Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

5 Min

ISO 27001 Annex A Controls - A Detailed Guide

ISO 27001 is a framework of best practices implemented through an information security management system (ISMS). ISO 27001 certification can help businesses improve their info-sec processes, formalise operations and build trust among customers and stakeholders.

Though not compulsory, it is a widely used and internationally recognised certification that demonstrates a commitment to the protection of confidential information. The ISO 27001 framework spans across all domains of an organisation, focusing on its people, processes and technology through a carefully chosen list of security controls.

This article provides you with an understanding of the 14 different categories of ISO 27001 controls and the focus of each category in relation to your organisation’s ISMS.

In this Article

What is the ISO 27001 Annex A?

ISO 27001 Annex A is arguably the most well-known annex of all the ISO standards, as it contains an essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen the security of information assets.

The ISO 27001 controls are outlined in ISO 27001 Annex A, also known as ISO 27002. These are standard controls that should be simple to put in place because they are all outlined in the ISO 27001 standard.

A simple approach to think of Annex A is as a portfolio of information security controls that you can choose from – you can pick and select from the 114 measures specified in Annex A that are relevant to your organisation’s scope.

Is there a difference between ISO 27001 and ISO 27002?

ISO 27001's Annex A does not go into great depth regarding each control. In general, each control has a one line explanation, which provides you an idea of what you need to accomplish but not how to execute it.

This is why ISO 27002 was created. It follows the same format as ISO 27001 Annex A. Each control from Annex A is included in ISO 27002, but it includes a far more extensive description of how to put it into practice. However, when it comes to managing information security, ensure your organisation follows both ISO 27001 and ISO 27002 standards.

At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.

How many ISO 27001 controls are there?

The ISO 27001 Annex A Controls are separated into 14 categories – and within those 14 categories are 114 ISO 27001 controls outlined as tools for effective risk management.

These control sets can be selectively applied to your organisation, based on the results of a risk assessment.

The overall objective of the ISO 27001 framework is to protect the confidentiality, integrity, and availability of information. Implementation enables organisations to:

  • Comply with ever-changing legal requirements through a single framework
  • Demonstrate prioritised information security and gain a competitive advantage
  • Prevent security incidents and avoid paying fines
  • Define processes and job roles and improve organisational structure

Each category can be attributed to a particular focus area within your organisation. Contrary to popular belief, they are not all IT-related. The following is a breakdown of what each section is focused on.

Before we explore each category of ISO 27001 certification, here is a quick breakdown of Annex A control sets and which areas of your organisation they relate to:

Focus Area Annex A control category
Organisational issues (24 controls)





HR (6 Controls)








IT  (61 Controls)








Physical Security (15 Controls) A.11
Legal Issues (8 controls) A.18


What are the 14 categories of ISO 27001 controls?

The 14 categories of Annex A controls cover different security areas and dictate the objective of each control in improving your information security. Annex A of ISO 27001 comprises 114 controls which are grouped into the following 14 control categories:

  1. Information Security Policies
  2. Organisation of Information Security
  3. Human Resources Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operational Security
  9. Communications Security
  10. Systems Acquisition, Development and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security aspects of Business Continuity Management
  14. Compliance

Here is a comprehensive list of the 14 control categories:

1. Annex A.5 - Information Security Policies | 2 controls


  • To ensure that policies regarding information security are written in accordance with your organisation's requirements.

2. Annex A.6 - Organisation of Information Security | 7 controls


  • To establish a management framework and assign information security roles for how the controls will be implemented.
  • To adopt security guidelines for when employees access, process and store information while working out-of-office.

3. Annex A.7 - Human Resource Security | 6 controls


  • To ensure that all parties (employees and contractors) understand their requirements and responsibilities before, during and after their term of employment.
  • This involves conducting background checks, adhering to information security policies, conducting necessary training and implementing a formal disciplinary process in order to protect the organisation’s interests.

4. Annex A.8 - Asset Management | 10 controls


  • To identify, classify and prevent the disclosure of information and assets.
  • This involves defining acceptable use, implementing a classification scheme, outlining procedures for handling assets and implementing procedures to securely dispose of media.

5. Annex A.9 - Access Control | 14 controls


  • To limit access to and prevent unauthorised access of information, and hold individuals accountable for protecting authentication information (such as PINs and passwords).
  • This involves implementing an access control policy, controlling access rights, defining the use of secret authentication information and restricting any programs with override capabilities.

6. Annex A.10 - Cryptography | 2 controls


  • To ensure encryption and key management is used to maintain the confidentiality, integrity and authenticity of important information.
  • This involves outlining, through a cryptographic policy, the use and validity period of cryptographic keys.

