‍

ISO 27001 is an industry-accepted international standard that helps organizations build and document an effective information security management system (ISMS). If you want to meet the standard’s requirements and explore the benefits of certification for your business, you should first understand the ISO 27001 Annex A controls (aka ISO 27002).

‍

The goal with these controls is to overcome a common challenge security and compliance teams face—continuous compliance. ISO 27001 compliance controls help identify timely updates to an organization’s security framework, enabling ongoing insight into information security and more streamlined program upgrades.

‍

In this guide, we’ll cover:

‍

• Definition and purpose of ISO 27001 Annex A
• A detailed breakdown of Annex A with control examples
• Tips for selecting the applicable Annex A controls

‍

What are the ISO 27001 Annex A controls

ISO 27001 Annex A controls are specific practices that help you meet the requirements of the standard’s clauses, which outline the process of building and maintaining your ISMS. The controls are prescriptive and laid out clearly enough to ensure implementation without guesswork.

‍

To get ISO 27001-certified, you must select the controls that apply to your organization and implement them fully. If you need support, you can leverage ISO 27002—the standard’s accompanying document that also serves as an ISO 27001 implementation guide.

‍

{{cta_withimage2="/cta-modules"}}  | ISO 27001 compliance checklist

‍

What are the controls in ISO 27001 designed to do?

ISO/IEC 27001 Annex A controls aim to protect an organization’s IT infrastructure and data through proactive risk management. Specifically, the primary focus of ISO 27001 Annex A controls is to help achieve the following goals:

‍

• Alignment with ISO 27001’s core principles: Known as the CIA (confidentiality, integrity, and availability) triad, the core principles of ISO 27001 serve as the overarching goals your ISMS should meet
• Maintain operational resilience: Annex A in ISO 27001 provides various controls that help organizations understand and improve their security posture to enable enhanced operational resilience
• Extend best practices to employees and external partners: ISO 27001 Annex A controls outline the accountability requirements organizations should meet to safeguard data alongside the processes for securing third-party relationships
• Continuous monitoring and improvement: ISO 27001 requires organizations to implement and maintain continuous monitoring operations, and Annex A outlines the controls necessary for doing so

‍

How many controls does ISO 27001 Annex A have?

ISO 27001 Annex A has 93 controls mapped to the standard’s corresponding clauses. The previous version (ISO 27001:2013) had 114, but the standard was updated in 2022 to account for the changes in the security landscape. This resulted in reduced redundancies compared to the previous version through the consolidation of some of the standard’s controls.

‍

The 93 controls of ISO 27001 also include some new security measures and policies that weren’t in the 2013 version. The new ISO/IEC 27001 controls mainly revolve around critical cybersecurity hygiene, most notably:

‍

• Proper information disposal
• Data masking and leakage prevention
• Comprehensive monitoring activities

‍

ISO 27001 Annex A controls: An overview

ISO 27001 Annex A controls are divided into four domains, outlined in the following table:

‍

‍

Below we’ll cover each domain in more detail with example controls based on the complete ISO 27001:2022 Annex A control list.

Annex A.5: Organizational controls

Annex A.5 addresses policies and procedures your organization implements to ensure robust information security. It covers everything from access controls to managing information security throughout the supply chain, supporting protection measures for both internal and external threats.

‍

The domain has 37 controls, including:

‍

‍

Besides controls that weren’t available in the previous version of ISO 27001 (e.g., A 5.7), some controls condense multiple measures found in it. For example, ISO 27001 Annex A 5.31: Legal, Statutory, Regulatory and Contractual Requirements combines two controls from the 2013 version:

1. Annex A 18.1.1
2. Annex A 18.1.5

‍

This contributes to the standard’s clarity and helps organizations achieve more with fewer individual controls, potentially shortening the certification time.

‍

{{cta_withimage2="/cta-modules"}}  | ISO 27001 compliance checklist

‍

Annex A.6: People controls

Annex A.6 is the least comprehensive domain of ISO 27001, including eight controls in total. Some of the most notable ones include:

‍

‍

The main goal of Annex A.6 controls is to build a culture of security awareness from the moment a new employee enters an organization and long after leaving it. It prescribes industry-standard policies and processes you should implement and specific initiatives like security training.

