ISO 27001 Controls: Complete Guide to Annex A

ISO 27001 Annex A controls structure and compliance guide.

Understanding ISO 27001 control requirements is a critical step when implementing an information security management system (ISMS). ISO 27001 is an internationally recognized standard designed to help organizations manage information security risks through an ISMS. A core component of this standard is Annex A, which provides a reference list of information security controls.

Annex A supports the risk treatment process by helping organizations translate risk assessment results into practical security controls. Following the ISO/IEC 27001:2022 update, Annex A now includes 93 controls organized to address modern cybersecurity risks such as cloud adoption, remote work, and evolving threat landscapes.

This article is intended for security leaders implementing an ISMS, compliance teams preparing for audits, and advisory firms supporting client readiness. Understanding Annex A helps organizations implement appropriate security controls as part of ISO 27001 certification preparation.

What Are ISO 27001 Annex A Controls?

Annex A provides a reference set of information security controls that organizations consider during risk treatment. During ISO 27001 implementation, organizations perform risk assessment and risk treatment to identify appropriate security controls. Applicable Annex A controls, along with any additional controls, are documented in the Statement of Applicability (SoA), including justification for inclusion or exclusion.

Purpose of Annex A Controls

Annex A provides a structured set of controls that organizations use to manage information security risks and support ISMS implementation. These controls help organizations protect the confidentiality, integrity, and availability of information by integrating security practices into operational processes.

Are All Annex A Controls Required?

No. ISO 27001 follows a risk-based approach. Organizations select applicable Annex A controls based on risk assessment results and may implement additional controls where necessary. Any excluded controls must be justified and documented in the Statement of Applicability (SoA).

ISO 27001:2022 Annex A Control Structure

The 2022 version of ISO/IEC 27001 has made changes to Annex A, introducing a control theme approach that simplifies implementation and modernizes alignment between business and cybersecurity controls.

A.5 Organizational Controls (37 Controls)

Organizational controls emphasize governance, policies, and risk management processes that shape an organization’s overall approach to information security. These controls encompass information security policies, asset management, threat intelligence, and supplier security management.

A.6 People Controls (8 Controls)

The controls in this theme address the security risks that come with employees, contractors, and third parties. Given that human error is a common factor in security incidents, this area is a critical component of the ISMS. Focus areas cover security awareness training delivered by the organization, human resources security, remote working, and responsibilities after termination or change of employment.

A.7 Physical Controls (14 Controls)

The controls here provide a framework for the protection of facilities and equipment as well as the control of physical access to the organization's information assets. These controls offer protection and prevention of unauthorized access, disruption, destruction, or interference with the activities of the organization.

A.8 Technological Controls (34 Controls)

These controls cover technical measures used to safeguard systems, networks, and data within the organization. These controls foster the secure use of applications and the IT infrastructure of the organization.

Complete ISO 27001 Annex A Controls List

To help map your compliance strategy, below is an overview of ISO 27001:2022 Annex A controls, organized by their respective domains. This section highlights representative controls from each domain.

A.5 Organizational Controls List

Organizational controls focus on governance, policy management, risk management, and supplier security.

Examples include:

  • 5.1 Policies for information security

  • 5.2 Information security roles and responsibilities

  • 5.3 Segregation of duties

  • 5.4 Management responsibilities

  • 5.7 Threat intelligence

  • 5.9 Inventory of information and other associated assets

  • 5.10 Acceptable use of information and other associated assets

  • 5.12 Information classification

  • 5.15 Access control

  • 5.18 Access rights

  • 5.19 Information security in supplier relationships

  • 5.23 Information security for use of cloud services

  • 5.30 ICT readiness for business continuity

  • 5.31 Legal, statutory, regulatory and contractual requirements

This domain includes 37 controls focusing on governance, asset management, supplier security, and business continuity.

A.6 People Controls List

People controls address risks associated with employees, contractors, and third-party personnel.

Examples include:

  • 6.1 Screening

  • 6.2 Terms and conditions of employment

  • 6.3 Information security awareness, education and training

  • 6.4 Disciplinary process

  • 6.5 Responsibilities after termination or change of employment

  • 6.6 Confidentiality or non-disclosure agreements

  • 6.7 Remote working

  • 6.8 Information security event reporting

This domain includes 8 controls focused on personnel security.

A.7 Physical Controls List

Physical controls protect facilities, equipment, and physical access.

Examples include:

  • 7.1 Physical security perimeters

  • 7.2 Physical entry controls

  • 7.3 Securing offices, rooms and facilities

  • 7.4 Physical security monitoring

  • 7.5 Protecting against physical and environmental threats

  • 7.8 Equipment siting and protection

  • 7.9 Security of assets off-premises

  • 7.10 Storage media

  • 7.14 Secure disposal or re-use of equipment

This domain includes 14 controls dedicated to physical security.

A.8 Technological Controls List

Technological controls address technical safeguards for systems and infrastructure.

Examples include:

  • 8.1 User endpoint devices

  • 8.2 Privileged access rights

  • 8.3 Information access restriction

  • 8.5 Secure authentication

  • 8.8 Management of technical vulnerabilities

  • 8.9 Configuration management

  • 8.10 Information deletion

  • 8.11 Data masking

  • 8.12 Data leakage prevention

  • 8.16 Monitoring activities

  • 8.23 Web filtering

  • 8.24 Use of cryptography

  • 8.28 Secure coding

  • 8.31 Separation of development, test and production environments

This domain includes 34 controls addressing modern cybersecurity risks.

