is the official companion document describing how to implement the Annex A controls.
Document everything
For each implemented control, document: the control objective, how it's implemented, who is responsible, what evidence demonstrates it's working, and how it's monitored.
ℹ️ Controls Are Risk-Based, Not Mandatory
A common misconception is that all 93 Annex A controls must be implemented. In reality, you select controls based on your risk assessment. If a control doesn't address an identified risk and isn't relevant to your context, you can exclude it — but you must document the justification in your Statement of Applicability.
Do I need to implement all 93 controls?
No. You implement controls based on your risk assessment. If a control isn't relevant to your risks or context, you can exclude it — but you must document why in your Statement of Applicability (SoA). Most organizations implement 60-80 of the 93 controls.
What's the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard that defines ISMS requirements and lists the Annex A controls. ISO 27002 is a guidance document that provides detailed implementation advice for each control. You certify against 27001; you reference 27002 for how to implement the controls.
How do the 2022 controls map to the 2013 version?
ISO provides an official mapping table. Most 2013 controls map directly to 2022 controls, though some were merged. The 11 new controls have no direct 2013 equivalent. If you're transitioning from 2013, your existing controls likely cover most of the 2022 requirements.
Can I use compensating controls?
Yes. If you cannot implement a specific Annex A control as described, you can implement compensating controls that achieve the same security objective. Document the compensating control and the rationale in your SoA. Auditors will assess whether the compensating control adequately addresses the risk.