Table of contents
Introduction
I am going to show you what ISO 27001 Annex A Controls are and for each control I am going to
- Show you what is new
- Detail what has changed in the 2022 update
- Give you real world examples
- Do a walkthrough
- Give you an implementation guide per control
- Show you how to comply
- Tell you what the top 3 mistakes people make so you can avoid them
- Where applicable give you ISO 27001 templates to save time and money
You will lean exactly what you need to do to satisfy each ISO 27001 Annex A Control for you to achieve ISO 27001 certification.
I am Stuart Barker the ISO 27001 Lead Auditor and this is the ultimate ISO 27001 Annex A Controls Reference Guide.
What is ISO 27001 Annex A?
ISO 27001 Annex A is a list of controls for a business to consider implementing that are designed to address risks to information security. The choice of controls depends on the scope of your ISO 27001 certification and the risks that your organisation faces.
The list of controls comes with suggested guidance. This is not a checklist to tick off and meet rather it is suggestions on how the controls could be implemented. People often get this wrong. The level to which you implement the Annex A controls is down to you. As long as you can justify it based on risk management and organisation need.
Purpose
The purpose of ISO 27001 Annex A Controls is to mitigate the risk to the organisation in terms of confidentiality, integrity and availability of data. These are the tenants that make up the definition of information security. It’s provided as a best practice list and is seen as the minimum set of controls an organisation should consider.
What are the 2022 changes to ISO 27001 Annex A?
We cover the detail in The Complete Guide To The Changes To ISO/IEC 27002:2022. In summary, the structure of the controls has changed, some have been removed, some added and some crashed together.
Implementation Guide
To implement the ISO 27001 Annex A Controls you will
- Define your scope
- Identify your risks
- Choose the controls that you need
- Record the list of controls on the ISO 27001 Statement of Applicability
- Implement and evidence the controls
Detailed implementation guides are provided per control in each control guide below.
The Ultimate ISO27001 Toolkit
Skip the expensive fees. Get the Auditor-Verified documentation framework, step-by-step video walkthroughs, and every pre-written policy you need to pass your audit.
ISO 27001:2022 Annex A Controls Reference Guide
Organisational Controls
ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities
ISO 27001 Annex A 5.8 Information security in project management
ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change
ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change
ISO 27001 Annex A 5.18 Access rights – change
ISO 27001 Annex A 5.19 Information security in supplier relationships
ISO 27001 Annex A 5.20 Addressing information security within supplier agreements
ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new
ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change
ISO 27001 Annex A 5.23 Information security for use of cloud services – new
ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change
ISO 27001 Annex A 5.25 Assessment and decision on information security events
ISO 27001 Annex A 5.26 Response to information security incidents
ISO 27001 Annex A 5.27 Learning from information security incidents
ISO 27001 Annex A 5.29 Information security during disruption – change
ISO 27001 Annex A 5.30 ICT readiness for business continuity – new
ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements
ISO 27001 Annex A 5.35 Independent review of information security
ISO 27001 Annex A 5.36 Compliance with policies and standards for information security
People Controls
ISO 27001 Annex A 6.3 Information security awareness, education and training
ISO 27001 Annex A 6.5 Responsibilities after termination or change of employment
ISO 27001 Annex A 6.6 Confidentiality or non-disclosure agreements
Physical Controls
ISO 27001 Annex A 7.3 Securing offices, rooms and facilities
ISO 27001 Annex A 7.5 Protecting against physical and environmental threats
ISO 27001 Annex A 7.14 Secure Disposal or Re-Use of Equipment
Technology Controls
ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities
ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities
ISO 27001 Annex A 8.19 Installation of Software on Operational Systems
ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles
ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance
ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments
ISO 27001 Annex A 8.34 Protection of information systems during audit testing
ISO 27001 Annex A Controls FAQ
The controls have now been structured into 4 domains
1. Organisational Controls (ISO 27001:2002 Annex A 5.1 – 5.37)
2. People Controls (ISO 27001:2002 Annex A 6.1 – 6.9)
3. Physical Controls (ISO 27001:2002 Annex A 7.1 – 5.13)
4. Technological Controls (ISO 27001:2002 Annex A 8.1 – 8.34)
They have removed the term ‘Code of Practice’
The structure of the document has changed
Some controls have been merged, some deleted and new controls have been introduced.
ISO 27001:2022 lists 93 controls compared to the 114 controls in ISO 27001:2013
The list of brand new controls in ISO 27001:2022 Annex A is:
Threat intelligence
Information security for use of Cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding
There are 5 types of ‘attribute’ that apply to control to make them easier to categorise and they are:
1. Control type (Preventive, Detective, Corrective)
2. Information security properties (Confidentiality, Integrity, Availability)
3. Cyber security concepts (Identify, Protect, Detect, Respond, Recover)
4. Operational capabilities (Governance, Asset Management, Information Protection, Human Resources Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationship Security, Legal and Compliance, Information Security Event Management, Information Security Assurance.)
5. Security domains (Governance and Ecosystem, Protection, Defence, Resilience)
Control type is an attribute value added to each control to allow controls to be viewed from the perspective of risk, showing how and when the control modifies the risk. It is made up of 3 values being:
Preventive: the control prevents an information security incident
Detective: the control acts when a information security incident happens
Corrective: the control acts after and information security incident happens
This is the attribute value the sets out which characteristic of information security the control helps. There are 3 values taken from the definition of information security being:
Confidentiality
Integrity
Availability
This is the attribute value that aligns controls to the cybersecurity concepts as set out in ISO/IEC TS 27110. In the realms of the academics here but there are 5 values being:
Identify
Protect
Detect
Respond
Recover
This is the attribute value that assigns controls to security domains. There are 4 security domains being:
Governance and Ecosystem – includes Information System Security Governance and Risk Management, Ecosystem of cybersecurity management
Protection – includes IT Security Architecture, IT Security Administration, Identity and Access Management, IT Security Maintenance, Physical and Environmental Security
Defence – includes Detection, Computer Security Incident Management
Resilience – include Continuity of Operations, Crisis Management
Organisational controls include laws and regulations and the operations of the organisation in relations to information security. Examples of these controls include organisational structure, information security policies, processes and procedures.
There are 37 ISO 27001:2022 Annex A Organisational Controls
They are ISO 27001:2022 Annex A 5.1 to 5.37
People controls relate to the human aspect of information security. Examples of these controls include background checks on employees, screening and terms of employment.
There are 8 ISO 27001:2022 Annex A People Controls
They are ISO 27001:2022 Annex A 6.1 to 6.8
Physical controls relate to physical assets. Entry to buildings, perimeters, clear desk, secure areas are all examples of these controls.
There are 14 ISO 27001:2022 Annex A Physical Controls
They are ISO 27001:2022 Annex A 7.1 to 7.13
Technological controls are software and hardware that work to protect the information security. These include technologies around end point protection, configuration management, data leakage prevention, network security – as examples.
There are 34 ISO 27001:2022 Annex A Technological Controls
They are ISO 27001:2022 Annex A 8.1 to 8.33
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represents the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.
