ISO 27001 Controls: Overview of all measures from Annex A

Navigating ISO 27001

ISO 27001 Annex A Controls

Get your free guide

Get your free guide

ISO 27001 Annex A controls – A detailed guide 

ISO 27001 is a framework of best practices implemented through an information security management system (ISMS). ISO 27001 certification can help businesses improve their information security processes, mitigate risks and build trust among customers and stakeholders.

With the help of this standard, companies protect their information assets and implement effective measures to keep their data safe. All risks considered - technological, organisational, physical and people.

To use the standard successfully, companies and managers must identify their own risks and know the proper measures to take. We have compiled a handy overview of all 93 controls and 4 categories of measures to help you get started. Learn more about the most important ways to protect your information.

Content overview

What is ISO 27001?

What is an ISMS?

What is the ISO 27001 Certification?

What is the ISO 27001:2022 standard?

Why is ISO 27001 important? Why should I consider getting an ISO 27001 Certification?

Who needs ISO 27001 Certification?

How hard is it to get ISO 27001 certified? 

How long does it take to get certified? 

Does the ISO 27001 Certification expire? 

What are the benefits of getting ISO 27001 certified? 

What are the certification steps? What exactly do I need to do to get ISO 27001 certified? 

Conducting a risk assessment

Implementing controls and a risk treatment plan to mitigate risks? 

Documenting your ISMS

What is an ISO 27001 audit, and why is it important?

Conducting internal audits: How to go about it? 

How long does it take to get ready for an ISO 27001 external audit?

What you can expect at an external audit

What are the ISO 27001 controls? 

The costs of ISO 27001 Certification

Is the investment worth it?

How to get started with ISO 27001 Certification? 

What is ISO 27001, and why should companies adopt it? 

ISO 27001 is a universal framework for managing information security. The certification is considered an international standard and guides your business’s information security management system (ISMS). It provides guidance for establishing, implementing, maintaining, and continuously improving a company’s ISMS, which helps organisations protect their information assets. In 2022, the standard was revised for the third time. The current version of the standard is ISO 27001:2022.

This framework, ISO 27001, safeguards the confidentiality, integrity and availability of the sensitive consumer information you collect. Compliance with ISO 27001 helps you prevent unauthorised access, breaches and regulatory fines.

Moreover, achieving ISO 27001 certification not only ensures robust information security but also aligns with the requirements of NIS2, the new EU Directive, emphasising its importance in the current digital landscape.

Achieve your first ISO 27001 certification in as little as 3 months.

Your ISO 27001 certification process made simple.

Download your free guide
DG Seal ISO 27001

What is the ISO 27001 Annex A? 

A simple approach to think of Annex A is as a portfolio of information security controls that you can choose from – you can pick and select from 93 measures specified in Annex A that are relevant to your organisation’s scope.

ISO 27001 Annex A is arguably the most well-known annex of all the ISO standards, as it contains the essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen the security of information assets.

The 27001 Annex A lists all relevant controls and provides guidance on how to implement the standard measures.

ISO 27001 vs. ISO 27002: What is the difference? 

ISO 27001 is the framework that gives companies a basic understanding of the controls and clauses in Annex A. While it does not go into great depth regarding each control, it does provide you with an idea of what you need to accomplish, but not how to execute it. Each control has a one-line explanation of its aim.

The ISO 27000 standard additionally includes elaborations that focus more closely on the respective controls. ISO 27002, therefore, outlines the specific controls organisations can choose to implement to establish a compliant ISMS. While ISO 27001 includes Annex A and briefly discusses the separate controls, ISO 27002 goes into more detail. It covers the objective for each control, explains how it works and elaborates on how companies are expected to achieve compliance successfully.

Learn more about the differences between ISO 27001 and ISO 27002 in this blog article.

ISO 27001:2022 Annex A Controls 

The ISO 27001 framework includes Annex A, which incorporates the list of controls and measurements that can be taken to establish a strong information security framework depending on the company’s context.

The overall objective of the ISO 27001 framework is to protect the confidentiality, integrity, and availability of information. The implementation enables organisations to:

Comply with ever-changing legal requirements through a single framework

Demonstrate prioritised information security and gain a competitive advantage

Prevent security incidents and avoid costly fines

Define processes and job roles and improve organisational structure

But what are the controls, and how do you use them effectively?

ISO 27001:2022: Eleven new controls

Since 2022, eleven new controls have been added to ISO 27001, which are assigned to different categories. Organisations are required to:

A.5.7 Threat intelligence

Collect and analyse data on potential threats to maintain information security

A.5.23 Information security for the use of cloud services

Define and monitor information security for the use of cloud services.

