What are the ISO 27001 Annex A controls? The 93 Control Measures Explained

93 controls are listed in Annex A of ISO 27001, but it doesn't state anywhere that you must implement all of them. This distinction alone saves unnecessary work. In this blog, we explain exactly what Annex A is, which four themes you'll encounter, what has changed since 2022, and how to choose the right set for your organization using the Statement of Applicability.

This article was last updated on 27.05.2026. Written by Ruben Renter, Marketing Specialist.

What is Annex A of ISO 27001?

Annex A is an appendix to the ISO 27001 standard that contains the complete list of controls. These are the practical measures you use to secure information: everything from a written policy to setting up encryption and screening new employees.

Since the 2022 update of the standard, Annex A contains 93 controls, divided into four themes. The old 2013 version had 114 controls spread across fourteen chapters. These have been merged, shortened, and supplemented in a few areas.

Good to know: Annex A is only a list. The explanation of each control, together with implementation guidance, lives in a separate standard, ISO 27002. Annex A tells you what, ISO 27002 tells you how. Read more about the differences here.

ISO 27001 Requirements: The Four Themes in Annex A

The 93 controls are grouped into four themes. Below is a brief explanation for each theme, along with a few practical examples you might encounter.


A.5 Organizational measures (37 controls)

This is all about agreements, policies, and responsibilities. This is by far the largest theme and the foundation of your information security.

Practical examples:

  • A.5.1 Information Security Policy — you have a document approved by management stating how you handle information.
  • A.5.10 Acceptable use (acceptable use policy) — what an employee may and may not do with a company laptop, company email, or company data.
  • A.5.19 Security in supplier relationships — you know which suppliers have access to what, and have made agreements on how they secure that data.
  • A.5.30 ICT readiness for business continuity (new in 2022) — you have documented how to restore your IT systems after a major outage or cyberattack.
  • A.5.34 Privacy and protection of personal data — you document how you protect personal data, in line with the GDPR.

A.6 People-centric measures (8 controls)

This theme is about your people: how you select and train them, and what agreements you make with them regarding information.

Examples:

  • A.6.1 Screening — you check the background of new employees before they are granted sensitive access.
  • A.6.3 Awareness and training — employees receive periodic security awareness training, so they can, for example, recognize a phishing email.
  • A.6.7 Remote working (new in 2022) — clear agreements regarding, for example, VPN, private devices, and securing a home workstation.

A.7 Physical measures (14 controls)

Everything related to the physical security of buildings, workplaces, and equipment.

Examples:

  • A.7.2 Physical access control — only authorized personnel can enter a server room or archive.
  • A.7.7 Clear desk and clear screen — confidential documents are not left open on desks, screens lock automatically.
  • A.7.10 Storage media — USB drives and hard drives are securely destroyed before disposal.

A.8 Technological measures (34 controls)

The most technical topics, such as encryption, logging, malware protection, and secure development.

Examples:

  • A.8.5 Authentication — usernames, strong passwords, and increasingly multi-factor authentication.
  • A.8.7 Protection against malware — antivirus, email filtering, browser protection.
  • A.8.12 Prevention of data leakage (new in 2022) — technical measures that actively detect when data is about to leave the company.
  • A.8.28 Secure coding (new in 2022) — if you develop software yourself: built-in vulnerability checks during development.

The 11 new controls in ISO 27001:2022

Clients preparing for their first audit under the 2022 standard primarily want to know: which controls are new, and do they need to do anything about them? The 2022 update added eleven new controls. Below is the complete list:


  • A.5.7 Threat intelligence (actively monitoring which cyberattacks are targeting your type of organization)
  • A.5.23 Information security for the use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Monitoring of physical security
  • A.8.9 Configuration management
  • A.8.10 Deletion of information
  • A.8.11 Data masking
  • A.8.12 Prevention of data leakage
  • A.8.16 Monitoring of activities
  • A.8.23 Web filters
  • A.8.28 Secure coding


These eleven reflect the reality of 2022 and beyond: cloud is everywhere, data breaches are measurable, and as an organization, you can no longer ignore what's happening on your network.

ISO 27001 controls: do you have to implement them all?

No. And that is precisely where many ISO 27001 projects go off track. The standard requires you to assess each control against your risk analysis: include it and implement it, or exclude it with a justification. You record this in a mandatory document: the Statement of Applicability (SoA).

The SoA states, for each control:


  • Does this apply to our organization?
  • If yes: how has it been implemented?
  • If no: why not (for example, because we don't develop our own software, so A.8.28 is out of scope)?

The auditor reviews this SoA during the certification audit and asks critical questions: not so much about the controls you do implement, but specifically about the controls you do not implement. A solid justification makes the difference between a smooth audit and a list of findings.

Practical tip: don't treat the SoA as a checklist, but as a communication document. It tells customers, auditors, and your own management why you have set up your information security the way you have. That is ultimately what the standard is looking for.

How do you choose the right set for your organization?

The selection of controls is not a matter of taste. It follows from two other components of your ISMS (Information Security Management System): the risk analysis and the Statement of Applicability. A good risk analysis shows you which controls you need. From there, you build your SoA with a justification for each choice, and a brief preliminary gap analysis shows where you currently stand and where the biggest gaps are.
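The SoA rules described above (every control assessed; each applicable control says how it is implemented; each excluded control carries a justification) and the preliminary gap analysis can be expressed as a small consistency check. The following Python script is an added example, not code from the original article: the control list is a constructed subset of the 93 Annex A controls using the identifiers named on this page, the sample SoA entries are constructed, and the finding texts are my own wording rather than any auditor's or tool's output.

```python
"""Consistency check for a Statement of Applicability (SoA), plus a gap list.

Added example, not from the original article. Assumptions:
- ANNEX_A is a constructed subset of the 93 Annex A controls (ISO 27001:2022),
  using only identifiers that appear in the article.
- Finding texts are illustrative, not official audit wording.
"""
from dataclasses import dataclass

# Constructed subset of Annex A; theme is encoded in the identifier (A.5 .. A.8).
ANNEX_A = {
    "A.5.1": "Information security policy",
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for the use of cloud services",
    "A.6.3": "Awareness and training",
    "A.7.2": "Physical access control",
    "A.8.5": "Authentication",
    "A.8.12": "Prevention of data leakage",
    "A.8.28": "Secure coding",
}

THEMES = {"A.5": "Organizational", "A.6": "People", "A.7": "Physical", "A.8": "Technological"}


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    implementation: str = ""   # required when applicable: how the control is implemented
    justification: str = ""    # required when not applicable: why it is excluded
    implemented: bool = False  # current state, used by the gap analysis


def review_soa(entries):
    """Return findings an auditor would raise against an incomplete SoA."""
    findings = []
    assessed = {e.control_id for e in entries}
    # Rule 1: every Annex A control must be assessed (included or excluded).
    for cid in ANNEX_A:
        if cid not in assessed:
            findings.append(f"{cid}: not assessed in the SoA")
    for e in entries:
        if e.control_id not in ANNEX_A:
            findings.append(f"{e.control_id}: unknown control identifier")
        # Rule 2: an applicable control must describe its implementation.
        elif e.applicable and not e.implementation.strip():
            findings.append(f"{e.control_id}: applicable but implementation not described")
        # Rule 3: an excluded control must carry a justification.
        elif not e.applicable and not e.justification.strip():
            findings.append(f"{e.control_id}: excluded without justification")
    return findings


def gap_analysis(entries):
    """Applicable controls not yet implemented, grouped by Annex A theme."""
    gaps = {}
    for e in entries:
        if e.applicable and not e.implemented:
            theme = ".".join(e.control_id.split(".")[:2])  # "A.8.5" -> "A.8"
            gaps.setdefault(theme, []).append(e.control_id)
    return gaps


# Constructed SoA: A.7.2 is deliberately missing, A.5.7 lacks an implementation
# description, and A.8.12 is excluded without a reason.
SAMPLE_SOA = [
    SoaEntry("A.5.1", True, "policy approved by management, reviewed yearly", implemented=True),
    SoaEntry("A.5.7", True),
    SoaEntry("A.5.23", True, "cloud suppliers assessed before onboarding"),
    SoaEntry("A.6.3", True, "annual awareness training incl. phishing", implemented=True),
    SoaEntry("A.8.5", True, "MFA on all user accounts"),
    SoaEntry("A.8.12", False),
    SoaEntry("A.8.28", False, justification="we do not develop our own software"),
]

if __name__ == "__main__":
    for f in review_soa(SAMPLE_SOA):
        print("FINDING", f)
    for theme, ids in gap_analysis(SAMPLE_SOA).items():
        print(f"GAP {theme} ({THEMES[theme]}): {', '.join(ids)}")
```

Running the script lists three findings (the unassessed control, the undescribed implementation, and the unjustified exclusion) and the open gaps per theme; a real SoA would replace `ANNEX_A` with the full 93-control list and read the entries from your ISMS tooling.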

Frequently Asked Questions

What is the difference between Annex A and ISO 27002?

Annex A is a list of 93 controls within the standard itself. ISO 27002 is a separate standard that explains what each control means and how to implement it. For the audit, Annex A is binding; ISO 27002 is your workbook.


Do I need to demonstrate all 93 controls for every certification?

Only those you have marked as "applicable" in your SoA. The auditor will assess your chosen set against practical implementation.


What if I declare a control "not applicable"?

That is allowed, provided you can justify it based on your risk analysis. A good explanation ("we don't develop our own software, so A.8.28 is not relevant") is sufficient. No explanation will result in an audit finding.


What if I want to incorporate privacy strategically?

ISO 27701 is the privacy extension of ISO 27001: a separate certification that builds upon your existing ISMS. Suitable if you want to formally demonstrate GDPR compliance in addition to information security.


How does the audit itself proceed?

In two stages. Stage 1 is a documentation check: do you have all the necessary documents in order? Stage 2 is the practical assessment: do you actually do in practice what is stated in the documents? For recertification (after three years), it often becomes one integrated audit.


Will there be any further changes to Annex A after 2022?

The next standard update has not yet been announced. Interim changes are implemented via ISO 27002 or through technical reports.

Ready to refine your SoA?

The 93 controls are more manageable than they seem, as long as you know which ones apply to you and why. In a one-day gap analysis, we help you identify which controls are truly relevant for your scope and risks, and what justification an auditor expects. That way, you know where you stand and what your priorities should be.
