ISO 27001:2022 Controls: Annex A list

Megha Thakkar
Technical Content Writer at Scrut Automation

Megha Thakkar has been weaving words and wrangling technical jargon since 2018. With a knack for simplifying cybersecurity, compliance, AI management systems, and regulatory frameworks, she makes the complex sound refreshingly clear. When she’s not crafting content, Megha is busy baking, embroidering, reading, or coaxing her plants to stay alive—because, much like her writing, her garden thrives on patience. Family always comes first in her world, keeping her grounded and inspired.

ISO 27001 is a globally recognized standard for information security management systems (ISMS), providing a systematic approach to securing sensitive information. At the heart of ISO 27001 are its controls—specific measures designed to mitigate risks and ensure data protection. 

The concept of ISO 27001 controls first appeared in 2005 with 133 controls structured to address the key security challenges of the time. Fast-forward to the latest revision, ISO 27001:2022: the number of controls has been streamlined to 93, organized under four main themes, reflecting modern-day security risks and evolving technological needs.

The relationship between ISMS and ISO 27001 controls is critical. An ISMS provides the overarching framework for managing information security, while the ISO 27001 controls—particularly those outlined in Annex A—serve as actionable steps to achieve the framework’s objectives. 

Organizations meeting these standards ensure compliance with best practices, improve their risk posture, and build trust with customers and stakeholders. Additionally, adhering to the ISO 27001 controls enhances resilience against cyber threats and ensures continual improvement in security management.

Read on to explore the full ISO 27001:2022 controls list and to understand how each category supports a robust security posture.

What are ISO 27001 Controls?

ISO 27001 controls are structured measures designed to identify, manage, and mitigate information security risks, ensuring the confidentiality, integrity, and availability of data. Serving as the backbone of an organization’s Information Security Management System (ISMS), these controls play a crucial role in protecting sensitive information from evolving threats. Typically updated every 7–10 years, ISO 27001 evolves to stay aligned with advancements in technology and emerging security challenges.

Under the ISO 27001:2022 standard, the controls are categorized into four domains, addressing both organizational and technological risks. These measures are implemented by security teams, monitored through regular audits, and maintained to ensure their continued effectiveness in safeguarding information assets.

The transition from ISO 27001:2013 to ISO 27001:2022 resulted in a reduction and restructuring of controls—from 114 controls across 14 domains to 93 controls aligned under a modernized framework. These updates reflect the need to tackle contemporary risks more effectively. 

ISO 27001 specifies 11 clauses (0–10). It is relevant to organizations in industries such as technology, finance, healthcare, and manufacturing that prioritize securing sensitive data and mitigating risks. Of these clauses, the mandatory ones (Clause 4 to Clause 10) must be implemented. They cover areas like defining the ISMS scope, risk assessments, and continual improvement processes, ensuring an organization’s commitment to maintaining a robust security posture.

What is the Annex A controls list of ISO 27001:2022?

The Annex A controls in ISO 27001:2022 are divided into four main themes:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

These themes make it easier for organizations to manage and mitigate risks across all areas of their operations. Whether it’s securing sensitive data, protecting physical infrastructure, or managing employee access, these controls cover it all.

The goal here is simple—help organizations strengthen their information security posture and ensure that data remains confidential, accurate, and available when needed. It’s not just about ticking boxes; these controls are practical tools that businesses of any size can use to safeguard their systems, comply with regulations, and build trust with customers and partners. By organizing the controls under these four categories, ISO 27001:2022 ensures a more streamlined and modern approach to tackling today’s security challenges.

What were the newly updated controls from ISO 27001:2013 to 27001:2022?

ISO 27001:2022 introduced 11 new controls to address emerging security challenges and evolving technologies. These new controls are categorized under four themes and contribute to a streamlined structure of 93 controls, reduced from 114 in the 2013 version.

How the controls are categorized:

  1. Organizational – 37 controls
  2. People – 8 controls
  3. Physical – 14 controls
  4. Technological – 34 controls

This categorization helps organizations focus on specific areas of information security, ensuring a holistic approach to mitigating risks, maintaining compliance, and strengthening their ISMS.

The 11 newly introduced controls:

  1. A.5.7: Threat intelligence – Helps organizations proactively identify and address emerging security threats.
  2. A.5.23: Information security for use of cloud services – Ensures secure usage and governance of cloud-based environments.
  3. A.5.30: ICT readiness for business continuity – Prepares organizations to maintain critical ICT services during disruptions.
  4. A.7.4: Physical security monitoring – Enhances protection of physical locations through monitoring systems.
  5. A.8.9: Configuration management – Establishes secure and consistent system configurations.
  6. A.8.10: Information deletion – Defines secure deletion processes for sensitive information.
  7. A.8.11: Data masking – Protects sensitive data by obfuscating it during processing or storage.
  8. A.8.12: Data leakage prevention – Minimizes risks of unauthorized data exposure or transfer.
  9. A.8.16: Monitoring activities – Enhances visibility and detection of security incidents.
  10. A.8.23: Web filtering – Protects against web-based threats by controlling access to unsafe sites.
  11. A.8.28: Secure coding – Promotes secure software development practices to prevent vulnerabilities.

These additions are particularly beneficial for industries heavily reliant on cloud services, advanced technologies, and stringent data protection requirements, such as finance, healthcare, and IT. By adopting these controls, organizations can enhance their readiness to tackle evolving threats while aligning with global compliance standards.

What are the 4 themes of ISO 27001 controls?

The 4 themes of ISO/IEC 27001 controls group the controls by the key area of information security they address, so that organizations can effectively manage risks and safeguard their assets.

  • Organizational controls: Focus on policies, procedures, and governance to manage information security risks at an organizational level.
  • People controls: Address the roles, responsibilities, and actions of individuals to ensure secure behavior and reduce human-related risks.
  • Physical controls: Protect physical assets like buildings, equipment, and infrastructure from unauthorized access or damage.
  • Technological controls: Safeguard systems, networks, and data through technical measures like encryption, access controls, and monitoring.

Annex A5: Organizational controls

Annex A5 focuses on organizational controls that establish the foundation for managing information security risks within an organization. Its purpose is to ensure that policies, responsibilities, and processes are clearly defined and implemented to address risks effectively. The goal is to promote accountability, governance, and structured management of information security practices across all levels of an organization.

Key controls under Annex A5 include:

  • A.5.1: Policies for information security
  • A.5.2: Information security roles and responsibilities
  • A.5.7: Threat intelligence
  • A.5.9: Inventory of information and other associated assets
  • A.5.12: Classification of information
  • A.5.23: Information security for use of cloud services
  • A.5.30: ICT readiness for business continuity
  • A.5.37: Documented operating procedures

These controls ensure that organizations can effectively govern their information security management and align their strategies with ISO 27001 requirements.

Annex A6: People controls

Annex A6 focuses on people controls, which aim to address the human aspect of information security. This annex ensures that employees, contractors, and other relevant parties are aware of their roles and responsibilities in safeguarding information. The goal is to minimize risks caused by human error, negligence, or intentional actions through proper management, awareness, and training.

Key controls under Annex A6 include:

  • A.6.1: Screening of employees and contractors
  • A.6.2: Terms and conditions of employment related to information security
  • A.6.3: Awareness, education, and training on information security
  • A.6.6: Disciplinary process for non-compliance with security policies

These controls help organizations build a security-conscious workforce while ensuring individuals are equipped with the knowledge and accountability to support overall information security objectives.

Annex A7: Physical controls

Annex A7 focuses on physical controls, which are designed to protect an organization’s physical assets and environments from unauthorized access, damage, or interference. The purpose of this annex is to ensure that physical security measures are in place to safeguard critical facilities, equipment, and infrastructure. The goal is to prevent physical threats such as theft, vandalism, or natural disasters from impacting information security and business continuity.

Key controls under Annex A7 include:

  • A.7.1: Physical security perimeter controls to restrict unauthorized access
  • A.7.2: Entry controls to secure physical access points
  • A.7.4: Physical security monitoring, such as surveillance and alarm systems
  • A.7.7: Secure disposal or reuse of equipment to prevent data leakage

These controls ensure that organizations address the physical aspects of security, complementing technological and organizational measures for a comprehensive information security strategy.

Annex A8: Technological controls

Annex A8 focuses on technological controls, which are designed to protect information systems, networks, and data through technical measures. This annex ensures that organizations implement secure configurations, monitoring, and protective mechanisms to manage risks stemming from technology use. The goal is to safeguard the confidentiality, integrity, and availability of data while addressing threats such as cyberattacks, data breaches, and system vulnerabilities.

Key controls under Annex A8 include:

  • A.8.9: Configuration management to ensure secure system settings
  • A.8.10: Information deletion to prevent unauthorized data retention
  • A.8.11: Data masking to protect sensitive information
  • A.8.12: Data leakage prevention to avoid unauthorized data transfers
  • A.8.16: Monitoring activities for identifying and responding to security events
  • A.8.23: Web filtering to restrict access to harmful or inappropriate content
  • A.8.28: Secure coding to prevent software vulnerabilities

These controls help organizations leverage technology securely, mitigating risks while ensuring compliance with ISO 27001 standards.

What are the mandatory clauses to get ISO 27001 certification?

ISO 27001 certification demonstrates an organization’s commitment to information security, enhances customer trust, and ensures compliance with international standards. Achieving it requires meeting the mandatory clauses (Clause 4 to Clause 10):

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

These clauses are mandatory because they form the core framework of an Information Security Management System (ISMS). Completing all clauses ensures that the ISMS is systematically implemented, monitored, and continuously improved, enabling organizations to address risks, meet legal requirements, and achieve sustained information security resilience.

How to implement ISO 27001 controls 

To successfully implement ISO 27001 controls, organizations require a structured ISO implementation checklist to ensure risks are effectively identified, addressed, and managed.