‍

Overall, the domain acknowledges that while technology processes data, it's the people who are often the weakest link in information security. That’s why it outlines stringent measures to minimize the risk of incidental or intentional security threats.

‍

Annex A.7: Physical controls

Annex A.7 contains 14 controls aimed at ensuring comprehensive physical protection of assets through measures like security perimeters, equipment maintenance, and secure equipment disposal.

‍

The key controls from this domain include:

‍

‍

You can choose the controls that apply to your organization based on your physical infrastructure. For example, if you don’t have any assets off-premises, Annex A 7.9 won’t apply to you, so you can even omit it.

‍

Annex A.8: Technological controls

This comprehensive set of 34 controls focuses on safeguarding the technical IT infrastructure. Starting with user endpoint devices, the controls move to establish stringent protocols for privileged access and information access restriction, targeting the most sensitive avenues of data flow.

‍

While there are numerous important controls in this domain, the main ones include:

‍

‍

Most new controls added to ISO 27001:2022 come from Annex A.8, so you’ll likely select quite a few to ensure robust IT asset protection.

‍

Who is responsible for implementing ISO 27001 Annex A controls?

Contrary to popular belief, ISO 27001 control implementation isn’t only the responsibility of your IT team. While they’ll surely take over more tasks than other departments, complete ISO 27001 compliance will likely involve organization-level effort.

‍

For example, many people controls will be implemented by human resources and department heads. Similarly, organizational controls might be delegated to specific team members or team leads. 

‍

This is why developing a culture of compliance and security awareness is crucial. When team members at all levels are aware of and implement the best security practices, your ISMS stays resilient against evolving threats without extensive monitoring effort.

‍

Tips for ISO 27001 controls selection

You can hand-pick the ISO 27001 controls you wish to implement based on your security needs and program maturity, which you’ll include in your statement of applicability.

‍

{{sme_quote_5="/testimonials"}}

‍

If you’re unsure where to start, follow these tips:

‍

• Review your organization’s IT ecosystem: List and inventory your IT assets to understand the size of your infrastructure and identify critical assets. You should also factor in your sector and industry regulations to choose the most impactful controls.
• Involve stakeholders across key departments: Bring all relevant departments, such as IT and legal, together and have them review Annex A to provide input on the most valuable controls.
• Factor in the available budget for control updates: Some Annex A controls might expose you to considerable costs, so review your budget and conduct a cost-benefit analysis to avoid overspending.
• Understand your growth goals for scaling controls: Outline a plan for upgrading your security program maturity in the long run and select the ISO 27001 controls that are aligned with it.

‍

As ISO 27001 compliance must be continuously maintained, you’ll need a streamlined workflow supported by the right compliance software. The ideal solution should automate and support ISO 27001 compliance at any scale to keep your ISMS effective.

‍

Bonus read: Want to learn more about effective ISO 27001 compliance? Take a look at these guides:

• How GDPR and ISO 27001 work together
• ISO 27001 vs. SOC 2: What’s the difference?
• Everything you need to know about ISO 27001 consultants
• Your guide to internal ISO 27001 audits

‍

Plan your ISO 27001 certification end-to-end with Vanta

Vanta is a robust compliance and trust management platform that automates up to 80% of ISO 27001 compliance processes. It reduces admin workload and frees up resources for your team, allowing them more time to focus on strengthening your ISMS.

‍

Vanta offers a dedicated ISO 27001 product built around ISO 27001:2022 to help you implement the latest controls effortlessly. Your team can improve efficiency through features like:

‍

• Automated evidence collection supported by 375+ integrations
• Centralized compliance documentation
• Checklists, templates, and tests for developing and implementing your ISMS 
• Streamlined access review features
• Comprehensive risk management built around ISO 27005 guidelines
• Built-in resources like templates and tests

‍

You can also browse Vanta’s partner network to find reputable ISO 27001 auditors who will support you throughout the certification process.

‍

Schedule a custom demo of Vanta’s ISO 27001 product for a personalized, hands-on overview.

‍

{{cta_simple2="/cta-modules"}} | ISO 27001 product page

‍