The four themes, briefly
- Organizational (A.5, 37 controls). Policies, roles, supplier management, incident management planning, legal and contractual compliance, and cloud service security. The governance spine.
- People (A.6, 8 controls). Screening, terms of employment, awareness and training, disciplinary process, remote working, and event reporting duties.
- Physical (A.7, 14 controls). Perimeters, entry, protecting against environmental threats, equipment siting, secure disposal, clear desk.
- Technological (A.8, 34 controls). The largest theme: access rights, authentication, malware, vulnerabilities, backup, logging and monitoring, cryptography, secure development, and network security.
What the 2022 revision changed
The old 2013 structure (114 controls, 14 domains) was reorganized into the four themes with extensive merging, and 11 new controls were added to reflect a decade of change: threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Every control also carries attributes (control type, security properties, cybersecurity concepts) enabling mapping to other frameworks.
How selection actually works
No Annex A control is mandatory by default. Your risk assessment determines which controls are necessary; the Statement of Applicability records each inclusion and exclusion with justification. In practice, the large majority of controls apply to most organizations, and the honest work is in how each applies: "A.8.13 backup" for a SaaS company means tested restores of production data with defined objectives, not the existence of a backup checkbox at a cloud provider.
Where audits find the gaps
Recurring weak points across real ISO 27001:2022 audits: supplier and cloud service controls supported by contracts nobody reviewed, logging and monitoring that exists but alerts nobody, access reviews performed annually for systems that change weekly, secure development claimed but unenforced in the pipeline, and the new-in-2022 controls (threat intelligence, DLP, web filtering) marked implemented on the strength of a tool license rather than an operating process. Selecting controls is the easy half; operating them with evidence is the standard.