ISO 27001 Annex A Controls
Annex A is the reference set of information security controls that ISO 27001 provides. The 2022 revision reorganized these controls from 14 domains into four themes, reducing the total from 114 to 93 while adding 11 new controls. Understanding Annex A is essential for building an effective information security management system (ISMS).
The Four Control Themes
Organizational controls (37 controls) cover policies, roles, responsibilities, and management-level security measures. These include information security policies, asset management, access control policies, supplier relationships, and incident management. Most organizations implement the majority of organizational controls.
People controls (8 controls) address the human element of security. They cover screening, terms and conditions of employment, security awareness training, disciplinary processes, and responsibilities after termination. These controls ensure employees understand and fulfill their security obligations.
Physical controls (14 controls) protect physical premises, equipment, and media. They include physical security perimeters, entry controls, securing offices and facilities, equipment maintenance, and secure disposal of media. Cloud-first companies may find fewer physical controls applicable.
Technological controls (34 controls) are the technical measures most security professionals think of first. They cover endpoint security, access management, cryptography, network security, logging, vulnerability management, and secure development practices.
Selecting Controls
You do not implement every Annex A control. Your risk assessment drives control selection. For each identified risk, you determine which controls mitigate it. Controls not relevant to your risk profile can be excluded — but you must justify every exclusion in your Statement of Applicability.
New Controls in 2022
The 2022 revision added 11 new controls reflecting modern security practices: threat intelligence, cloud security, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
Implementation Approach
Start with the controls that address your highest-priority risks. Implement organizational and people controls first — they establish the foundation. Then layer in technological controls that automate and enforce your policies. Document everything: your implementation approach, evidence of operation, and any compensating controls.
In the next lesson, we will cover the Statement of Applicability in detail.