ISO27001:2022 Annex A Controls Reference Guide

Home / ISO 27001 Annex A Controls / ISO27001:2022 Annex A Controls Reference Guide

Introduction

I am going to show you what ISO 27001 Annex A Controls are and for each control I am going to

  • Show you what is new
  • Detail what has changed in the 2022 update
  • Give you real world examples
  • Do a walkthrough
  • Give you an implementation guide per control
  • Show you how to comply
  • Tell you what the top 3 mistakes people make so you can avoid them
  • Where applicable give you ISO 27001 templates to save time and money

You will lean exactly what you need to do to satisfy each ISO 27001 Annex A Control for you to achieve ISO 27001 certification.

I am Stuart Barker the ISO 27001 Ninja and this is the ultimate ISO 27001 Annex A Controls Reference Guide.

What is it?

ISO 27001 Annex A is a list of controls for a business to consider implementing that are designed to address risks to information security. The choice of controls depends on the scope of your ISO 27001 certification and the risks that your organisation faces.

The list of controls comes with suggested guidance. This is not a checklist to tick off and meet rather it is suggestions on how the controls could be implemented. People often get this wrong. The level to which you implement the Annex A controls is down to you. As long as you can justify it based on risk management and organisation need.

Purpose

The purpose of ISO 27001 Annex A Controls is to mitigate the risk to the organisation in terms of confidentiality, integrity and availability of data. These are the tenants that make up the definition of information security. It’s provided as a best practice list and is seen as the minimum set of controls an organisation should consider.

What are the 2022 changes to ISO 27001 Annex A?

We cover the detail in The Complete Guide To The Changes To ISO/IEC 27002:2022. In summary, the structure of the controls has changed, some have been removed, some added and some crashed together.

Implementation Guide

To implement the ISO 27001 Annex A Controls you will

  • Define your scope
  • Identify your risks
  • Choose the controls that you need
  • Record the list of controls on the ISO 27001 Statement of Applicability
  • Implement and evidence the controls

Detailed implantation guides are provided per control in each control guide below.

ISO 27001:2022 Annex A Controls Reference Guide

People Controls

Physical Controls

Technology Controls

ISO 27001 Annex A Controls FAQ

What are the 4 domains of the ISO 27001:2022 Annex A Controls?

The controls have now been structured into 4 domains
1. Organisational Controls (ISO 27001:2002 Annex A 5.1 – 5.37)
2. People Controls (ISO 27001:2002 Annex A 6.1 – 6.9)
3. Physical Controls (ISO 27001:2002 Annex A 7.1 – 5.13)
4. Technological Controls (ISO 27001:2002 Annex A 8.1 – 8.34)

What are the main changes to ISO 27002 in the 2022 update?

They have removed the term ‘Code of Practice’
The structure of the document has changed
Some controls have been merged, some deleted and new controls have been introduced.

How many ISO 27001:2022 Annex A Controls are there?

ISO 27001:2022 lists 93 controls compared to the 114 controls in ISO 27001:2013

What are the new controls in ISO 27001:2022 Annex A Controls?

The list of brand new controls in ISO 27001:2022 Annex A is:
Threat intelligence
Information security for use of Cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding

What is the list of ISO 27001:2022 Annex A attribute values?

There are 5 types of ‘attribute’ that apply to control to make them easier to categorise and they are:
1. Control type (Preventive, Detective, Corrective)
2. Information security properties (Confidentiality, Integrity, Availability)
3. Cyber security concepts (Identify, Protect, Detect, Respond, Recover)
4. Operational capabilities (Governance, Asset Management, Information Protection, Human Resources Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationship Security, Legal and Compliance, Information Security Event Management, Information Security Assurance.)
5. Security domains (Governance and Ecosystem, Protection, Defence, Resilience)

What is the ISO 27001:2022 Annex A attribute called control type?

Control type is an attribute value added to each control to allow controls to be viewed from the perspective of risk, showing how and when the control modifies the risk. It is made up of 3 values being:
Preventive: the control prevents an information security incident
Detective: the control acts when a information security incident happens
Corrective: the control acts after and information security incident happens

What is ISO 27001:2022 Annex A attribute called Information Security Properties?

This is the attribute value the sets out which characteristic of information security the control helps. There are 3 values taken from the definition of information security being:
Confidentiality
Integrity
Availability

What is ISO 27001:2022 Annex A attribute called Cybersecurity Concepts?

This is the attribute value that aligns controls to the cybersecurity concepts as set out in ISO/IEC TS 27110. In the realms of the academics here but there are 5 values being:
Identify
Protect
Detect
Respond
Recover

What is ISO 27001:2022 Annex A attribute called Security Domains

This is the attribute value that assigns controls to security domains. There are 4 security domains being:
Governance and Ecosystem – includes Information System Security Governance and Risk Management, Ecosystem of cybersecurity management
Protection – includes IT Security Architecture, IT Security Administration, Identity and Access Management, IT Security Maintenance, Physical and Environmental Security
Defence – includes Detection, Computer Security Incident Management
Resilience – include Continuity of Operations, Crisis Management

What are ISO 27001:2022 Annex A Organisational Controls?

Organisational controls include laws and regulations and the operations of the organisation in relations to information security. Examples of these controls include organisational structure, information security policies, processes and procedures.

How many ISO 27001:2022 Annex A Organisational Controls are there?

There are 37 ISO 27001:2022 Annex A Organisational Controls

What are the control numbers of the ISO 27001:2022 Annex A Organisational Controls?

They are ISO 27001:2022 Annex A 5.1 to 5.37

What are ISO 27001:2022 Annex A People Controls?

People controls relate to the human aspect of information security. Examples of these controls include background checks on employees, screening and terms of employment.

How many ISO 27001:2022 Annex A People Controls are there?

There are 8 ISO 27001:2022 Annex A People Controls

What are the control numbers of the ISO 27001:2022 Annex A People Controls?

They are ISO 27001:2022 Annex A 6.1 to 6.8

What are ISO 27001:2022 Annex A Physical Controls?

Physical controls relate to physical assets. Entry to buildings, perimeters, clear desk, secure areas are all examples of these controls.

How many ISO 27001:2022 Annex A Physical Controls are there?

There are 14 ISO 27001:2022 Annex A Physical Controls

What are the control numbers of the ISO 27001:2022 Annex A Physical Controls?

They are ISO 27001:2022 Annex A 7.1 to 7.13

What are ISO 27001:2022 Annex A Technological Controls?

Technological controls are software and hardware that work to protect the information security. These include technologies around end point protection, configuration management, data leakage prevention, network security – as examples.

How many ISO 27001:2022 Annex A Technological Controls are there?

There are 34 ISO 27001:2022 Annex A Technological Controls

What are the control numbers of the ISO 27001:2022 Annex A Technological Controls?

They are ISO 27001:2022 Annex A 8.1 to 8.33

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing