What is Annex A, and what has changed?
Annex A in ISO 27001 is a part of the standard that lists a set of classified security controls that organisations use to demonstrate compliance with ISO 27001 6.1.3 (Information security risk treatment) and its associated Statement of Applicability (see below).
It previously contained 114 controls divided into 14 categories, which covered a wide range of topics such as access control, cryptography, physical security, and incident management.
Following the release of ISO 27002:2022 (Information security, cybersecurity and privacy protection controls) on February 15, 2022, ISO 27001:2022 has aligned its Annex A controls.
The new version of the Standard draws upon a condensed set of 93 Annex A controls, including 11 new controls.
A total of 24 controls were merged from two, three, or more security controls from the 2013 version, and 58 controls from the ISO 27002:2013 were revised to align with the current cyber security and information security environment.
What is a Statement of Applicability?
Before continuing, it is worth introducing a statement of applicability (SoA) as this outlines an organisation’s approach to implementing specified Annex A controls.
A Statement of Applicability (SoA) in ISO 27001 2022 is a document that lists the Annex A controls that an organisation will implement to meet the requirements of the standard. It is a mandatory step for anyone planning on pursuing ISO 27001 certification.
Your SoA should contain four main elements:
- A list of all controls that are necessary to satisfy information security risk treatment options, including those contained within Annex A.
- A statement that outlines why all of the above controls have been included.
- Confirmation of implementation.
- The organisation’s justification for omitting any of the Annex A controls.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
The New ISO 27001:2022 control categories explained
The Annex A controls of ISO 27001:2013 were previously divided into 14 categories. ISO 27001 2022 adopts a similar categorical approach to information security that distributes processes among four top-level categories.
Annex a Controls Have Now Been Grouped Into Four Categories
The ISO 27001:2022 Annex controls have been restructured and consolidated to reflect current security challenges. The core ISMS management processes remain unchanged, but the Annex A control set has been updated to reflect more modern risks and their associated controls.
- Organisational
- People
- Physical
- Technological
Each control has additionally assigned an attribution taxonomy. Each control now has a table with a set of suggested attributes, and Annex A of ISO 27002:2022 provides a set of recommended associations.
These allow you to quickly align your control selection with common industry language and international standards. The use of attributes supports work many companies already do within their risk assessment and Statement of Applicability (SoA).
For example, Cybersecurity concepts similar to NIST and CIS controls can be distinguished, and the operational capabilities relating to other standards can be recognised.
Organisational Controls
- Number of controls: 37
- Control numbers: ISO 27001 Annex A 5.1 to 5.37
Organisational controls encompass regulations and measures which dictate an organisation’s comprehensive attitude towards data protection over a broad range of matters. These controls include policies, rules, processes, procedures, organisational structures and more.
People Controls
- Number of controls: 8
- Control numbers: ISO 27001 Annex A 6.1 to 6.8
People controls enable businesses to regulate the human component of their information security program, by defining the manner in which personnel interact with data and each other. These controls cover secure human resources management, personnel security, and awareness and training.
Physical Controls
- Number of controls: 14
- Control numbers: ISO 27001 Annex A 7.1 to 7.13
Physical safeguards are measures employed to ensure the security of tangible assets. These may include entry systems, guest access protocols, asset disposal processes, storage medium protocols, and clear desk policies. Such safeguards are essential for the preservation of confidential information.
Technological Controls
- Number of controls: 34
- Control numbers: ISO 27001 Annex A 8.1 to 8.34
Technological restraints dictate the cybernetic/digital regulations and proceedings that corporations should adopt in order to execute a protected, compliant IT infrastructure, from authentication techniques to settings, BUDR strategies and information logging.
Step-by-step guidance
The ISMS.online platform, coupled with our built-in guidance and pre-configured ISMS, enables organisations to demonstrate compliance with each Annex A Control effortlessly.
Book a platform demo today to see how we can help your business.
Book a platform demoTable of all Annex A controls
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
Why Is Annex A important to my organisation?
The ISO 27001 standard is formulated in such a manner that allows organisations of all shapes and sizes to satisfy the requirements of the standard while adhering to the fundamental premise of implementing and sustaining comprehensive information security practices.
Organisations have various options for attaining and preserving compliance with ISO 27001, contingent upon the nature of their business and the extent of their data processing activities.
Annex A affords organisations a straightforward set of guidance from which to craft a well-structured information security plan that suits their exclusive commercial and operational needs.
Annex A serves as a time- and resource-saving tool for the initial certification and subsequent adherence processes and provides a basis for audits, process reviews and strategic planning. It may be employed as an internal governance document (i.e. a risk treatment plan) that lays out a formal approach to information security.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Understanding Risk Treatment in ISO 27001 6.1.3
ISO 27001 Requirement 6.1.3 is about establishing and maintaining an information security risk assessment process that includes risk acceptance and assessment criteria.
ISO 27001 6.1.3 serves as a conduit for organisations to guarantee that their information security risk procedures, inclusive of their risk management alternatives, conform to ISO’s recommended standards, in pursuit of certification.
Risk Treatment as a Concept
Certified and compliant organisations handle risk in multiple ways. Risk management is not confined to the curative actions necessary to reduce the risk. Upon identifying a risk, organisations are expected to:
- Accept the risk.
- Treat the risk.
- Mitigate the risk.
- Transfer the risk.
- Avoid the risk.
ISO 27001 6.1.3 asks organisations to formulate a risk treatment plan, including sign-off by risk owners, and broad acceptance of what ISO deems ‘residual risks’.
This process begins with the identification of risks associated with the loss of confidentiality, integrity, and availability of information. The organisation must then select appropriate information security risk treatment options based on the risk assessment results.
Other factors
As a governing requirement, ISO 27001 6.1.3 is not the ultimate authority of risk management. Large organisations frequently integrate security protocols from other accreditation entities (NIST, SOC2’s Trust Service Criteria).
Organisations must, however, give priority to Annex A controls throughout the certification and compliance process – ISO auditors are instructed to identify the authenticity and relevance of ISO regulations as usual, as such, this should be an organisation’s first choice when creating an ISO 27001-compliant information security management system.
Particular third-party public and private sector data standards – such as the National Health Service’s Data Security and Protection Toolkit (DSPT) – necessitate an alignment of information security standards between organisations and the public entities they interrelate with.
ISO 27001 6.1.3 permits organisations to coordinate their risk treatment operation with numerous external criteria, allowing for comprehensive adherence to whatever data security measures they are likely to confront.
What Annex A controls should I include?
It is essential to gauge your enterprise’s exclusive information security risks before establishing a resolution on which controls to instate and choosing controls that will aid in subduing identifiable risks.
In addition to risk treatment, controls may also be selected due to a corporate or business intention or goal, a lawful requirement, or in the fulfilment of contractual and/or regulatory obligations.
Moreover, organisations are obligated to illustrate why they have not integrated certain controls within their SOA – e.g. there is no necessity to incorporate controls that address remote or hybrid working if that is not a policy your institution practises, but an auditor will still require to be presented with this data when evaluating your certification/compliance tasks.
How ISMS.online can help
The ISMS.online platform, coupled with our built-in guidance and pre-configured ISMS, enables organisations to demonstrate compliance with each Annex A Control effortlessly. We are here to assist whether you are new to ISO 27001 or are required to transition your existing ISMS to align with the 2022 version of the standard.
Our step-by-step checklist guides you through the entire process, providing clear oversight of progress and outstanding requirements. Our software facilitates mapping your organisation’s information security controls against each aspect of your ISMS.
Book a platform demo today and experience the benefits of our solution for yourself.
