ISO 27001 Annex A Controls: All 93 Controls Explained

ISO 27001 Annex A Controls: All 93 Controls Explained

TL;DR

• ISO/IEC 27001:2022 Annex A contains 93 controls in 4 themes: Organizational (37), People (8), Physical (14), and Technological (34).
• The 2022 revision replaced 114 controls across 14 domains from the 2013 version; 11 controls are entirely new.
• You must assess all 93 controls for applicability — you do not implement every one. Exclusions must be justified in the Statement of Applicability (SoA).
• ISO/IEC 27002:2022 is the companion document with implementation guidance for each control; you certify against ISO 27001, not ISO 27002.
• The October 31, 2025 transition deadline has passed. All active certifications now must reference the 2022 standard.

Who this is for

This article is for security managers, IT leads, and compliance staff preparing for ISO 27001 certification or transitioning an existing ISMS from the 2013 standard. It covers what each control theme requires and where the 11 new controls fit. If you are still deciding whether to pursue ISO 27001, start with the ISO 27001 certification process overview.

What Annex A Is — and What It Is Not

Annex A is a normative annex to ISO/IEC 27001:2022, meaning it is part of the standard itself, not advisory. It lists the controls your organization must evaluate during risk treatment.

The controls in Annex A are documented in detail in ISO/IEC 27002:2022, published in March 2022. ISO 27002 provides the purpose, implementation guidance, and other information for each of the 93 controls. Annex A names them; ISO 27002 explains how to apply them. Neither document is a checklist you work through sequentially. The correct sequence is:

1. Complete a risk assessment (Clause 6.1.2).
2. Select controls to treat identified risks — from Annex A and any other sources (Clause 6.1.3(b)).
3. Document all 93 controls in your Statement of Applicability, marking each as applicable or not applicable with justification (Clause 6.1.3(d)).
4. Implement selected controls and gather operating evidence.

A certification auditor reviews the SoA against your risk assessment to verify the logic holds. Controls marked "not applicable" without a credible rationale are a common finding at Stage 2 audits.

What changed from 2013 to 2022

The 2013 version organized 114 controls across 14 alphabetically-named domains (A.5 through A.18). The 2022 version reorganized into 4 themes with consecutive numbering (5.1 through 8.34). The structural differences:

Each control in the 2022 version carries five attributes: control type (preventive/detective/corrective), information security properties (confidentiality/integrity/availability), cybersecurity concepts aligned to NIST CSF, operational capabilities, and security domains. These attributes are not certification requirements, but they help with control mapping and gap analysis.

Theme 1: Organizational Controls (Controls 5.1 – 5.37)

Organizational controls set the management framework for the ISMS. They cover policies, governance structures, asset ownership, supplier relationships, and legal obligations. Leadership owns most of these controls.

Policies and governance (5.1 – 5.4)

5.1 Policies for information security. A set of information security policies must be defined, approved by management, published, and communicated to relevant personnel. The standard requires a top-level policy plus supporting policies for specific areas. Auditors check for evidence of management approval and distribution, not just the documents themselves.

5.2 Information security roles and responsibilities. All information security responsibilities must be defined and allocated. This includes the ISMS owner, control owners, and day-to-day operational roles. Undefined responsibilities are one of the most frequent nonconformities at Stage 1 audits.

5.3 Segregation of duties. Conflicting duties and areas of responsibility must be segregated to reduce opportunities for unauthorized modification or misuse. For small organizations with limited headcount, compensating controls (logs, supervisory review) can satisfy this requirement.

5.4 Management responsibilities. Management must require all personnel to apply information security in line with the organization's policies. This feeds directly into awareness training (6.3) and disciplinary processes (6.4).

Risk, assets, and classification (5.5 – 5.14)

5.5 Contact with authorities. The organization must maintain appropriate contacts with relevant authorities (regulators, law enforcement, emergency services). This is not about lobbying; it means knowing who to call during an incident and having documented escalation paths.

5.6 Contact with special interest groups. Participation in professional forums, ISACs, or vendor advisory groups to stay informed about threat developments. Relevant for threat intelligence (5.7).

5.7 Threat intelligence (new in 2022). The organization must collect, analyze, and produce information about information security threats to inform risk treatment decisions. In practice, this means subscribing to threat feeds relevant to your sector, monitoring vendor advisories, and reviewing outputs from groups like FS-ISAC or H-ISAC. The control does not mandate a full threat intelligence program; it requires that threat information reaches decision-makers.

