Understanding Annex A

Annex A of ISO 27001 provides a reference set of information security controls. Unlike the mandatory requirements in Clauses 4-10, Annex A controls are selected based on your risk assessment - you don't have to implement all 93 controls, only those relevant to your identified risks.

How Annex A Works

During risk treatment (Clause 6.1.3), you compare your selected controls against Annex A to ensure nothing relevant has been overlooked. Your Statement of Applicability (SoA) documents which controls are applicable and why any are excluded.

What Changed in ISO 27001:2022

The 2022 update significantly restructured Annex A:

Aspect            ISO 27001:2013          ISO 27001:2022
Total Controls    114                     93
Structure         14 domains (A.5-A.18)   4 themes (5-8)
New Controls      -                       11 new
Merged Controls   -                       24 merged

The reduction from 114 to 93 controls came from merging overlapping controls, not removing security requirements. All original concepts remain; they're just organized differently.

5. Organizational Controls (37 Controls)

These controls address governance, policies, and organizational processes for information security.

Policy and Governance

  • 5.1 Policies for information security: Establish and maintain an information security policy framework
  • 5.2 Information security roles and responsibilities: Define and allocate security responsibilities
  • 5.3 Segregation of duties: Prevent conflicts of interest and fraud
  • 5.4 Management responsibilities: Ensure management actively supports security

Example: Document an information security policy signed by the CEO, assign an Information Security Officer, and separate system administration from security monitoring roles.

Asset Management

  • 5.9 Inventory of information and other associated assets: Maintain an asset register
  • 5.10 Acceptable use of information and other associated assets: Define acceptable use rules
  • 5.11 Return of assets: Ensure assets are returned when employment ends
  • 5.12 Classification of information: Classify information based on sensitivity
  • 5.13 Labelling of information: Label information according to classification

Example: Maintain an IT asset inventory in a CMDB, classify data as Public/Internal/Confidential/Restricted, and label documents with classification headers.

Access Control

  • 5.15 Access control: Establish access control policy and rules
  • 5.16 Identity management: Manage identity lifecycle
  • 5.17 Authentication information: Control authentication credentials
  • 5.18 Access rights: Manage user access rights appropriately

Example: Implement role-based access control, use a centralized identity provider (Azure AD, Okta), enforce strong password policies, and conduct quarterly access reviews.

Threat Intelligence (New in 2022)

  • 5.7 Threat intelligence: Collect and use threat intelligence

Example: Subscribe to industry threat feeds (CISA, sector ISACs), monitor vulnerability databases, and integrate threat data into risk assessments.

Supplier Relationships

  • 5.19 Information security in supplier relationships: Manage supplier security
  • 5.20 Addressing information security within supplier agreements: Include security in contracts
  • 5.21 Managing information security in the ICT supply chain: Manage supply chain risks
  • 5.22 Monitoring, review and change management of supplier services: Ongoing supplier oversight
  • 5.23 Information security for use of cloud services (New): Cloud-specific governance

6. People Controls (8 Controls)

Controls related to human resources security, awareness, and remote working.

  • 6.1 Screening: Background verification checks for employees
  • 6.2 Terms and conditions of employment: Security responsibilities in contracts
  • 6.3 Information security awareness, education and training: Security training programs
  • 6.4 Disciplinary process: Process for security violations
  • 6.5 Responsibilities after termination or change of employment: Ongoing obligations
  • 6.6 Confidentiality or non-disclosure agreements: NDA requirements
  • 6.7 Remote working: Security for remote workers
  • 6.8 Information security event reporting: Incident reporting by staff

Example: Conduct background checks during hiring, include security clauses in employment contracts, deliver annual security awareness training, define disciplinary procedures for policy violations, and implement remote working security policies covering home network requirements and device management.

7. Physical Controls (14 Controls)

Controls for physical security of premises, equipment, and media.

Secure Areas

  • 7.1 Physical security perimeters: Define and protect physical boundaries
  • 7.2 Physical entry: Control access to secure areas
  • 7.3 Securing offices, rooms and facilities: Physical security design
  • 7.4 Physical security monitoring (New): Continuous monitoring of premises
  • 7.5 Protecting against physical and environmental threats: Fire, flood, etc.
  • 7.6 Working in secure areas: Rules for working in sensitive areas

Equipment Security

  • 7.7 Clear desk and clear screen: Protect information when unattended
  • 7.8 Equipment siting and protection: Secure equipment location
  • 7.9 Security of assets off-premises: Protection of mobile equipment
  • 7.10 Storage media: Manage removable media securely
  • 7.11 Supporting utilities: Protect power, cooling, communications
  • 7.12 Cabling security: Protect cabling from interference
  • 7.13 Equipment maintenance: Maintain equipment securely
  • 7.14 Secure disposal or re-use of equipment: Sanitize before disposal

Example: Install badge access at building entrances, deploy CCTV with monitoring, implement clean desk policy, use cable locks for laptops, and use certified data destruction services.

8. Technological Controls (34 Controls)

Technical security measures for systems, networks, and applications.

Access and Authentication

  • 8.2 Privileged access rights: Restrict and control privileged access
  • 8.3 Information access restriction: Enforce access based on policy
  • 8.4 Access to source code: Control access to source code
  • 8.5 Secure authentication: Strong authentication mechanisms

Malware and Vulnerabilities

  • 8.7 Protection against malware: Anti-malware controls
  • 8.8 Management of technical vulnerabilities: Vulnerability management

Configuration and Monitoring (New/Enhanced)

  • 8.9 Configuration management (New): Manage system configurations
  • 8.15 Logging: Capture and protect logs
  • 8.16 Monitoring activities (New): Monitor for anomalies

Network Security

  • 8.20 Networks security: Manage and control networks
  • 8.21 Security of network services: Secure network services
  • 8.22 Segregation of networks: Network segmentation
  • 8.23 Web filtering (New): Control web access

Cryptography

  • 8.24 Use of cryptography: Encryption standards and use

Data Protection (New Controls)

  • 8.10 Information deletion (New): Secure data deletion
  • 8.11 Data masking (New): Protect sensitive data
  • 8.12 Data leakage prevention (New): DLP controls

Development Security

  • 8.25 Secure development life cycle: Security in SDLC
  • 8.26 Application security requirements: Security requirements for apps
  • 8.27 Secure system architecture and engineering principles: Security by design
  • 8.28 Secure coding (New): Secure coding practices
  • 8.29 Security testing in development and acceptance: Security testing
  • 8.30 Outsourced development: Security for outsourced development
  • 8.31 Separation of development, test and production environments: Environment separation
  • 8.32 Change management: Control changes to systems
  • 8.33 Test information: Protect test data
  • 8.34 Protection of information systems during audit testing: Audit security

Selecting Your Controls

You don't implement controls arbitrarily - selection is driven by your risk assessment:

  1. Identify Risks: Through your risk assessment process
  2. Determine Necessary Controls: Select controls that treat identified risks
  3. Compare with Annex A: Check you haven't overlooked relevant controls
  4. Document in SoA: Record applicable controls and exclusion justifications

Not every control applies to every organization. A fully remote company with no physical premises might legitimately exclude many physical controls. A company with no software development might exclude secure coding. The key is having a valid, documented justification.
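The comparison and SoA steps above can be made mechanical. The following is an added example (not from the standard or this page): it maps a constructed risk register to the controls chosen to treat each risk, records documented exclusions, and flags any Annex A control that is neither selected nor justified - the "overlooked control" the Annex A comparison is meant to catch. The control subset, risk names and exclusion reasons are constructed for illustration.

```python
"""SoA gap check: compare risk-treatment control selection against Annex A."""
from dataclasses import dataclass

# Subset of Annex A used in this example (numbers and titles as listed on the
# page above; the full 2022 standard has 93 controls).
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.15": "Access control",
    "7.1": "Physical security perimeters",
    "7.2": "Physical entry",
    "8.8": "Management of technical vulnerabilities",
    "8.15": "Logging",
    "8.28": "Secure coding",
}

# Constructed risk register: each risk lists the controls selected to treat it.
RISK_REGISTER = {
    "R1 Unpatched internet-facing servers": ["8.8", "8.15"],
    "R2 Unauthorised access to SaaS data": ["5.15"],
}

# Constructed exclusion justifications (fully remote, no in-house development).
EXCLUSIONS = {
    "7.1": "Fully remote company; no premises in scope",
    "7.2": "Fully remote company; no premises in scope",
    "8.28": "No in-house software development",
}

@dataclass
class SoAEntry:
    control: str
    title: str
    applicable: bool
    justification: str  # risks treated, or the reason for exclusion

def build_soa(annex_a, risk_register, exclusions):
    """Return (entries, gaps). A gap is an Annex A control that is neither
    selected to treat a risk nor explicitly excluded with a justification."""
    treats = {}
    for risk, controls in risk_register.items():
        for cid in controls:
            if cid not in annex_a:
                raise ValueError(f"{risk}: unknown control {cid}")
            treats.setdefault(cid, []).append(risk)
    entries, gaps = [], []
    for cid, title in annex_a.items():
        if cid in treats:
            entries.append(SoAEntry(cid, title, True, "Treats: " + "; ".join(treats[cid])))
        elif cid in exclusions:
            entries.append(SoAEntry(cid, title, False, exclusions[cid]))
        else:
            gaps.append(cid)  # overlooked: needs a selection or an exclusion
    return entries, gaps
```

Run against the sample data, 5.7 Threat intelligence is reported as a gap, because the register neither treats a risk with it nor documents why it is excluded.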