Navigating ISO 27001

Technological controls of ISO 27001

The Essential Measures for Information Security

Get your free guide


Get your free guide

The digital world is changing rapidly. As a result, the requirements for handling information assets - and securing them - are also changing. Protecting sensitive data is more important today than ever before. Technology, in particular, is the focus of constant innovation. This is why Annex A of ISO 27001 contains a series of measures that have been specially developed for securing and handling technology and digital security in organisations.

ISO 27001 is an international standard for information security. It defines requirements for implementing, realising and maintaining an information security management system (ISMS) to protect the confidentiality, integrity and availability of information.

An information security management system certified by ISO 27001 is a globally recognised way of adequately protecting an organisation's information. An ISMS consists of a series of measures that help to ensure information security.

Technological controls are an important component of an ISMS. The measures in this category ensure that data is also adequately secured digitally and that access and networks are controlled.  

Control categories from Annex A: Technological, organisational, personnel-related and physical

Annex A of ISO 27001:2022 contains a list of 93 controls organised into four categories. Companies can select the appropriate measures from the relevant categories depending on the context. In this way, the controls are adapted to the current security requirements: 

  • Organisational controls: These controls relate to the overall structure, culture, and policies of the organisation, as well as its risk management and information security management system (ISMS).

  • People controls: These controls focus on the people who have access to the organisation's information assets, including their training, awareness, and responsibilities.

  • Physical controls: These controls protect the physical assets of the organisation, such as its buildings, equipment, and data storage facilities.

  • Technological controls: These controls protect the organisation's information systems and networks, including its software, hardware, and data encryption.

In this article, we focus on the technological  controls from Annex A of ISO 27001:2022. 


What are technological controls?

Technological controls include the authentication and encryption of data and the prevention of data loss. To protect the data, the technology must also be secured accordingly. Access rights, network security and data masking help to achieve this security.

In other words, these controls are designed to ensure that technical vulnerabilities are prevented and that software and systems are protected against malware. Access to software and services is regulated and documented for this purpose, and all information that is no longer used is deleted.

Technological controls include, among other things:

  • The deletion of all information that is no longer necessary

  • The management of technical vulnerabilities and the corresponding protection

  • Protective measures against malware

  • Measures for masking data

Get ready for the ISO 27001 audit with up to 75% less workload

100% first-try pass rate in external audits on ISO 27001 

Book a demo
DG Seal ISO 27001

ISO 27001: New technological controls

Compared to its predecessor, ISO 27001:2022 includes new technological measures that respond to the current challenges of information security:

The new technological controls include:

  • 8.1: Data masking

  • 8.9: Configuration management

  • 8.10: Information deletion

  • 8.12: Data leakage prevention

  • 8.16: Monitoring activities

  • 8.23: Web filtering

  • 8.28: Secure coding.


What technological controls are there?  

Technological controls are an important part of a comprehensive information security strategy, which focuses in particular on the appropriate security of technology, data, access and storage of information.

This area comprises 34 measures that you can implement. We have compiled a list with a comprehensive overview of all technological controls from Annex A of ISO 27001:

Technological Controls

Annex A 8.1

User Endpoint Devices 

Technological Controls

Annex A 8.2

Privileged Access Rights 

Technological Controls

Annex A 8.3

Information Access Restriction 

Technological Controls

Annex A 8.4

Access to Source Code 

Technological Controls

Annex A 8.5

Secure Authentication 

Technological Controls

Annex A 8.6

Capacity Management 

Technological Controls

Annex A 8.7

Protection Against Malware 

Technological Controls

Annex A 8.8

Management of Technical Vulnerabilities 

Technological Controls

Annex A 8.9

Configuration Management 

Technological Controls

Annex A 8.10

Information Deletion 

Technological Controls

Annex A 8.11

Data Masking 

Technological Controls

Annex A 8.12

Data Leakage Prevention 

Technological Controls

Annex A 8.13

Information Backup 

Technological Controls

Annex A 8.14

Redundancy of Information Processing Facilities 

Technological Controls

Annex A 8


Technological Controls

Annex A 8.16

Monitoring Activities 

Technological Controls

Annex A 8.17

Clock Synchronization 

Technological Controls

Annex A 8.18

Use of Privileged Utility Programs 

Technological Controls

Annex A 8.19

Installation of Software on Operational Systems 

Technological Controls

Annex A 8.20

Networks Security 

Technological Controls

Annex A 8.21

Security of Network Services 

Technological Controls

Annex A 8.22

Segregation of Networks 

Technological Controls

Annex A 8.23

Web filtering 

Technological Controls

Annex A 8.24

Use of Cryptography 

Technological Controls

Annex A 8.25

Secure Development Life Cycle 

Technological Controls

Annex A 8.26

Application Security Requirements 

Technological Controls

Annex A 8.27

Secure System Architecture and Engineering Principles 

Technological Controls

Annex A 8.28

Secure Coding 

Technological Controls

Annex A 8.29

Security Testing in Development and Acceptance 

Technological Controls

Annex A 8.30

Outsourced Development 

Technological Controls

Annex A 8.31

Separation of Development, Test and Production Environments 

Technological Controls

Annex A 8.32

Change Management 

Technological Controls

Annex A 8.33

Test Information 

Technological Controls

Annex A 8.34

Protection of Information Systems During Audit Testing 

How are technological controls implemented? 

The implementation of technological controls should be based on a risk assessment. The organisation should identify the potential threats to its information and information systems from technological attacks and then implement the appropriate controls to mitigate these threats.

The process of implementing technological controls can be broken down into the following steps:

Risk identification

The first stage is to identify the potential threats to the organisation's information and information systems from technological attacks. The following factors can be considered:

External threats: Cyberattacks, malware, phishing

Internal threats: Employee error, fraud, espionage

Control selection

After the risk assessment, the organisation can select the appropriate controls within the risk treatment to mitigate the identified threats. It is important to weigh up the costs and benefits of the controls.

Control design

In the third phase, the design of the controls is determined. This includes the specification of the technical and organisational measures required to implement the controls.

Control implementation

In the fourth phase, the controls are implemented. This includes the procurement and installation of the necessary hardware and software as well as the training of employees.

Control monitoring

The controls must be monitored regularly to ensure that they function properly and achieve the desired results. This includes regular audits and tests of the controls.


Technological controls to strengthen your information security

Technological controls are measures that improve the security of information and information systems. They help to protect information and information systems against unauthorised access, manipulation, destruction and loss.

The 2022 version of ISO 27001 considers the current challenges of information security and offers ways to establish an appropriate approach to current conditions.

Find the right controls for your organisation and use our ISO 27001 checklist to find out what you need to do to comply with ISO 27001.

Save Money with ISO 27001

up to 50%

Cheaper than external consultants


up to 300%

Increase your opt-in rate with Consent & Preference Management

Scale Fast with ISO 27001

3 months

Get audit-ready in as little as three months

ISO 27001 Certificate


First-try pass rate in external audits on ISO 27001 and TISAX®

ISO 27001 certification to reduce Workload

Saves up to 100 hours

of manual work to get ISO 27001 certified or TISAX® labels

ISO 27001 Certification creates trust

Customers trust us

Book a demo




External DPO
Audit and risk analysis
Data Subject Requests
Online training courses
Cookie & Preference manager
Business advice from experts



Prepare for ISO 27001
Build an ISMS
Cyber security
Asset management
Risk mitigation
Internal audit



Digital whistleblowing system
Whistleblowing support
Compliance audit
Risk mitigation
Online training courses

Trusted and used by companies

Canon-4 The Cheeky Panda Burger King Unicef UK-1 Free Now

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

All data provided is for information only, based on internal estimates. This information is not indicative of KPIs, and is not given with any warranties or guarantees, expressly stated or implied in relation to accuracy and reliability.