5.8 Information security in project management. Information security must be integrated into project management, regardless of the project type. Projects that introduce new systems, change data flows, or affect suppliers all require a security assessment step.

5.9 Inventory of information and other associated assets. Maintaining an inventory of assets associated with information and information processing is required. The inventory must show asset ownership and classification.

5.10 Acceptable use of information and other associated assets. Rules for acceptable use must be identified, documented, and implemented.

5.11 Return of assets. All personnel and relevant third parties must return organizational assets upon change or termination of employment, contract, or agreement.

5.12 Classification of information. Information must be classified according to the legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Most organizations use a three-tier scheme (public/internal/confidential or similar).

5.13 Labeling of information. An appropriate set of procedures for information labeling must be developed and implemented in accordance with the classification scheme.

5.14 Information transfer. Rules, procedures, or agreements for the transfer of information between the organization and third parties must be in place for all transfer types (electronic, physical, verbal).

Suppliers, incident management, and continuity (5.15 – 5.30)

5.15 Access control. Rules to control physical and logical access to information and processing facilities must be established and implemented, based on business and information security requirements.

5.16 Identity management. The full lifecycle of identities — creation, maintenance, and deletion — must be managed. This pairs with 5.17 (authentication information) and 5.18 (access rights).

5.17 Authentication information. Management of authentication information must follow a formal management process, including advising personnel to keep authentication information confidential.

5.18 Access rights. Provisioning, reviewing, modification, and removal of access rights must follow a documented process, with periodic access reviews.

5.19 Information security in supplier relationships. Requirements for managing information security risks associated with supplier access must be agreed on and documented.

5.20 Addressing information security in supplier agreements. Relevant security requirements must be included in agreements with suppliers.

5.21 Managing information security in the ICT supply chain. Processes for managing security risks in the ICT supply chain must be defined and implemented, including software and hardware components.

5.22 Monitoring, review, and change management of supplier services. Supplier performance against security requirements must be regularly monitored and reviewed.

5.23 Information security for use of cloud services (new in 2022). Processes for acquiring, using, managing, and exiting cloud services must be established in line with the organization's security requirements. Cloud services introduce shared responsibility models that require explicit definition of which security obligations belong to the provider and which belong to the customer.

5.24 Information security incident management planning and preparation. The organization must plan for and prepare to handle incidents through defined roles, responsibilities, and procedures.

5.25 Assessment and decision on information security events. Security events must be assessed and triaged to determine whether they qualify as incidents.

5.26 Response to information security incidents. Incidents must be responded to in accordance with documented procedures.

5.27 Learning from information security incidents. Knowledge gained from incidents must feed back into the risk assessment and control improvements.

5.28 Collection of evidence. Procedures for identifying, collecting, acquiring, and preserving information that can serve as evidence must be defined.

5.29 Information security during disruption. Plans must address how information security controls will be maintained during adverse situations, including business continuity events.

5.30 ICT readiness for business continuity (new in 2022). ICT systems supporting critical business functions must be planned, implemented, maintained, and tested to ensure availability during disruption. This control bridges the ISMS with business continuity management system (BCMS) requirements.

Legal and compliance (5.31 – 5.37)

5.31 Legal, statutory, regulatory, and contractual requirements. Requirements relevant to information security must be identified, documented, and kept current.

5.32 Intellectual property rights. Procedures for protecting intellectual property rights in relation to software and information assets must be implemented.

5.33 Protection of records. Records must be protected from loss, destruction, falsification, unauthorized access, and unauthorized release.

5.34 Privacy and protection of personal information. Privacy and protection of personally identifiable information (PII) must be ensured as required by relevant legislation and regulation. For organizations subject to GDPR or similar regimes, ISO 27701 (Privacy Information Management) extends this control.

5.35 Independent review of information security. The organization's approach to managing information security must be reviewed independently at planned intervals.

5.36 Compliance with policies, rules, and standards for information security. Managers must regularly review compliance with information security policies, procedures, and standards.

5.37 Documented operating procedures. Operating procedures for information processing must be documented and made available to all who need them.

Theme 2: People Controls (Controls 6.1 – 6.8)

People controls cover the full employment lifecycle from pre-hire screening through post-termination obligations. Eight controls, but failures here — inadequate screening, no security training, poor offboarding — account for a disproportionate share of security incidents.

6.1 Screening. Background verification checks must be carried out before hiring or engaging personnel. The depth of screening should match the role's access to sensitive information and systems. Roles with privileged access warrant more thorough checks.

6.2 Terms and conditions of employment. Employment and contractor agreements must state each party's information security responsibilities. This includes confidentiality obligations, acceptable use, and duties that survive termination.

6.3 Information security awareness, education, and training. All personnel and relevant contractors must receive security awareness training at hire and regularly thereafter, calibrated to their role. One-time onboarding training does not satisfy this control. Auditors look for documented training completion records, not just training materials.

6.4 Disciplinary process. A formal disciplinary process must exist for personnel who violate information security policy. The process must be documented and communicated.

6.5 Responsibilities after termination or change of employment. Security responsibilities and obligations that survive the end of employment — confidentiality agreements, data return, non-disclosure — must be defined, communicated, and enforced. Offboarding checklists should reference these obligations explicitly.

6.6 Confidentiality or non-disclosure agreements. NDAs or confidentiality agreements reflecting the organization's information protection needs must be in place with personnel and third parties.

6.7 Remote working. Security measures for personnel working remotely must be implemented and communicated. This includes equipment security, access controls, and policies for working in public or shared spaces.

6.8 Information security event reporting. Personnel must be required to report observed or suspected information security events through appropriate channels as quickly as possible. Barriers to reporting — fear of blame, unclear escalation paths — are a control failure under 6.8.

Theme 3: Physical Controls (Controls 7.1 – 7.14)

Physical controls protect premises, equipment, and storage media from unauthorized physical access, damage, and loss.

7.1 Physical security perimeters. Security perimeters must be defined and used to protect areas containing information and processing facilities. Perimeters can include building walls, locked server rooms, reception barriers, and guarded areas.

7.2 Physical entry. Secure areas must be protected by appropriate entry controls to ensure only authorized personnel gain access.

7.3 Securing offices, rooms, and facilities. Physical security for offices and facilities must be designed and applied.

7.4 Physical security monitoring (new in 2022). Premises must be continually monitored for unauthorized physical access. Monitoring tools include CCTV, intrusion alarms, and access control logs. The requirement for monitoring is new in 2022; the 2013 version addressed physical entry but not ongoing monitoring.

7.5 Protecting against physical and environmental threats. Physical and environmental threats — fire, flood, earthquake, power failure, vandalism — must be identified and protections put in place.

7.6 Working in secure areas. Procedures for working in secure areas must be designed and applied.

7.7 Clear desk and clear screen. Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, must be defined and implemented. This control addresses the exposure risk from unattended documents and unlocked screens.

7.8 Equipment siting and protection. Equipment must be sited and protected to reduce risks from environmental threats and unauthorized access.

7.9 Security of assets off-premises. Off-premises assets — laptops, mobile devices, external drives — must be protected. The organization must define what protection is required when assets leave controlled premises.

7.10 Storage media. Storage media must be managed through their lifecycle: acquisition, use, transport, and disposal. Encrypted transport and secure destruction at end-of-life (e.g., NIST SP 800-88-compliant wiping or physical destruction) satisfy the disposal requirement.

7.11 Supporting utilities. Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities.

7.12 Cabling security. Power and telecommunications cabling must be protected from interception, interference, or damage.

7.13 Equipment maintenance. Equipment must be maintained correctly to ensure availability and integrity.

7.14 Secure disposal or reuse of equipment. Equipment must be verified to ensure sensitive data and licensed software have been removed or securely overwritten before disposal or reuse.

Theme 4: Technological Controls (Controls 8.1 – 8.34)

The largest theme, covering technical security measures for endpoints, networks, applications, data, and development environments.

Endpoints and access (8.1 – 8.6)

8.1 User endpoint devices. Information stored on, processed by, or accessible via user endpoints must be protected. This covers laptops, desktops, tablets, and mobile phones. Disk encryption, endpoint detection tools, and mobile device management (MDM) are common implementation choices.

8.2 Privileged access rights. Privileged access rights must be restricted, managed, and monitored. Privileged accounts should be separate from standard user accounts, used only when elevated access is required.

8.3 Information access restriction. Access to information and system functions must be restricted in accordance with the access control policy.

8.4 Access to source code. Read and write access to source code, development tools, and software libraries must be appropriately managed.

8.5 Secure authentication. Authentication technologies and procedures must be established based on access restrictions and information classification. This includes multi-factor authentication (MFA) for privileged and remote access, and password policies aligned with NIST SP 800-63B guidance (length over complexity, no mandatory rotation without evidence of compromise).

8.6 Capacity management. Capacity requirements must be monitored, adjusted, and projections made to ensure required system performance.

Operations and protection (8.7 – 8.15)

8.7 Protection against malware. Protection against malware must be implemented and supported by appropriate user awareness.

