ISO 27001 Annex A Controls: The Complete 2022 Reference List (93 Controls)

ISO 27001 Annex A Controls Ultimate Guide

Introduction

I am going to show you what ISO 27001 Annex A Controls are and, for each control, I am going to:

  • Show you what is new
  • Detail what has changed in the 2022 update
  • Give you real world examples
  • Do a walkthrough
  • Give you an implementation guide per control
  • Show you how to comply
  • Tell you what the top 3 mistakes people make so you can avoid them
  • Where applicable give you ISO 27001 templates to save time and money

You will learn exactly what you need to do to satisfy each ISO 27001 Annex A control so that you can achieve ISO 27001 certification.

I am Stuart Barker, ISO 27001 Lead Auditor, and this is the ultimate ISO 27001 Annex A Controls Reference Guide.

What is ISO 27001 Annex A?

ISO 27001 Annex A is a list of controls for a business to consider implementing that are designed to address risks to information security. The choice of controls depends on the scope of your ISO 27001 certification and the risks that your organisation faces.

The list of controls comes with suggested guidance. This is not a checklist to tick off; rather, it offers suggestions on how the controls could be implemented. People often get this wrong. The level to which you implement the Annex A controls is down to you, as long as you can justify it based on risk management and organisational need.

Purpose

The purpose of the ISO 27001 Annex A Controls is to mitigate risk to the organisation in terms of the confidentiality, integrity and availability of data. These are the tenets that make up the definition of information security. Annex A is provided as a best-practice list and is seen as the minimum set of controls an organisation should consider.

What are the 2022 changes to ISO 27001 Annex A?

We cover the detail in The Complete Guide To The Changes To ISO/IEC 27002:2022. In summary, the structure of the controls has changed: some controls have been removed, some added and some merged together.

Implementation Guide

To implement the ISO 27001 Annex A Controls you will:

  • Define your scope
  • Identify your risks
  • Choose the controls that you need
  • Record the list of controls on the ISO 27001 Statement of Applicability
  • Implement and evidence the controls

Detailed implementation guides are provided per control in each control guide below.

Quick Reference: ISO 27001 Control List

Below is a summary of the 93 controls organised by the four themes.

Theme           Control Count   Key Examples (ISO 27001 Ref)
Organizational  37 controls     Policies (5.1), Threat Intelligence (5.7), Cloud Services (5.23)
People          8 controls      Screening (6.1), Remote Working (6.7)
Physical        14 controls     Physical Perimeters (7.1), Clear Desk Policy (7.7)
Technological   34 controls     Secure Authentication (8.5), Data Leakage Prevention (8.12)

ISO 27001:2022 Annex A Controls Reference Guide

ISO 27001 Organisational Controls (Annex A 5) form the administrative backbone of your Information Security Management System (ISMS). This section contains 37 controls (numbered A.5.1 to A.5.37) that address the policies, legal obligations, and management frameworks required to secure your business.

Unlike technical fixes, these controls focus on the “governance” layer of security. They ensure that responsibilities are defined, supplier relationships are secured, and cloud services are managed effectively. Implementing these controls proves that security is a strategic business priority, not just an IT task.

ISO 27001 Annex A Controls 5.1 – 5.37 Organizational Controls Overview
Annex A 5.1 Policies for information security
  Define and approve security policies at the management level. This control sets the strategic direction for information security, ensuring alignment with business goals. It mandates that policies are communicated to all employees and relevant external parties to ensure compliance and awareness of organizational security objectives.

Annex A 5.2 Information Security Roles and Responsibilities
  Allocate specific security tasks to individuals. This control prevents accountability gaps by ensuring that responsibilities for assets and security processes are clearly defined and assigned. It establishes a structured approach to risk management, ensuring every aspect of security has a designated owner.

Annex A 5.3 Segregation of duties
  Separate conflicting responsibilities to prevent fraud. This control mitigates the risk of error or misuse by ensuring no single individual has total control over a critical process. It mandates splitting execution, authorization, and verification tasks to create an internal system of checks and balances.

Annex A 5.4 Management responsibilities
  Require leadership to actively support security. This control mandates that management provides necessary resources and ensures personnel adhere to established policies. It emphasizes that a strong security culture starts at the top, requiring ongoing commitment and direction from senior leadership.

Annex A 5.5 Contact with authorities
  Establish communication channels with regulators and law enforcement. This control ensures the organization is prepared to report security incidents or seek legal advice during a breach. It enables a rapid, legally compliant response to major security events and ensures adherence to reporting obligations.

Annex A 5.6 Contact with special interest groups
  Engage with security forums and professional communities. This control encourages participation in industry groups to stay updated on emerging threats and best practices. It ensures the organization benefits from collective intelligence and early warnings regarding industry-specific risks and technological advancements.

Annex A 5.7 Threat intelligence
  Collect and analyze data on security threats. This control mandates gathering intelligence on attack vectors and motives to inform risk decisions. By understanding the evolving threat landscape, organizations can proactively adjust their defenses to mitigate specific risks before they are exploited by attackers.

Annex A 5.8 Information security in project management
  Integrate security risks into project lifecycles. This control ensures that information security is addressed from the start of any project, preventing costly retrofits. It mandates defining security requirements early to ensure that all project deliverables are secure by design and aligned with organizational standards.

