ISO 27001 Annex A controls — the full 93, in plain English

Annex A of ISO 27001:2022 lists 93 controls across four themes. This is the full list, grouped and demystified — plus practical, SME-focused implementation tips and Statement of Applicability guidance.

Michael McCarroll Updated June 2026

How Annex A works (in 90 seconds)

Annex A is a reference set of information security controls. It is not a checklist you must implement — it is a menu you draw from after your risk assessment. For each control you choose to include, you document an owner, evidence and a review cadence. For each control you exclude, you justify the exclusion in the Statement of Applicability (SoA). Certification auditors read the SoA first and use it to plan the audit trail.

The 2022 revision reorganised the 2013-era 114 controls into 93, grouped under four themes — Organisational, People, Physical and Technological — and added 11 new controls reflecting modern practice (cloud services, threat intelligence, data leakage prevention, secure coding and more).

Theme 1 — Organisational controls (A.5.1 – A.5.37)

The largest theme. Governance, policies, roles, supplier relationships, incident management and compliance sit here. This is where most SMEs spend the first four weeks of implementation because it forces documented decisions.

Control  Name
A.5.1    Policies for information security
A.5.2    Information security roles and responsibilities
A.5.3    Segregation of duties
A.5.4    Management responsibilities
A.5.5    Contact with authorities
A.5.6    Contact with special interest groups
A.5.7    Threat intelligence (NEW)
A.5.8    Information security in project management
A.5.9    Inventory of information and other associated assets
A.5.10   Acceptable use of information and other associated assets
A.5.11   Return of assets
A.5.12   Classification of information
A.5.13   Labelling of information
A.5.14   Information transfer
A.5.15   Access control
A.5.16   Identity management
A.5.17   Authentication information
A.5.18   Access rights
A.5.19   Information security in supplier relationships
A.5.20   Addressing information security within supplier agreements
A.5.21   Managing information security in the ICT supply chain
A.5.22   Monitoring, review and change management of supplier services
A.5.23   Information security for use of cloud services (NEW)
A.5.24   Information security incident management planning and preparation
A.5.25   Assessment and decision on information security events
A.5.26   Response to information security incidents
A.5.27   Learning from information security incidents
A.5.28   Collection of evidence
A.5.29   Information security during disruption
A.5.30   ICT readiness for business continuity (NEW)
A.5.31   Legal, statutory, regulatory and contractual requirements
A.5.32   Intellectual property rights
A.5.33   Protection of records
A.5.34   Privacy and protection of PII
A.5.35   Independent review of information security
A.5.36   Compliance with policies, rules and standards for information security
A.5.37   Documented operating procedures

Theme 2 — People controls (A.6.1 – A.6.8)

Short but load-bearing. Screening, employment terms, awareness, disciplinary process, remote working and event reporting. Most SMEs already do most of this — they just need to write it down.

Control  Name
A.6.1    Screening
A.6.2    Terms and conditions of employment
A.6.3    Information security awareness, education and training
A.6.4    Disciplinary process
A.6.5    Responsibilities after termination or change of employment
A.6.6    Confidentiality or non-disclosure agreements
A.6.7    Remote working
A.6.8    Information security event reporting

Theme 3 — Physical controls (A.7.1 – A.7.14)

Perimeter, entry, equipment, clear desk, off-premises assets, disposal. Cloud-first SMEs can scope large parts of this to "office only" — but you must still evidence the decision, and any office where staff handle information is in scope.

Control  Name
A.7.1    Physical security perimeters
A.7.2    Physical entry
A.7.3    Securing offices, rooms and facilities
A.7.4    Physical security monitoring (NEW)
A.7.5    Protecting against physical and environmental threats
A.7.6    Working in secure areas
A.7.7    Clear desk and clear screen
A.7.8    Equipment siting and protection
A.7.9    Security of assets off-premises
A.7.10   Storage media
A.7.11   Supporting utilities
A.7.12   Cabling security
A.7.13   Equipment maintenance
A.7.14   Secure disposal or re-use of equipment

Theme 4 — Technological controls (A.8.1 – A.8.34)

The technical heart of the standard. Endpoint, access, cryptography, backup, logging, monitoring, network security, secure development. This theme has the most new controls — configuration management, information deletion, data masking, DLP, monitoring activities, web filtering and secure coding are all 2022 additions.