8.8 Management of technical vulnerabilities. Technical vulnerabilities must be identified, evaluated, and remediated in a timely manner. This requires a defined patching process with risk-based prioritization and tracking.

8.9 Configuration management (new in 2022). Configurations of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. Configuration drift is a documented source of security vulnerabilities; this control formalizes the requirement to prevent it.

8.10 Information deletion (new in 2022). Information stored in information systems, devices, or other storage media must be deleted when no longer required. This supports both security (reducing exposure) and regulatory compliance (data retention limits).

8.11 Data masking (new in 2022). Data masking must be used in line with the access control policy and applicable legislation. Development and test environments must not use unmasked production data. This applies particularly to environments with PII or financial data.

8.12 Data leakage prevention (new in 2022). Data leakage prevention measures must be applied to systems, networks, and devices that process, store, or transmit sensitive information. DLP tooling combined with data classification (5.12) is the standard implementation path.

8.13 Information backup. Backup copies of information, software, and systems must be maintained and tested in accordance with the agreed backup policy. Testing means actually restoring from backup, not just verifying that backup jobs complete.

8.14 Redundancy of information processing facilities. Facilities must be implemented with sufficient redundancy to meet availability requirements.

8.15 Logging. Logs recording user activities, exceptions, faults, and information security events must be produced, stored, protected, and analyzed. Log retention periods must reflect regulatory and operational requirements.

Monitoring and network security (8.16 – 8.22)

8.16 Monitoring activities (new in 2022). Networks, systems, and applications must be monitored for anomalous behavior, with actions taken to evaluate potential incidents. This formalizes SIEM or equivalent log analysis capabilities as a requirement, not an optional enhancement.

8.17 Clock synchronization. The clocks of information processing systems must be synchronized to an approved time source. Accurate timestamps are required for log correlation and incident investigation.

8.18 Use of privileged utility programs. Utility programs capable of overriding system or application controls must be restricted and tightly controlled.

8.19 Installation of software on operational systems. Procedures and measures must be implemented to securely manage software installation on operational systems.

8.20 Networks security. Networks and network devices must be secured, managed, and controlled to protect information in systems and applications.

8.21 Security of network services. Security mechanisms, service levels, and management requirements of all network services must be identified, implemented, and monitored.

8.22 Segregation of networks. Groups of information services, users, and information systems must be segregated in networks. Flat networks where all devices can reach each other directly are a common gap here.

Web, cryptography, and supply chain (8.23 – 8.30)

8.23 Web filtering (new in 2022). Access to external websites must be managed to reduce exposure to malicious content. Policy-based filtering that blocks known malicious categories while allowing legitimate business access is the standard implementation.

8.24 Use of cryptography. Rules for effective use of cryptography, including key management, must be defined and implemented. This includes encryption standards, key generation, storage, distribution, retirement, and revocation.

8.25 Secure development lifecycle. Rules for secure development of software and systems must be established and applied throughout the development lifecycle. This includes threat modeling, security requirements, code review, SAST/DAST testing, and separation of development, test, and production environments.

8.26 Application security requirements. Information security requirements must be identified, specified, and approved for application development or acquisition.

8.27 Secure system architecture and engineering principles. Principles for engineering secure systems must be established, documented, maintained, and applied to any information system implementation. OWASP guidelines and NIST SP 800-160 are common reference points.

8.28 Secure coding (new in 2022). Secure coding principles must be applied to software development. This includes input validation, output encoding, parameterized queries, error handling, and following the OWASP Top 10 for identifying common vulnerabilities. The control formalizes what many development teams do informally.

8.29 Security testing in development and acceptance. Security testing processes must be defined and implemented in the development and acceptance cycle.

8.30 Outsourced development. The organization must direct, monitor, and review activities related to outsourced system development.

Change management and assets (8.31 – 8.34)

8.31 Separation of development, test, and production environments. Development, testing, and production environments must be separated and secured.

8.32 Change management. Changes to information processing facilities and information systems must be subject to change management procedures.

8.33 Test information. Test information must be appropriately selected, protected, and managed.

8.34 Protection of information systems during audit testing. Audit requirements and activities involving verification of operational systems must be carefully planned and agreed to minimize disruptions to business processes.

The 11 New Controls at a Glance

If your organization transitioned from the 2013 standard, these 11 controls warrant specific attention in your gap analysis. A control marked "not applicable" without a documented rationale is a finding waiting to happen.

Mapping Annex A to Other Frameworks

For organizations managing multiple compliance obligations, Annex A controls overlap substantially with other frameworks.

