ISO 27001 Annex A Controls: Full List Explained
ISO 27001 Annex A controls are the reference set of security controls that organizations use to build their Information Security Management System (ISMS). The 2022 revision of ISO 27001 restructured Annex A from 114 controls across 14 domains into 93 controls organized into 4 themes. Understanding these controls is essential for any organization pursuing ISO 27001 certification.
This guide explains every Annex A control theme, breaks down the key controls within each, and provides practical guidance for implementation.
What Are ISO 27001 Annex A Controls?
Annex A is a normative annex to ISO 27001 that provides a comprehensive catalog of information security controls. These ISO 27001 Annex A controls are detailed in the companion standard ISO 27002:2022, which provides implementation guidance for each control. Whether you are a startup pursuing your first certification or an enterprise managing a mature ISMS, understanding these controls is the foundation of your ISO 27001 certification process.
The purpose of Annex A is straightforward: after you complete your risk assessment and identify risks to your information assets, you select controls from Annex A (and potentially other sources) to treat those risks. You then document your selections in the Statement of Applicability (SoA), explaining which controls you have selected, why, and how they are implemented.
Key changes in the 2022 revision:
- Reorganized from 14 domains to 4 themes: Organizational, People, Physical, and Technological
- Reduced from 114 to 93 controls: Through merging, updating, and consolidating related controls
- 11 new controls added: Reflecting modern threats and practices (threat intelligence, cloud security, data masking, and others)
- Control attributes introduced: Each control now has attributes for control type, information security properties, cybersecurity concepts, operational capabilities, and security domains
Organizations certified to the 2013 version had until October 31, 2025 to transition to the 2022 version. All new certifications must use the 2022 standard.
The Four Annex A Control Themes
Theme 1: Organizational Controls (37 Controls)
Organizational controls address policies, procedures, roles, and governance structures that form the management framework of your ISMS. These are the controls that leadership owns and that define how security is managed across the organization.
Key controls in this theme:
A.5.1 Policies for information security. Requires a set of information security policies, approved by management, published, and communicated to all relevant personnel. Your policy framework should include a top-level information security policy plus supporting policies for specific areas (access control, acceptable use, data classification).
A.5.2 Information security roles and responsibilities. All information security responsibilities must be defined and allocated. This includes defining who owns the ISMS, who manages day-to-day security operations, and who is responsible for specific controls.
A.5.7 Threat intelligence (NEW in 2022). Organizations must collect and analyze information about information security threats. This includes subscribing to threat feeds, participating in industry ISACs (Information Sharing and Analysis Centers), and monitoring vendor security advisories relevant to your technology stack.
A.5.23 Information security for use of cloud services (NEW in 2022). Requires organizations to establish processes for acquiring, using, managing, and exiting cloud services. This includes defining security requirements for cloud providers, understanding shared responsibility models, and monitoring cloud service compliance.
A.5.29 Information security during disruption. Plans for maintaining information security during adverse situations, including business continuity events. Security controls must remain operational even when normal business processes are disrupted.
A.5.30 ICT readiness for business continuity. ICT systems must be planned, implemented, maintained, and tested to ensure business continuity requirements are met. This bridges information security and business continuity management.
Theme 2: People Controls (8 Controls)
People controls address human resource security throughout the employment lifecycle, from screening before hiring through awareness training to responsibilities after employment ends.
Key controls in this theme:
A.6.1 Screening. Background verification checks on all candidates must be carried out before joining the organization. The depth of screening should be proportional to the sensitivity of the role and the information the person will access.
A.6.2 Terms and conditions of employment. Employment contracts must state the employee's and organization's information security responsibilities. This includes confidentiality agreements, acceptable use terms, and obligations that continue after employment ends.
A.6.3 Information security awareness, education, and training. All personnel must receive appropriate awareness training and regular updates on organizational policies relevant to their role. Training must be ongoing, not just at onboarding. Measure effectiveness through phishing simulations, quizzes, or practical exercises.
A.6.5 Responsibilities after termination or change of employment. Information security responsibilities that remain valid after termination must be defined, enforced, and communicated. This includes returning assets, revoking access, and honoring confidentiality agreements.
Theme 3: Physical Controls (14 Controls)
Physical controls protect against physical threats to premises, equipment, and information.
Key controls in this theme:
A.7.1 Physical security perimeters. Define and use security perimeters to protect areas that contain information and information processing facilities. This includes office spaces, data centers, server rooms, and any area where sensitive information is stored or processed.
A.7.4 Physical security monitoring. Premises should be continuously monitored for unauthorized physical access. This includes CCTV, intrusion detection systems, and security guards where appropriate.
A.7.7 Clear desk and clear screen. Rules for clear desks for papers and removable storage media, and clear screen rules for information processing facilities. This simple control prevents a significant category of information exposure.
A.7.9 Security of assets off-premises. Off-site assets, including laptops, mobile devices, and removable media, must be protected. This is increasingly important with remote and hybrid work arrangements.
A.7.10 Storage media. Storage media must be managed through their lifecycle: acquisition, use, transportation, and disposal. This includes requirements for encrypting portable media and securely destroying media that is no longer needed.
Theme 4: Technological Controls (34 Controls)
Technological controls cover the technical security measures that protect information systems, networks, and data.
Key controls in this theme:
A.8.1 User endpoint devices. Information stored on, processed by, or accessible via user endpoint devices must be protected. This includes laptops, desktops, tablets, and mobile phones. Implement endpoint detection and response (EDR), disk encryption, and mobile device management (MDM).
A.8.5 Secure authentication. Secure authentication technologies and procedures must be established based on information access restrictions and the classification of information. This includes multi-factor authentication (MFA), password policies aligned with current NIST guidelines, and session management.
A.8.9 Configuration management. Configurations of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. Configuration drift is a common source of security vulnerabilities.
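The drift the control warns about is easiest to catch by comparing an approved baseline against what is actually running. The following script is an added example, not code from the article or from ISO: it parses a small sshd_config-style file (the directive names are real OpenSSH directives; the baseline values and the sample file are constructed for this illustration) and reports every baseline directive that is missing or differs.

```python
"""Configuration drift check for A.8.9: compare a documented baseline with an
observed configuration and report each deviation.

Added example, not from the article. BASELINE and OBSERVED_TEXT are constructed;
the directive names are OpenSSH sshd_config directives used as realistic keys."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: the approved settings for this host class.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}

# Constructed observed file with drift injected: password auth re-enabled,
# MaxAuthTries loosened, LogLevel directive missing entirely.
OBSERVED_TEXT = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""


@dataclass(frozen=True)
class Drift:
    key: str
    expected: str
    observed: Optional[str]  # None when the directive is absent


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; blank lines and '#' comments are ignored.
    The first occurrence of a key wins, which is how sshd itself resolves
    duplicate directives; a later duplicate is therefore silently ignored."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; a production checker should report it
        key, value = parts
        config.setdefault(key, value.strip())
    return config


def detect_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Drift]:
    """Return one Drift per baseline directive that is absent or differs.
    Values are compared case-sensitively; normalise first for directives whose
    values are documented as case-insensitive."""
    findings: List[Drift] = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual != expected:
            findings.append(Drift(key, expected, actual))
    return findings


def drift_report(text: str = OBSERVED_TEXT, baseline: Dict[str, str] = BASELINE) -> List[Drift]:
    """Convenience wrapper: parse the observed text and diff it against the baseline."""
    return detect_drift(baseline, parse_kv_config(text))


if __name__ == "__main__":
    for d in drift_report():
        state = "MISSING" if d.observed is None else f"observed {d.observed!r}"
        print(f"DRIFT {d.key}: expected {d.expected!r}, {state}")
```

Run against the constructed sample it reports three deviations (PasswordAuthentication, MaxAuthTries, LogLevel) and nothing for the directives that match. In practice the same diff runs on a schedule and its findings feed the monitoring described under A.8.16, so that drift is treated as an event rather than discovered at the next audit.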
A.8.11 Data masking (NEW in 2022). Data masking must be used in accordance with the organization's topic-specific policy on access control and other related policies, considering applicable legislation. This is particularly relevant for development and testing environments that should not use production data.
A.8.12 Data leakage prevention (NEW in 2022). Data leakage prevention measures must be applied to systems, networks, and other devices that process, store, or transmit sensitive information. DLP tools and policies help prevent unauthorized data exfiltration.
A.8.16 Monitoring activities (NEW in 2022). Networks, systems, and applications must be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. This formalizes the need for SIEM, log analysis, and behavioral analytics.
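As an added example of the kind of detection logic this control expects (not code from the article), the script below scans sshd-style authentication log lines for a burst of failures from one source and raises a higher-severity alert when that source later logs in successfully. The log lines, host name, user names and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the threshold and window are assumed values to tune for your environment.

```python
"""Detection logic for A.8.16: failure bursts and success-after-burst,
over constructed sshd-style log lines.

Added example, not from the article. SAMPLE_LOG, hosts, users and addresses
are constructed; FAIL_THRESHOLD and WINDOW_SECONDS are assumed tunables."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

FAIL_THRESHOLD = 5   # failures from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds raise an alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: six failures in 20 s from one source, an unrelated
# successful key login from elsewhere, then a success from the noisy source.
SAMPLE_LOG = """\
2024-01-10T12:00:01Z bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
2024-01-10T12:00:04Z bastion sshd[4102]: Failed password for root from 203.0.113.5 port 50113 ssh2
2024-01-10T12:00:07Z bastion sshd[4103]: Failed password for root from 203.0.113.5 port 50114 ssh2
2024-01-10T12:00:09Z bastion sshd[4104]: Accepted publickey for deploy from 198.51.100.20 port 40210 ssh2
2024-01-10T12:00:11Z bastion sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 50115 ssh2
2024-01-10T12:00:15Z bastion sshd[4106]: Failed password for root from 203.0.113.5 port 50116 ssh2
2024-01-10T12:00:20Z bastion sshd[4107]: Failed password for root from 203.0.113.5 port 50117 ssh2
2024-01-10T12:00:45Z bastion sshd[4108]: Accepted password for root from 203.0.113.5 port 50118 ssh2
"""


@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    at: datetime
    detail: str


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, str]]:
    """Return (timestamp, host, outcome, user, src) or None for lines that do
    not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["outcome"], m["user"], m["src"]


def detect(log_text: str = SAMPLE_LOG, threshold: int = FAIL_THRESHOLD,
           window: int = WINDOW_SECONDS) -> List[Alert]:
    """Single pass over the log. A per-source deque of failure timestamps gives
    a sliding window; a burst is reported once per source, and any later
    successful login from a burst source is escalated."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_sources = set()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # dropped here; a production pipeline should count these
        ts, host, outcome, user, src = parsed
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(Alert("medium", src, ts,
                                    f"{len(q)} failed logins within {window}s on {host}"))
        elif src in burst_sources:
            alerts.append(Alert("high", src, ts,
                                f"successful login as {user!r} on {host} after failure burst"))
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(f"[{a.severity}] {a.at.isoformat()} {a.src}: {a.detail}")
```

On the sample this yields a medium alert at the fifth failure and a high alert for the later success from the same source, while the unrelated key-based login is left alone. The "evaluate potential incidents" half of the control is what the high-severity path feeds: a success after a burst is the case that warrants an analyst rather than a counter.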
A.8.23 Web filtering (NEW in 2022). Access to external websites must be managed to reduce exposure to malicious content. Web filtering policies should block known malicious categories while allowing legitimate business use.
A.8.25 Secure development lifecycle. Rules for the secure development of software and systems must be established and applied. This includes secure coding standards, code review, security testing (SAST/DAST), and separation of development, testing, and production environments.
A.8.28 Secure coding. Secure coding principles must be applied to software development. This includes input validation, output encoding, parameterized queries, and following frameworks like OWASP Top 10 for identifying common vulnerabilities.
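To make the "parameterized queries" and "input validation" points concrete, here is an added example (not code from the article) that runs the same lookup two ways against an in-memory SQLite table: once with untrusted input spliced into the SQL text, once with a bound parameter, plus a separate validation layer. The table schema, rows and the username pattern are constructed for the illustration.

```python
"""Secure coding illustration for A.8.28: string-built SQL versus a
parameterized query, with input validation as a separate layer.

Added example, not from the article. The schema, rows and USERNAME_RE are
constructed for this illustration."""
import re
import sqlite3
from typing import List, Tuple

USERNAME_RE = re.compile(r"^[A-Za-z0-9._'-]{1,32}$")  # constructed allowlist


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table with constructed rows, including a
    legitimate username that contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Anti-pattern: the value is pasted into the statement, so its characters
    become part of the SQL grammar instead of staying data. Any input that
    alters the statement's structure is the same defect class."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized: the driver binds the value separately, so it is only ever
    compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> bool:
    """Input validation as defence in depth: reject lengths and characters the
    application never expects before the value reaches any query. It
    complements parameterization; it does not replace it (the apostrophe in
    o'brien is legitimate and still passes)."""
    return bool(USERNAME_RE.match(username))


def unsafe_query_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True if the string-built query fails on this input. Used to show that the
    unsafe version cannot even handle ordinary data correctly."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", find_user_safe(db, "o'brien"))
    print("unsafe lookup breaks on the same input:", unsafe_query_breaks(db, "o'brien"))
```

The point the example makes is the one a code review should make: with the string-built query, an ordinary surname containing an apostrophe already turns into a syntax error, which is the visible symptom of the input being parsed as SQL. The parameterized form returns the row, and a SAST rule that flags string formatting into `execute()` is the cheapest way to keep the unsafe pattern out of the codebase.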
The 11 New Controls in ISO 27001:2022

| Control | Theme | Description |
|---------|-------|-------------|
| A.5.7 Threat intelligence | Organizational | Collect and analyze threat information |
| A.5.23 Cloud services security | Organizational | Manage security for cloud service use |
| A.5.30 ICT readiness for business continuity | Organizational | Ensure ICT supports business continuity |
| A.7.4 Physical security monitoring | Physical | Monitor premises for unauthorized access |
| A.8.9 Configuration management | Technological | Manage and monitor system configurations |
| A.8.10 Information deletion | Technological | Delete information when no longer needed |
| A.8.11 Data masking | Technological | Mask data per access control policies |
| A.8.12 Data leakage prevention | Technological | Prevent unauthorized data exfiltration |
| A.8.16 Monitoring activities | Technological | Monitor for anomalous behavior |
| A.8.23 Web filtering | Technological | Manage external website access |
| A.8.28 Secure coding | Technological | Apply secure coding principles |
How to Select and Implement Annex A Controls
Implementing Annex A controls follows a structured process:
Step 1: Complete Your Risk Assessment
Before selecting controls, complete a thorough risk assessment per Clause 6.1.2 of ISO 27001. Identify information assets, threats, vulnerabilities, and the likelihood and impact of risk scenarios. Your control selection should be driven by identified risks, not by implementing every control blindly.
Step 2: Select Controls from Annex A
For each identified risk, determine which Annex A controls mitigate that risk to an acceptable level. Some controls address multiple risks, and some risks require multiple controls. Not every control will be applicable to every organization.
Step 3: Build Your Statement of Applicability
The Statement of Applicability (SoA) is a mandatory document (Clause 6.1.3(d)) that lists all 93 Annex A controls, indicates which are applicable and which are not, and provides justification for each decision. For applicable controls, include the implementation status and a reference to the implementing policy or procedure.
Step 4: Create a Risk Treatment Plan
Your risk treatment plan documents how and when each selected control will be implemented. Include responsible persons, timelines, required resources, and success criteria.
Step 5: Implement and Monitor
Implement controls according to your risk treatment plan. Establish metrics to measure control effectiveness. Monitor controls continuously, not just during internal audits.
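The five steps form one chain from risk to control to SoA entry, and the chain is what an auditor traces. The script below is an added example, not from the article, of keeping that chain machine-checkable: a risk register whose treatment decisions name the controls they rely on, a catalogue (only the controls named in this article, not all 93), explicit exclusions, and a check that every control has a decision and every applicable control has an implementing document. Risk IDs, descriptions, exclusion reasons and document references are all constructed.

```python
"""Deriving and checking a Statement of Applicability from a risk register.

Added example, not from the article. CATALOGUE is a subset of Annex A (the
controls this article names); RISK_REGISTER, EXCLUSIONS and
IMPLEMENTATION_REFS are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

CATALOGUE: Dict[str, str] = {
    "A.5.1": "Policies for information security",
    "A.5.2": "Information security roles and responsibilities",
    "A.5.7": "Threat intelligence",
    "A.6.1": "Screening",
    "A.7.4": "Physical security monitoring",
    "A.8.5": "Secure authentication",
    "A.8.11": "Data masking",
    "A.8.16": "Monitoring activities",
    "A.8.25": "Secure development lifecycle",
}


@dataclass
class Risk:
    id: str
    description: str
    treating_controls: List[str]  # Annex A IDs chosen in the treatment plan


@dataclass
class SoaEntry:
    control: str
    title: str
    applicable: bool
    justification: str
    risks: List[str] = field(default_factory=list)
    implementation_ref: str = ""  # policy or procedure implementing the control


# Constructed risk register with the controls selected to treat each risk.
RISK_REGISTER = [
    Risk("R-01", "Credential stuffing against the customer portal", ["A.8.5", "A.8.16"]),
    Risk("R-02", "Production data copied into test environments", ["A.8.11", "A.8.25"]),
    Risk("R-03", "Unvetted contractor granted privileged access", ["A.6.1", "A.5.2"]),
]

# Constructed: controls deliberately excluded, each with the reason the SoA must record.
EXCLUSIONS = {"A.7.4": "Fully remote organisation; no premises in ISMS scope"}

# Constructed: where each applicable control is implemented (A.8.25 left out on purpose).
IMPLEMENTATION_REFS = {
    "A.5.2": "DOC-ISMS-02 Roles and Responsibilities",
    "A.6.1": "HR-PROC-04 Pre-employment Screening",
    "A.8.5": "POL-AC-01 Access Control Policy",
    "A.8.11": "PROC-DEV-07 Test Data Masking",
    "A.8.16": "PROC-SOC-01 Security Monitoring",
}


def build_soa(catalogue=CATALOGUE, risks=RISK_REGISTER, exclusions=EXCLUSIONS,
              refs=IMPLEMENTATION_REFS) -> List[SoaEntry]:
    """One entry per catalogue control. A control is applicable when some risk
    treatment selected it; excluded when a documented reason exists; otherwise
    it is recorded as undecided so the gap is visible rather than silent."""
    entries: List[SoaEntry] = []
    for control_id, title in catalogue.items():
        linked = [r.id for r in risks if control_id in r.treating_controls]
        if linked:
            entries.append(SoaEntry(control_id, title, True,
                                    "Treats " + ", ".join(linked), linked,
                                    refs.get(control_id, "")))
        elif control_id in exclusions:
            entries.append(SoaEntry(control_id, title, False, exclusions[control_id]))
        else:
            entries.append(SoaEntry(control_id, title, False, ""))
    return entries


def audit_soa(entries: List[SoaEntry]) -> List[str]:
    """Return the findings an auditor would raise: no applicability decision,
    or an applicable control with no implementing document referenced."""
    issues: List[str] = []
    for e in entries:
        if not e.justification:
            issues.append(f"{e.control}: no applicability decision recorded")
        elif e.applicable and not e.implementation_ref:
            issues.append(f"{e.control}: applicable but no implementing document referenced")
    return issues


if __name__ == "__main__":
    soa = build_soa()
    for e in soa:
        print(f"{e.control:<7} {'applicable' if e.applicable else 'excluded  '} {e.justification}")
    for issue in audit_soa(soa):
        print("FINDING", issue)
```

Against the constructed inputs the check reports three findings: A.5.1 and A.5.7 have neither a treating risk nor an exclusion reason, and A.8.25 is applicable but has no implementing document. Controls that are applicable for reasons other than a register entry (a contractual or legal obligation, say) need a justification of their own; the undecided bucket is where they surface until that reason is recorded.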
Mapping Annex A Controls to Other Frameworks
Many organizations must comply with multiple frameworks simultaneously. ISO 27001 Annex A controls map to several other standards:
| ISO 27001:2022 Control | NIST CSF 2.0 | SOC 2 TSC | NIST 800-53 |
|------------------------|-------------|-----------|-------------|
| A.5.1 Policies | GV.PO | CC1.1 | PL-1 |
| A.5.7 Threat intelligence | ID.RA | CC3.2 | RA-3, SI-5 |
| A.6.3 Awareness training | PR.AT | CC1.4 | AT-2 |
| A.8.5 Secure authentication | PR.AA | CC6.1 | IA-2 |
| A.8.9 Configuration management | PR.PS | CC6.1 | CM-2 |
| A.8.16 Monitoring | DE.CM | CC7.2 | SI-4 |
| A.8.25 Secure development | PR.DS | CC8.1 | SA-3 |
If your organization is already compliant with SOC 2 or has implemented NIST 800-53 controls, you have a significant head start on ISO 27001 Annex A controls. Use control mapping to identify what you already have in place and where gaps exist. For a direct framework comparison, see our ISO 27001 vs SOC 2 guide.
Common Implementation Mistakes

- Implementing all 93 controls regardless of risk. The SoA should reflect your specific risk profile. Implementing controls that do not address identified risks wastes resources and does not improve security.
- Treating controls as a checklist. Controls must be part of a living management system. Documentation alone does not satisfy the requirement; you need evidence that controls are operating and effective.
- Ignoring the new controls. Organizations transitioning from the 2013 version sometimes treat the 11 new controls as optional extras. They are not. If a new control is relevant to your risk profile, it must be implemented.
- Underestimating organizational controls. Technical controls are easier to implement and verify, but organizational controls (policies, roles, governance) form the foundation. Weak organizational controls undermine everything else.
- Poor documentation. Each control needs documented evidence of implementation and effectiveness. Internal audit findings should reference specific controls and evidence. Your auditor will look for a clear chain from risk assessment to control selection to implementation to monitoring.
Frequently Asked Questions
How many controls are in ISO 27001 Annex A?
ISO 27001:2022 Annex A contains 93 controls organized into 4 themes: Organizational (37), People (8), Physical (14), and Technological (34). The previous 2013 version had 114 controls across 14 domains.
Do I have to implement all 93 Annex A controls?
No. You must assess all 93 controls for applicability based on your risk assessment results. Controls that are not relevant to your risk profile can be excluded, but you must document the justification for each exclusion in your Statement of Applicability.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard that defines requirements for an ISMS. ISO 27002 is a guidance document that provides detailed implementation advice for the Annex A controls. You certify against ISO 27001, and you use ISO 27002 as a reference for how to implement the controls.
What are the new controls in ISO 27001:2022?
The 2022 revision added 11 new controls covering threat intelligence, cloud services security, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
How long does it take to implement Annex A controls?
Implementation timelines for ISO 27001 Annex A controls vary significantly based on organization size, existing security maturity, and scope. A small to mid-size organization with some existing controls typically needs 6 to 12 months. Larger or less mature organizations may need 12 to 18 months. For budgeting, see our ISO 27001 certification cost breakdown.
Can I use controls from outside Annex A?
Yes. ISO 27001 Clause 6.1.3(b) allows organizations to use additional controls from any source. Annex A is a reference set, not an exhaustive list. If your risk assessment identifies a risk that no Annex A control adequately addresses, you can implement a custom control.
