Introduction

I am going to show you what ISO 27001 Annex A Controls are and for each control I am going to

  • Show you what is new
  • Detail what has changed in the 2022 update
  • Give you real world examples
  • Do a walkthrough
  • Give you an implementation guide per control
  • Show you how to comply
  • Tell you what the top 3 mistakes people make so you can avoid them
  • Where applicable give you ISO 27001 templates to save time and money

You will lean exactly what you need to do to satisfy each ISO 27001 Annex A Control for you to achieve ISO 27001 certification.

I am Stuart Barker the ISO 27001 Ninja and this is the ultimate ISO 27001 Annex A Controls Reference Guide.

What is it?

ISO 27001 Annex A is a list of controls for a business to consider implementing that are designed to address risks to information security. The choice of controls depends on the scope of your ISO 27001 certification and the risks that your organisation faces.

The list of controls comes with suggested guidance. This is not a checklist to tick off and meet rather it is suggestions on how the controls could be implemented. People often get this wrong. The level to which you implement the Annex A controls is down to you. As long as you can justify it based on risk management and organisation need.

Purpose

The purpose of ISO 27001 Annex A Controls is to mitigate the risk to the organisation in terms of confidentiality, integrity and availability of data. These are the tenants that make up the definition of information security. It’s provided as a best practice list and is seen as the minimum set of controls an organisation should consider.

What are the 2022 changes to ISO 27001 Annex A?

We cover the detail in The Complete Guide To The Changes To ISO/IEC 27002:2022. In summary, the structure of the controls has changed, some have been removed, some added and some crashed together.

Implementation Guide

To implement the ISO 27001 Annex A Controls you will

  • Define your scope
  • Identify your risks
  • Choose the controls that you need
  • Record the list of controls on the ISO 27001 Statement of Applicability
  • Implement and evidence the controls

Detailed implantation guides are provided per control in each control guide below.

ISO 27001:2022 Annex A Controls Reference Guide

People Controls

Physical Controls

Technology Controls

ISO 27001 Annex A Controls FAQ

What are the 4 domains of the ISO 27001:2022 Annex A Controls?

The controls have now been structured into 4 domains
1. Organisational Controls (ISO 27001:2002 Annex A 5.1 – 5.37)
2. People Controls (ISO 27001:2002 Annex A 6.1 – 6.9)
3. Physical Controls (ISO 27001:2002 Annex A 7.1 – 5.13)
4. Technological Controls (ISO 27001:2002 Annex A 8.1 – 8.34)

What are the main changes to ISO 27002 in the 2022 update?

They have removed the term ‘Code of Practice’
The structure of the document has changed
Some controls have been merged, some deleted and new controls have been introduced.

How many ISO 27001:2022 Annex A Controls are there?

ISO 27001:2022 lists 93 controls compared to the 114 controls in ISO 27001:2013

What are the new controls in ISO 27001:2022 Annex A Controls?

The list of brand new controls in ISO 27001:2022 Annex A is:
Threat intelligence
Information security for use of Cloud services
ICT readiness for business continuity
Physical security monitoring
Configuration management
Information deletion
Data masking
Data leakage prevention
Monitoring activities
Web filtering
Secure coding

What is the list of ISO 27001:2022 Annex A attribute values?

There are 5 types of ‘attribute’ that apply to control to make them easier to categorise and they are:
1. Control type (Preventive, Detective, Corrective)
2. Information security properties (Confidentiality, Integrity, Availability)
3. Cyber security concepts (Identify, Protect, Detect, Respond, Recover)
4. Operational capabilities (Governance, Asset Management, Information Protection, Human Resources Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationship Security, Legal and Compliance, Information Security Event Management, Information Security Assurance.)
5. Security domains (Governance and Ecosystem, Protection, Defence, Resilience)

What is the ISO 27001:2022 Annex A attribute called control type?

Control type is an attribute value added to each control to allow controls to be viewed from the perspective of risk, showing how and when the control modifies the risk. It is made up of 3 values being:
Preventive: the control prevents an information security incident
Detective: the control acts when a information security incident happens
Corrective: the control acts after and information security incident happens

What is ISO 27001:2022 Annex A attribute called Information Security Properties?

This is the attribute value the sets out which characteristic of information security the control helps. There are 3 values taken from the definition of information security being:
Confidentiality
Integrity
Availability

What is ISO 27001:2022 Annex A attribute called Cybersecurity Concepts?

This is the attribute value that aligns controls to the cybersecurity concepts as set out in ISO/IEC TS 27110. In the realms of the academics here but there are 5 values being:
Identify
Protect
Detect
Respond
Recover

What is ISO 27001:2022 Annex A attribute called Security Domains

This is the attribute value that assigns controls to security domains. There are 4 security domains being:
Governance and Ecosystem – includes Information System Security Governance and Risk Management, Ecosystem of cybersecurity management
Protection – includes IT Security Architecture, IT Security Administration, Identity and Access Management, IT Security Maintenance, Physical and Environmental Security
Defence – includes Detection, Computer Security Incident Management
Resilience – include Continuity of Operations, Crisis Management

What are ISO 27001:2022 Annex A Organisational Controls?

Organisational controls include laws and regulations and the operations of the organisation in relations to information security. Examples of these controls include organisational structure, information security policies, processes and procedures.

How many ISO 27001:2022 Annex A Organisational Controls are there?

There are 37 ISO 27001:2022 Annex A Organisational Controls

What are the control numbers of the ISO 27001:2022 Annex A Organisational Controls?

They are ISO 27001:2022 Annex A 5.1 to 5.37

What are ISO 27001:2022 Annex A People Controls?

People controls relate to the human aspect of information security. Examples of these controls include background checks on employees, screening and terms of employment.

How many ISO 27001:2022 Annex A People Controls are there?

There are 8 ISO 27001:2022 Annex A People Controls

What are the control numbers of the ISO 27001:2022 Annex A People Controls?

They are ISO 27001:2022 Annex A 6.1 to 6.8

What are ISO 27001:2022 Annex A Physical Controls?

Physical controls relate to physical assets. Entry to buildings, perimeters, clear desk, secure areas are all examples of these controls.

How many ISO 27001:2022 Annex A Physical Controls are there?

There are 14 ISO 27001:2022 Annex A Physical Controls

What are the control numbers of the ISO 27001:2022 Annex A Physical Controls?

They are ISO 27001:2022 Annex A 7.1 to 7.13

What are ISO 27001:2022 Annex A Technological Controls?

Technological controls are software and hardware that work to protect the information security. These include technologies around end point protection, configuration management, data leakage prevention, network security – as examples.

How many ISO 27001:2022 Annex A Technological Controls are there?

There are 34 ISO 27001:2022 Annex A Technological Controls

What are the control numbers of the ISO 27001:2022 Annex A Technological Controls?

They are ISO 27001:2022 Annex A 8.1 to 8.33