  • Conduct a risk assessment to identify and prioritize information security risks.
  • Define the scope of the ISMS to clarify which assets and processes are covered.
  • Map controls to identified risks based on Annex A of ISO 27001.
  • Develop policies and procedures to implement and enforce the selected controls.
  • Assign roles and responsibilities to ensure accountability for control implementation.
  • Provide employee training and awareness on security policies and practices.
  • Deploy technical and physical measures to enforce controls, such as access management and monitoring.
  • Monitor and measure performance to evaluate the effectiveness of the controls.
  • Perform regular internal audits to identify gaps and ensure compliance.
  • Continuously improve the ISMS based on audit findings and changing risks.

How to measure the effectiveness of ISO 27001 controls

To ensure ISO 27001 controls are functioning as intended, organizations must consistently measure their effectiveness using various methods and metrics.

  • Define key performance indicators (KPIs) to measure control performance against objectives.
  • Conduct regular internal audits to assess control implementation and identify gaps.
  • Perform management reviews to evaluate the overall effectiveness of controls.
  • Monitor incidents and breaches to determine if controls are mitigating risks as intended.
  • Collect and analyze metrics to measure the success of specific controls (e.g., access logs, response times).
  • Use automated monitoring tools to track compliance and control performance in real-time.
  • Evaluate user compliance through employee behavior assessments and policy adherence checks.
  • Benchmark against standards to ensure controls align with ISO 27001 requirements and industry best practices.
  • Gather stakeholder feedback to identify areas for improvement in control performance.
  • Review and update controls regularly based on audit findings, risk changes, and business needs.

How does Scrut help in implementing Annex A controls of ISO 27001?

You may not even notice how effortlessly Scrut manages your Annex A implementation, but here’s a quick overview of how the platform seamlessly addresses some of these Annex A controls:

A.5 – Organizational controls

  • Scrut Feature: Policy Library & Templates
    • Pre-built templates for information security policies, roles, and governance structure to meet organizational control requirements.

A.6 – People controls

  • Scrut Feature: Employee Awareness and Training Management
    • Manage training programs and track employee compliance with security awareness initiatives.

A.7 – Physical controls

  • Scrut Feature: Asset and Access Management
    • Track physical asset inventories and access control logs to ensure facilities and devices are secure.

A.8 – Technological controls

  • Scrut Feature: Continuous Control Monitoring
    • Automate technical control tracking, such as secure configurations, system monitoring, and data leakage prevention.
  • Scrut Feature: Risk Assessment Module
    • Identify vulnerabilities in systems and align them with configuration management and monitoring controls.

A.5.23 – Information security for cloud services

  • Scrut Feature: Cloud Security Monitoring
    • Integrate with cloud providers (e.g., AWS, Azure) to ensure compliance with cloud-specific security controls.

A.8.10 – Information deletion

  • Scrut Feature: Evidence Collection and Reporting
    • Automate evidence capture for data deletion processes to ensure compliance and audit readiness.

A.8.16 – Monitoring activities

  • Scrut Feature: Real-Time Monitoring & Dashboards
    • Monitor activities continuously and flag deviations to maintain control effectiveness.

A.8.28 – Secure coding

  • Scrut Feature: Integration with DevSecOps Tools
    • Scrut integrates with development tools to ensure secure coding practices are implemented and monitored.

FAQs

What’s the difference between ISO 27001 controls in 2013 vs 2022?

The main difference between ISO 27001:2013 and ISO 27001:2022 controls is the reduction and reorganization of controls to address modern security challenges. The 2013 version had 114 controls across 14 domains, while the 2022 update consolidates them into 93 controls under 4 themes: Organizational, People, Physical, and Technological.

Additionally, 11 new controls were introduced, including threat intelligence (A.5.7) and cloud security (A.5.23), making the standard more relevant to today’s risks and technologies.

How many domains are there in ISO 27001 controls?

ISO 27001:2013 has 14 domains that organize its controls:

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development, and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Aspects of Business Continuity Management
  14. Compliance

Who is responsible for implementing ISO 27001 controls?

The Information Security Team or CISO, supported by key stakeholders, typically leads the implementation of ISO 27001 controls. They design, implement, and monitor controls to ensure compliance, with audits conducted by internal teams or ISO 27001-certified consultants to identify gaps. Their expertise in security frameworks, risk assessments, and certifications like CISSP, ISO 27001 Lead Implementer, or Lead Auditor ensures effective alignment with organizational objectives and ISO standards.

Can we map ISO 27001 controls to other security standards?

Yes, ISO 27001 controls can be mapped to standards like NIST CSF, SOC 2, GDPR, and PCI DSS, enabling organizations to align compliance efforts. Popular mappings include ISO 27001 Annex A with NIST SP 800-53 or integrating ISO 27001 with SOC 2, streamlining audits, reducing redundancies, and ensuring broader compliance while maintaining a strong ISMS.

What are the objectives of ISO 27001?

  • Ensure confidentiality to protect sensitive information from unauthorized access.
  • Maintain integrity to ensure data is accurate, complete, and reliable.
  • Ensure availability so information and systems are accessible when needed.
  • Identify and manage risks through a systematic risk assessment and treatment process.
  • Establish a structured ISMS to manage information security effectively.
  • Comply with legal, regulatory, and contractual requirements related to information security.
  • Build stakeholder trust by demonstrating a commitment to protecting information assets.
  • Promote a culture of security through policies, training, and continuous improvement.
