ISO 27001 Annex A Controls Explained: A Practical Guide to All 93 Controls

Understanding the Annex A Control Framework

Annex A of ISO 27001:2022 provides a reference set of 93 information security controls that organizations can select based on their risk assessment results. These controls represent international best practices for information security and cover the full spectrum of security concerns from governance and policy through technical implementation and physical protection. While not every control will be applicable to every organization, understanding the complete control set is essential for making informed decisions about your Statement of Applicability.

The 2022 version organizes controls into four intuitive themes that align with how organizations typically manage security responsibilities. This guide provides a practical overview of each theme and its controls, helping you understand what each control requires and how it can be implemented in real-world environments.

Organizational Controls (A.5) — 37 Controls

Organizational controls form the governance backbone of your ISMS. They address how your organization manages information security at a strategic and operational level through policies, processes, roles, and responsibilities.

Policies for information security (A.5.1) establish the foundation by requiring a management-approved policy framework that provides direction for your security program. Information security roles and responsibilities (A.5.2) ensure that security duties are clearly assigned and understood throughout the organization. Segregation of duties (A.5.3) prevents conflicts of interest and reduces fraud and error risks.

Management responsibilities (A.5.4) require leadership to actively promote and support information security. Contact with authorities (A.5.5) and contact with special interest groups (A.5.6) ensure your organization maintains relationships with external parties relevant to information security, including law enforcement and industry groups.

The new threat intelligence control (A.5.7) requires proactive collection and analysis of threat information. Information security in project management (A.5.8) ensures security is considered in every project regardless of its type. Asset management controls (A.5.9-A.5.13) address the inventory, classification, labeling, and acceptable use of information and associated assets.

Access control policies (A.5.15), identity management (A.5.16), authentication (A.5.17), and access rights (A.5.18) form a comprehensive framework for controlling who can access your information and systems. Supplier relationship controls (A.5.19-A.5.22) manage the security risks associated with third-party relationships. Cloud services security (A.5.23) is a new control addressing the specific risks of cloud computing.

Incident management controls (A.5.24-A.5.28) establish your capability to detect, report, assess, respond to, and learn from security incidents. Business continuity controls (A.5.29-A.5.30) ensure your organization can maintain operations during disruptions. Legal and compliance controls (A.5.31-A.5.36) address intellectual property, privacy, and regulatory obligations. The independent review control (A.5.35) requires periodic external assessment of your security practices.

People Controls (A.6) — 8 Controls

People controls recognize that humans are both the greatest asset and the greatest vulnerability in any security program. These controls address security throughout the employment lifecycle and in remote working situations.

Screening (A.6.1) requires background verification of candidates before employment. Terms and conditions of employment (A.6.2) ensure security responsibilities are clearly communicated and agreed upon. Information security awareness, education, and training (A.6.3) develops the security knowledge and skills of all personnel. Disciplinary process (A.6.4) provides consequences for security policy violations. Responsibilities after termination (A.6.5) protect information when employment ends. Confidentiality agreements (A.6.6) formalize non-disclosure obligations. Remote working (A.6.7) addresses security measures for working outside traditional office environments. Information security event reporting (A.6.8) ensures personnel know how to report security events.

Physical Controls (A.7) — 14 Controls

Physical controls protect facilities, equipment, and physical media from unauthorized access, damage, and interference. Physical security perimeters (A.7.1) define and protect the boundaries of secure areas. Physical entry (A.7.2) controls access to these areas. Securing offices, rooms, and facilities (A.7.3) addresses the protection of specific locations. Physical security monitoring (A.7.4) is a new control requiring continuous surveillance of premises.

Protection against physical and environmental threats (A.7.5) addresses natural disasters and environmental hazards. Working in secure areas (A.7.6) establishes rules for personnel in sensitive locations. Clear desk and clear screen (A.7.7) prevents unauthorized access to information left unattended. Equipment siting and protection (A.7.8) addresses the physical placement and protection of information processing equipment. Security of assets off-premises (A.7.9) protects equipment and information outside the organization’s facilities.

Storage media (A.7.10) addresses the lifecycle management of physical and digital storage media. Supporting utilities (A.7.11) protects against power failures and other utility disruptions. Cabling security (A.7.12) prevents interception or damage to network and power cabling. Equipment maintenance (A.7.13) ensures continued availability and integrity through proper maintenance. Secure disposal or reuse of equipment (A.7.14) prevents information leakage when equipment is retired.

Technological Controls (A.8) — 34 Controls

Technological controls address the technical security measures applied to information systems, networks, and applications. User endpoint devices (A.8.1) protects laptops, smartphones, and other devices. Privileged access rights (A.8.2) manages administrative access. Information access restriction (A.8.3) limits access based on business needs. Access to source code (A.8.4) protects software intellectual property.

Secure authentication (A.8.5) implements strong authentication mechanisms. Capacity management (A.8.6) ensures resources meet current and future needs. Protection against malware (A.8.7) deploys anti-malware defenses. Management of technical vulnerabilities (A.8.8) identifies and remediates system weaknesses. Configuration management (A.8.9) is a new control ensuring secure system configurations.

Information deletion (A.8.10), data masking (A.8.11), and data leakage prevention (A.8.12) are all new controls addressing data lifecycle management. Information backup (A.8.13) ensures recoverability. Redundancy (A.8.14) provides availability through redundant components. Logging (A.8.15) captures security-relevant events. Monitoring activities (A.8.16) is a new control for active security surveillance.

Clock synchronization (A.8.17) ensures accurate timestamps. Use of privileged utility programs (A.8.18) restricts powerful system tools. Installation of software (A.8.19) controls what software runs in your environment. Network security (A.8.20), security of network services (A.8.21), and segregation of networks (A.8.22) protect your network infrastructure. Web filtering (A.8.23) is a new control blocking malicious web content.

Use of cryptography (A.8.24) protects information through encryption. Secure development lifecycle (A.8.25), application security requirements (A.8.26), secure system architecture (A.8.27), and secure coding (A.8.28) address security in software development. Security testing (A.8.29) validates security controls. Outsourced development (A.8.30) manages security risks in third-party development. Separation of environments (A.8.31) isolates development, test, and production systems. Change management (A.8.32) controls modifications to information systems. Test information (A.8.33) protects data used in testing. Protection of information systems during audit testing (A.8.34) ensures audits don’t compromise security.

Selecting and Implementing Controls

Your risk assessment drives control selection. Not every control will be applicable, but you must consider each one and document your decision in the Statement of Applicability. When selecting controls, consider the risk they address, the cost and effort of implementation, their interaction with other controls, and any legal or contractual requirements that mandate specific controls.

Easy Compliances provides detailed implementation guides for every Annex A control, complete with practical examples, configuration guidance, and documentation templates. Our training courses walk you through the control selection process and help you build an effective, efficient control framework for your organization.
