
ISO 27001 Annex A: the 93 controls in the 2022 revision

Annex A of ISO/IEC 27001:2022 lists 93 reference controls in four themes: 37 organisational, 8 people, 14 physical, 34 technological. The previous 2013 version had 114 controls in 14 domains. The change is structural, not a relaxation of scope.

The four themes

ISO/IEC 27001:2022 groups Annex A controls into four themes. The theme is a high-level container; the substantive logic still lives inside individual controls.

  • Organisational controls (37). Policies, roles, segregation of duties, supplier relationships, information security in project management, incident management arrangements, identity and access management policies, threat intelligence, classification of information.
  • People controls (8). Screening, employment terms, security awareness, disciplinary process, responsibilities after termination or change of employment, confidentiality agreements, remote working.
  • Physical controls (14). Physical security perimeters, physical entry, secure areas, securing offices, working in secure areas, clear desk and clear screen, equipment siting, security of assets off-premises, supporting utilities, cabling security, equipment maintenance, secure disposal or re-use of equipment, storage media, physical security monitoring.
  • Technological controls (34). User endpoint devices, privileged access rights, access to information, authentication, capacity management, malware protection, technical vulnerability management, configuration management, information deletion, data masking, data leakage prevention, information backup, redundancy of information processing facilities, logging, monitoring activities, clock synchronisation, use of privileged utility programs, restriction of software installation, networks security, security of network services, segregation of networks, web filtering, use of cryptography, secure development life cycle, application security requirements, secure system architecture and engineering principles, secure coding, security testing in development and acceptance, outsourced development, separation of development, test and production environments, change management, test information, protection of information systems during audit testing.

New controls in the 2022 revision

Eleven controls are new compared to the 2013 version. These are worth knowing because they typically have to be added to an existing ISMS during the transition:

  • Threat intelligence (5.7). A structured process for collecting and analysing threat intelligence relevant to the organisation.
  • Information security for use of cloud services (5.23). Cloud-specific; it formalises what most organisations were already doing informally.
  • ICT readiness for business continuity (5.30). The IT side of business continuity, separated from broader BCM.
  • Physical security monitoring (7.4). CCTV, intrusion detection, monitoring of physical access logs.
  • Configuration management (8.9). Baseline configurations, configuration change tracking.
  • Information deletion (8.10). Secure deletion across data lifecycles.
  • Data masking (8.11). Pseudonymisation, anonymisation, masking for non-production environments.
  • Data leakage prevention (8.12). DLP across email, endpoints, cloud, network egress.
  • Monitoring activities (8.16). Security monitoring across networks, systems, applications.
  • Web filtering (8.23). Outbound web filtering at the perimeter or endpoint.
  • Secure coding (8.28). Secure development practices, including SAST/DAST and code review.

Attributes: the underused taxonomy

Each Annex A control carries five attributes: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover, aligned with NIST CSF), operational capabilities (governance, asset management, identity and access management, etc.), and security domains (governance and ecosystem, protection, defence, resilience).

The attributes are not certification-relevant but they are useful for internal reporting and for mapping to other frameworks. The NIS 2 mapping in particular is easier via the cybersecurity-concepts attribute.

The Statement of Applicability

The Statement of Applicability (SoA) is the document that records which Annex A controls the organisation has selected, justifies any exclusions, and notes the implementation status of each included control. The SoA is mandatory and the auditor will inspect it at Stage 1.

Common SoA pitfall: copying Annex A wholesale and marking all 93 controls as applicable. Annex A is a reference list, not a mandatory checklist; controls should be selected based on the risk assessment. Excluding controls is allowed if the exclusion is justified and the risk is otherwise treated.
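As an added example (not code from the page or from any ISO publication), a small Python checker that enforces these SoA rules over constructed rows: every Annex A control gets an include/exclude decision, exclusions carry a justification, included controls trace back to a risk-assessment entry, and the wholesale-copy pattern is flagged. It assumes controls are numbered sequentially within each clause (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34); the row format and the risk identifiers such as R-01 are constructed for the example.

```python
from collections import Counter

# Controls per Annex A clause: 5 organisational, 6 people, 7 physical, 8 technological.
# Assumption: controls are numbered sequentially within each clause (5.1 .. 5.37, 6.1 .. 6.8, ...).
THEME_COUNTS = {"5": 37, "6": 8, "7": 14, "8": 34}
ANNEX_A_IDS = [f"{c}.{n}" for c, total in THEME_COUNTS.items() for n in range(1, total + 1)]

def check_soa(rows):
    """Return a list of findings; an empty list means the SoA passed.
    Each row: {"id": "5.7", "applicable": bool, "justification": str, "risk_refs": [str, ...]}."""
    findings = []
    ids = Counter(r["id"] for r in rows)
    for cid, n in ids.items():
        if cid not in ANNEX_A_IDS:
            findings.append(f"{cid}: not an Annex A control identifier")
        elif n > 1:
            findings.append(f"{cid}: listed {n} times")
    for cid in ANNEX_A_IDS:
        if cid not in ids:
            findings.append(f"{cid}: missing (every control needs an include/exclude decision)")
    for r in rows:
        if r["applicable"] and not r.get("risk_refs"):
            findings.append(f"{r['id']}: applicable but not traced to a risk-assessment entry")
        if not r["applicable"] and not r.get("justification", "").strip():
            findings.append(f"{r['id']}: excluded without justification")
    # The wholesale-copy pitfall: all 93 marked applicable and nothing tied to the risk assessment.
    if rows and all(r["applicable"] for r in rows) and not any(r.get("risk_refs") for r in rows):
        findings.append("all controls applicable with no risk references: Annex A copied wholesale?")
    return findings

def theme_summary(rows):
    """Applicable/excluded counts per theme clause, for SoA reporting."""
    out = {c: {"applicable": 0, "excluded": 0} for c in THEME_COUNTS}
    for r in rows:
        clause = r["id"].split(".")[0]
        if clause in out:
            out[clause]["applicable" if r["applicable"] else "excluded"] += 1
    return out

def sample_soa():
    """Constructed SoA: everything applicable and risk-linked, except three deliberate rows."""
    rows = {cid: {"id": cid, "applicable": True, "justification": "", "risk_refs": ["R-01"]}
            for cid in ANNEX_A_IDS}
    rows["8.11"].update(applicable=False, risk_refs=[],
                        justification="No production data leaves production; risk R-14 treated via 8.12")
    rows["8.23"].update(applicable=False, risk_refs=[])  # excluded, but nobody wrote down why
    rows["8.16"]["risk_refs"] = []                        # included, but not traced to any risk
    return list(rows.values())
```

Running `check_soa(sample_soa())` reports only the untraced 8.16 and the unjustified 8.23 exclusion; the justified 8.11 exclusion passes, which is the distinction the auditor is looking for.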
