Controls

    All 93 ISO 27001:2022 Annex A Controls Explained

    A detailed breakdown of all 93 Annex A controls in ISO 27001:2022, organized by category with practical implementation guidance.

    ISO27001KIT|June 5, 2025|15 min read
    All 93 ISO 27001:2022 Annex A Controls Explained

    Introduction to Annex A Controls

    ISO 27001:2022 includes 93 controls in Annex A, organized into four categories. These controls provide a comprehensive framework for information security management.

    The Four Control Categories

    1. Organizational Controls (37 Controls)

    These controls focus on policies, procedures, and organizational structures:

    Key Controls Include:

    • A.5.1 Policies for Information Security: Establish and maintain security policies
    • A.5.2 Information Security Roles: Define security responsibilities
    • A.5.7 Threat Intelligence: Collect and analyze threat information
    • A.5.15 Access Control: Manage access based on business requirements
    • A.5.23 Cloud Security: Address cloud-specific security requirements
    • A.5.30 ICT Readiness: Ensure business continuity planning

    2. People Controls (8 Controls)

    Controls addressing human aspects of security:

    Key Controls Include:

    • A.6.1 Screening: Pre-employment verification
    • A.6.2 Terms of Employment: Security in employment contracts
    • A.6.3 Security Awareness: Training and education
    • A.6.4 Disciplinary Process: Handling security violations
    • A.6.5 After Employment: Exit procedures
    • A.6.7 Remote Working: Secure remote work practices

    3. Physical Controls (14 Controls)

    Controls protecting physical assets and environments:

    Key Controls Include:

    • A.7.1 Physical Security Perimeters: Secure boundaries
    • A.7.2 Physical Entry: Access control to facilities
    • A.7.4 Physical Security Monitoring: Surveillance and detection
    • A.7.8 Equipment Siting: Secure equipment placement
    • A.7.10 Storage Media: Protecting removable media
    • A.7.14 Secure Disposal: Equipment and media disposal

    4. Technological Controls (34 Controls)

    Controls for technical security measures:

    Key Controls Include:

    • A.8.1 User Endpoints: Securing user devices
    • A.8.5 Secure Authentication: Strong authentication mechanisms
    • A.8.9 Configuration Management: Secure system configurations
    • A.8.12 Data Leakage Prevention: Preventing data exfiltration
    • A.8.16 Monitoring Activities: Security monitoring and logging
    • A.8.24 Cryptography: Encryption and key management
    • A.8.28 Secure Coding: Secure software development

    New Controls in ISO 27001:2022

    The 2022 revision introduced 11 new controls:

    1. A.5.7 Threat Intelligence
    2. A.5.23 Information Security for Cloud Services
    3. A.5.30 ICT Readiness for Business Continuity
    4. A.7.4 Physical Security Monitoring
    5. A.8.9 Configuration Management
    6. A.8.10 Information Deletion
    7. A.8.11 Data Masking
    8. A.8.12 Data Leakage Prevention
    9. A.8.16 Monitoring Activities
    10. A.8.23 Web Filtering
    11. A.8.28 Secure Coding

    Creating Your Statement of Applicability

    Not all controls apply to every organization. Use our SoA Generator to:

    • Review each control systematically
    • Document applicability decisions
    • Justify exclusions
    • Track implementation status

    Implementation Priority

    Focus on controls that address your highest risks first. Use your risk assessment results to prioritize implementation.

    Conclusion

    Understanding Annex A controls is essential for ISO 27001 implementation. Use our tools to systematically work through each control and build a comprehensive ISMS.

    Tags:
    Annex A
    ISO 27001
    Security Controls
    ISO 27001:2022
    ISMS

    Found this article helpful?

    Share it with your colleagues.