An organization that has implemented NIST 800-53 controls or holds SOC 2 will find significant overlap with Annex A. A gap analysis comparing existing controls against the Annex A list is faster than starting from scratch. For a structured comparison, see our ISO 27001 vs SOC 2 guide.

Common Mistakes When Implementing Annex A Controls

Treating the SoA as a status tracker rather than a risk document. The SoA must show the connection between each control and a specific risk or legal obligation. An SoA that just lists controls as "implemented" or "not applicable" without rationale will not hold up at audit.

Implementing all 93 controls regardless of scope. Controls that do not address identified risks in your defined ISMS scope add cost without adding security. A cloud-only SaaS company with no physical premises has legitimate grounds to limit several physical controls, provided the rationale is documented.

Marking controls as implemented when they are still partial. Controls partially in place should be documented as "in progress" with a target date. Auditors do not penalize honest in-progress status; they penalize claims of implementation that evidence contradicts.

Underweighting organizational controls. Controls 5.1 through 5.37 are the management foundation. A mature technical posture on top of weak policies and undefined ownership creates an ISMS that works on paper but fails in incidents.

Skipping the new controls on transition. The 11 new controls from 2022 address real gaps — cloud security, configuration drift, data leakage, monitoring — that the 2013 version did not directly require. Carrying over an existing ISMS without reassessing these controls is a gap.

Frequently Asked Questions

How many controls are in ISO 27001:2022 Annex A?

ISO 27001:2022 Annex A contains 93 controls across 4 themes: Organizational (37, controls 5.1–5.37), People (8, controls 6.1–6.8), Physical (14, controls 7.1–7.14), and Technological (34, controls 8.1–8.34). The 2013 version contained 114 controls across 14 domains.

Do I have to implement all 93 controls?

No. ISO 27001 Clause 6.1.3 requires you to evaluate all 93 controls and document your decisions in the Statement of Applicability. Controls outside your scope or not relevant to identified risks can be excluded, but each exclusion requires a written justification. Undocumented exclusions are a nonconformity.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard defining ISMS requirements. ISO 27002 is a guidance document providing implementation advice for each Annex A control. Certification is against ISO 27001. ISO 27002 is a reference used during implementation, not an auditable requirement.

What are the 11 new controls added in 2022?

5.7 (Threat intelligence), 5.23 (Cloud services security), 5.30 (ICT readiness for business continuity), 7.4 (Physical security monitoring), 8.9 (Configuration management), 8.10 (Information deletion), 8.11 (Data masking), 8.12 (Data leakage prevention), 8.16 (Monitoring activities), 8.23 (Web filtering), and 8.28 (Secure coding).

How long does it take to implement Annex A controls?

Implementation timelines depend on your organization's size, existing security maturity, and ISMS scope. The October 2025 transition deadline required organizations certified to the 2013 standard to update their ISMS to the 2022 structure. New certifications vary: a focused scope with some existing controls can reach Stage 1 audit readiness in under a year; a broad scope starting from minimal documentation typically requires longer. See our ISO 27001 certification cost breakdown for related planning data.

Can I include controls not listed in Annex A?

Yes. ISO 27001 Clause 6.1.3(b) explicitly allows organizations to use controls from any source. Annex A is a reference set, not an exhaustive catalog. If your risk assessment identifies a risk that none of the 93 controls adequately addresses, you can and should implement a custom control, documented in the SoA.

Sources

1. ISO, "ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements," iso.org, accessed 2026-05-12. https://www.iso.org/standard/27001
2. ISO, "ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls," iso.org, accessed 2026-05-12. https://www.iso.org/standard/75652.html
3. NIST, "Special Publication 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management," pages.nist.gov, accessed 2026-05-12. https://pages.nist.gov/800-63-3/sp800-63b.html
4. OWASP, "OWASP Top Ten," owasp.org, accessed 2026-05-12. https://owasp.org/www-project-top-ten/
5. Wikipedia contributors, "ISO/IEC 27002," Wikipedia, accessed 2026-05-12. https://en.wikipedia.org/wiki/ISO/IEC_27002
6. isms.online, "ISO 27001 Annex A Controls," isms.online, accessed 2026-05-12. https://www.isms.online/iso-27001/annex-a/

Sources used

1. ISO/IEC 27001:2022 — accessed 2026-05-12
2. ISO/IEC 27002:2022 — accessed 2026-05-12
3. NIST SP 800-63B — accessed 2026-05-12
4. OWASP Top 10 — accessed 2026-05-12

Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.