
ISO 27001 Annex A Controls Explained (2022)

The ISO 27001 Annex A controls are the catalogue of security safeguards you choose from when treating the risks your ISMS identifies. In the 2022 revision, the ISO 27001 Annex A controls were reorganised into 93 controls across four themes — Organizational, People, Physical, and Technological. You don’t implement all of them; you select the ones your risk assessment justifies and record that reasoning in your Statement of Applicability.

ISO 27001 Annex A controls mapping toolkit
A toolkit mapping the ISO 27001 Annex A controls to editable policies.

What are the ISO 27001 Annex A controls?

Annex A is a reference catalogue of controls you can use to treat the risks you identify in your risk assessment. The controls themselves are described in detail in the companion standard ISO/IEC 27002:2022. Annex A gives you the list; ISO 27002 explains how to implement each one.

The four control themes (2022)

The 2022 revision replaced the old 14 domains with four themes:

  • Organizational controls (37) — policies, roles, supplier relationships, cloud security, threat intelligence.
  • People controls (8) — screening, awareness training, disciplinary process, remote working.
  • Physical controls (14) — secure areas, equipment, physical monitoring, clear desk/screen.
  • Technological controls (34) — access control, cryptography, logging, secure development, data leakage prevention.

That’s 93 controls in total (down from 114 in the 2013 edition, mostly through consolidation).

What’s new in the 2022 controls

The 2022 revision introduced 11 new controls reflecting how security has changed, including:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion, data masking, and data leakage prevention
  • Web filtering and secure coding

Every control, ready to implement.

The ISO 27001 Toolkit maps to all 93 Annex A controls with ready-made policies and procedures — so you can populate your Statement of Applicability without writing each one from scratch.

Get the ISO 27001 Toolkit →

You don’t implement every control

This is the most misunderstood point about Annex A. You review each of the 93 controls against your risk assessment and decide whether it’s applicable. Your decisions — and your justification for anything you exclude — are recorded in the Statement of Applicability (SoA), the document your auditor will scrutinise most closely.

How Annex A fits the bigger picture

Annex A controls sit on top of the mandatory management requirements. For the full document set you’ll need alongside them, see the required documents checklist, and for the end-to-end process, our complete guide to ISO 27001 certification.

How the ISO 27001 Annex A controls fit your risk treatment

Annex A is deliberately a menu, not a mandate. Your risk assessment identifies what could go wrong; your risk treatment plan then selects the ISO 27001 Annex A controls that reduce those risks to an acceptable level. Every inclusion or exclusion is documented and justified in the Statement of Applicability, which auditors scrutinise closely. The 2022 revision, published by ISO, merged and modernised the older 114 controls and added new ones for areas like threat intelligence, cloud security, and secure coding. Mapping each control back to a specific risk is what turns a generic checklist into a defensible programme.

Frequently asked questions

How many Annex A controls are there in ISO 27001:2022?

93, grouped into Organizational (37), People (8), Physical (14), and Technological (34).

Do I have to apply all 93?

No. You apply the ones your risk assessment makes relevant and justify any exclusions in your Statement of Applicability.

In short, treat the ISO 27001 Annex A controls as options to be justified, not boxes to be ticked. Select what your risks demand, record the rest as excluded with a reason, and your Statement of Applicability will stand up to any auditor.