A.5.30 ICT readiness for business continuity

Create an ICT (information and communications technology) continuity plan to maintain business resilience.

A.7.4 Physical security monitoring

Implement appropriate monitoring tools to detect and prevent external and internal intrusions.

A.8.9 Configuration management

Establish policies for documenting, implementing, monitoring and auditing configurations across their network.

A.8.10 Information deletion

Manage data deletion to comply with laws and regulations.

A.8.11 Data masking

Use data masking techniques for personal identifiable information (PII) to comply with laws and regulations.

A.8.12 Data leakage prevention

Take technical measures to identify and prevent the disclosure and/or extraction of information.

A.8.16 Monitoring activities

Improve network monitoring activities to detect anomalous behaviour and respond to security events and incidents.

A.8.23 Web filtering

Enforce access controls and measures to restrict and control access to external websites.

A.8.28 Secure coding

Implement proven principles of secure coding to prevent vulnerabilities that could be caused by inadequate coding methods.

ISO 27001: 4 Control sets

To make things easier, controls in Annex A are categorised into different groups. That divides the context of the controls and the domain of the applicable risks. But what are the relevant categories and where do they apply?

There are 93 ISO 27001 Annex A controls that cover multiple areas of an organisation, and these controls are segmented into four different categories (domains).

These control sets can be selectively applied to your organisation based on the risk assessment results.

Each category can be attributed to a particular focus area within your organisation. Contrary to popular belief, they are not all IT-related.

Grouping the controls into four themes helps organisations decide who is responsible for implementing the measures and which measures apply to their respective organisation. For example, technical controls can be carried out by the IT department, while organisational controls can be carried out by your system operations team.

To achieve a better overview, here is a list of the four different categories of controls:

Organisational Controls: Measurements for organisational safety

Organisational controls typically cover everything that does not fall under the topics of people, technology, or physical security. This includes things like identity management, responsibilities, and evidence collection.

New organisational controls include:

5.7: Threat Intelligence

5.23: Information security for use of cloud services

5.30: ICT readiness for business continuity

Threat Intelligence in particular is an exciting innovation in this area - as this measure goes beyond detecting malicious domain names. Threat intelligence helps organisations better understand how they can be attacked.

People controls: Staff-related measures to protect staff.

The people controls section comprises only eight controls. It focuses on how employees handle sensitive information during their daily work. This includes topics like remote work, nondisclosure agreements and screenings. Onboarding and offboarding processes, as well as responsibilities for reporting incidents, are also relevant.

Physical Controls: Physical measures for the physical protection of the organisation.

Physical controls include security monitoring, maintenance, facility security and storage media. This category is about how you protect against physical and environmental threats such as theft, natural disasters, and deliberate destruction.

The new physical controls include: 7.4: Physical security monitoring.

Technological Controls: Technological measures for technical security.

Technological controls cover the areas of authentication, encryption, and data leakage prevention. Technology must be properly secured to protect data. Various approaches, such as access rights, network security and data masking, help to achieve this.

New technology controls include:

8.1: Data masking

8.9: Configuration management

8.10: Information deletion

8.12: Data leakage prevention

8.16: Monitoring activities

8.23: Web filtering

8.28: Secure coding

In this area, one innovation is particularly important - data leakage prevention. However, web filtering is also noteworthy: this control describes how organisations should filter online traffic to prevent users from visiting potentially harmful websites.

Achieve your first ISO 27001 certification in as little as 3 months.

Your ISO 27001 certification process made simple.

Download your free guide
DG Seal ISO 27001

93 Controls in ISO 27001: An overview 

How many ISO 27001 controls are there?

The full version of ISO 27001:2022 contains 93 controls, which are assigned to four categories: organisational, people, physical and technological. This allows responsibilities and areas to be divided according to company division.

To strengthen your company's information security, it is helpful to have an overview of the individual controls. We have provided you with a list of all 93 controls and their respective areas in the Annex A.

