Annex A in ISO 27001:2022

ISO/IEC 27001:2022 includes 93 controls in Annex A, organized into four categories. The 2013 edition had 114 controls across 14 categories, the 2022 revision merged redundant controls, added 11 new ones, and restructured the categories entirely.

The breakdown:

CategoryControlsClause range
Organizational375.1 – 5.37
People86.1 – 6.8
Physical147.1 – 7.14
Technological348.1 – 8.34
Total93

Source: ISMS.online (isms.online/iso-27001/annex-a); BSI Group (bsigroup.com/en-GB/iso-27001-information-security)

These controls are not mandatory by default. Annex A is a reference set. Your risk assessment (Clause 6.1.2) determines which controls are applicable, and your Statement of Applicability (SoA) documents which are in scope, implemented, and why any are excluded.

What Changed from 2013 to 2022

The shift from 114 controls in 14 categories to 93 controls in 4 categories looks like a reduction, but it reflects consolidation rather than simplification.

  • 24 controls were merged: multiple 2013 controls combined into single 2022 controls
  • 58 controls were revised: updated wording to reflect current threat environments
  • 11 new controls were added: covering threats that did not exist or were not prominent in 2013

The 4-category structure (Organizational, People, Physical, Technological) also replaced the older 14-domain structure, which made cross-framework mapping harder.

Source: ISMS.online (isms.online/iso-27001/annex-a)

The 11 New Controls in ISO 27001:2022

These controls have no direct equivalent in the 2013 edition:

ControlTitleCategory
5.7Threat IntelligenceOrganizational
5.23Information Security for Use of Cloud ServicesOrganizational
5.30ICT Readiness for Business ContinuityOrganizational
7.4Physical Security MonitoringPhysical
8.9Configuration ManagementTechnological
8.10Information DeletionTechnological
8.11Data MaskingTechnological
8.12Data Leakage PreventionTechnological
8.16Monitoring ActivitiesTechnological
8.23Web FilteringTechnological
8.28Secure CodingTechnological

Source: ISMS.online (isms.online/iso-27001/annex-a)

For organizations certified under the 2013 edition, transitioning to the 2022 edition means conducting a gap assessment against these 11 controls specifically, updating the SoA, and verifying whether existing controls already satisfy the new requirements, or whether new controls need to be implemented.

Category 1: Organizational Controls (37 controls, 5.1–5.37)

Organizational controls govern how information security is managed at the policy, process, and governance level. They include:

Policies and governance (5.1–5.6) Establishing an information security policy, defining roles and responsibilities, creating contact with authorities and interest groups, and building threat intelligence capability.

Asset and information management (5.9–5.14) Inventorying information assets, classifying information by sensitivity, handling labeled data consistently, and managing returned or transferred assets.

Access and identity management (5.15–5.18) Controlling access to information based on business and security requirements, managing user IDs, assigning access rights, and handling privileged access.

Supplier and third-party management (5.19–5.22) Addressing security in supplier agreements, managing the security posture of the supply chain, and monitoring suppliers during the relationship.

Incident management (5.24–5.28) Planning for information security events, responding to them, learning from them, and collecting evidence appropriately.

Business continuity and compliance (5.29–5.37) ICT readiness for disruption, intellectual property obligations, records protection, privacy requirements, and compliance with applicable laws.

Category 2: People Controls (8 controls, 6.1–6.8)

The smallest category covers the entire employee lifecycle:

ControlScope
6.1 ScreeningBackground verification before and during employment
6.2 Terms and conditions of employmentSecurity responsibilities in employment contracts
6.3 Information security awareness, education, and trainingOngoing security training for all staff
6.4 Disciplinary processFormal process for security policy violations
6.5 Responsibilities after termination or change of employmentSecurity obligations that continue after departure
6.6 Confidentiality or non-disclosure agreementsNDAs with employees, contractors, third parties
6.7 Remote workingControls for staff working away from premises
6.8 Information security event reportingHow staff report suspected incidents

People controls are commonly underimplemented. Organizations put significant effort into technical controls and then fail a certification audit because they cannot evidence that all staff completed security awareness training or that the offboarding procedure was followed consistently.

