Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

What are the Annex A Controls in ISO 27001:2013?

In essence, the ISO27001:2013 standard can be considered to be in two parts:

  • Part A – The Management system and Operational elements required for implementing an Information Security Management System (ISMS)
  • Part B – The Annex A controls set

Today we’re going to focus on the second of these, the Annex A control set.

Computer with ISO27001: Annex A controls on

What is the purpose of the Annex A controls?

A useful way to understand Annex A is to think of it as a catalogue of security controls. The authors of the ISO27001 standard included a set of controls that you apply within processes & procedures, and more importantly to the risks that you identify within your risk analysis stage.

There are 114 Annex A Controls, divided into 14 categories. As you build your ISMS you can use the Annex A controls to give you direction as to “what” needs to be implemented and then in your ISMS you define “how” the controls are applied.  Annex A controls can also be mapped onto risks within the risk treatment plan.

The supplementary code of practice ISO27002 adds detail about each of the controls to avoid the ISO27001 standard becoming unnecessarily large and possibly complicated for organizations to understand. It is cited that ISO27002 is to be updated early 2022 and ISO27001 will be updated at some date, as yet not known. Until the new release of ISO27001 the current controls defined will continue to apply.

Other options available

For the majority of organizations, the Annex A controls are sufficient. However, if your organization is complex in nature and requires a diverse set or IT or infrastructure controls, then you may adopt alternative control sets or supplement the Annex A controls as you see fit.  The selection of controls or omission of controls should be documented in your Statement of Applicability document.  Some of these other control sets could be:

  • NIST 800 – NIST Special Publication 800-53 provides a catalogue of security and privacy controls for all U.S. federal information systems
  • CObIT (Control Objectives for Information and Related Technologies) is a control framework published by ISACA for IT governance and management

What are the Annex A controls?

Below are the 14 categories and a brief description of what each collection of controls aims to achieve.

Annex A.5 – Information Security Policies

  • Annex A.5.1 covers the need for information security policies, which are effectively sets of rules that govern the way in which information security is implemented within the organization. These need to be published and reviewed regularly.

Annex A.6 – Organisation of Information Security

  • Annex A.6.1 is concerned with the management framework used to achieve information security and the roles and responsibilities within it. It also covers issues such as segregation of duties and relationships with external authorities (such as regulators) and special groups such as professional bodies.
  • Annex A.6.2 requires that a mobile device policy be established and implemented to manage the risks associated with laptops, mobile phones and the like. A policy for teleworking (perhaps now more commonly known as remote working, something which will be addressed in the new ISO27002 controls) is also needed.

Annex A.7 – Human Resource Security

  • Annex A.7.1 is about controls that apply prior to employment. The objective in this area is to ensure that employees and contractors undergo some kind of security screening and background checks and that when they join that they understand their responsibilities in information security-related areas.
  • Annex A.7.2 – this covers information security responsibilities during employment. One of the most common ways to achieve this is through induction training and ongoing security briefings.
  • Annex A.7.3 talks about termination and change of employment. The goal is to ensure that duties carried out by a person are reviewed and to determine impacts when employees leave the company or go into a new job role.

Annex A.8 – Asset Management

  • Annex A.8.1 is about establishing what Information assets exist and define responsibility for those assets. These controls also define what employees are allowed to do or not to do with assets that are assigned to them, typically with an “acceptable use policy”, and what process is to be followed for return of assets.
  • Annex A.8.2 describes the need for information classification. This is needed to ensure that information is classified and labelled appropriately so that it is protected by the correct level of controls.
  • Annex A.8.3 covers the way in which removable media (such as USB memory devices and SD cards) are managed, including when they are disposed of or transported.

Annex A.9 – Access Control

  • Annex A.9.1 says that an access control policy should be created and that users should only be able to access networks and services that they need to use as part of their roles.
  • Annex A.9.2 describes the controls needed around the creation of user accounts and the permissions they are given, including admin accounts and password rules.
  • Annex A.9.3 is a single control section that says that user must manage their authentication information, such as passwords, according to the rules.
  • Annex A.9.4 requires that the systems that are put in place must be able to comply with the policy in areas such as logons, passwords and access to application functions.

