ISO/IEC 27001 •

ISO 27001:2022 Annex A Explained

Simplify your ISO 27001 journey with ISMS.online

See it in action
By Max Edwards | Updated 12 March 2024

In October 2022, the ISO 27001 standard was updated to reflect the ever-changing landscape of technology and information security. The changes were mostly cosmetic and include restructuring and refining existing requirements. The biggest change is Annex A which specific controls derived from ISO 27002:2022. In this guide we'll look at what has changed, and what this means for you.

Jump to topic

What is Annex A, and what has changed?

Annex A in ISO 27001 is a part of the standard that lists a set of classified security controls that organisations use to demonstrate compliance with ISO 27001 6.1.3 (Information security risk treatment) and its associated Statement of Applicability (see below).

It previously contained 114 controls divided into 14 categories, which covered a wide range of topics such as access control, cryptography, physical security, and incident management.

Following the release of ISO 27002:2022 (Information security, cybersecurity and privacy protection controls) on February 15, 2022, ISO 27001:2022 has aligned its Annex A controls.

The new version of the Standard draws upon a condensed set of 93 Annex A controls, including 11 new controls.

A total of 24 controls were merged from two, three, or more security controls from the 2013 version, and 58 controls from the ISO 27002:2013 were revised to align with the current cyber security and information security environment.

What is a Statement of Applicability?

Before continuing, it is worth introducing a statement of applicability (SoA) as this outlines an organisation’s approach to implementing specified Annex A controls.

A Statement of Applicability (SoA) in ISO 27001 2022 is a document that lists the Annex A controls that an organisation will implement to meet the requirements of the standard. It is a mandatory step for anyone planning on pursuing ISO 27001 certification.

Your SoA should contain four main elements:

  • A list of all controls that are necessary to satisfy information security risk treatment options, including those contained within Annex A.
  • A statement that outlines why all of the above controls have been included.
  • Confirmation of implementation.
  • The organisation’s justification for omitting any of the Annex A controls.
Free download

Get your guide to
ISO 27001 success

Everything you need to know about achieving ISO 27001 first time

Get your free guide

The New ISO 27001:2022 control categories explained

The Annex A controls of ISO 27001:2013 were previously divided into 14 categories. ISO 27001 2022 adopts a similar categorical approach to information security that distributes processes among four top-level categories.

Annex a Controls Have Now Been Grouped Into Four Categories

The ISO 27001:2022 Annex controls have been restructured and consolidated to reflect current security challenges. The core ISMS management processes remain unchanged, but the Annex A control set has been updated to reflect more modern risks and their associated controls.

  • Organisational
  • People
  • Physical
  • Technological

Each control has additionally assigned an attribution taxonomy. Each control now has a table with a set of suggested attributes, and Annex A of ISO 27002:2022 provides a set of recommended associations.

These allow you to quickly align your control selection with common industry language and international standards. The use of attributes supports work many companies already do within their risk assessment and Statement of Applicability (SoA).

For example, Cybersecurity concepts similar to NIST and CIS controls can be distinguished, and the operational capabilities relating to other standards can be recognised.

Annex A Control Categories

Organisational Controls

  • Number of controls: 37
  • Control numbers: ISO 27001 Annex A 5.1 to 5.37

Organisational controls encompass regulations and measures which dictate an organisation’s comprehensive attitude towards data protection over a broad range of matters. These controls include policies, rules, processes, procedures, organisational structures and more.

People Controls

  • Number of controls: 8
  • Control numbers: ISO 27001 Annex A 6.1 to 6.8

People controls enable businesses to regulate the human component of their information security program, by defining the manner in which personnel interact with data and each other. These controls cover secure human resources management, personnel security, and awareness and training.

Physical Controls

  • Number of controls: 14
  • Control numbers: ISO 27001 Annex A 7.1 to 7.13

Physical safeguards are measures employed to ensure the security of tangible assets. These may include entry systems, guest access protocols, asset disposal processes, storage medium protocols, and clear desk policies. Such safeguards are essential for the preservation of confidential information.

Technological Controls

  • Number of controls: 34
  • Control numbers: ISO 27001 Annex A 8.1 to 8.34

Technological restraints dictate the cybernetic/digital regulations and proceedings that corporations should adopt in order to execute a protected, compliant IT infrastructure, from authentication techniques to settings, BUDR strategies and information logging.