Annex A 5.9 Inventory of information and other associated assets
  Identify and list all critical assets. This control creates the foundation for risk assessment by requiring a detailed inventory of information and physical assets. It ensures that all valuable items are known, owned, and protected according to their importance and criticality to business operations.

Annex A 5.10 Acceptable use of information and other associated assets
  Define strict rules for asset usage. This control establishes clear policies regarding how employees and external parties may use organizational technology and data. It protects assets from misuse, damage, or unauthorized access by setting explicit boundaries and expectations for professional behavior.

Annex A 5.11 Return of assets
  Mandate the retrieval of equipment upon termination. This control ensures that all organizational assets and information are returned when an employee or contractor leaves. It prevents data leakage and unauthorized access by ensuring hardware and intellectual property remain securely within the organization’s control.

Annex A 5.12 Classification of information
  Categorize data based on value and sensitivity. This control requires information to be classified to ensure appropriate protection levels are applied. It optimizes security resources by focusing strong defenses on critical and confidential data while meeting legal and regulatory requirements.

Annex A 5.13 Labelling of information
  Mark data to prevent mishandling. This control ensures that information is clearly labeled according to its classification scheme. Visual and electronic labels help personnel and automated systems identify sensitive data, preventing accidental disclosure or unauthorized access to confidential records.

Annex A 5.14 Information transfer
  Secure data in transit. This control establishes formal policies for transferring information to external parties. It prevents interception, copying, or modification by mandating the use of encryption, secure protocols, and strict agreements whenever sensitive data moves outside the organization’s secure perimeter.

Annex A 5.15 Access control
  Restrict access based on business needs. This control requires a formal policy to manage access rights to information and facilities. By enforcing the principle of least privilege, it ensures users only access data necessary for their roles, minimizing internal threats and data exposure.

Annex A 5.16 Identity management
  Manage the full lifecycle of user identities. This control covers the registration, provisioning, and de-provisioning of user IDs. It ensures that only valid, authorized users have identities within the system and that these identities are uniquely linked to specific individuals for accountability.

Annex A 5.17 Authentication information
  Protect secrets used for verifying identity. This control governs the management of passwords, tokens, and biometric data. It mandates strict confidentiality for authentication credentials and requires system controls like complexity and rotation to prevent unauthorized access via credential theft.

Annex A 5.18 Access rights
  Review and revoke user permissions regularly. This control involves the provisioning, modification, and removal of access rights. It ensures permissions are adjusted when roles change and revoked immediately upon termination, preventing “permission creep” and unauthorized access by former employees.

Annex A 5.19 Information security in supplier relationships
  Enforce security standards with external partners. This control ensures that suppliers agree to and adhere to the organization’s security requirements. It mitigates supply chain risk by establishing a baseline of security that must be met before suppliers can access organizational data or systems.

Annex A 5.20 Addressing information security within supplier agreements
  Embed security obligations in formal contracts. This control mandates that information security requirements are documented in supplier agreements. It provides a legal framework for enforcement, covering data protection, the right to audit, and incident reporting to protect the organization legally and operationally.

Annex A 5.21 Managing information security in the ICT supply chain
  Secure the technology supply chain. This control addresses risks associated with ICT products and services. It requires agreements with suppliers to ensure the integrity of hardware and software components, preventing the introduction of compromised or malicious technology into the critical infrastructure.

Annex A 5.22 Monitoring, review and change management of supplier services
  Audit supplier performance regularly. This control requires the ongoing review of supplier service delivery against security agreements. It ensures that changes to services are managed securely and that any deficiencies or security incidents are identified and rectified promptly.

Annex A 5.23 Information security for use of cloud services
  Establish criteria for secure cloud usage. This control sets requirements for selecting, using, and exiting cloud services. It ensures the shared responsibility model is understood and that cloud providers offer adequate controls to protect organizational data in multi-tenant environments.

Annex A 5.24 Information security incident management planning and preparation
  Prepare for security breaches. This control requires establishing procedures and responsibilities for managing information security incidents. It ensures the organization is ready to detect, report, assess, and respond to incidents effectively, minimizing damage and operational downtime.

Annex A 5.25 Assessment and decision on information security events
  Triage security events effectively. This control mandates a process to determine if an observed event constitutes a security incident. It ensures proper classification so that genuine threats trigger the incident response plan while false positives are filtered out to avoid alert fatigue.

Annex A 5.26 Response to information security incidents
  Execute incident response procedures. This control dictates that confirmed incidents must be responded to according to documented plans. It ensures containment, eradication, and recovery actions are taken promptly to limit the impact on confidentiality, integrity, and availability of data.

Annex A 5.27 Learning from information security incidents
  Analyze incidents to prevent recurrence. This control requires a post-incident review to identify root causes and improve future responses. It turns security failures into opportunities for strengthening defenses, updating policies, and preventing the same type of attack from succeeding again.

Annex A 5.28 Collection of evidence
  Preserve forensic data legally. This control ensures that evidence related to security incidents is gathered and stored in a way that is legally admissible. It enables the organization to pursue disciplinary action or legal prosecution by maintaining the chain of custody and integrity of digital evidence.

Annex A 5.29 Information security during disruption
  Maintain security controls during disasters. This control ensures that information security measures continue to function or are replaced by equivalent controls during a crisis. It prevents security compromises from occurring while the organization operates in emergency mode or while business continuity plans are active.

