ISO 27001 Annex A Controls Explained

Annex A of ISO/IEC 27001:2022 is a reference set of 93 information security controls, grouped into four themes: organisational, people, physical and technological. You do not implement all 93. You select the controls your risk assessment justifies and record each decision, included or excluded, in the Statement of Applicability.

What are the ISO 27001 Annex A controls?

Annex A is the control catalogue at the back of ISO/IEC 27001:2022, set out in full in the complete ISO 27001 guide. The 2022 edition lists 93 controls, and they are the menu you choose from when you decide how to treat the risks your assessment found, not a list every certified organisation runs end to end. The management system that actually gets certified lives in clauses 4 to 10. Annex A is the reference those clauses point to, and the detail behind each control sits in a companion standard, ISO/IEC 27002:2022. A common mistake is treating Annex A as the standard. It is an annex. The certifiable requirements are the clauses. Annex A is the checklist that stops you forgetting a control you needed.

How are the 93 controls grouped into four themes?

The 2022 edition sorts the 93 controls into four themes, replacing the fourteen domains the 2013 version used. The split is deliberately uneven. Most security work is organisational and procedural, not physical, and the numbers show it.

Theme           Controls   Annex clause   What it covers
Organisational  37         A.5            Policies, supplier and cloud risk, threat intelligence, incident management
People          8          A.6            Screening, awareness, responsibilities, remote and post-employment
Physical        14         A.7            Facilities, equipment, physical monitoring, clear desk and screen
Technological   34         A.8            Access control, cryptography, logging, secure development, backups

Each control carries a number inside its theme, from A.5.1 through to A.8.34, so A.8 is where most of the technical work sits.

What changed from ISO 27001:2013?

The control count fell from 114 to 93, but nothing was deleted. Most of the drop came from merging overlapping controls, with 57 of the 2013 controls combined into 24, alongside 35 left unchanged, 23 renamed and one split. Eleven controls are genuinely new, added to name work the 2013 set left implicit. If you certified under the 2013 edition, the transition closed on 31 October 2025, so every current certificate is now against the 2022 version. The certification timeline changes very little because of this, but the controls you evidence do.

The eleven new controls are:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

Do you have to implement all 93 Annex A controls?

No, and this is the most common misunderstanding about the standard. Annex A is a reference set you select from, not a checklist you tick top to bottom. Clause 6.1.3 asks you to compare the controls your risk treatment needs against Annex A, confirm you have not missed anything necessary, then record the result in the Statement of Applicability. For every one of the 93 you state whether it applies, whether it is implemented, and why. Excluding a control is allowed. Excluding it without a defensible reason is what gets written up at Stage 2. An organisation that writes no software can reasonably exclude secure coding. One that ships its own product cannot.

Where do the Annex A controls come from?

Annex A gives you titles and one-line objectives. The implementation guidance lives in ISO/IEC 27002:2022, the companion standard. Put plainly, 27001 certifies you and 27002 tells you how. The 2022 version of 27002 also tagged every control with five attributes: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (the identify, protect, detect, respond and recover verbs that line up with the NIST Cybersecurity Framework), operational capabilities, and security domains. The attributes are a filtering system. They let you pull every detective control, or every control mapped to a NIST function, which makes mapping ISO 27001 to another framework, or to the Essential Eight, far less manual than it was under the 2013 set.

Annex A is one piece of the standard. The clauses, the risk assessment, the Statement of Applicability and the audit cycle are the rest. If you are scoping a project, the readiness checklist and the cost drivers are the practical next reads. Cybernion runs ISO 27001 readiness and implementation through to certification.

Frequently asked questions

How many controls are in ISO 27001 Annex A in the 2022 version?

There are 93 controls, grouped into four themes: organisational (37), people (8), physical (14) and technological (34). This is down from 114 controls across fourteen domains in the 2013 edition.

Do you have to implement all 93 Annex A controls?

No. Annex A is a reference set, not a mandatory checklist. You select the controls your risk assessment justifies and record each inclusion or exclusion, with reasons, in the Statement of Applicability.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard, and it includes Annex A as a reference control set. ISO 27002 is the companion guidance that explains how to implement each control. You certify against 27001, not 27002.

What are the 11 new controls in ISO 27001:2022?

Threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ISO/IEC 27001:2022, 2022
  2. ISO/IEC 27002:2022, 2022

Last updated: 21 June, 2026