Blog The ISO 27001 Controls from Annex A (2022 Standard)

The unusual structure of the ISO27001 standard

ISO27001 is a requirements standard, which means it’s possible for an organization to become certified to it, and then advertise this fact to any interested parties who will listen. But in some ways it’s unlike some of the other common requirements standards, such as ISO9001 (quality management) and ISO14001 (environmental management) in that it is effectively split into two parts:

1. The information security management system
2. The Annex A controls

The first of these is very similar to other standards, largely because ISO has deliberately made them the same over the last ten years or so, with its “Harmonized Structure“.So if you read the management system requirements for ISO27001 you’ll see that the headings and much of the wording is the same.

But the second part, Annex A, is unusual. This is not to say that other standards don’t have annexes; they do. But generally they are informative, or they offer guidance to supplement the requirements. Annex A of ISO27001 is different in that it forms part of the requirements and is a list of ISO 27001 controls.

What is the purpose of Annex A?

What is a control and why do we need them? To understand this, we need to step back into the management system part of ISO27001 and look at the idea of risk.

In Clause 6. Planning, ISO27001 requires an organization to determine the risks that need to be addressed to prevent, or reduce, undesired effects (amongst other things), and then to plan actions to address these risks. In essence, a risk is something that could go wrong in the future, and the actions are intended to make it less likely to happen, or to have less of an impact if it does.

And helpfully, ISO27001 provides a standard list of these actions in the form of the Annex A controls.

For example, if you believe that your organization is at risk of recruiting people who may steal your information then you may like to adopt control A.6.1 Screening, which requires background verification checks on all candidates to become personnel.

Or if you think there is a risk of your information being uploaded into the cloud without consideration or authorisation, then control A.5.23 Information security for use of cloud services will probably help to reduce that risk.

ISO 27001 Controls - The structure of Annex A

Within Annex A there are a total of ninety-three controls, grouped into four themes:

• A.5 Organizational controls – This group is the largest of the four, and the controls in here have a largely policy and procedure-driven focus, ranging from threat intelligence to classification of information to access control and much more. You’ll need significant business engagement in putting these controls in place as they also cover topics such as project management, supplier relationships, cloud services and intellectual property rights.
• A.6 People controls – You may need to work with your Human Resources department to implement most of the controls in this section. In most cases this will involve reviewing the existing procedures and documents to see if they cover information security sufficiently. Be careful that you will need to check that any changes you make comply with the laws of the country in which they will be implemented as employment law can be a bit of a minefield. The human factor is often cited as being the single most important issue in promoting effective information security; this section is intended to ensure that you recruit the right people, they know their responsibilities and action can be taken if they don’t fulfil them adequately.
• A.7 Physical controls – This set of controls will involve more work the larger and more numerous the offices and other facilities you have. You may need to spend some money to upgrade the security precautions in place and ensure that the different types of area (for example delivery and loading areas) are well-defined. However, a key part of this will be to ensure that all employees have an awareness of their responsibilities for physical security, for example challenging unescorted strangers, closing windows.
• A.8 Technological controls – If your organization develops its own software, it is likely that all these controls will apply. If it doesn’t then the number of applicable controls will depend upon whether software development is outsourced or purely commercial off the shelf (COTS) software is used. Remember that even COTS software still needs to be tested in a secure way so test-related controls will still be needed.

What are the 93 controls of Annex A?

A.5 Organizational controls

• A.5.1 Policies for information security
• A.5.2 Information security roles and responsibilities
• A.5.3 Segregation of duties
• A.5.4 Management responsibilities
• A.5.5 Contact with authorities
• A.5.6 Contact with special interest groups
• A.5.7 Threat intelligence
• A.5.8 Information security in project management
• A.5.9 Inventory of information and other associated assets
• A.5.10 Acceptable use of information and other associated assets
• A.5.11 Return of assets
• A.5.12 Classification of information
• A.5.13 Labelling of information
• A.5.14 Information transfer
• A.5.15 Access control
• A.5.16 Identity management
• A.5.17 Authentication information
• A.5.18 Access rights
• A.5.19 Information security in supplier relationships
• A.5.20 Addressing information security within supplier agreements
• A.5.21 Managing information security in the ICT supply chain
• A.5.22 Monitoring, review and change management of supplier services
• A.5.23 Information security for use of cloud services
• A.5.24 Information security incident management planning and preparation
• A.5.25 Assessment and decision on information security events
• A.5.26 Response to information security incidents
• A.5.27 Learning from information security incidents
• A.5.28 Collection of evidence
• A.5.29 Information security during disruption
• A.5.30 ICT readiness for business continuity
• A.5.31 Legal, statutory, regulatory and contractual requirements
• A.5.32 Intellectual property rights
• A.5.33 Protection of records
• A.5.34 Privacy and protection of PII
• A.5.35 Independent review of information security
• A.5.36 Compliance with policies, rules and standards for information security
• A.5.37 Documented operating procedures