Annex A 5.30 ICT readiness for business continuity
  Ensure IT systems support recovery goals. This control requires that ICT systems have sufficient resilience to support business continuity objectives. It ensures that redundant systems, backups, and failover mechanisms are tested and available to meet defined recovery time (RTO) and recovery point (RPO) objectives.

Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements
  Document all compliance obligations. This control mandates the explicit identification and documentation of all relevant laws and regulations. It prevents non-compliance penalties by ensuring the organization understands its specific legal obligations regarding data protection, intellectual property, and industry standards.

Annex A 5.32 Intellectual property rights
  Ensure compliance with IP laws. This control protects the organization from litigation regarding software piracy or copyright infringement. It ensures compliance with legal restrictions on the use of third-party material and safeguards the organization’s own proprietary assets and intellectual property.

Annex A 5.33 Protection of records
  Secure records against loss and falsification. This control safeguards organizational records from destruction and unauthorized access. It ensures that statutory, regulatory, and contractual requirements for record retention and secure disposal are met, preserving organizational memory and legal standing.

Annex A 5.34 Privacy and protection of PII
  Safeguard Personally Identifiable Information. This control ensures compliance with privacy laws like GDPR or CCPA. It mandates technical and organizational measures to protect personal data, respecting the rights of data subjects and preventing privacy breaches that could lead to heavy fines and reputational damage.

Annex A 5.35 Independent review of information security
  Conduct objective security assessments. This control requires an impartial review of the organization’s approach to information security. By using independent auditors, the organization verifies that its controls are implemented effectively and remain suitable for the evolving risk landscape.

Annex A 5.36 Compliance with policies and standards for information security
  Verify adherence to internal rules. This control mandates regular reviews of information processing systems against security policies. It ensures that managers regularly check that their teams are strictly adhering to established rules, correcting non-compliance before it leads to security incidents.

Annex A 5.37 Documented operating procedures
  Standardize operations through documentation. This control requires the creation of detailed procedures for information processing facilities. It ensures consistency, reduces the risk of human error during operations, and provides a critical reference for training staff and resolving incidents efficiently.

People Controls

ISO 27001 People Controls (Annex A 6) address the human factor of information security, often considered the most vulnerable part of any defence strategy. This section includes 8 controls (numbered A.6.1 to A.6.8) designed to mitigate risks associated with human error, theft, and negligence.

These controls cover the entire employee lifecycle, from pre-employment screening and terms of employment to ongoing awareness training and disciplinary processes. By implementing these measures, you ensure that anyone interacting with your data understands their responsibilities and the consequences of non-compliance.

ISO 27001 Annex A Controls 6.1 – 6.8 Overview
Annex A 6.1 Screening
  Verify the background of all candidates before employment. This control mitigates insider threats by ensuring that employees, contractors, and suppliers are trustworthy and suitable for their roles. It mandates checks proportionate to the classification of information to be accessed, ensuring due diligence is performed prior to access.

Annex A 6.2 Terms and conditions of employment
  Establish clear contractual obligations regarding information security. This control ensures that employees and contractors understand their legal responsibilities for confidentiality and data protection before access is granted. It solidifies the organization’s legal position and sets explicit expectations for acceptable behavior and non-disclosure requirements.

Annex A 6.3 Information security awareness, education and training
  Educate personnel on their specific security roles and evolving threats. This control mandates regular, relevant training to reduce human error, often the weakest link in security. By fostering a security-conscious culture, organizations ensure staff are equipped to recognize phishing, handle data correctly, and follow policies.

Annex A 6.4 Disciplinary process
  Enforce a formal disciplinary process for security violations. This control provides a structured framework to address data breaches caused by negligence or malicious intent. It acts as a critical deterrent, ensuring consistent consequences are applied, thereby reinforcing the seriousness of information security policies across the organization.

Annex A 6.5 Responsibilities after termination or change of employment
  Protect organizational assets during personnel transitions. This control dictates that security responsibilities remain valid even after employment ends. It ensures the immediate return of assets, removal of access rights, and ongoing confidentiality obligations to prevent data leakage during the critical offboarding or role-change phase.

Annex A 6.6 Confidentiality or non-disclosure agreements
  Bind employees and external parties to secrecy through legal agreements. This control requires the identification and review of Non-Disclosure Agreements (NDAs) to protect proprietary information. It establishes a legal recourse for data theft and ensures all parties legally acknowledge their duty to maintain confidentiality.

Annex A 6.7 Remote working
  Secure information accessed outside the physical office. This control establishes policies for teleworking to protect data on unsecured networks and personal devices. It addresses physical security at home and secure connectivity, ensuring that remote work flexibility does not compromise the organization’s information security posture.

Annex A 6.8 Information security event reporting
  Enable rapid incident response through mandatory reporting channels. This control requires employees to report observed security weaknesses or events immediately. It serves as the organization’s early warning system, allowing for quick containment of threats and preventing minor anomalies from escalating into major data breaches.

Physical Controls

ISO 27001 Physical Controls (Annex A 7) are established to prevent unauthorised physical access to, damage to, and interference with your organisation’s premises and information. This theme consists of 14 controls (numbered A.7.1 to A.7.14) that secure the tangible environment where data lives.

Digital security is useless if someone can simply walk in and steal a server. These controls range from defining physical security perimeters and entry controls to implementing “Clear Desk” policies and ensuring equipment is maintained securely. They apply equally to headquarters, remote offices, and secure server rooms.

