Annex A: 93 Controls
Understanding the four control categories, how they map to the Statement of Applicability, and the difference between applicability and implementation.
Overview
Annex A of ISO 27001:2022 contains 93 reference controls organised into four categories. These controls are drawn from ISO 27002:2022, which provides detailed implementation guidance. Annex A is not a checklist to blindly implement — it is a reference set against which you compare your risk treatment controls to ensure nothing important has been overlooked.
The Four Control Categories
5.x Organisational Controls (37 controls)
These address how the organisation manages information security at a governance and policy level. They cover areas such as:
- Information security policies and roles (5.1-5.6)
- Threat intelligence and asset management (5.7-5.14)
- Identity and access management (5.15-5.18)
- Supplier relationships and cloud services (5.19-5.23)
- Incident management, business continuity, and compliance (5.24-5.37)
Notable new controls include 5.7 Threat intelligence (collecting and analysing information about threats) and 5.23 Information security for use of cloud services.
6.x People Controls (8 controls)
These focus on the human element of information security:
- Screening and terms of employment (6.1-6.2)
- Security awareness, education, and training (6.3)
- Disciplinary process (6.4)
- Responsibilities after termination or change (6.5)
- Confidentiality and non-disclosure agreements (6.6)
- Remote working and information security event reporting (6.7-6.8)
7.x Physical Controls (14 controls)
These protect against physical and environmental threats:
- Physical security perimeters and entry controls (7.1-7.2)
- Securing offices, rooms, and facilities (7.3-7.5)
- Clear desk and clear screen (7.7)
- Equipment siting, protection, and maintenance (7.8-7.13)
- Secure disposal or re-use of equipment (7.14)
8.x Technological Controls (34 controls)
These address technical security measures:
- User endpoint devices and privileged access (8.1-8.2)
- Information access restriction and source code access (8.3-8.4)
- Authentication, capacity, and malware protection (8.5-8.7)
- Vulnerability management, configuration, and data deletion (8.8-8.10)
- Data masking, data leakage prevention, and monitoring (8.11-8.16)
- Web filtering, secure coding, and cryptography (8.22-8.24)
- Secure development lifecycle, testing, and network security (8.25-8.34)
Notable new controls include 8.11 Data masking, 8.12 Data leakage prevention, and 8.23 Web filtering.
Applicability vs Implementation
There is an important distinction between whether a control is applicable and whether it is implemented:
- Applicable — the control is relevant to your organisation's context and risk profile. Most controls will be applicable, but some may not be (e.g. physical security controls may not apply to a fully remote organisation).
- Not applicable — the control is not relevant to your context. You must provide a justification for excluding it in the SoA.
- Implemented — the control is applicable and has been put into practice with evidence to demonstrate it is effective.
- Not implemented — the control is applicable but has not yet been put into practice. This represents a gap that needs to be addressed.
The Statement of Applicability (SoA) must document the status of every control, making it one of the most important documents in your ISMS.
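As an added example (not Standardise's code and not part of the original page), the status distinctions above expressed as a small SoA validator in Python: it enforces the justification requirement for excluded controls, lists applicable-but-not-implemented gaps, and computes an implementation ratio. The rule that "implemented" must be backed by evidence and the readiness formula (implemented divided by applicable) are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Status vocabulary from the page: applicability and implementation are tracked separately.
APPLICABILITY = {"applicable", "not applicable"}
IMPLEMENTATION = {"implemented", "not implemented"}

@dataclass
class SoaEntry:
    control_id: str                       # Annex A number, e.g. "5.7"
    title: str
    applicability: str
    implementation: Optional[str] = None  # None when the control is not applicable
    justification: str = ""               # required for every "not applicable" control
    evidence: str = ""                    # assumed requirement before a control counts as "implemented"

def validate(entry: SoaEntry) -> list:
    """Return the problems an auditor would flag for one SoA row (empty list = clean)."""
    problems = []
    if entry.applicability not in APPLICABILITY:
        problems.append(f"{entry.control_id}: unknown applicability '{entry.applicability}'")
    if entry.applicability == "not applicable" and not entry.justification.strip():
        problems.append(f"{entry.control_id}: exclusion needs a justification")
    if entry.applicability == "applicable":
        if entry.implementation not in IMPLEMENTATION:
            problems.append(f"{entry.control_id}: applicable control needs an implementation status")
        elif entry.implementation == "implemented" and not entry.evidence.strip():
            problems.append(f"{entry.control_id}: 'implemented' claimed without evidence")
    return problems

def gaps(entries) -> list:
    """Applicable but not implemented: the gaps the page says must be addressed."""
    return [e.control_id for e in entries
            if e.applicability == "applicable" and e.implementation == "not implemented"]

def readiness(entries) -> float:
    """Implemented share of applicable controls (assumed formula for the readiness ring)."""
    applicable = [e for e in entries if e.applicability == "applicable"]
    if not applicable:
        return 0.0
    return sum(e.implementation == "implemented" for e in applicable) / len(applicable)

# Constructed sample rows, not a real SoA.
SAMPLE = [
    SoaEntry("5.7", "Threat intelligence", "applicable", "implemented", evidence="threat-intel-procedure.md"),
    SoaEntry("7.1", "Physical security perimeters", "not applicable", justification="Fully remote organisation; no offices."),
    SoaEntry("8.11", "Data masking", "applicable", "not implemented"),
    SoaEntry("8.23", "Web filtering", "applicable", "implemented"),  # claims implemented, no evidence
    SoaEntry("7.2", "Physical entry", "not applicable"),             # excluded without justification
]
```

Running `validate` over every row before export catches the two rows an auditor would reject (8.23 and 7.2), while `gaps` and `readiness` report the remaining work.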
How Standardise Helps
Standardise pre-loads all 93 Annex A controls into the Statement of Applicability module, organised into the four categories with tabbed navigation. For each control, you can set its applicability status, implementation status, and add justification notes. The compliance readiness ring on the dashboard shows your overall implementation progress at a glance, and the SoA can be exported as CSV for auditor review.