ISO 27001:2022 Annex A Controls

---

name: iso27001-annexa description: "ISO 27001:2022 Annex A controls reference for implementing an Information Security Management System (ISMS) with 93 controls across four themes." tags: [compliance, security]

ISO 27001:2022 Annex A Controls

Overview

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Annex A provides a reference set of 93 information security controls organized into four themes. The 2022 revision consolidated the previous 114 controls (from 2013) and introduced 11 new controls reflecting modern threats and practices.

Organizations use Annex A to select controls based on their risk assessment results, documenting applicability and justification in the Statement of Applicability (SoA). ISO 27001 certification requires an accredited audit of both the ISMS processes (clauses 4-10) and the Annex A control implementation.

Key changes in 2022:

• Reduced from 14 domains to 4 themes.
• Added 11 new controls (threat intelligence, cloud security, data masking, etc.).
• Introduced 5 attribute types for each control: control type, information security properties, cybersecurity concepts, operational capabilities, and security domains.

When to Use This Skill

• Implementing an ISMS from scratch or transitioning from ISO 27001:2013.
• Completing a Statement of Applicability (SoA) for certification.
• Performing a risk treatment plan and selecting appropriate controls.
• Mapping ISO 27001 controls to SOC 2, NIST CSF, or other frameworks.
• Responding to customer or regulatory requirements for ISO 27001 certification.
• Conducting internal audits of Annex A control effectiveness.

How It Works

Step 1: Context of the Organization

Establish the scope of the ISMS by understanding:

• Internal and external issues relevant to information security.
• Interested parties and their requirements (customers, regulators, partners).
• The scope boundary -- which business processes, systems, and locations are included.

Step 2: Risk Assessment

Perform a systematic risk assessment to identify threats and vulnerabilities:

• Identify information assets and their owners.
• Assess threats, vulnerabilities, and potential impacts.
• Determine risk levels using likelihood and impact ratings.
• Compare against risk acceptance criteria.

Step 3: Statement of Applicability (SoA)

Create the SoA by evaluating all 93 Annex A controls:

• For each control, document whether it is applicable or not.
• Justify exclusions based on risk assessment results.
• Reference existing controls or planned implementations.
• The SoA is a mandatory document for ISO 27001 certification.

Step 4: Control Implementation

Implement selected controls according to the risk treatment plan:

• Assign control owners responsible for implementation and monitoring.
• Define implementation timelines and resource requirements.
• Develop or update policies, procedures, and technical configurations.
• Ensure controls are proportionate to the identified risks.

Step 5: Internal Audit and Management Review

Evaluate ISMS effectiveness through:

• Regular internal audits covering all ISMS clauses and applicable Annex A controls.
• Management review meetings with defined inputs and outputs per clause 9.3.
• Corrective actions for nonconformities with root cause analysis.
• Continual improvement based on monitoring, measurement, and audit findings.

Annex A Control Themes

Theme A.5: Organizational Controls (37 controls)

Policies, roles, and management-level controls.

Control	Title	Implementation Guidance
A.5.1	Policies for information security	Publish, approve, communicate, review annually
A.5.2	Information security roles and responsibilities	RACI matrix, job descriptions include security
A.5.3	Segregation of duties	Prevent single person from controlling end-to-end
A.5.7	Threat intelligence	New -- Collect, analyze, act on threat intel feeds
A.5.9	Inventory of information and associated assets	CMDB, data classification, asset owners
A.5.12	Classification of information	Define levels (public, internal, confidential, restricted)
A.5.23	Information security for use of cloud services	New -- Cloud security policy, shared responsibility
A.5.29	Information security during disruption	BCP integration with security requirements
A.5.30	ICT readiness for business continuity	New -- IT DR plans, RTO/RPO definitions

Theme A.6: People Controls (8 controls)

Controls related to personnel before, during, and after employment.

Control	Title	Implementation Guidance
A.6.1	Screening	Background checks proportionate to role sensitivity
A.6.2	Terms and conditions of employment	Security obligations in contracts
A.6.3	Information security awareness, education, training	Role-based training, phishing simulations
A.6.4	Disciplinary process	Documented process for policy violations
A.6.5	Responsibilities after termination	NDA enforcement, knowledge transfer
A.6.6	Confidentiality or NDA agreements	Signed before access to sensitive information
A.6.7	Remote working	New -- Secure remote work policy and controls
A.6.8	Information security event reporting	All personnel know how to report incidents

Theme A.7: Physical Controls (14 controls)

Protection of physical premises, equipment, and media.

Control	Title	Implementation Guidance
A.7.1	Physical security perimeters	Defined zones, access barriers
A.7.2	Physical entry	Badge access, visitor logs, reception
A.7.4	Physical security monitoring	New -- CCTV, intrusion detection systems
A.7.7	Clear desk and clear screen	Policy enforced, auto-lock screens
A.7.9	Security of assets off-premises	Encrypted laptops, mobile device management
A.7.10	Storage media	Encryption, secure disposal, tracking
A.7.14	Secure disposal or re-use of equipment	Data wiping standards (NIST 800-88)

Theme A.8: Technological Controls (34 controls)

Technical security controls for systems and data.

Control	Title	Implementation Guidance
A.8.1	User endpoint devices	MDM, disk encryption, patching
A.8.2	Privileged access rights	PAM solution, just-in-time access
A.8.3	Information access restriction	RBAC, attribute-based access control
A.8.5	Secure authentication	MFA, password policies, passwordless
A.8.8	Management of technical vulnerabilities	Scanning, patching SLAs by severity
A.8.9	Configuration management	New -- Hardened baselines, IaC, drift detection
A.8.10	Information deletion	New -- Retention policies, automated deletion
A.8.11	Data masking	New -- Anonymization, pseudonymization, tokenization
A.8.12	Data leakage prevention	New -- DLP tools, egress monitoring
A.8.15	Logging	Centralized logging, tamper protection, retention
A.8.16	Monitoring activities	New -- SIEM, anomaly detection, alerting
A.8.20	Networks security	Segmentation, firewalls, zero-trust principles
A.8.23	Web filtering	New -- DNS filtering, URL categorization
A.8.24	Use of cryptography	Encryption standards, key management
A.8.25	Secure development lifecycle	SSDLC, code review, SAST/DAST
A.8.28	Secure coding	New -- Secure coding standards, dependency scanning

Examples

Example 1: Statement of Applicability Template

statement_of_applicability:
  organization: "Acme Corp"
  isms_scope: "Cloud-based SaaS platform and supporting operations"
  iso_standard: "ISO/IEC 27001:2022"
  version: "1.0"
  approved_by: "CISO"
  approval_date: "2026-02-15"

  controls:
    - id: A.5.1
      title: "Policies for information security"
      applicable: true
      justification: "Required for ISMS governance"
      implementation_status: "implemented"
      control_owner: "CISO"
      evidence_ref: "POL-001 Information Security Policy v3.2"

    - id: A.5.7
      title: "Threat intelligence"
      applicable: true
      justification: "Risk assessment identified emerging threat landscape"
      implementation_status: "partial"
      control_owner: "Security Operations Lead"
      evidence_ref: "Threat intel feed subscription (AlienVault OTX, CISA)"
      gap: "No formal process to act on threat intel; implementing by Q2 2026"

    - id: A.7.1
      title: "Physical security perimeters"
      applicable: false
      justification: >
        Organization is fully remote with no physical offices.
        Cloud provider (AWS) SOC 2 Type II report covers data center
        physical security -- reviewed annually.
      exclusion_risk_ref: "RA-2026-042"

    - id: A.8.11
      title: "Data masking"
      applicable: true
      justification: "PII processing requires masking in non-production environments"
      implementation_status: "implemented"
      control_owner: "Data Engineering Lead"
      evidence_ref: "Data masking pipeline config, staging environment audit"

    - id: A.8.28
      title: "Secure coding"
      applicable: true
      justification: "Custom software development is core business activity"
      implementation_status: "implemented"
      control_owner: "VP Engineering"
      evidence_ref: "Secure coding standard v2.0, SAST tool config, PR review policy"