ISO 27001 Annex A Controls 7.1 – 7.14 Physical & Environmental Security
Annex A 7.1 Physical security perimeter
  Establish secure barriers to protect sensitive information. This control requires defining and constructing robust perimeters, such as walls, gates, or card-controlled entry points, to prevent unauthorized physical access to facilities where critical data and assets are stored, creating the first line of defense against intrusion.

Annex A 7.2 Physical entry controls
  Restrict entry to secure areas through authentication mechanisms. This control mandates the implementation of access systems, such as badging, biometrics, or manned reception desks, ensuring that only authorized personnel can enter specific zones and maintaining an audit trail of physical movement.

Annex A 7.3 Securing offices, rooms and facilities
  Harden workspaces to prevent unauthorized access and protect assets. This control focuses on the physical security of offices and server rooms, requiring measures like locked doors, window protection, and strategic layout design to safeguard information from theft, damage, or eavesdropping.

Annex A 7.4 Physical security monitoring
  Detect unauthorized physical access using continuous surveillance. This control requires the deployment of monitoring systems, such as CCTV cameras, intrusion alarms, and motion sensors, to provide real-time visibility and recorded audit trails of all physical activities within secure perimeters.

Annex A 7.5 Protecting against physical and environmental threats
  Shield infrastructure from natural and man-made disasters. This control necessitates protective measures against hazards like fire, flood, earthquakes, and civil unrest. It ensures critical equipment is situated and hardened to withstand environmental risks, guaranteeing business continuity and data availability.

Annex A 7.6 Working in secure areas
  Regulate personnel behavior within high-security zones. This control establishes strict protocols for working in designated secure areas, including supervision requirements and restrictions on photography or recording, to prevent the accidental or malicious compromise of sensitive information housed within those specific locations.

Annex A 7.7 Clear desk and clear screen
  Prevent data leakage through visual exposure. This control mandates that sensitive documents be locked away when not in use and that computer screens be locked when unattended. It reduces the risk of unauthorized viewing, theft, or “shoulder surfing” in shared office environments.

Annex A 7.8 Equipment siting and protection
  Position hardware strategically to minimize risks. This control involves placing equipment to protect it from environmental threats and unauthorized access, while also ensuring that display screens are positioned to prevent overlooking by unauthorized persons, thereby securing both the physical asset and the data displayed.

Annex A 7.9 Security of assets off-premises
  Secure devices and data taken outside the organization. This control sets requirements for protecting assets like laptops and mobile devices used remotely. It mandates physical protection, encryption, and strict usage policies to prevent theft, loss, or compromise while equipment is in transit or in home offices.

Annex A 7.10 Storage media
  Manage the lifecycle of physical media to prevent data breaches. This control governs the management of removable media, hard drives, and tapes. It requires establishing procedures for the classification, handling, transportation, and eventual secure destruction of media to ensure data remains confidential throughout its physical existence.

Annex A 7.11 Supporting utilities
  Ensure continuous power and utility supply for critical systems. This control protects against failures in electricity, telecommunications, or HVAC systems. It mandates the implementation of uninterruptible power supplies (UPS) and backup generators to prevent data corruption or loss of availability during utility outages.

Annex A 7.12 Cabling security
  Protect power and data cables from interception or damage. This control requires that cabling infrastructure be shielded from physical tampering and environmental damage. It mitigates the risks of wiretapping and accidental disconnection, ensuring the integrity and availability of the organization’s network communication.

Annex A 7.13 Equipment maintenance
  Maintain hardware availability and integrity through regular servicing. This control ensures that equipment is serviced according to manufacturer specifications and that maintenance activities are supervised. It prevents failure due to wear and tear and protects against unauthorized modifications during repair processes.

Annex A 7.14 Secure disposal or re-use of equipment
  Sanitize hardware before disposal or reassignment. This control mandates the irreversible deletion of data from storage devices prior to selling, discarding, or re-using equipment. It ensures that sensitive information cannot be recovered by third parties after the hardware leaves the organization’s control.

Technology Controls

ISO 27001 Technological Controls (Annex A 8) represent the largest and most technical section of the standard. It comprises 34 controls (numbered A.8.1 to A.8.34) focused on securing the digital perimeter, hardware, software, and networks.

This is where IT and engineering teams will focus their efforts. The controls cover critical cyber defence mechanisms including secure authentication (MFA), malware protection, data leakage prevention, and secure coding principles. Implementing these controls preserves the confidentiality, integrity and availability of your digital assets against modern cyber threats.