Organisational Controls:

Organisational Controls

Annex A 5.1

Policies for Information Security

Organisational Controls

Annex A 5.2

Information Security Roles and Responsibilities

Organisational Controls

Annex A 5.3

Segregation of Duties

Organisational Controls

Annex A 5.4

Management Responsibilities

Organisational Controls

Annex A 5.5

Contact with Authorities

Organisational Controls

Annex A 5.6

Contact with Special Interest Groups

Organisational Controls

Annex A 5.7

Threat Intelligence

Organisational Controls

Annex A 5.8

Information Security in Project Management

Organisational Controls

Annex A 5.9

Inventory of Information and Other Associated Assets

Organisational Controls

Annex A 5.10

Acceptable Use of Information and Other Associated Assets

Organisational Controls

Annex A 5.11

Return of Assets

Organisational Controls

Annex A 5.12

Classification of Information

Organisational Controls

Annex A 5.13

Labelling of Information

Organisational Controls

Annex A 5.14

Information Transfer

Organisational Controls

Annex A 5.15

Access Control

Organisational Controls

Annex A 5.16

Identity Management

Organisational Controls

Annex A 5.17

Authentication Information

Organisational Controls

Annex A 5.18

Access Rights

Organisational Controls

Annex A 5.19

Information Security in Supplier Relationships

Organisational Controls

Annex A 5.20

Addressing Information Security within Supplier Agreements

Organisational Controls

Annex A 5.21

Managing Information Security in the ICT Supply Chain

Organisational Controls

Annex A 5.22

Monitoring, Review and Change Management of Supplier Services

Organisational Controls

Annex A 5.23

Information Security for Use of Cloud Services

Organisational Controls

Annex A 5.24

Information Security Incident Management Planning and Preparation

Organisational Controls

Annex A 5.25

Assessment and Decision on Information Security Events

Organisational Controls

Annex A 5.26

Response to Information Security Incidents

Organisational Controls

Annex A 5.27

Learning From Information Security Incidents

Organisational Controls

Annex A 5.28

Collection of Evidence

Organisational Controls

Annex A 5.29

Information Security During Disruption

Organisational Controls

Annex A 5.30

ICT Readiness for Business Continuity

Organisational Controls

Annex A 5.31

Legal, Statutory, Regulatory and Contractual Requirements

Organisational Controls

Annex A 5.32

Intellectual Property Rights

Organisational Controls

Annex A 5.33

Protection of Records

Organisational Controls

Annex A 5.34

Privacy and Protection of PII

Organisational Controls

Annex A 5.35

Independent Review of Information Security

Organisational Controls

Annex A 5.36

Compliance With Policies, Rules and

Organisational Controls

Annex A 5.37

Documented Operating Procedures Standards for Information Security

People Controls

People Controls

Annex A 6.1


People Controls

Annex A 6.2

Terms and Conditions of Employment

People Controls

Annex A 6.3

Information Security Awareness, Education and Training

People Controls

Annex A 6.4

Disciplinary Process

People Controls

Annex A 6.5

Responsibilities After Termination or Change of Employment

People Controls

Annex A 6.6

Confidentiality or Non-Disclosure Agreements

People Controls

Annex A 6.7

Remote Working

People Controls

Annex A 6.8

Information Security Event Reporting

Physical Controls

Physical Controls

Annex A 7.1

Physical Security Perimeters

Physical Controls

Annex A 7.2

Physical Entry

Physical Controls

Annex A 7.3

Securing Offices, Rooms and Facilities

Physical Controls

Annex A 7.4

Physical Security Monitoring

Physical Controls

Annex A 7.5

Protecting Against Physical and Environmental Threats

Physical Controls

Annex A 7.6

Working In Secure Areas

Physical Controls

Annex A 7.7

Clear Desk and Clear Screen

Physical Controls

Annex A 7.8

Equipment Siting and Protection

Physical Controls

Annex A 7.9

Security of Assets Off-Premises

Physical Controls

Annex A 7.10

Storage Media

Physical Controls

Annex A 7.11

Supporting Utilities

Physical Controls

Annex A 7.12

Cabling Security

Physical Controls

Annex A 7.13

Equipment Maintenance

Physical Controls

Annex A 7.14

Secure Disposal or Re-Use of Equipment

Technological Controls

Technological Controls

Annex A 8.1

User Endpoint Devices

Technological Controls

Annex A 8.2

Privileged Access Rights

Technological Controls

Annex A 8.3

Information Access Restriction

Technological Controls

Annex A 8.4

Access to Source Code

Technological Controls

Annex A 8.5

Secure Authentication

Technological Controls

Annex A 8.6

Capacity Management

Technological Controls

Annex A 8.7

Protection Against Malware

Technological Controls

Annex A 8.8

Management of Technical Vulnerabilities

Technological Controls

Annex A 8.9

Configuration Management

Technological Controls

Annex A 8.10

Information Deletion

Technological Controls

Annex A 8.11

Data Masking

Technological Controls

Annex A 8.12

Data Leakage Prevention

Technological Controls

Annex A 8.13

Information Backup

Technological Controls

Annex A 8.14

Redundancy of Information Processing Facilities

Technological Controls

Annex A 8.15


Technological Controls

Annex A 8.16

Monitoring Activities

Technological Controls

Annex A 8.17

Clock Synchronization

Technological Controls

Annex A 8.18

Use of Privileged Utility Programs

Technological Controls

Annex A 8.19

Installation of Software on Operational Systems

Technological Controls

Annex A 8.20

Networks Security

Technological Controls

Annex A 8.21

Security of Network Services

Technological Controls