New ISO 27001 Annex A Controls (2022 Update)

ISO/IEC 27001:2022 introduced 11 new controls while consolidating and reorganizing existing ones. These controls address modern risks such as cloud security, threat intelligence, secure development, and data protection.

  1. A.5.7 Threat Intelligence: Collecting and analyzing information about threats to support the identification and reduction of risks.

  2. A.5.23 Information Security for Use of Cloud Services: Defining the security needs for the selection, acquisition, and use of cloud services.

  3. A.5.30 ICT Readiness for Business Continuity: Ensuring the organization's ICT systems are prepared to support business continuity requirements when disruptions occur.

  4. A.7.4 Physical Security Monitoring: Introduced to strengthen monitoring of physical environments and facilities supporting information systems.

  5. A.8.9 Configuration Management: Defining and maintaining secure configurations for systems and applications.

  6. A.8.10 Information Deletion: Securely deleting information that is no longer needed.

  7. A.8.11 Data Masking: The protection of sensitive information through data masking in the development and testing of systems.

  8. A.8.12 Data Leakage Prevention: Implementing controls to detect and prevent unauthorized data transfer.

  9. A.8.16 Monitoring Activities: Monitoring networks and systems to detect abnormal or suspicious behavior.

  10. A.8.23 Web Filtering: Controlling access to external websites to protect systems from content deemed malicious or inappropriate.

  11. A.8.28 Secure Coding: Applying secure coding practices in software development.

ISO 27001:2013 vs ISO 27001:2022 Annex A

ISO/IEC 27001:2022 replaced ISO/IEC 27001:2013 and introduced structural updates to better align with modern cybersecurity risks and technology environments. Organizations certified to ISO/IEC 27001:2013 were required to transition to ISO/IEC 27001:2022 by October 31, 2025.

The update consolidated controls, reduced redundancy, and introduced new controls addressing areas such as cloud services, secure development, and enhanced monitoring.

Feature            ISO 27001:2013        ISO 27001:2022
Controls           114                   93
Domains            14 Control Domains    4 Control Themes
Cloud Security     Limited               Expanded
DevOps Security    Limited               Enhanced
Risk Focus         Traditional           Modern Threats

The restructuring simplifies control organization and improves alignment with modern cybersecurity risks. It also improves control mapping during risk assessment and audit processes. The 2022 version added 11 new controls, adopted current terminology, and merged previous controls to accommodate modern technology such as the cloud and remote work.

Who is Responsible for Implementing ISO 27001 Annex A Controls?

Implementing Annex A controls typically involves multiple teams within the organization. Successful ISMS implementation requires collaboration between management, security, IT, and operational teams.

  • Leadership/Executive Team: Provides resources, approves security policies, and supports information security initiatives. They ensure the ISMS is aligned with the company's objectives.

  • CISO / Security Team: Responsible for coordinating ISMS implementation, risk assessments, and control management.

  • IT Team: Responsible for establishing and administering technical controls, including access controls, network security, backups, system security, and monitoring to ensure technical safeguards are in place.

  • Compliance / Risk / Governance Team: Coordinates control mapping; manages ISMS documentation, including the Statement of Applicability (SoA); and supports internal and external audit readiness.

  • Business Unit Owners: Support control implementation, participate in asset classification, and report security incidents.

Common ISO 27001 Annex A Implementation Challenges

Implementing ISO 27001 Annex A controls can present several challenges, particularly for organizations building an ISMS for the first time.

  • Identifying Applicable Controls: Organizations may struggle to determine which Annex A controls apply to their risk environment. This requires a structured risk assessment and careful control selection.

  • Documentation Complexity: Creating and compiling policies, procedures, and supporting documents takes considerable time. Implementing new controls and updating risk treatments adds to the effort required to keep living documentation current.

  • Evidence Collection: Maintaining control evidence can be resource-intensive. Many controls depend on audit and logging records. For example, organizations need to retain access control records, security incident evidence, training logs, risk treatment records, and similar artifacts.

  • Control Ownership Confusion: Control implementation is difficult if ownership is not defined. To achieve compliance, organizations need to assign oversight to controls, processes, and evidence.

How Roz Simplifies ISO 27001 Readiness

Preparing clients for ISO 27001 readiness often involves heavy documentation review and gap analysis. Roz helps CPA firms and advisory teams streamline this process with a structured, AI-native engagement workspace.

Roz helps teams:

  • Organize documentation and evidence in centralized client workspaces

  • Generate AI-assisted draft workpapers with audit trails

  • Extract controls and highlight documentation gaps

  • Support questionnaires using source-linked documentation

  • Structure audit preparation workflows

By centralizing documentation and supporting first-pass analysis, Roz helps teams prepare for ISO 27001 engagements more efficiently.

Conclusion

The updated Annex A control structure offers a modernized, streamlined approach to information security. By adopting a risk-based implementation strategy, organizations can build an ISMS aligned with organizational risks and evolving security requirements.

Whether you are pursuing certification for the first time or transitioning to the 2022 standard, beginning with a thorough gap assessment is the most effective way forward. Identify your critical assets, map your existing controls, and start planning your route to a stronger security posture.

FAQs

How many Annex A controls are there?

ISO 27001:2022 includes 93 controls.

Are all Annex A controls mandatory?

No. Organizations select applicable controls based on risk assessment and document them in the Statement of Applicability (SoA).

What changed in ISO 27001:2022?

Controls reduced from 114 to 93 and reorganized into four domains.

What is a Statement of Applicability?

A document listing the selected controls, with justification for each control's inclusion or exclusion.

AI built for Auditors

© 2026 Roz. All rights reserved.