ISO 27001 Annex A Controls 8.1 – 8.34 Technological Controls Overview

Annex A 8.1 User Endpoint Devices: Protect devices used to access information. This control establishes requirements for securing laptops, smartphones, and tablets to prevent unauthorized access. It ensures that endpoints are hardened, encrypted, and monitored, reducing the risk of data theft or malware entry through vulnerable user devices. (Read Annex A 8.1 Guide)

Annex A 8.2 Privileged Access Rights: Restrict high-level access to authorized users only. This control mandates the allocation and review of privileged access rights based on the principle of least privilege. By strictly managing who can override system controls, organizations minimize the blast radius of insider threats and compromised administrator accounts. (Read Annex A 8.2 Guide)

Annex A 8.3 Information Access Restriction: Limit data availability based on business needs. This control ensures that access to information and application functions is restricted according to the established access control policy. It prevents unauthorized viewing or manipulation of sensitive data by enforcing granular access rules aligned with specific job responsibilities. (Read Annex A 8.3 Guide)

Annex A 8.4 Access To Source Code: Secure the intellectual property and integrity of software. This control strictly limits read and write access to program source code and associated items. It prevents unauthorized changes, theft of proprietary algorithms, and the introduction of malicious code or backdoors into the organization’s software assets. (Read Annex A 8.4 Guide)

Annex A 8.5 Secure Authentication: Verify user identity with robust mechanisms. This control requires the implementation of strong authentication technologies, such as Multi-Factor Authentication (MFA), to validate users before granting access. It mitigates the risk of credential theft and ensures that only legitimate users can access critical systems and data. (Read Annex A 8.5 Guide)

Annex A 8.6 Capacity Management: Monitor resource usage to prevent system failure. This control ensures that information processing facilities have sufficient capacity to meet current and future business needs. By projecting requirements and tuning systems, organizations avoid service interruptions caused by overloads, ensuring high availability and performance continuity. (Read Annex A 8.6 Guide)

Annex A 8.7 Protection Against Malware: Deploy defense mechanisms against malicious software. This control mandates the implementation of detection, prevention, and recovery controls to protect against malware. It involves using antivirus software, raising awareness, and scanning incoming files to prevent infection and the subsequent loss or corruption of organizational data. (Read Annex A 8.7 Guide)

Annex A 8.8 Management of Technical Vulnerabilities: Identify and patch system weaknesses promptly. This control requires obtaining information about technical vulnerabilities in the systems in use, evaluating the organization’s exposure to them, and applying appropriate measures such as patching. It proactively closes security gaps before attackers can exploit them, maintaining the integrity and security of the IT infrastructure. (Read Annex A 8.8 Guide)

Annex A 8.9 Configuration Management: Standardize security settings across systems. This control ensures that configurations for hardware, software, and networks are defined, documented, and enforced. By preventing unauthorized changes and “configuration drift,” organizations maintain a consistent security posture and reduce the attack surface available to potential intruders. (Read Annex A 8.9 Guide)

Annex A 8.10 Information Deletion: Erase data securely when no longer needed. This control mandates that information stored in information systems, devices, or storage media is deleted when it is no longer required. It supports compliance with privacy laws (such as GDPR) and prevents the retrieval of sensitive data from decommissioned or repurposed assets. (Read Annex A 8.10 Guide)

Annex A 8.11 Data Masking: Obscure sensitive data to protect privacy. This control requires the use of data masking, pseudonymization, or anonymization techniques in accordance with the organization’s access control policy. It allows data to be used for testing or analysis without exposing personally identifiable information (PII) or critical business secrets. (Read Annex A 8.11 Guide)

Annex A 8.12 Data Leakage Prevention: Detect and block unauthorized data exfiltration. This control involves applying measures to network, endpoint, and email systems to identify and stop the unauthorized transfer of sensitive information. It acts as a safety net against accidental sharing or malicious theft of intellectual property and regulated data. (Read Annex A 8.12 Guide)

Annex A 8.13 Information Backup: Ensure data recovery through regular backups. This control mandates the creation and testing of backup copies of information, software, and system images. It ensures that the organization can restore operations quickly following a ransomware attack, hardware failure, or physical disaster, minimizing downtime and data loss. (Read Annex A 8.13 Guide)

Annex A 8.14 Redundancy of Information Processing Facilities: Ensure high availability via failover systems. This control requires identifying business requirements for availability and implementing redundant components or architectures. By eliminating single points of failure, organizations ensure that critical systems remain operational even during component failures or maintenance windows. (Read Annex A 8.14 Guide)

Annex A 8.15 Logging: Record system activities for audit and analysis. This control mandates the generation, protection, and analysis of logs recording user activities, exceptions, faults, and information security events. It provides the forensic evidence needed to investigate incidents and verify the effectiveness of security controls. (Read Annex A 8.15 Guide)

Annex A 8.16 Monitoring Activities: Detect anomalous behavior in real time. This control involves monitoring networks, systems, and applications for unusual behavior that could indicate a security incident. It enables rapid response to threats by correlating events and alerting security teams to potential breaches or policy violations. (Read Annex A 8.16 Guide)

Annex A 8.17 Clock Synchronisation: Synchronize system clocks to a single reference time. This control ensures that the clocks of all relevant information processing systems are synchronized to a trusted time source. Accurate time stamping is critical for log analysis, forensic investigations, and the proper functioning of time-dependent security protocols such as Kerberos. (Read Annex A 8.17 Guide)

Annex A 8.18 Use of Privileged Utility Programs: Restrict the use of powerful system tools. This control strictly limits and monitors the use of utility programs that can override system and application controls. By controlling these tools, organizations prevent unauthorized changes to data or software and reduce the risk of privilege escalation. (Read Annex A 8.18 Guide)

Annex A 8.19 Installation of Software on Operational Systems: Control software deployment to production environments. This control establishes procedures to govern the installation of software on operational systems. It prevents the introduction of unauthorized, untested, or malicious software that could compromise system stability or security integrity. (Read Annex A 8.19 Guide)