Step-by-step guidance

The ISMS.online platform, coupled with our built-in guidance and pre-configured ISMS, enables organisations to demonstrate compliance with each Annex A Control effortlessly.

Book a platform demo today to see how we can help your business

Book a platform demo

Table of all Annex A controls

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures


ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting


ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment


ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing



Why Is Annex A important to my organisation?

The ISO 27001 standard is formulated in such a manner that allows organisations of all shapes and sizes to satisfy the requirements of the standard while adhering to the fundamental premise of implementing and sustaining comprehensive information security practices.

Organisations have various options for attaining and preserving compliance with ISO 27001, contingent upon the nature of their business and the extent of their data processing activities.

Annex A affords organisations a straightforward set of guidance from which to craft a well-structured information security plan that suits their exclusive commercial and operational needs.

Annex A serves as a time- and resource-saving tool for the initial certification and subsequent adherence processes and provides a basis for audits, process reviews and strategic planning. It may be employed as an internal governance document (i.e. a risk treatment plan) that lays out a formal approach to information security.

Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

Understanding Risk Treatment in ISO 27001 6.1.3

ISO 27001 Requirement 6.1.3 is about establishing and maintaining an information security risk assessment process that includes risk acceptance and assessment criteria.

ISO 27001 6.1.3 serves as a conduit for organisations to guarantee that their information security risk procedures, inclusive of their risk management alternatives, conform to ISO’s recommended standards, in pursuit of certification.

Risk Treatment as a Concept

Certified and compliant organisations handle risk in multiple ways. Risk management is not confined to the curative actions necessary to reduce the risk. Upon identifying a risk, organisations are expected to:

  • Accept the risk.
  • Treat the risk.
  • Mitigate the risk.
  • Transfer the risk.
  • Avoid the risk.

ISO 27001 6.1.3 asks organisations to formulate a risk treatment plan, including sign-off by risk owners, and broad acceptance of what ISO deems ‘residual risks’.

This process begins with the identification of risks associated with the loss of confidentiality, integrity, and availability of information. The organisation must then select appropriate information security risk treatment options based on the risk assessment results.

Other factors

As a governing requirement, ISO 27001 6.1.3 is not the ultimate authority of risk management. Large organisations frequently integrate security protocols from other accreditation entities (NIST, SOC2’s Trust Service Criteria).

Organisations must, however, give priority to Annex A controls throughout the certification and compliance process – ISO auditors are instructed to identify the authenticity and relevance of ISO regulations as usual, as such, this should be an organisation’s first choice when creating an ISO 27001-compliant information security management system.

Particular third-party public and private sector data standards – such as the National Health Service’s Data Security and Protection Toolkit (DSPT) – necessitate an alignment of information security standards between organisations and the public entities they interrelate with.

ISO 27001 6.1.3 permits organisations to coordinate their risk treatment operation with numerous external criteria, allowing for comprehensive adherence to whatever data security measures they are likely to confront.


What Annex A controls should I include?

It is essential to gauge your enterprise’s exclusive information security risks before establishing a resolution on which controls to instate and choosing controls that will aid in subduing identifiable risks.

In addition to risk treatment, controls may also be selected due to a corporate or business intention or goal, a lawful requirement, or in the fulfilment of contractual and/or regulatory obligations.

Moreover, organisations are obligated to illustrate why they have not integrated certain controls within their SOA – e.g. there is no necessity to incorporate controls that address remote or hybrid working if that is not a policy your institution practises, but an auditor will still require to be presented with this data when evaluating your certification/compliance tasks.


How ISMS.online can help

The ISMS.online platform, coupled with our built-in guidance and pre-configured ISMS, enables organisations to demonstrate compliance with each Annex A Control effortlessly. We are here to assist whether you are new to ISO 27001 or are required to transition your existing ISMS to align with the 2022 version of the standard.

Our step-by-step checklist guides you through the entire process, providing clear oversight of progress and outstanding requirements. Our software facilitates mapping your organisation’s information security controls against each aspect of your ISMS.

Book a platform demo today and experience the benefits of our solution for yourself.

Book a demo
complete compliance solution

Want to explore?
Start your free trial.

Sign up for your free trial today and get hands on with all the compliance features that ISMS.online has to offer

Find out more

ISO 27001:2022 requirements


ISO 27001:2022 Annex A Controls

Organisational Controls


People Controls


Physical Controls


Technological Controls


About ISO 27001


ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more