Annex A 8.22

Segregation of Networks

Technological Controls

Annex A 8.23

Web filtering

Technological Controls

Annex A 8.24

Use of Cryptography

Technological Controls

Annex A 8.25

Secure Development Life Cycle

Technological Controls

Annex A 8.26

Application Security Requirements

Technological Controls

Annex A 8.27

Secure System Architecture and Engineering Principles

Technological Controls

Annex A 8.28

Secure Coding

Technological Controls

Annex A 8.29

Security Testing in Development and Acceptance

Technological Controls

Annex A 8.30

Outsourced Development

Technological Controls

Annex A 8.31

Separation of Development, Test and Production Environments

Technological Controls

Annex A 8.32

Change Management

Technological Controls

Annex A 8.33

Test Information

Technological Controls

Annex A 8.34

Protection of Information Systems During Audit Testing

How to implement the Annex A controls? 

What is most useful when implementing new structures? Right – a checklist.

ISO 27001 serves as the perfect checklist of ISO controls. Organisations are not required to implement all 93 controls but are expected to identify and apply the most suitable controls for their needs. The process of selecting applicable controls begins with risk assessment and treatment. After the treatment of risks, you must measure how successful the controls were in achieving information security.

Information security is all about putting in place a set of strong rules that will mature over time. As a result, implementing the controls outlined in Annex A is and must always be the responsibility of a number of people.

The process of gathering all required documentation and becoming ISO 27001 compliant can be challenging, which is why you and your organisation may benefit from the expertise of an ISO 27001 consultant.

Benefits of ISO 27001: Why should companies adopt ISO 27001?  

Identifying and addressing security risks is beneficial to any organisation. The ISO 27001 controls help to clearly categorise potential risks. But what are the tangible benefits of mitigating risks?

Not all organisations choose to adopt ISO 27001 certification, but many use it as a framework to keep their ISMS safe from the risk of information security breaches.

ISO 27001 compliance demonstrates to stakeholders (such as customers and shareholders) that an organisation has prioritised the implementation of information security best practices. This can lead to the following benefits:

  • Improved competitiveness

  • Reduced risks of fines and losses due to data protection breaches

  • Improved brand perception

  • Compliance with relevant business, legal, economic and statutory requirements

  • Improved structure and focus

  • Reduced number of required audits

  • Unbiased assessment of the organisation’s security posture

In short, ISO 27001 certification makes it easier to satisfy regulatory obligations, demonstrates your organisation’s reliability to partners, and shows your dedication to maintaining the highest standards of information security. It also increases the value of your brand, resulting in a win-win situations.

Our checklist: How to achieve ISO 27001 compliance   

Even if they are not seeking official certification, there is always the option for organisations to pursue compliance with the ISO 27001 standard requirements. The following list shows the best practices you can implement to achieve this and can be used very well as a checklist:

  • Talk to your stakeholders to understand their information security expectations.

  • Define the scope of your ISMS and the information security measures you will implement.

  • Define a clear security policy.

  • Conduct a risk assessment to identify any existing and potential risks to your information security.

  • Implement measures and risk management methods that set clear objectives.

  • Regularly evaluate the effectiveness of your information security practices and conduct risk assessments.

Gain practical insights from our work with FRÄNKISCHE, where we guided them through their internal audit, paving the way for successful external certification.


External Content: YouTube Video 

In order to be able to play the desired video, you agree that a connection to the servers of YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA is established. This transmits personal data (device and browser information (in particular the IP address and operating system) to the operator of the portal for usage analysis. 

You can find more information about the handling of your personal data in our privacy policy.

ISO 27001: Enhanced security with the right controls      

ISO 27001 certification makes it easier to comply with legal requirements, demonstrates your organisation's reliability to business partners and shows your commitment to meeting the highest information security standards.

Check out our ISO 27001 checklist to find out what measures you need to implement to achieve ISO 27001.

Need help with information security or in preparing for a certification audit? Contact our experts today.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants

Reduce Risks with ISO 27001

up to 50%

Reduce up to half of your company’s biggest risks

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate


First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

up to 75%

Less workload compared to doing it manually

ISO 27001 Certification creates trust

A ton of big-name brands trust us




External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts



Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit



Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses