Annex A Controls
Annex A in ISO 27001:2022 contains 93 security controls covering the full spectrum from organisational security management to technical access control and physical security. The controls serve as a reference catalogue from which your organisation selects the appropriate security measures based on your risk assessment.
What is Annex A?
Annex A in ISO 27001 is a normative annex containing a catalogue of information security controls. It is not part of the management system itself but functions as a reference of possible controls that the organisation may choose to implement as part of its risk treatment.
Annex A is directly linked to ISO 27002, which provides detailed implementation guidance for each control. ISO 27001 sets the requirements for having an ISMS, whilst ISO 27002 helps with how to implement the specific controls.
The four categories in ISO 27001:2022
With the 2022 revision, Annex A was reorganised from 14 domains into four overarching categories:
- Organisational controls (5.1–5.37): 37 controls covering policies, roles, supplier management, incident handling and more.
- People controls (6.1–6.8): 8 controls covering screening, employment terms, training and disciplinary processes.
- Physical controls (7.1–7.14): 14 controls covering physical access, equipment security and clear desk routines.
- Technological controls (8.1–8.34): 34 controls covering access management, encryption, logging, vulnerability management and cloud security.
New controls in 2022
ISO 27001:2022 introduced 11 new controls reflecting modern security challenges:
- Threat intelligence – 5.7
- Information security for cloud services – 5.23
- ICT readiness for business continuity – 5.30
- Physical security monitoring – 7.4
- Configuration management – 8.9
- Information deletion – 8.10
- Data masking – 8.11
- Data leakage prevention – 8.12
- Monitoring activities – 8.16
- Web filtering – 8.23
- Secure coding – 8.28
Annex A and the Statement of Applicability
For each Annex A control, you must state in your Statement of Applicability (SoA) whether the control is included or excluded, and provide a justification based on your risk assessment. It is not a requirement to implement all 93 controls, but you must be able to justify any exclusions.
Frequently Asked Questions about Annex A Controls
How many controls are in Annex A?
ISO 27001:2022 (the current version) contains 93 controls in Annex A, divided into four categories: 37 organisational, 8 people, 14 physical and 34 technological controls.
Must all Annex A controls be implemented?
No. You must implement the controls relevant to your organisation’s risk environment. Controls you exclude must be documented and justified in your Statement of Applicability (SoA).
What changed in ISO 27001:2022 Annex A?
ISO 27001:2022 reduced the number of controls from 114 to 93 and reorganised them from 14 domains into four categories. Eleven new controls were added, including controls on threat intelligence, cloud security and data masking.
What is the relationship between Annex A and ISO 27002?
Annex A lists the controls, whilst ISO 27002 provides detailed implementation guidance for each one. Think of Annex A as the ‘what’ and ISO 27002 as the ‘how’.
How do I choose which Annex A controls to implement?
The selection should be driven by your risk assessment. Identify your information assets, assess the threats and vulnerabilities, and then select the controls that effectively mitigate the identified risks.