Control  Name
A.8.1    User endpoint devices
A.8.2    Privileged access rights
A.8.3    Information access restriction
A.8.4    Access to source code
A.8.5    Secure authentication
A.8.6    Capacity management
A.8.7    Protection against malware
A.8.8    Management of technical vulnerabilities
A.8.9    Configuration management (NEW)
A.8.10   Information deletion (NEW)
A.8.11   Data masking (NEW)
A.8.12   Data leakage prevention (NEW)
A.8.13   Information backup
A.8.14   Redundancy of information processing facilities
A.8.15   Logging
A.8.16   Monitoring activities (NEW)
A.8.17   Clock synchronisation
A.8.18   Use of privileged utility programmes
A.8.19   Installation of software on operational systems
A.8.20   Networks security
A.8.21   Security of network services
A.8.22   Segregation of networks
A.8.23   Web filtering (NEW)
A.8.24   Use of cryptography
A.8.25   Secure development lifecycle
A.8.26   Application security requirements
A.8.27   Secure system architecture and engineering principles
A.8.28   Secure coding (NEW)
A.8.29   Security testing in development and acceptance
A.8.30   Outsourced development
A.8.31   Separation of development, test and production environments
A.8.32   Change management
A.8.33   Test information
A.8.34   Protection of information systems during audit and testing

The 11 new controls in 2022

If you are transitioning from ISO 27001:2013, these are the additions to plan for:

  • A.5.7 Threat intelligence — subscribe to a feed, review monthly, feed into risk register.
  • A.5.23 Cloud services security — document cloud provider selection, configuration and shared-responsibility split.
  • A.5.30 ICT readiness for business continuity — align backups, DR and RTO/RPO with the BCM programme.
  • A.7.4 Physical security monitoring — CCTV, alarms, access logs where applicable.
  • A.8.9 Configuration management — hardened baselines, drift detection.
  • A.8.10 Information deletion — secure deletion procedures on leavers, decommission and retention expiry.
  • A.8.11 Data masking — pseudonymisation for test environments and analytics.
  • A.8.12 Data leakage prevention — DLP tooling or compensating admin controls.
  • A.8.16 Monitoring activities — active monitoring of systems, apps and network for anomalies.
  • A.8.23 Web filtering — DNS filtering or secure web gateway.
  • A.8.28 Secure coding — coding standards, SAST/DAST, code review.

How to run Annex A without spreadsheets

The workflow that survives an audit: (1) risk-assess first; (2) mark each Annex A control include or exclude with a one-sentence justification; (3) assign an owner and review cadence to every included control; (4) attach at least one piece of evidence to every included control; (5) review the whole SoA at management review. That's it.

ISO-STANDARD.app ships the SoA pre-populated with all 93 controls, mapped to the risk register and evidence library so the audit trail assembles itself. Auditors love it because every control has an owner, a date and a link to evidence — one click each.

FAQ

How many Annex A controls are in ISO 27001:2022?
93. The 2022 revision reorganised the 114 controls from ISO 27001:2013 into four themes — Organisational (37), People (8), Physical (14) and Technological (34) — and added 11 new controls covering topics like threat intelligence, cloud services, ICT readiness for business continuity, physical monitoring, configuration management, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.
Do I need to implement every Annex A control?
No. Annex A is a menu, not a mandate. Your risk assessment drives selection. Every control you exclude must be justified in the Statement of Applicability (SoA); every included control must have an owner, evidence and a review cadence.
What is the difference between the four themes?
Organisational controls (5.x) cover policies, governance and supplier relationships. People controls (6.x) cover onboarding, awareness and disciplinary process. Physical controls (7.x) cover premises, equipment and secure disposal. Technological controls (8.x) cover access management, cryptography, logging, network security and secure development.
What are the 11 new controls in ISO 27001:2022?
5.7 Threat intelligence · 5.23 Information security for use of cloud services · 5.30 ICT readiness for business continuity · 7.4 Physical security monitoring · 8.9 Configuration management · 8.10 Information deletion · 8.11 Data masking · 8.12 Data leakage prevention · 8.16 Monitoring activities · 8.23 Web filtering · 8.28 Secure coding.
How does this map to my Statement of Applicability?
The SoA lists all 93 controls, marks each as in or out of scope, links each in-scope control to the risks it treats and points to the evidence that demonstrates it. ISO-STANDARD.app ships the SoA pre-populated so you just answer include/exclude and attach evidence.

Skip the spreadsheet Annex A

Load our pre-populated Statement of Applicability, link controls to risks and evidence in minutes, and walk into your ISO 27001 audit with the trail already assembled.

ISO-STANDARD.app ships a ready-to-adopt ISO 27001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
