ISO 27001 Annex A controls — the full 93, in plain English
Annex A of ISO 27001:2022 lists 93 controls across four themes. This is the full list, grouped and demystified — plus practical, SME-focused implementation tips and Statement of Applicability guidance.
Michael McCarroll — Founder · 20+ yrs GRC, ISO 27001 lead implementer · Updated June 2026
How Annex A works (in 90 seconds)
Annex A is a reference set of information security controls. It is not a checklist you must implement wholesale; it is a menu you draw from after your risk assessment (Clause 6.1.3 also requires you to compare the controls you determined against Annex A, so that nothing necessary has been overlooked). For each control you include, you document a justification, an owner, whether it is implemented yet, evidence and a review cadence. For each control you exclude, you justify the exclusion in the Statement of Applicability (SoA). Certification auditors read the SoA first and use it to plan the audit.
The 2022 revision reorganised the 2013-era 114 controls into 93, grouped under four themes — Organisational, People, Physical and Technological — and added 11 new controls reflecting modern practice (cloud services, threat intelligence, data leakage prevention, secure coding and more).
Theme 1 — Organisational controls (A.5.1 – A.5.37)
The largest theme. Governance, policies, roles, supplier relationships, incident management and compliance sit here. This is where most SMEs spend the first four weeks of implementation, because it forces documented decisions.
Control  Name
A.5.1  Policies for information security
A.5.2  Information security roles and responsibilities
A.5.3  Segregation of duties
A.5.4  Management responsibilities
A.5.5  Contact with authorities
A.5.6  Contact with special interest groups
A.5.7  Threat intelligence (NEW)
A.5.8  Information security in project management
A.5.9  Inventory of information and other associated assets
A.5.10  Acceptable use of information and other associated assets
A.5.11  Return of assets
A.5.12  Classification of information
A.5.13  Labelling of information
A.5.14  Information transfer
A.5.15  Access control
A.5.16  Identity management
A.5.17  Authentication information
A.5.18  Access rights
A.5.19  Information security in supplier relationships
A.5.20  Addressing information security within supplier agreements
A.5.21  Managing information security in the ICT supply chain
A.5.22  Monitoring, review and change management of supplier services
A.5.23  Information security for use of cloud services (NEW)
A.5.24  Information security incident management planning and preparation
A.5.25  Assessment and decision on information security events
A.5.26  Response to information security incidents
A.5.27  Learning from information security incidents
A.5.28  Collection of evidence
A.5.29  Information security during disruption
A.5.30  ICT readiness for business continuity (NEW)
A.5.31  Legal, statutory, regulatory and contractual requirements
A.5.32  Intellectual property rights
A.5.33  Protection of records
A.5.34  Privacy and protection of PII
A.5.35  Independent review of information security
A.5.36  Compliance with policies, rules and standards for information security
A.5.37  Documented operating procedures
Theme 2 — People controls (A.6.1 – A.6.8)
Short but load-bearing. Screening, employment terms, awareness, disciplinary process, remote working and event reporting. Most SMEs already do most of this — they just need to write it down.
Control  Name
A.6.1  Screening
A.6.2  Terms and conditions of employment
A.6.3  Information security awareness, education and training
A.6.4  Disciplinary process
A.6.5  Responsibilities after termination or change of employment
A.6.6  Confidentiality or non-disclosure agreements
A.6.7  Remote working
A.6.8  Information security event reporting
Theme 3 — Physical controls (A.7.1 – A.7.14)
Perimeter, entry, equipment, clear desk, off-premises assets, disposal. Cloud-first SMEs can scope large parts of this to "office only" — but you must still evidence the decision, and any office where staff handle information is in scope.
Control  Name
A.7.1  Physical security perimeters
A.7.2  Physical entry
A.7.3  Securing offices, rooms and facilities
A.7.4  Physical security monitoring (NEW)
A.7.5  Protecting against physical and environmental threats
A.7.6  Working in secure areas
A.7.7  Clear desk and clear screen
A.7.8  Equipment siting and protection
A.7.9  Security of assets off-premises
A.7.10  Storage media
A.7.11  Supporting utilities
A.7.12  Cabling security
A.7.13  Equipment maintenance
A.7.14  Secure disposal or re-use of equipment
Theme 4 — Technological controls (A.8.1 – A.8.34)
The technical heart of the standard. Endpoint, access, cryptography, backup, logging, monitoring, network security, secure development. This theme has the most new controls — configuration management, information deletion, data masking, DLP, monitoring activities, web filtering and secure coding are all 2022 additions.
Control  Name
A.8.1  User endpoint devices
A.8.2  Privileged access rights
A.8.3  Information access restriction
A.8.4  Access to source code
A.8.5  Secure authentication
A.8.6  Capacity management
A.8.7  Protection against malware
A.8.8  Management of technical vulnerabilities
A.8.9  Configuration management (NEW)
A.8.10  Information deletion (NEW)
A.8.11  Data masking (NEW)
A.8.12  Data leakage prevention (NEW)
A.8.13  Information backup
A.8.14  Redundancy of information processing facilities
A.8.15  Logging
A.8.16  Monitoring activities (NEW)
A.8.17  Clock synchronisation
A.8.18  Use of privileged utility programmes
A.8.19  Installation of software on operational systems
A.8.20  Networks security
A.8.21  Security of network services
A.8.22  Segregation of networks
A.8.23  Web filtering (NEW)
A.8.24  Use of cryptography
A.8.25  Secure development lifecycle
A.8.26  Application security requirements
A.8.27  Secure system architecture and engineering principles
A.8.28  Secure coding (NEW)
A.8.29  Security testing in development and acceptance
A.8.30  Outsourced development
A.8.31  Separation of development, test and production environments
A.8.32  Change management
A.8.33  Test information
A.8.34  Protection of information systems during audit and testing
The 11 new controls in 2022
If you are transitioning from ISO 27001:2013, these are the additions to plan for:
A.5.7 Threat intelligence — subscribe to a feed relevant to your stack, review it monthly, and feed anything actionable into the risk register.
The workflow that survives an audit: (1) risk-assess first; (2) mark each Annex A control include or exclude, with a one-sentence justification either way and, for inclusions, whether the control is implemented yet; (3) assign an owner and review cadence to every included control; (4) attach at least one piece of evidence to every included control and link it to the risk(s) it treats; (5) review the whole SoA at management review. That's it.
ISO-STANDARD.app ships the SoA pre-populated with all 93 controls, mapped to the risk register and evidence library so the audit trail assembles itself. Auditors love it because every control has an owner, a date and a link to evidence — one click each.
FAQ
How many Annex A controls are in ISO 27001:2022?
93. The 2022 revision reorganised the 114 controls from ISO 27001:2013 into four themes — Organisational (37), People (8), Physical (14) and Technological (34) — and added 11 new controls covering topics like threat intelligence, cloud services, ICT readiness for business continuity, physical monitoring, configuration management, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.
Do I need to implement every Annex A control?
No. Annex A is a menu, not a mandate. Your risk assessment drives selection. Every control you exclude must be justified in the Statement of Applicability (SoA); every included control must also carry a justification, an implementation status, an owner, evidence and a review cadence.
What is the difference between the four themes?
Organisational controls (5.x) cover policies, governance and supplier relationships. People controls (6.x) cover onboarding, awareness and disciplinary process. Physical controls (7.x) cover premises, equipment and secure disposal. Technological controls (8.x) cover access management, cryptography, logging, network security and secure development.
What are the 11 new controls in ISO 27001:2022?
5.7 Threat intelligence · 5.23 Information security for use of cloud services · 5.30 ICT readiness for business continuity · 7.4 Physical security monitoring · 8.9 Configuration management · 8.10 Information deletion · 8.11 Data masking · 8.12 Data leakage prevention · 8.16 Monitoring activities · 8.23 Web filtering · 8.28 Secure coding.
How does this map to my Statement of Applicability?
The SoA lists all 93 controls, marks each as included or excluded with a justification, links each included control to the risks it treats, records whether it is implemented and points to the evidence that demonstrates it. ISO-STANDARD.app ships the SoA pre-populated so you just answer include/exclude and attach evidence.
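As an added example that is not code from this page or from ISO-STANDARD.app, here is a small Python linter for the SoA data model described in the five-step workflow above and in the FAQ answer on mapping to the SoA. It derives the 93 control IDs from the theme sizes (37/8/14/34), then checks that every control has a decision, that every decision carries a justification, and that every included control has an owner, a review cadence, at least one piece of evidence and at least one linked risk, flagging overdue reviews. The field names, the finding messages and the sample register for a cloud-only SME are assumptions constructed for illustration; nothing here is audit tooling from the standard itself.

```python
"""Pre-audit lint for an ISO 27001:2022 Statement of Applicability (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Annex A numbering: Organisational 5.1-5.37, People 6.1-6.8,
# Physical 7.1-7.14, Technological 8.1-8.34.
THEME_SIZES = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = [f"A.{theme}.{n}" for theme, size in THEME_SIZES.items()
                for n in range(1, size + 1)]
assert len(ALL_CONTROLS) == 93


@dataclass
class SoaEntry:
    """One SoA row. Field names are assumptions, not a schema from the standard."""
    control: str
    included: bool
    justification: str = ""
    owner: str = ""
    review_days: int = 0                      # review cadence in days; 0 = not set
    last_reviewed: Optional[date] = None
    evidence: List[str] = field(default_factory=list)
    risks: List[str] = field(default_factory=list)   # risk-register IDs this control treats


def lint_soa(entries: List[SoaEntry], today: date) -> List[str]:
    """Return audit-blocking findings; an empty list means the SoA is complete."""
    findings = []
    seen = {}
    for e in entries:
        if e.control in seen:
            findings.append(f"{e.control}: duplicate row")
        seen[e.control] = e
    # Coverage: every Annex A control needs a decision, and nothing extra sneaks in.
    for cid in ALL_CONTROLS:
        if cid not in seen:
            findings.append(f"{cid}: no include/exclude decision recorded")
    for cid in seen:
        if cid not in ALL_CONTROLS:
            findings.append(f"{cid}: not an Annex A control ID")
    # Per-row checks: inclusions and exclusions both need a justification;
    # inclusions also need owner, cadence, evidence and a linked risk.
    for cid, e in seen.items():
        if not e.justification.strip():
            findings.append(f"{cid}: missing justification")
        if not e.included:
            continue
        if not e.owner.strip():
            findings.append(f"{cid}: included but no owner")
        if e.review_days <= 0:
            findings.append(f"{cid}: included but no review cadence")
        if not e.evidence:
            findings.append(f"{cid}: included but no evidence attached")
        if not e.risks:
            findings.append(f"{cid}: included but not linked to any risk")
        if e.last_reviewed is None:
            findings.append(f"{cid}: included but never reviewed")
        elif e.review_days > 0:
            overdue = (today - e.last_reviewed).days - e.review_days
            if overdue > 0:
                findings.append(f"{cid}: review overdue by {overdue} days")
    return sorted(findings)


def sample_soa(today: date) -> List[SoaEntry]:
    """Constructed SoA for a cloud-only SME (illustrative data, not a real register)."""
    rows = {cid: SoaEntry(cid, included=False,
                          justification="Excluded: no owned premises or on-prem systems")
            for cid in ALL_CONTROLS}
    fresh = today - timedelta(days=30)
    rows["A.5.1"] = SoaEntry("A.5.1", True, "Mandatory policy set", "CISO", 365, fresh,
                             ["POL-001 Information Security Policy v3"], ["R-001"])
    rows["A.8.13"] = SoaEntry("A.8.13", True, "Treats R-014 data loss", "Head of Eng",
                              90, fresh, [], ["R-014"])          # evidence never attached
    rows["A.8.15"] = SoaEntry("A.8.15", True, "Treats R-020 undetected intrusion",
                              "SecOps lead", 365, today - timedelta(days=400),
                              ["SIEM retention config export"], ["R-020"])  # review overdue
    rows["A.7.1"].justification = ""                              # exclusion left unjustified
    del rows["A.7.12"]                                            # decision never made
    return list(rows.values())


def lint_sample() -> List[str]:
    """Run the linter over the constructed register on a fixed date."""
    today = date(2026, 6, 1)
    return lint_soa(sample_soa(today), today)


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Run as a script it prints four findings for the constructed register: the missing decision on A.7.12, the unjustified exclusion of A.7.1, the included A.8.13 with no evidence, and A.8.15 whose annual review is 35 days late. Feed it your real SoA export instead of `sample_soa` and anything it prints is a question the auditor will ask.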
Skip the spreadsheet Annex A
Load our pre-populated Statement of Applicability, link controls to risks and evidence in minutes, and walk into your ISO 27001 audit with the trail already assembled.
ISO-STANDARD.app ships a ready-to-adopt ISO 27001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.