Example 2: Risk Treatment Plan Format

risk_treatment_plan:
  organization: "Acme Corp"
  version: "2.0"
  last_updated: "2026-02-20"
  approved_by: "Risk Committee"

  entries:
    - risk_id: "R-2026-015"
      risk_description: >
        Unauthorized access to production database containing customer PII
        due to overly broad IAM permissions.
      risk_owner: "Platform Engineering Lead"
      inherent_risk:
        likelihood: 3  # 1-5 scale
        impact: 5
        risk_level: "critical"  # 15/25
      treatment_option: "mitigate"
      selected_controls:
        - annex_a_ref: A.8.2
          control: "Implement PAM with just-in-time access for production DB"
          status: "in_progress"
          target_date: "2026-04-01"
        - annex_a_ref: A.8.3
          control: "Enforce row-level security and least-privilege DB roles"
          status: "implemented"
          completion_date: "2026-01-15"
        - annex_a_ref: A.8.15
          control: "Enable database query audit logging with 90-day retention"
          status: "implemented"
          completion_date: "2025-11-20"
      residual_risk:
        likelihood: 1
        impact: 5
        risk_level: "medium"  # 5/25
      residual_risk_accepted: true
      review_date: "2026-08-20"

    - risk_id: "R-2026-022"
      risk_description: >
        Data loss from ransomware attack on development workstations
        spreading to cloud environments.
      risk_owner: "IT Operations Manager"
      inherent_risk:
        likelihood: 3
        impact: 4
        risk_level: "high"
      treatment_option: "mitigate"
      selected_controls:
        - annex_a_ref: A.8.1
          control: "MDM with enforced disk encryption and EDR agent"
          status: "implemented"
        - annex_a_ref: A.8.7
          control: "Network segmentation between dev and production"
          status: "implemented"
        - annex_a_ref: A.5.30
          control: "Tested backup and recovery with 4-hour RTO"
          status: "in_progress"
          target_date: "2026-03-15"
      residual_risk:
        likelihood: 1
        impact: 2
        risk_level: "low"
      residual_risk_accepted: true

Best Practices

Do This

• Start with the risk assessment; let risk drive control selection, not the other way around.
• Use the SoA as a living document; update it whenever controls change.
• Leverage the new attribute types (control type, cybersecurity concepts) for gap analysis.
• Involve control owners in writing control descriptions; they understand the implementation best.
• Schedule internal audits to cover all controls within the certification cycle (typically 3 years).
• Use ISO 27002:2022 as the detailed implementation guide for each Annex A control.

Don't Do This

• Do not implement all 93 controls blindly; use risk assessment to justify selections.
• Do not confuse ISO 27001 (management system requirements) with ISO 27002 (control guidance).
• Do not write the SoA once and forget it; auditors check that it matches current state.
• Do not treat certification as the finish line; continual improvement is a core requirement.
• Do not exclude controls without documented risk justification in the SoA.
• Do not underestimate clause 4-10 requirements; many failed audits stem from ISMS process gaps.

Security Checklist

Organizational Controls (A.5):

• Information security policy published and communicated to all employees
• Roles and responsibilities for information security assigned
• Asset inventory maintained with classification and ownership
• Threat intelligence sources identified and monitored
• Cloud security policy covers shared responsibility model
• Supplier and third-party security requirements defined
• Business continuity plans address information security requirements

People Controls (A.6):

• Background screening performed for all new hires
• Security awareness training completed annually
• Confidentiality agreements signed before access is granted
• Remote working security controls implemented
• Offboarding process revokes all access within defined SLA

Physical Controls (A.7):

• Physical security perimeters defined (or cloud provider controls documented)
• Visitor access procedures in place (if applicable)
• Equipment disposal follows secure wiping standards
• Physical security monitoring operational (or cloud provider SOC reviewed)

Technological Controls (A.8):

• Endpoint protection deployed (MDM, EDR, encryption)
• Privileged access managed through PAM or just-in-time access
• MFA enforced for all user authentication
• Vulnerability management with defined patching SLAs
• Configuration management with hardened baselines and drift detection
• Data masking applied in non-production environments
• DLP controls monitoring sensitive data egress
• Centralized logging with tamper protection and defined retention
• SIEM operational with anomaly detection and alerting
• Secure development lifecycle integrated into CI/CD pipeline
• Encryption standards defined and key management procedures documented

Related Skills

• @nist-csf -- Map ISO 27001 Annex A controls to NIST CSF functions and subcategories.
• @soc2-controls -- Cross-reference Annex A controls with SOC 2 Trust Services Criteria.
• @compliance-crosswalk -- Build unified control mappings for organizations with multiple certifications.

Additional Resources

• ISO/IEC 27001:2022 -- Official standard (purchase required).
• ISO/IEC 27002:2022 -- Implementation guidance for Annex A controls.
• ISO 27001 Transition Guide -- Migration path from 2013 to 2022.
• ISMS Online Toolkit -- Templates and tools for ISO 27001 implementation.