Annex A 8.20 Network Security: Secure networks to protect connected services. This control requires the management and control of networks to protect information in systems and applications. It involves implementing firewalls, intrusion detection, and encryption to safeguard data in transit and prevent unauthorized network access. (Read Annex A 8.20 Guide)

Annex A 8.21 Security of Network Services: Define security requirements for network providers. This control ensures that security mechanisms, service levels, and management requirements for all network services (whether in-house or outsourced) are identified and included in service agreements, so that data confidentiality and availability are maintained. (Read Annex A 8.21 Guide)

Annex A 8.22 Segregation of Networks: Divide networks to contain potential breaches. This control mandates the separation of groups of information services, users, and information systems on networks (e.g., via VLANs). It limits lateral movement by attackers and prevents unauthorized access between critical business systems and public-facing or guest networks. (Read Annex A 8.22 Guide)

Annex A 8.23 Web Filtering: Block access to malicious or non-compliant websites. This control involves managing access to external websites to reduce exposure to malicious content. By filtering web traffic, organizations prevent employees from accessing phishing sites, malware distribution points, or illegal content that could compromise the network. (Read Annex A 8.23 Guide)

Annex A 8.24 Use of Cryptography: Encrypt data to ensure confidentiality and integrity. This control defines rules for the effective use of cryptography, including key management. It ensures that sensitive information is rendered unreadable to unauthorized parties and protects data both at rest and in transit against interception and tampering. (Read Annex A 8.24 Guide)

Annex A 8.25 Secure Development Life Cycle: Integrate security into every phase of software development. This control mandates that information security rules are applied throughout the software development life cycle (SDLC). It ensures that security is designed in from the start, rather than bolted on later, reducing vulnerabilities in the final product. (Read Annex A 8.25 Guide)

Annex A 8.26 Application Security Requirements: Define security needs before building or buying software. This control requires identifying, specifying, and approving information security requirements when developing or acquiring applications. It ensures that software meets the organization’s security standards regarding authentication, input validation, and transaction protection. (Read Annex A 8.26 Guide)

Annex A 8.27 Secure Systems Architecture and Engineering Principles: Build systems on a secure foundation. This control establishes principles for engineering secure systems and applies them to all information system development activities. It ensures a consistent approach to defense in depth, least privilege, and failure handling across the organization’s technology stack. (Read Annex A 8.27 Guide)

Annex A 8.28 Secure Coding: Write code that resists attack. This control mandates the application of secure coding principles to software development. It aims to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS) by ensuring developers follow best practices and sanitize inputs during the coding process. (Read Annex A 8.28 Guide)

Annex A 8.29 Security Testing in Development and Acceptance: Validate security controls before deployment. This control requires defining and implementing security testing processes within the development life cycle. It involves stress testing, penetration testing, and code review to verify that new systems or changes do not introduce security weaknesses into the production environment. (Read Annex A 8.29 Guide)

Annex A 8.30 Outsourced Development: Supervise third-party software creation. This control ensures that the organization directs, monitors, and reviews the activities related to outsourced system development. It ensures that external vendors adhere to the same security standards and coding practices as internal teams, preventing supply chain vulnerabilities. (Read Annex A 8.30 Guide)

Annex A 8.31 Separation of Development, Test and Production Environments: Isolate environments to prevent accidental changes. This control requires the separation of development, testing, and production environments. It prevents untested code from breaking live systems and ensures that live data is not used insecurely in testing environments, maintaining system stability and data confidentiality. (Read Annex A 8.31 Guide)

Annex A 8.32 Change Management: Control changes to IT infrastructure. This control mandates a formal process for managing changes to information processing facilities and systems. It ensures that all changes are assessed, authorized, prioritized, planned, and tested to minimize the risk of disruption or security incidents caused by unmanaged alterations. (Read Annex A 8.32 Guide)

Annex A 8.33 Test Information: Protect operational data during testing. This control requires the careful selection, protection, and management of test information. It generally prohibits using live PII or sensitive operational data for testing unless properly sanitized or masked, ensuring that testing activities do not lead to data breaches. (Read Annex A 8.33 Guide)

Annex A 8.34 Protection of information systems during audit testing: Minimize disruption during security audits. This control ensures that audit tests and other assurance activities are planned and agreed upon to minimize the impact on business operations. It prevents audits from accidentally causing downtime or compromising the availability and integrity of the systems being tested. (Read Annex A 8.34 Guide)