A.6 People controls

• A.6.1 Screening
• A.6.2 Terms and conditions of employment
• A.6.3 Information security awareness, education and training
• A.6.4 Disciplinary process
• A.6.5 Responsibilities after termination or change of employment
• A.6.6 Confidentiality or non-disclosure agreements
• A.6.7 Remote working
• A.6.8 Information security event reporting

A.7 Physical controls

• A.7.1 Physical security perimeters
• A.7.2 Physical entry
• A.7.3 Securing offices, rooms and facilities
• A.7.4 Physical security monitoring
• A.7.5 Protecting against physical and environmental threats
• A.7.6 Working in secure areas
• A.7.7 Clear desk and clear screen
• A.7.8 Equipment siting and protection
• A.7.9 Security of assets off-premises
• A.7.10 Storage media
• A.7.11 Supporting utilities
• A.7.12 Cabling security
• A.7.13 Equipment maintenance
• A.7.14 Secure disposal or re-use of equipment

A.8 Technological controls

• A.8.1 User endpoint devices
• A.8.2 Privileged access rights
• A.8.3 Information access restriction
• A.8.4 Access to source code
• A.8.5 Secure authentication
• A.8.6 Capacity management
• A.8.7 Protection against malware
• A.8.8 Management of technical vulnerabilities
• A.8.9 Configuration management
• A.8.10 Information deletion
• A.8.11 Data masking
• A.8.12 Data leakage prevention
• A.8.13 Information backup
• A.8.14 Redundancy of information processing facilities
• A.8.15 Logging
• A.8.16 Monitoring activities
• A.8.17 Clock synchronization
• A.8.18 Use of privileged utility programs
• A.8.19 Installation of software on operational systems
• A.8.20 Networks security
• A.8.21 Security of network services
• A.8.22 Segregation of networks
• A.8.23 Web filtering
• A.8.24 Use of cryptography
• A.8.25 Secure development life cycle
• A.8.26 Application security requirements
• A.8.27 Secure system architecture and engineering principles
• A.8.28 Secure coding
• A.8.29 Security testing in development and acceptance
• A.8.30 Outsourced development
• A.8.31 Separation of development, test and production environments
• A.8.32 Change management
• A.8.33 Test information
• A.8.34 Protection of information systems during audit testing

But are all the controls applicable?

So Annex A is a list of “reference” controls that can be used to reduce risk. But depending on what your organization does and how it does it, you may not need all ninety-three of them. Accordingly, the standard requires you to define a “Statement of Applicability” which says whether or not each control applies to you, and whether you have implemented it.

If you like, Annex A is a menu of good ideas to help you reduce your organization’s risk.

Where do these controls come from?

Annex A of ISO27001 doesn’t go into much detail about the controls, but if you want the full story about what they mean, there is a separate document, ISO27002, which gives chapter and verse on their interpretation.

But remember that ISO27002 is only guidance, so you don’t have to do everything it says in order to become certified to the ISO27001 standard.

In summary

The ISO 27001 Controls of Annex A is a great list of sensible ideas to help to prevent your organization falling victim to a cyber incident. Allied to the management system parts, it provides an effective framework around which to build your information security defences.

For more information on the ISO 27001 controls and the standard, download our free comprehensive ISO27001 Implementation Guide.

Written by Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. Published in December 2022 and updated in September 2024. 

More ISO27001 resources

CertiKit provide ISO Toolkits, Consultancy and Internal Auditing for ISO27001, and have helped more than 7000 organizations worldwide with their compliance.

Watch our webinar replay on transitioning to the ISO27001:2022 standard.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources