ISO 27001 is the globally recognized standard for managing information security. Central to this standard is the concept of an Information Security Management System (ISMS), a systematic approach to managing and securing information. Annex A plays a pivotal role in ISO 27001 by offering a comprehensive catalog of security controls designed to address the risks identified during a risk assessment. These controls provide organizations with the tools to create tailored solutions for their risk status.
This guide dives deep into Annex A’s role, answering questions like:
- How does Annex A fit into ISO 27001?
- What are the changes in Annex A in the 2022 update?
- How should organizations select and implement Annex A ISO 27001 controls?
- What is the Statement of Applicability, and why is it essential?
- How does ISO 27002 complement Annex A?
Let’s explore these topics in detail.

The Structure of ISO 27001
ISO 27001 is divided into two primary components:
1. Clauses 4–10: These form the core auditable requirements of the standard, outlining the process for establishing and managing an ISMS. They guide organizations in defining their context, assessing risks, setting objectives, and implementing a continual improvement process.
2. Annex A: While not part of the auditable requirements, Annex A provides a list of controls that organizations can reference to mitigate the risks identified during the ISMS process. Each control in Annex A aligns with the broader risk management framework outlined in Clauses 4–10.
This structure ensures that organizations not only establish a robust management system (Clauses 4–10) but also implement the necessary security measures (Annex A) to address identified vulnerabilities.
The Role of Annex A in ISO 27001
Annex A acts as a reference tool within ISO 27001. It provides a list of specific security controls to address the risks identified during a risk assessment. However, it is important to note that Annex A is not prescriptive: it does not mandate the use of every control listed but serves as a framework for selecting those most relevant to your organization.
Key takeaways about Annex A
- It provides a comprehensive set of controls grouped into four themes: Organizational, People, Physical, and Technological.
- The controls are adaptable, allowing organizations to align them with specific risk scenarios and compliance needs.
- Its purpose is to ensure no critical areas of information security are overlooked.
What’s New in Annex A (ISO 27001:2022)?
The 2022 update to ISO 27001 introduced significant changes to Annex A:
- Simplified Structure: The 93 controls are now grouped into 4 themes, replacing the 14 domains and 114 controls of the 2013 version.
- Control Attributes: Each control now includes attributes to enhance understanding and implementation, such as:
  - Control Type: Preventive, Detective, or Corrective.
  - Information Security Properties: Confidentiality, Integrity, Availability.
  - Cybersecurity Concepts: Broader principles like resilience and attack surface management.
- Modernization: The updates reflect current security challenges, such as cloud security, threat intelligence, and secure software development practices.
How to Select Annex A Controls
Annex A provides a list of controls, but not all will be relevant to every organization. Selection is based on a detailed risk assessment that identifies specific vulnerabilities and threats. Here’s how to approach the process:
1. Conduct a Risk Assessment
   - Identify information assets and assess potential risks.
   - Evaluate the likelihood and impact of identified risks.
2. Map Risks to Controls
   - Use Annex A to identify controls that mitigate the identified risks.
   - Consider whether additional controls outside Annex A are necessary.
3. Customize Controls
   - Tailor controls to fit the organization’s operational context, size, and industry requirements.
4. Document the Process
   - Record the selected controls and justify any exclusions in the Statement of Applicability (SoA).
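As an added example (not part of the original guide), the four steps above as a small Python model: risks are scored by likelihood × impact, mapped to Annex A control ids, and turned into SoA rows; the audit function then flags what a certification auditor would flag, namely high risks with no treatment, references to unknown controls, and exclusions with no justification. The control ids and the risk register are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample of Annex A controls (2022 numbering, names abbreviated).
CONTROLS = {"A.5.7": "Threat intelligence", "A.7.1": "Physical security perimeters",
            "A.8.15": "Logging", "A.8.16": "Monitoring activities"}

@dataclass
class Risk:
    rid: str
    asset: str
    likelihood: int   # 1 (rare) to 5 (almost certain)
    impact: int       # 1 (negligible) to 5 (severe)
    treated_by: list  # Annex A control ids selected as treatment

    def score(self) -> int:
        return self.likelihood * self.impact

def build_soa(controls, risks, exclusions):
    """One SoA row per control: applicable when at least one risk is treated
    by it, otherwise excluded with the justification recorded (or blank)."""
    soa = []
    for cid in controls:
        refs = [r.rid for r in risks if cid in r.treated_by]
        soa.append({"control": cid, "applicable": bool(refs),
                    "justification": "treats " + ", ".join(refs) if refs
                    else exclusions.get(cid, "")})
    return soa

def audit(controls, risks, soa, threshold=10):
    """Findings an auditor would raise: high risks left untreated, references
    to unknown control ids, and exclusions with no justification."""
    findings = []
    for r in risks:
        for cid in r.treated_by:
            if cid not in controls:
                findings.append(f"{r.rid}: unknown control {cid}")
        if r.score() >= threshold and not r.treated_by:
            findings.append(f"{r.rid}: score {r.score()} >= {threshold}, untreated")
    for row in soa:
        if not row["applicable"] and not row["justification"].strip():
            findings.append(f"{row['control']}: excluded without justification")
    return findings

# Constructed register: R2 is high-scoring but untreated, and A.5.7 is
# excluded without a justification; both should surface as findings.
RISKS = [Risk("R1", "customer database", 4, 5, ["A.8.15", "A.8.16"]),
         Risk("R2", "SaaS admin credentials", 4, 4, [])]
EXCLUSIONS = {"A.7.1": "no company-operated premises; staff fully remote"}
SOA = build_soa(CONTROLS, RISKS, EXCLUSIONS)
FINDINGS = audit(CONTROLS, RISKS, SOA)
```

The threshold of 10 stands in for the organization's risk acceptance criteria; anything at or above it must have a treatment recorded before the SoA is considered complete.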
Understanding the Statement of Applicability (SoA)
The SoA is a cornerstone of ISO 27001 compliance, acting as the bridge between your risk assessment and the Annex A ISO 27001 controls you implement. It serves multiple purposes:
- Documentation: Includes the ISO 27001 Annex A controls list, noting whether each control is included or excluded, with justifications for each decision.
- Auditing: Provides auditors with a clear view of how the organization addresses its risks.
- Accountability: Tracks the implementation status of each control.
Best practices for managing your SoA include:
- Treating it as a living document, updating it regularly to reflect changes in the organization or threat landscape.
- Using software tools for version control and efficient updates.
Start Getting Value With Centraleyes for Free: see for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets, giving you immediate value and a full risk assessment in less than 30 days.
How Many Annex A Controls Exist in ISO 27001?
The 2022 version of ISO 27001 includes 93 controls in Annex A, organized into four themes: Organizational, People, Physical, and Technological. This is a streamlined structure compared to the 2013 version, which had 114 controls grouped into 14 domains.
These 93 controls reflect modern security challenges, including new areas like threat intelligence and secure software development.
1. Organizational Controls (37 controls)
These controls define the governance and management framework for information security.
Highlights include:
- Policies and Governance: Information security policies, governance structures, and defined responsibilities.
- Risk Management: Threat intelligence, monitoring, and risk treatment processes.
- Asset Management: Classification, labeling, and handling of information assets.
2. People Controls (8 controls)
Focused on managing human factors in security:
- Screening and Onboarding: Pre-employment checks and onboarding processes.
- Training and Awareness: Security training programs and awareness campaigns.
- Incident Reporting: Procedures for reporting and responding to security incidents.
3. Physical Controls (14 controls)
Targeting physical security aspects:
- Facilities Management: Securing physical perimeters and controlled access areas.
- Equipment Security: Maintenance, cabling, and clear desk policies.
- Utility Protection: Ensuring reliable power and environmental controls.
4. Technological Controls (34 controls)
Addressing technical safeguards:
- Network Security: Segmentation, firewalls, and secure communication.
- Application Security: Secure coding practices and vulnerability management.
- Monitoring and Recovery: Logging, monitoring, and backup systems.
ISO 27002: A Companion to Annex A
While Annex A lists the controls, ISO 27002 provides the practical guidance needed to implement them effectively. It explains the objectives, benefits, and examples for each control, making it an indispensable resource for organizations aiming to meet ISO 27001 requirements.
Key differences:
- ISO 27001: Focuses on the “what”: the requirements that must be met for certification.
- ISO 27002: Focuses on the “how”: detailed guidance for implementing each control.
How Annex A Supports Broader Compliance Efforts
Annex A controls can be mapped to other frameworks, such as NIST CSF, COBIT, and GDPR. This alignment helps organizations:
- Streamline compliance across multiple standards.
- Reduce redundancy in implementing security measures.
- Build a cohesive risk management strategy.