Introduction to Annex A Controls
ISO 27001:2022 includes 93 controls in Annex A, organized into four categories. These controls provide a comprehensive framework for information security management.
The Four Control Categories
1. Organizational Controls (37 Controls)
These controls focus on policies, procedures, and organizational structures:
Key Controls Include:
- A.5.1 Policies for Information Security: Establish and maintain security policies
- A.5.2 Information Security Roles: Define security responsibilities
- A.5.7 Threat Intelligence: Collect and analyze threat information
- A.5.15 Access Control: Manage access based on business requirements
- A.5.23 Cloud Security: Address cloud-specific security requirements
- A.5.30 ICT Readiness: Ensure business continuity planning
2. People Controls (8 Controls)
Controls addressing human aspects of security:
Key Controls Include:
- A.6.1 Screening: Pre-employment verification
- A.6.2 Terms of Employment: Security in employment contracts
- A.6.3 Security Awareness: Training and education
- A.6.4 Disciplinary Process: Handling security violations
- A.6.5 After Employment: Exit procedures
- A.6.7 Remote Working: Secure remote work practices
3. Physical Controls (14 Controls)
Controls protecting physical assets and environments:
Key Controls Include:
- A.7.1 Physical Security Perimeters: Secure boundaries
- A.7.2 Physical Entry: Access control to facilities
- A.7.4 Physical Security Monitoring: Surveillance and detection
- A.7.8 Equipment Siting: Secure equipment placement
- A.7.10 Storage Media: Protecting removable media
- A.7.14 Secure Disposal: Equipment and media disposal
4. Technological Controls (34 Controls)
Controls for technical security measures:
Key Controls Include:
- A.8.1 User Endpoints: Securing user devices
- A.8.5 Secure Authentication: Strong authentication mechanisms
- A.8.9 Configuration Management: Secure system configurations
- A.8.12 Data Leakage Prevention: Preventing data exfiltration
- A.8.16 Monitoring Activities: Security monitoring and logging
- A.8.24 Cryptography: Encryption and key management
- A.8.28 Secure Coding: Secure software development
New Controls in ISO 27001:2022
The 2022 revision introduced 11 new controls:
- A.5.7 Threat Intelligence
- A.5.23 Information Security for Cloud Services
- A.5.30 ICT Readiness for Business Continuity
- A.7.4 Physical Security Monitoring
- A.8.9 Configuration Management
- A.8.10 Information Deletion
- A.8.11 Data Masking
- A.8.12 Data Leakage Prevention
- A.8.16 Monitoring Activities
- A.8.23 Web Filtering
- A.8.28 Secure Coding
Creating Your Statement of Applicability
Not all controls apply to every organization. Use our SoA Generator to:
- Review each control systematically
- Document applicability decisions
- Justify exclusions
- Track implementation status
Implementation Priority
Focus on controls that address your highest risks first. Use your risk assessment results to prioritize implementation.
Conclusion
Understanding Annex A controls is essential for ISO 27001 implementation. Use our tools to systematically work through each control and build a comprehensive ISMS.
Found this article helpful?
Share it with your colleagues.