Category 3: Physical Controls (14 controls, 7.1–7.14)

Physical controls address access to facilities, protection of equipment, and physical working environments.

Entry controls and secure areas (7.1–7.6) Defining physical security perimeters, controlling entry, protecting offices and facilities, monitoring physical security (7.4, a new 2022 control), securing against physical and environmental threats, and maintaining clear desk and screen policies.

Equipment security (7.8–7.14) Protecting equipment from threats, securing equipment off-premises, disposal of media (including sanitization before disposal), unattended user equipment, and preventing assets from being removed without authorization.

Physical controls are relevant even for fully remote or cloud-native organizations. The clear desk/screen policy (7.7) applies to remote working environments. Equipment disposal (7.14) applies to personal devices and company-issued hardware regardless of location.

Category 4: Technological Controls (34 controls, 8.1–8.34)

The largest category covers user endpoints, network security, cryptography, vulnerability management, and software development. Key areas:

Access control (8.2–8.6) Privileged access rights, management of secrets (passwords, API keys), access to source code, authentication, and secure log-on procedures.

Cryptography and key management (8.24) Use of cryptography and management of cryptographic keys throughout their lifecycle.

Operations security (8.8–8.16) Vulnerability management, technical configuration management (8.9, new in 2022), capacity management, separation of environments, event logging, clock synchronization, and monitoring activities (8.16, new in 2022).

Network security (8.20–8.23) Securing network infrastructure, segregating networks, filtering web access (8.23, new in 2022).

Application and development security (8.25–8.31) Secure development lifecycle, change management procedures, test environments, outsourced development, and secure coding practices (8.28, new in 2022).

Data protection (8.10–8.12) Information deletion (8.10, new), data masking (8.11, new), and data leakage prevention (8.12, new). These three controls together reflect the increased focus on data privacy requirements that have emerged since the 2013 edition.

How to Decide Which Controls Apply

The Statement of Applicability requires a decision for each of the 93 controls: applicable or not applicable, implemented or not, and justification for exclusions.

Common reasons a control may be genuinely non-applicable:

  • 5.23 (Cloud Services): not applicable if the organization uses no cloud services (rare, but possible for air-gapped environments)
  • 7.1–7.6 (Physical security perimeters): applicable even for remote-first companies, though the scope may be limited to a single room or co-working space
  • 8.28 (Secure Coding): not applicable if the organization does not write software

A control being hard to implement is not justification for exclusion. Auditors expect to see substantive reasoning, not convenience.

Attribute Tagging (New in 2022)

ISO 27001:2022 introduced an attribute taxonomy for Annex A controls. Each control is tagged with five attributes:

  • Control type (preventive, detective, corrective)
  • Information security properties (confidentiality, integrity, availability)
  • Cybersecurity concepts (mapped to the NIST framework: identify, protect, detect, respond, recover)
  • Operational capabilities (governance, asset management, identity and access management, etc.)
  • Security domains (governance and ecosystem, protection, defence, resilience)

This tagging makes cross-framework mapping easier. If you are implementing both ISO 27001 and NIST CSF, the attribute tags show you where controls overlap. For organizations managing multiple frameworks simultaneously, this reduces the effort of maintaining separate control sets.

Implementing Annex A Controls Efficiently

For organizations working toward certification, a few things reduce implementation time:

Start from risk, not the control list The risk assessment determines which controls matter most for your context. Starting from the full 93-control list and trying to implement everything simultaneously is slower and often produces controls that are over-engineered for the actual risk.

Map controls across frameworks before building evidence If you are also doing SOC 2, HIPAA, or GDPR, many Annex A controls have direct counterparts. Access control evidence collected for SOC 2 CC6.1 typically satisfies ISO 27001 A.5.15–5.18. Building evidence once and mapping it to multiple frameworks is more efficient than building separate evidence sets.

Use existing tooling where possible Many controls, especially in the Technological category, can be evidenced through existing tool configurations. GitHub branch protection rules satisfy A.8.32. AWS CloudTrail satisfies A.8.15–8.16. Auditors accept tool-generated evidence as long as it is collected consistently.


References:

Tags:
ISO 27001Annex AControlsISO 27001:2022