All ISO 27001:2022 Annex A Controls Listed

  • ISO 27001:2022 Annex A 5.1 Policies for information security
  • ISO 27001:2022 Annex A 5.2 Information Security Roles and Responsibilities
  • ISO 27001:2022 Annex A 5.3 Segregation of duties
  • ISO 27001:2022 Annex A 5.4 Management responsibilities
  • ISO 27001:2022 Annex A 5.5 Contact with authorities
  • ISO 27001:2022 Annex A 5.6 Contact with special interest groups
  • ISO 27001:2022 Annex A 5.7 Threat intelligence – new
  • ISO 27001:2022 Annex A 5.8 Information security in project management
  • ISO 27001:2022 Annex A 5.9 Inventory of information and other associated assets – change
  • ISO 27001:2022 Annex A 5.10 Acceptable use of information and other associated assets – change
  • ISO 27001:2022 Annex A 5.11 Return of assets
  • ISO 27001:2022 Annex A 5.12 Classification of information
  • ISO 27001:2022 Annex A 5.13 Labelling of information
  • ISO 27001:2022 Annex A 5.14 Information transfer
  • ISO 27001:2022 Annex A 5.15 Access control
  • ISO 27001:2022 Annex A 5.16 Identity management
  • ISO 27001:2022 Annex A 5.17 Authentication information – new
  • ISO 27001:2022 Annex A 5.18 Access rights – change
  • ISO 27001:2022 Annex A 5.19 Information security in supplier relationships
  • ISO 27001:2022 Annex A 5.20 Addressing information security within supplier agreements
  • ISO 27001:2022 Annex A 5.21 Managing information security in the ICT supply chain – new
  • ISO 27001:2022 Annex A 5.22 Monitoring, review and change management of supplier services – change
  • ISO 27001:2022 Annex A 5.23 Information security for use of cloud services – new
  • ISO 27001:2022 Annex A 5.24 Information security incident management planning and preparation – change
  • ISO 27001:2022 Annex A 5.25 Assessment and decision on information security events
  • ISO 27001:2022 Annex A 5.26 Response to information security incidents
  • ISO 27001:2022 Annex A 5.27 Learning from information security incidents
  • ISO 27001:2022 Annex A 5.28 Collection of evidence
  • ISO 27001:2022 Annex A 5.29 Information security during disruption – change
  • ISO 27001:2022 Annex A 5.30 ICT readiness for business continuity – new
  • ISO 27001:2022 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements
  • ISO 27001:2022 Annex A 5.32 Intellectual property rights
  • ISO 27001:2022 Annex A 5.33 Protection of records
  • ISO 27001:2022 Annex A 5.34 Privacy and protection of PII
  • ISO 27001:2022 Annex A 5.35 Independent review of information security
  • ISO 27001:2022 Annex A 5.36 Compliance with policies and standards for information security
  • ISO 27001:2022 Annex A 5.37 Documented operating procedures
  • ISO 27001:2022 Annex A 6.1 Screening
  • ISO 27001:2022 Annex A 6.2 Terms and conditions of employment
  • ISO 27001:2022 Annex A 6.3 Information security awareness, education and training
  • ISO 27001:2022 Annex A 6.4 Disciplinary process
  • ISO 27001:2022 Annex A 6.5 Responsibilities after termination or change of employment
  • ISO 27001:2022 Annex A 6.6 Confidentiality or non-disclosure agreements
  • ISO 27001:2022 Annex A 6.7 Remote working – new
  • ISO 27001:2022 Annex A 6.8 Information security event reporting
  • ISO 27001:2022 Annex A 7.1 Physical security perimeter
  • ISO 27001:2022 Annex A 7.2 Physical entry controls
  • ISO 27001:2022 Annex A 7.3 Securing offices, rooms and facilities
  • ISO 27001:2022 Annex A 7.4 Physical security monitoring
  • ISO 27001:2022 Annex A 7.5 Protecting against physical and environmental threats
  • ISO 27001:2022 Annex A 7.6 Working in secure areas
  • ISO 27001:2022 Annex A 7.7 Clear desk and clear screen
  • ISO 27001:2022 Annex A 7.8 Equipment siting and protection
  • ISO 27001:2022 Annex A 7.9 Security of assets off-premises
  • ISO 27001:2022 Annex A 7.10 Storage media – new
  • ISO 27001:2022 Annex A 7.11 Supporting Utilities
  • ISO 27001:2022 Annex A 7.12 Cabling Security
  • ISO 27001:2022 Annex A 7.13 Equipment Maintenance
  • ISO 27001:2022 Annex A 7.14 Secure Disposal or Re-Use of Equipment
  • ISO 27001:2022 Annex A 8.1 User Endpoint Devices
  • ISO 27001:2022 Annex A 8.2 Privileged Access Rights
  • ISO 27001:2022 Annex A 8.3 Information Access Restriction
  • ISO 27001:2022 Annex A 8.4 Access To Source Code
  • ISO 27001:2022 Annex A 8.5 Secure Authentication
  • ISO 27001:2022 Annex A 8.6 Capacity Management
  • ISO 27001:2022 Annex A 8.7 Protection Against Malware
  • ISO 27001:2022 Annex A 8.8 Management of Technical Vulnerabilities
  • ISO 27001:2022 Annex A 8.9 Configuration Management
  • ISO 27001:2022 Annex A 8.10 Information Deletion
  • ISO 27001:2022 Annex A 8.11 Data Masking
  • ISO 27001:2022 Annex A 8.12 Data Leakage Prevention
  • ISO 27001:2022 Annex A 8.13 Information Backup
  • ISO 27001:2022 Annex A 8.14 Redundancy of Information Processing Facilities
  • ISO 27001:2022 Annex A 8.15 Logging
  • ISO 27001:2022 Annex A 8.16 Monitoring Activities
  • ISO 27001:2022 Annex A 8.17 Clock Synchronisation
  • ISO 27001:2022 Annex A 8.18 Use of Privileged Utility Programs
  • ISO 27001:2022 Annex A 8.19 Installation of Software on Operational Systems
  • ISO 27001:2022 Annex A 8.20 Network Security
  • ISO 27001:2022 Annex A 8.21 Security of Network Services
  • ISO 27001:2022 Annex A 8.22 Segregation of Networks
  • ISO 27001:2022 Annex A 8.23 Web Filtering
  • ISO 27001:2022 Annex A 8.24 Use of Cryptography
  • ISO 27001:2022 Annex A 8.25 Secure Development Life Cycle
  • ISO 27001:2022 Annex A 8.26 Application Security Requirements
  • ISO 27001:2022 Annex A 8.27 Secure Systems Architecture and Engineering Principles
  • ISO 27001:2022 Annex A 8.28 Secure Coding
  • ISO 27001:2022 Annex A 8.29 Security Testing in Development and Acceptance
  • ISO 27001:2022 Annex A 8.30 Outsourced Development
  • ISO 27001:2022 Annex A 8.31 Separation of Development, Test and Production Environments
  • ISO 27001:2022 Annex A 8.32 Change Management
  • ISO 27001:2022 Annex A 8.33 Test Information
  • ISO 27001:2022 Annex A 8.34 Protection of information systems during audit testing

