Annex A: 93 Controls Revealed
Annex A contains the security controls you'll implement in your ISMS. In ISO 27001:2022, these are organized into four themes with 93 total controls.
The Four Control Themes
A.5 Organizational Controls (37 controls)
These are your policies, procedures, and governance controls.
Key controls include:
- A.5.1 Policies for information security
- A.5.2 Information security roles and responsibilities
- A.5.3 Segregation of duties
- A.5.7 Threat intelligence ⭐ NEW
- A.5.15 Access control
- A.5.23 Information security for cloud services ⭐ NEW
- A.5.24 Incident management planning
- A.5.30 ICT readiness for business continuity ⭐ NEW
A.6 People Controls (8 controls)
These cover human resources security before, during and after employment.
All 8 controls:
- A.6.1 Screening
- A.6.2 Terms and conditions of employment
- A.6.3 Information security awareness, education and training
- A.6.4 Disciplinary process
- A.6.5 Responsibilities after termination
- A.6.6 Confidentiality agreements
- A.6.7 Remote working
- A.6.8 Information security event reporting
A.7 Physical Controls (14 controls)
Protect your physical environment and assets.
Key controls include:
- A.7.1 Physical security perimeters
- A.7.2 Physical entry
- A.7.3 Securing offices, rooms and facilities
- A.7.4 Physical security monitoring ⭐ NEW
- A.7.5 Protecting against physical threats
- A.7.9 Security of assets off-premises
- A.7.10 Storage media
- A.7.14 Secure disposal or re-use of equipment
A.8 Technological Controls (34 controls)
Technical security measures for your systems.
Key controls include:
- A.8.1 User endpoint devices
- A.8.5 Secure authentication
- A.8.9 Configuration management ⭐ NEW
- A.8.10 Information deletion ⭐ NEW
- A.8.11 Data masking ⭐ NEW
- A.8.12 Data leakage prevention ⭐ NEW
- A.8.15 Logging
- A.8.16 Monitoring activities ⭐ NEW
- A.8.23 Web filtering ⭐ NEW
- A.8.24 Use of cryptography
- A.8.28 Secure coding ⭐ NEW
Control Attributes
ISO 27001:2022 introduced five attributes to categorize controls:
1. Control Type
- Preventive - Stop incidents before they happen
- Detective - Identify incidents when they occur
- Corrective - Fix issues after detection
2. Information Security Properties
- Confidentiality - Protect against unauthorized disclosure
- Integrity - Prevent unauthorized modification
- Availability - Ensure authorized access when needed
3. Cybersecurity Concepts
- Identify - Know your assets and risks
- Protect - Implement safeguards
- Detect - Discover incidents
- Respond - Take action
- Recover - Restore capabilities
4. Operational Capabilities
- Governance, Asset management, Information protection
- Human resource security, Physical security, System security
- Application security, Network security, Secure configuration
- Identity management, Threat management, Continuity
- Supplier relationships, Legal compliance, Event management
- Information assurance
5. Security Domains
- Governance and Ecosystem - Organizational and external factors
- Protection - Safeguard measures
- Defense - Detection and response
- Resilience - Recovery and continuity
Statement of Applicability (SoA)
For each control, you must document:
- Whether it's applicable to your organization
- If applicable, whether it's implemented
- If not applicable, justification for exclusion
- Implementation status and notes
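As an added illustration (not code from the course), here is a small Python checker for SoA rows: it enforces the rule that an excluded control needs a justification, checks each row's tags against the five attribute vocabularies above, and counts implemented controls per cybersecurity concept. The sample rows and their attribute values are constructed.

```python
# Added example (not part of the course): a checker for Statement of Applicability
# rows tagged with the five attributes above; sample rows are constructed.
from dataclasses import dataclass, field
ATTRIBUTES = {  # attribute name -> values allowed by the lesson's taxonomy
    "control_type": {"Preventive", "Detective", "Corrective"},
    "properties": {"Confidentiality", "Integrity", "Availability"},
    "concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "domains": {"Governance and Ecosystem", "Protection", "Defense", "Resilience"},
}

@dataclass
class SoAEntry:
    control_id: str           # e.g. "A.8.15"
    applicable: bool
    implemented: bool = False
    justification: str = ""   # mandatory when the control is excluded
    attributes: dict = field(default_factory=dict)  # attribute name -> set of values

def validate(entry):
    """Return the problems an auditor would raise for one SoA row ([] = clean)."""
    cid, problems = entry.control_id, []
    if cid.rsplit(".", 1)[0] not in {"A.5", "A.6", "A.7", "A.8"}:
        problems.append(f"{cid}: not an Annex A control id")
    if not entry.applicable and not entry.justification.strip():
        problems.append(f"{cid}: excluded without justification")
    for name, allowed in ATTRIBUTES.items():
        values = set(entry.attributes.get(name, ()))
        if entry.applicable and not values:
            problems.append(f"{cid}: missing {name} attribute")
        problems += [f"{cid}: unknown {name} value {v!r}" for v in sorted(values - allowed)]
    return problems

def concept_coverage(entries):
    """Implemented controls per cybersecurity concept; a zero shows a gap in the ISMS."""
    counts = dict.fromkeys(ATTRIBUTES["concepts"], 0)
    for e in entries:
        if e.applicable and e.implemented:
            for c in e.attributes.get("concepts", ()):
                counts[c] = counts.get(c, 0) + 1
    return counts
SAMPLE_SOA = [  # constructed rows, not a real organisation's SoA
    SoAEntry("A.8.15", True, True, attributes={"control_type": {"Detective"}, "properties":
             {"Confidentiality", "Integrity"}, "concepts": {"Detect"}, "domains": {"Defense"}}),
    SoAEntry("A.5.23", True, attributes={"control_type": {"Preventive"}, "properties":
             {"Confidentiality"}, "concepts": {"Protect"}, "domains": {"Protection"}}),
    SoAEntry("A.7.14", False, justification="All equipment is leased and returned to the lessor"),
    SoAEntry("A.8.23", False),  # excluded with no justification: validate() flags it
]
```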
How Controls Map to Clauses
The clauses (4-10) tell you WHAT to do. Annex A tells you HOW to protect information.
Your risk assessment (Clause 6) determines WHICH controls you need.
Implementation Priority
Consider implementing controls in this order:
- Quick wins - Easy to implement, immediate value
- Risk-based - Address highest risks first
- Compliance-driven - Meet regulatory requirements
- Foundation - Controls that enable others
Next Lesson: The complete certification journey from start to finish.