Annex A.10 – Cryptography

  • Annex A.10.1 is about Cryptographic controls. Cryptography is about encryption approaches, so the objective of this area is to ensure that the right type of encryption is applied in the right places to protect information. It requires policy on where it is used and the control of cryptographic key management.

Annex A.11 – Physical & Environmental Security

  • Annex A.11.1 is concerned with the design and implementation of physical controls for example within a building. This may involve provisioning security via entry controls and alarms and ensuring in more general access areas that controls prevent unauthorized access to buildings and information systems.
  • Annex A.11.2 covers the various ways in which equipment and other assets (and the utilities that support them) must be protected, including when they are offsite or unattended. Screens and desks must be kept clear too.

Annex A.12 – Operations Security

  • Annex A.12.1 proposes the need for operating procedures to be documented, changes and capacity to be managed, and the various environments (such as development and testing) to be separated.
  • Annex A.12.2 is about protection from malware. Malware protection covers the detection of malware and the preventive and recovery controls in the event of being impacted by malware.
  • Annex A.12.3 is concerned with backup. The objective is to protect against data being lost and to be able to recover it in the event of an event such as a ransomware attack.
  • Annex A.12.4 is about logging and monitoring. The objective in this area is to ensure that events are captured and logs processed to identify faults as well as exceptions to normal events that could indicate deliberate attempts to breach IT controls by internal and external threats.
  • Annex A.12.5 relates to control over who has the appropriate privileges and methods for installing software on systems.
  • Annex A.12.6 covers technical vulnerability management. The objective of this control is to prevent bugs in software being exploited, usually through patching and upgrading of software or hardware.
  • Annex A.12.7 requires that audits of operational systems should be planned to minimise their impact on those systems and their use.

Annex A.13 – Communications Security

  • Annex A.13.1 brings up network security management, including the segregation of networks using facilities such as VLANs. There are also controls covering the situation where networks or services are provided by external parties.
  • Annex A.13.2 is about information transfer and requires appropriate policies and procedures to be in place, depending on the nature of the transfers involved. One of the biggest areas is potentially email transfer as well as data transfer between systems.

Annex A.14 – System Acquisition, Development & Maintenance

  • Annex A.14.1 requires that information security requirement be identified and “baked in” to new systems and services. The first part of this is concerned with in house development, where appropriate. However, some of these aspects apply when considering the procurement of systems and deploying them in the organization.

Annex A.15 – Supplier Relationships

  • Annex A.15.1 wants you to establish a policy for managing the security aspects of supplier relationships, and to address security in the contract. If you have a lot of suppliers, then it is key to understand the sensitivity of data needed by suppliers in fulfilling their contractual requirements for you.
  • Annex A.15.2 covers the management of supplier services, including when they change them. A key aspect of this is measuring those suppliers are achieving quality & performance requirements.

Annex A.16 – Information Security Incident Management

  • Annex A.16.1 sets out methods for identifying and managing incidents, including who will do it and how. The controls require a defined incident process and evidence that incidents are recorded, assessed and responded to, and improvements made where appropriate.

Annex A.17 – Information Security Aspects of Business Continuity Management

  • Annex A.17.1 asks that information security is considered when planning for adverse situations so that controls don’t become inoperative when the worst happens. Measures need to be tested and verified too.
  • Annex A.17.2 covers the failover facilities that may be put in place to cope with failures of hardware, software or other aspects.

Annex A.18 – Compliance

  • Annex A.18.1 requires that the organization understands the laws and regulations that apply to them and that they meet their obligations in areas such as privacy, intellectual property and cryptography. Another key aspect of this is to perform information security reviews and to assess that the ISMS and systems remain compliant with policies, standards, and other requirements.


It’s important to note that organizations don’t need to meet all 114 controls if they’re not relevant, and they’re there as a list of opportunities based on the requirements of your organization. This will become clearer as you complete gap assessments and risk assessments as part of your ISMS compliance.


More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 4000 businesses with their compliance


The toolkit is well laid out, clearly written and easy to adapt. I like the fact that it is compliant to the standard as a start point. This is difficult to achieve considering the diversity of organisations it is covering.


View all Testimonials