ISO 27001 Annex A Controls FAQ

What is ISO 27001:2022 Annex A?

ISO 27001 Annex A is the normative catalogue of information security controls used for risk mitigation. The 2022 version lists 93 controls that organizations must evaluate against their specific risks. It is the checklist against which organizations are certified.

What are the 4 themes of ISO 27001:2022 Annex A?

The controls are now structured into 4 distinct themes to simplify ownership and classification. This replaces the previous 14 domains found in the 2013 version:

  • Organizational Controls (37 controls): Policies, rules, and procedures affecting the entity as a whole. (Range: 5.1 – 5.37)
  • People Controls (8 controls): Measures focused on human resources and individual behavior. (Range: 6.1 – 6.8)
  • Physical Controls (14 controls): Protection of physical assets, premises, and facilities. (Range: 7.1 – 7.14)
  • Technological Controls (34 controls): Digital and technical security measures (e.g., encryption, secure coding). (Range: 8.1 – 8.34)

What are the ISO 27001:2022 Annex A Attributes?

Attributes are metadata tags (written as hashtags in ISO 27002:2022, e.g. #Preventive, #Confidentiality) attached to each control so the control set can be filtered into different “views” of your security posture. There are 5 distinct attribute types:

  • Control Type: Classifies how the control modifies risk (Preventive, Detective, Corrective).
  • Information Security Properties: Which characteristic is protected (Confidentiality, Integrity, Availability).
  • Cybersecurity Concepts: The five cybersecurity framework functions defined in ISO/IEC TS 27110, which mirror the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
  • Operational Capabilities: Views controls from the practitioner’s perspective of the security capability they belong to (e.g., Governance, Asset Management, Human Resource Security, Identity and Access Management).
  • Security Domains: High-level grouping (Governance and Ecosystem, Protection, Defence, Resilience).

What are the “Control Type” values in Annex A?

The “Control Type” attribute describes when and how a control modifies risk relative to the occurrence of an information security incident. It consists of three values:

  • Preventive: The control stops an information security incident from occurring.
  • Detective: The control identifies when an information security incident is happening.
  • Corrective: The control acts after an incident has occurred to limit damage or restore systems.

What are the new controls in ISO 27001:2022?

There are 11 brand-new controls introduced in the 2022 update, covering areas such as threat intelligence, cloud services, configuration management and data protection that the 2013 version did not address explicitly. The complete list, with Annex A numbers, is:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

What are ISO 27001 Organizational Controls?

Organizational controls (Annex A 5.1 – 5.37) address the policies, rules, and “soft” infrastructure of security.

There are 37 controls in this theme. Examples include information security roles and responsibilities, information security policies, return of assets, and classification of information. These controls generally belong to management or compliance teams.

What are ISO 27001 People Controls?

People controls (Annex A 6.1 – 6.8) relate specifically to the human aspect of information security.

There are 8 controls in this theme. Examples include screening (background checks), terms and conditions of employment, the disciplinary process, and remote working.

What are ISO 27001 Physical Controls?

Physical controls (Annex A 7.1 – 7.14) relate to the protection of physical assets and locations.

There are 14 controls in this theme. Examples include physical security perimeters, entry controls, securing offices/rooms, clear desk policies, and equipment maintenance.

What are ISO 27001 Technological Controls?

Technological controls (Annex A 8.1 – 8.34) focus on software, hardware, and digital configurations.

There are 34 controls in this theme. Examples include endpoint protection, access rights, secure authentication, data leakage prevention, and network security.

Are ISO 27001 Annex A controls mandatory?

No, implementing every control is not mandatory, but evaluating them is. Organizations must perform a risk assessment to determine which controls are necessary to mitigate their specific risks. A Statement of Applicability (SoA) must then be produced to justify the inclusion or exclusion of each control, and the controls marked as applicable must be implemented and evidenced at audit.

What is the difference between ISO 27001 Annex A and ISO 27002?

ISO 27001 Annex A is the list of reference controls that the standard requires you to compare against, while ISO 27002 is the detailed implementation guidance for each of those controls. In the 2022 update, the phrase “Code of Practice” was dropped from the title of ISO 27002 (it is now simply “Information security controls”), but its function remains the same: providing best-practice advice on how to implement the controls listed in Annex A. ISO 27002 is guidance only; you are certified against ISO 27001.

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor ⚡ 30+ Years Exp 🏢 Ex-GE Leader


Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