7. Annex A.11 - Physical and Environmental Security | 15 controls


  • To prevent unauthorised access to information that may cause loss or interruption to operations.
  • To prevent the compromise of assets through loss, damage or theft.
  • This involves defining and implementing a physical security perimeter, securing areas involved in transport (such as loading bays), regularly servicing equipment and protecting equipment when taken off office premises.

8. Annex A.12 - Operational Security | 14 controls


  • To ensure the integrity of information processing facilities and operational systems, protecting these facilities from malware, preventing the loss of data, maintaining consistency across activity logs, mitigating potential technical risks and minimising disruptions brought on by audit activities.
  • This involves documenting operating procedures (such as changes to organisational processes), separating operational environments, implementing anti-malware software and making users aware of what constitutes acceptable use, following an agreed backup policy, monitoring software installation and regularly evaluating risks.

9. Annex A.13 - Communications Security | 7 controls


  • To monitor the internal and external transfer of information.
  • This involves implementing information transfer policies across all communication facilities (such as email, social media and internal messaging platforms).

10. Annex A.14 - System Acquisition, Development and Maintenance | 13 controls


  • To ensure that information security requirements are established across the lifecycle of information systems and included when updating existing systems or implementing new systems.
  • To ensure that data being used for testing is only accessed by authorised personnel.
  • This involves protecting information that passes through public networks to prevent misrouting, alteration or unauthorised disclosure, establishing secure development areas and regularly testing security facilities.

11. Annex A.15 - Supplier Relationships | 5 controls


  • To ensure that any valuable assets that can be accessed by suppliers remain protected, and maintain an agreed level of information security.
  • This involves establishing formal agreements that address potential risks and regularly monitoring and auditing suppliers.

12. Annex A.16 - Information Security Incident Management | 7 controls


  • To ensure that any information security incidents are managed effectively and consistently.
  • This involves reporting any weaknesses through the appropriate management channels as quickly as possible, responding to these incidents in line with established procedures and preserving evidence.

13. Annex A.17 - Information Security Aspects of Business Continuity Management | 4 controls


  • To ensure the continuation of information security and that these measures are in line with your organisation's continuity plans.
  • To ensure the availability of information processing facilities.

14. Annex A.18 - Compliance | 8 controls


  • To avoid information security breaches of a legal, statutory, regulatory or contractual nature, and ensure that information security is carried out according to organisational requirements
  • This involves identifying compliance requirements, protecting against any implications (loss, theft etc) according to these requirements, ensuring the protection of sensitive information and regularly reviewing the compliance of information systems.

Download our Whitepaper 'Top 4 most failed ISO 27001 controls' and learn how to avoid the same mistakes.

How can I implement ISO 27001 Annex A controls?

Annex A can be used as a checklist of ISO 27001 controls. Organisations are not required to implement all 114 controls, but are expected to identify and apply the most suitable controls for their organisation. The process of selecting applicable controls begins with risk assessment and treatment, after which you are required to measure how successful the controls were in achieving information security objectives.

Information security is all about putting in place a set of strong rules that will mature over time. As a result, implementing the controls outlined in Annex A is and must always be the responsibility of a number of persons.

The process of gathering all required documentation and becoming ISO 27001 compliant can be difficult, which is why you and your organisation may benefit from the expertise of an ISO 27001 consultant.

Why should an organisation adopt ISO 27001?

Not all organisations choose to adopt ISO 27001 certification, but many use it as a framework to keep their ISMS safe from the risk of information security breaches.

ISO 27001 compliance proves to parties involved (such as customers and stakeholders) that an organisation has prioritised the implementation of information security best-practices.

Essentially, an ISO 27001 certification makes it simpler to satisfy regulatory obligations, demonstrates your organisation’s reliability to partners, and demonstrates your dedication to maintaining the highest standards of information security. It increases the value of your brand, resulting in win-win situations.

How can an organsiation become ISO 27001 certified?

It is a two-stage process that takes around three months on average. With over 25 proven ISO 27001 policies and over 25 industry best practices ISO 27001 papers, DataGuard gives you a comprehensive information security management system suited to your particular needs.

Read our comprehensive guide to ISO 27001 for insight into its advantages, processes, costs involved and how to get certified.



An airtight ISMS consists of security measures that cover all aspects of an organisation: its people, processes and technology.

Selecting and implementing the right Annex A controls takes time and our consultants are equipped with the industry expertise to ensure the success of your ISMS.

Sign up for a free, no-obligation consultation and begin the process of ISO 27001 compliance. Get in touch with one of our experts today.

Book an appointment



whitepaper-download whitepaper-download




About the author