ISO 27001 Annex A Controls Explained

Introduction

Annex A of ISO 27001:2022 contains 93 security controls organized into four themes. These controls are not all mandatory — you select which ones to implement based on your risk assessment. However, for each Annex A control, you must either implement it or justify its exclusion in your Statement of Applicability (SoA).

This guide provides a practical overview of each control theme, helping you understand what is required and how to approach implementation.

Organizational Controls (A.5) — 37 Controls

Organizational controls address governance, policies, roles, and management processes. They form the backbone of your ISMS.

Key Controls Include:

A.5.1 Policies for Information Security: Establish and maintain an information security policy approved by management. This is your top-level commitment and direction.

A.5.2 Information Security Roles: Define and assign information security responsibilities. Everyone should know their role in protecting information.

A.5.7 Threat Intelligence: NEW in 2022. Collect and analyze information about threats relevant to your organization. This does not require a dedicated threat intelligence team — subscribing to relevant advisories and monitoring vendor security bulletins can suffice.

A.5.23 Information Security for Cloud Services: NEW in 2022. Establish processes for managing security in cloud service acquisition, use, management, and exit. Critical for modern organizations relying on SaaS, IaaS, and PaaS.

A.5.29 Information Security During Disruption: Ensure security is maintained during adverse conditions. This links your ISMS to your business continuity planning.

Implementation Tip: Start with the policy framework (A.5.1) and roles (A.5.2). These enable everything else. Many organizational controls can be addressed through well-written policies and procedures — the challenge is ensuring they are followed in practice.

People Controls (A.6) — 8 Controls

People controls address the human element of security — hiring, awareness, responsibilities, and offboarding.

Key Controls Include:

A.6.1 Screening: Background verification checks on candidates before hiring, proportionate to the role and information access.

A.6.2 Terms and Conditions of Employment: Employment contracts should include information security responsibilities.

A.6.3 Information Security Awareness, Education and Training: All personnel must receive appropriate security awareness training. This is one of the most commonly audited controls.

A.6.5 Responsibilities After Termination: Information security duties that remain valid after employment ends (e.g., NDAs, return of assets).

Implementation Tip: Work closely with HR. Many people controls map directly to existing HR processes. The key additions are typically security-specific screening criteria, security clauses in contracts, and a formal awareness training program with records.

Physical Controls (A.7) — 14 Controls

Physical controls protect facilities, equipment, and physical information assets.

Key Controls Include:

A.7.1 Physical Security Perimeters: Define secure areas and implement appropriate entry controls (badge access, locks, reception).

A.7.4 Physical Security Monitoring: NEW in 2022. Monitor premises for unauthorized physical access using CCTV, sensors, or guards.

A.7.9 Security of Assets Off-Premises: Protect equipment and media when outside the organization (laptops, mobile devices, portable storage).

A.7.10 Storage Media: Manage storage media throughout its lifecycle — acquisition, use, transport, and disposal. Ensure secure erasure or destruction of media containing sensitive data.

Implementation Tip: For organizations with primarily cloud-based operations and remote workers, physical controls focus on endpoint device security (A.7.9), home working environments, and data center security (typically delegated to cloud providers with appropriate contractual controls).

Technological Controls (A.8) — 34 Controls

Technological controls are the technical measures that protect information systems and data.

Key Controls Include:

A.8.1 User Endpoint Devices: Secure laptops, desktops, and mobile devices with encryption, endpoint protection, and configuration management.

A.8.5 Secure Authentication: Implement strong authentication based on access requirements. Multi-factor authentication (MFA) is the baseline expectation for privileged and remote access.

A.8.9 Configuration Management: Establish and maintain secure configurations for hardware, software, services, and networks. Harden systems to reduce the attack surface.

A.8.12 Data Leakage Prevention: NEW in 2022. Apply measures to prevent unauthorized disclosure of sensitive information from systems, networks, and endpoints.

A.8.16 Monitoring Activities: Monitor systems and networks to detect anomalous behavior and potential security incidents. This typically involves centralized log management and SIEM.

A.8.23 Web Filtering: NEW in 2022. Manage access to external websites to reduce exposure to malicious content.

A.8.25 Secure Development Life Cycle: Apply security throughout the software development lifecycle — requirements, design, coding, testing, and deployment.

Implementation Tip: Prioritize controls based on your risk assessment. Not every organization needs every technological control at the same level of sophistication. A startup's implementation of A.8.16 (monitoring) will look very different from a large enterprise's. The auditor assesses proportionality to risk.

Building Your Statement of Applicability

The Statement of Applicability (SoA) is your master document that maps each of the 93 Annex A controls to your organization:

For each control, document:

1. Whether the control is applicable (yes/no)
2. Justification for inclusion or exclusion
3. Current implementation status
4. How the control is implemented (reference to policies, procedures, or technical measures)

The SoA is one of the first documents the certification auditor will review. It demonstrates that your control selection is driven by your risk assessment, not by a generic checklist.

A well-crafted SoA is both a compliance document and a practical management tool that helps you track your security posture across all 93 controls.
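The completeness rules above (a decision for every one of the 93 controls, a justification for each decision, and an implementation reference for every applicable control) are easy to check mechanically. The following checker is an added example, not code from the article or from ISMS Calculator; it derives the control ids from the theme sizes the article gives and assumes a simple row layout with the four fields listed above plus a status vocabulary of implemented/partial/planned.

```python
# Added example, not from the article: a completeness checker for an
# ISO 27001:2022 Statement of Applicability. It derives the 93 control ids
# from the theme sizes the article gives (A.5: 37, A.6: 8, A.7: 14, A.8: 34).
THEME_SIZES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
VALID_STATUS = {"implemented", "partial", "planned"}  # assumed status vocabulary

def all_control_ids():
    """Return every Annex A control id, 'A.5.1' through 'A.8.34'."""
    return [f"{theme}.{n}" for theme, size in THEME_SIZES.items()
            for n in range(1, size + 1)]

def check_soa(rows):
    """Validate SoA rows (dicts with keys control, applicable, justification,
    status, implementation; e.g. from csv.DictReader). Returns findings."""
    findings = []
    seen = {}
    for row in rows:
        cid = row["control"].strip()
        if cid in seen:
            findings.append(f"{cid}: duplicate entry")
        seen[cid] = row
    for cid in all_control_ids():
        row = seen.get(cid)
        if row is None:  # every control needs an explicit decision
            findings.append(f"{cid}: missing from SoA")
            continue
        applicable = row["applicable"].strip().lower() == "yes"
        if not row["justification"].strip():
            kind = "inclusion" if applicable else "exclusion"
            findings.append(f"{cid}: no justification for {kind}")
        if applicable and not row["implementation"].strip():
            findings.append(f"{cid}: applicable but no policy/procedure/measure referenced")
        if applicable and row["status"].strip().lower() not in VALID_STATUS:
            findings.append(f"{cid}: unrecognised status '{row['status']}'")
    return findings

def sample_soa():
    """Constructed sample: all 93 controls applicable with a placeholder
    reference, then three deliberate defects so the checker has work to do."""
    rows = [{"control": cid, "applicable": "yes", "justification": "risk treatment plan",
             "status": "implemented", "implementation": "POL-01 (placeholder)"}
            for cid in all_control_ids()]
    by_id = {r["control"]: r for r in rows}
    by_id["A.7.4"].update(applicable="no", justification="")  # excluded, no reason given
    by_id["A.8.23"]["implementation"] = ""                     # applicable, nothing referenced
    rows.remove(by_id["A.5.7"])                                # decision missing entirely
    return rows
```

Running `check_soa(sample_soa())` reports the three seeded gaps in control order; on a real SoA exported as CSV, feed the rows from `csv.DictReader` with the same column names.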

Key Takeaways

The Annex A controls provide a comprehensive catalog of security measures, but they are not a checklist to be blindly implemented. Your risk assessment determines which controls are necessary and to what depth they should be implemented.

Focus on understanding the intent behind each control theme, map controls to your actual risks, and implement proportionate measures. The goal is effective security management, not theoretical compliance.
