
ISO 27001 Annex A Controls Explained: All 93 Controls at a Glance

The 2022 revision reorganised Annex A into 4 themes and 93 controls. This guide breaks down what each theme covers, which controls are new, and how to handle exclusions in your Statement of Applicability.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

Annex A is the part of ISO 27001 that most organisations spend the most time on — and the part most often misunderstood. It is a reference set of information security controls. The main body of the standard (Clauses 4-10) tells you to manage risk and implement controls; Annex A tells you what those controls look like in practice. Understanding the structure and logic of Annex A is essential before you begin selecting controls for your Statement of Applicability.

Control count per theme:

  • A.5 Organisational: 37 controls
  • A.6 People: 8 controls
  • A.7 Physical: 14 controls
  • A.8 Technological: 34 controls

What Changed in the 2022 Revision

The 2013 version of ISO 27001 had 114 controls across 14 domains. The 2022 revision consolidated and restructured this into 93 controls across 4 themes. Controls were merged, updated, and in some cases rewritten substantially. Eleven completely new controls were added to reflect the modern threat and technology landscape. If you are transitioning from a 2013-certified ISMS, you need to map your existing controls to the new structure and assess whether any gaps have opened up.

The four themes are: Organisational (A.5), People (A.6), Physical (A.7), and Technological (A.8). The logic is intuitive — controls are grouped by the nature of the measure rather than by the asset or process they protect. This makes the selection process more structured than the 2013 domain-based approach.

A.5: Organisational Controls (37 controls)

Organisational controls are governance-level measures — things your organisation does as a whole rather than actions taken by individuals or embedded in systems. This is the largest theme, covering policies, roles, processes, and relationships.

Key controls in this theme include:

  • A.5.1 Policies for information security — the top-level policy and supporting documentation
  • A.5.2 Information security roles and responsibilities — who owns what
  • A.5.7 Threat intelligence — one of the 11 new 2022 controls
  • A.5.19 to A.5.22 — supplier relationship management, including monitoring and change management
  • A.5.23 Information security for use of cloud services — new in 2022, critical for cloud-first organisations
  • A.5.24 to A.5.28 — incident management, from planning through to evidence collection and post-incident learning
  • A.5.29 Information security during disruption — business continuity for your ISMS
  • A.5.36 Compliance with policies — internal review of security practices

Most organisations can implement nearly all organisational controls — the exceptions are typically controls around specific types of supplier relationships or sector-specific requirements that do not apply.

A.6: People Controls (8 controls)

People controls address the human factors in information security. This is a compact theme with only 8 controls, but they have a disproportionate impact on security outcomes — most breaches involve a human element.

  • A.6.1 Screening — pre-employment background checks appropriate to the role and data accessed
  • A.6.2 Terms and conditions of employment — security obligations in contracts
  • A.6.3 Information security awareness, education, and training — mandatory for all staff
  • A.6.4 Disciplinary process — what happens when people violate security policies
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working — new as a standalone control in 2022, reflecting post-pandemic realities
  • A.6.8 Information security event reporting — how staff report suspected incidents

A.7: Physical Controls (14 controls)

Physical controls govern access to and security of physical spaces, equipment, and media. For organisations that do not run their own servers or data centres, a significant portion of physical controls are inherited from cloud providers and co-location facilities. You still need to document this — the control is applicable; you are just relying on a supplier to implement it.

  • A.7.1 Physical security perimeters — defined secure areas
  • A.7.2 Physical entry controls — who can access which areas
  • A.7.4 Physical security monitoring — CCTV and surveillance (new in 2022)
  • A.7.6 Working in secure areas
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises — laptops and devices outside the office
  • A.7.10 Storage media — secure handling and disposal
  • A.7.14 Secure disposal or re-use of equipment

A.8: Technological Controls (34 controls)

Technological controls are system and infrastructure-level measures. This theme covers the technical implementation of security — access management, encryption, network security, application security, and operational security. For technology companies, this theme will generate the most implementation work.

  • A.8.2 Privileged access rights — management of admin accounts
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities — patching and vulnerability scanning
  • A.8.9 Configuration management — new in 2022
  • A.8.10 Information deletion — new in 2022, particularly relevant to data retention
  • A.8.11 Data masking — new in 2022
  • A.8.12 Data leakage prevention — new in 2022
  • A.8.16 Monitoring activities — system and event logging
  • A.8.23 Web filtering — new in 2022
  • A.8.24 Use of cryptography
  • A.8.28 Secure coding — new in 2022, critical for software development organisations

The 11 New Controls Added in 2022

The 2022 revision added 11 entirely new controls that did not exist in the 2013 version. These reflect how security threats and organisational practices have evolved over the past decade:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

How to Handle Exclusions in the Statement of Applicability

The Statement of Applicability (SoA) is the document where you declare, for each of the 93 controls, whether it is applicable to your organisation and, if applicable, how it is implemented. Exclusions are legitimate — but they must be justified. The justification needs to be based on your risk assessment, not on convenience.

Common cases include: physical data centre controls for a fully cloud-hosted organisation (note that these are inherited from the cloud provider and remain applicable rather than excluded), secure coding controls for a company with no software development, and media handling controls for a paperless organisation. The key test is whether a risk exists that the control would address. If no such risk exists, exclusion with documented justification is valid.

Common Mistakes with Annex A

The most common mistake is treating Annex A as a checklist to complete rather than a menu to select from. Organisations that try to implement every control regardless of relevance create unnecessary work and produce an ISMS that does not reflect their actual risk profile. Auditors are experienced enough to spot over-engineered documentation that does not match the organisation's actual operating environment.

The second common mistake is completing the SoA without grounding control selections in the risk register. The SoA should flow directly from your risk treatment plan — each control you select should be traceable to a risk you identified and decided to treat. If your risk register and SoA are not connected, your auditor will surface this immediately.
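One way to mechanise the checks described in this section and the previous one, as an added example that is not from the article or from ISO READY 360: every one of the 93 controls must be declared, every exclusion must carry a justification, and every applicable control must trace back to a risk in the treatment plan. The SoaRow shape, the treatment-plan mapping and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Controls per theme, as stated in the article (37 + 8 + 14 + 34 = 93).
THEME_SIZES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
ALL_CONTROLS = {f"{t}.{i}" for t, n in THEME_SIZES.items() for i in range(1, n + 1)}


@dataclass
class SoaRow:
    control: str
    applicable: bool
    justification: str = ""   # required when applicable is False
    inherited_from: str = ""  # supplier name when an applicable control is inherited


def missing_controls(rows):
    """Controls the SoA does not declare; every one of the 93 must appear."""
    return sorted(ALL_CONTROLS - {r.control for r in rows})


def trace_findings(rows, treatment_plan):
    """Cross-check SoA rows against the risk treatment plan.

    treatment_plan maps a risk id to the set of controls chosen to treat it.
    """
    treated_by = {}  # control -> set of risk ids that selected it
    for risk_id, controls in treatment_plan.items():
        for c in controls:
            treated_by.setdefault(c, set()).add(risk_id)
    findings = []
    for r in rows:
        if not r.applicable:
            if not r.justification.strip():
                findings.append(f"{r.control}: excluded without justification")
            if r.control in treated_by:
                findings.append(f"{r.control}: excluded but selected by "
                                f"{sorted(treated_by[r.control])}")
        elif r.control not in treated_by:
            findings.append(f"{r.control}: applicable but traces to no risk")
    return findings


# Constructed sample data: a handful of SoA rows and a small treatment plan.
SAMPLE_ROWS = [
    SoaRow("A.8.8", True),
    SoaRow("A.8.28", False, "No in-house software development"),
    SoaRow("A.7.2", True, inherited_from="cloud provider"),
    SoaRow("A.8.23", False),
    SoaRow("A.8.12", True),
]
SAMPLE_PLAN = {"R-01": {"A.8.8", "A.8.16"}, "R-02": {"A.7.2", "A.8.28"}}
```

Running `trace_findings(SAMPLE_ROWS, SAMPLE_PLAN)` on the sample flags an exclusion that the risk register still relies on, an exclusion with no justification, and an applicable control that no risk selected; `missing_controls` lists the 88 controls the sample never declares.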

Our Statement of Applicability template is pre-populated with all 93 controls and includes justification fields for each one, making the process considerably faster than building from scratch.
