ReadSafety.com

ISO 27001 Questions, Answered

What are the Annex A controls in ISO 27001?

Quick answer

Annex A of ISO 27001:2022 is the reference set of 93 information security controls, organized into four themes: organizational (37 controls), people (8), physical (14), and technological (34). The 2022 revision consolidated the old 114 controls from 14 domains and added 11 new ones, including threat intelligence, cloud security, and data leakage prevention.

The four themes, briefly

  • Organizational (A.5, 37 controls). Policies, roles, supplier management, incident management planning, legal and contractual compliance, and cloud service security. The governance spine.
  • People (A.6, 8 controls). Screening, terms of employment, awareness and training, disciplinary process, remote working, and event reporting duties.
  • Physical (A.7, 14 controls). Perimeters, entry, protecting against environmental threats, equipment siting, secure disposal, clear desk.
  • Technological (A.8, 34 controls). The largest theme: access rights, authentication, malware, vulnerabilities, backup, logging and monitoring, cryptography, secure development, and network security.

What the 2022 revision changed

The old 2013 structure (114 controls, 14 domains) was reorganized into the four themes with extensive merging, and 11 new controls were added to reflect a decade of change: threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Every control also carries attributes (control type, security properties, cybersecurity concepts) enabling mapping to other frameworks.

Key factThe transition period from ISO 27001:2013 ended on 31 October 2025. Certificates against the 2013 edition are no longer valid anywhere. If a supplier shows you a 2013-edition certificate today, it is expired regardless of the printed dates; ask for their 2022-edition certificate.

How selection actually works

No Annex A control is mandatory by default. Your risk assessment determines which controls are necessary; the Statement of Applicability records each inclusion and exclusion with justification. In practice, the large majority of controls apply to most organizations, and the honest work is in how each applies: "A.8.13 backup" for a SaaS company means tested restores of production data with defined objectives, not the existence of a backup checkbox at a cloud provider.

Where audits find the gaps

Recurring weak points across real ISO 27001:2022 audits: supplier and cloud service controls supported by contracts nobody reviewed, logging and monitoring that exists but alerts nobody, access reviews performed annually for systems that change weekly, secure development claimed but unenforced in the pipeline, and the new-in-2022 controls (threat intelligence, DLP, web filtering) marked implemented on the strength of a tool license rather than an operating process. Selecting controls is the easy half; operating them with evidence is the standard.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 27001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC