ISO 27001 Controls have always been the trusted blueprint for building strong Information Security. However, the 2022 update brings a fresh wave of transformation. Annex A controls have been reshaped and streamlined to keep pace with a world where risks evolve faster than ever.
Whether you're refining your Information Security Management System (ISMS) or starting your certification journey, understanding what changed is the key to staying ahead. This blog explores how the ISO 27001:2022 controls list reshapes security for a smarter, more resilient future. So read on!
What is Annex A, and What Has Changed?
Annex A in ISO 27001 provides a reference set of information security controls that organisations can select to manage risks effectively. In the 2022 update, Annex A was significantly restructured to improve clarity and usability. The number of controls was reduced from 114 to 93, grouped into four themes: Organisational, People, Physical, and Technological.
Several controls were merged, updated, or newly introduced to reflect modern risks such as cloud security, threat intelligence, and data masking. This makes the framework more aligned with current security practices.
What is a Statement of Applicability (SoA)?
A Statement of Applicability (SoA) is a mandatory document in ISO 27001 that acts as a clear record of an organisation’s information security control decisions. It lists every control from Annex A and records whether each control is applicable, not applicable, or already implemented, together with the justification for that decision.
The SoA is linked to risk assessment and shows how identified risks are treated through selected controls, helping demonstrate to auditors that security measures are risk-based. It also supports consistency and accountability by helping teams understand responsibilities, track implementation and review whether controls remain suitable as business needs change.
The Unique Structure of the ISO 27001 Standard
ISO 27001 stands out because of its dual structure, which separates mandatory requirements from security controls. The main body of the standard, Clauses 4–10, defines how an organisation must establish, implement, maintain, and improve its Information Security Management System (ISMS). These clauses cover areas such as leadership, risk management, operational control, and continual improvement.
What makes the structure unique is that the requirements are kept separate from the controls. While the clauses explain what must be done to run an ISMS, Annex A provides a reference list of 93 controls that organisations can select based on their specific risks and business environment.

What is the Purpose of Annex A?
The purpose of Annex A is to provide a reference set of security controls that organisations can use to treat identified risks. It supports consistency by offering a recognised control framework while still allowing flexibility.
Annex A helps organisations:
- Strengthen protection of sensitive information
- Reduce the likelihood of security incidents
- Demonstrate a structured approach to information security
- Align security practices with business risks
- Support audit and governance requirements
The List of ISO 27001 Annex A Controls
The Annex A controls are grouped into four clear categories: Organisational, People, Physical, and Technological. Each category addresses a different aspect of information security management. Let’s discuss them in detail:

1) ISO 27001 Annex A 5 Organisational Controls
There are 37 controls from A.5.1 to A.5.37. These controls focus on how an organisation manages Information Security as a whole. They include policies, procedures, rules, roles and governance structures that guide how information is protected.
2) ISO 27001 Annex A 6 People Controls
There are 8 controls from A.6.1 to A.6.8. These controls address the human side of Information Security. They cover areas such as secure HR practices, personnel responsibilities, awareness and training.
3) ISO 27001 Annex A 7 Physical Controls
There are 14 controls from A.7.1 to A.7.14. Physical controls protect buildings, equipment and other tangible assets. Examples include physical entry controls, visitor management, secure disposal of assets, storage media handling and clear desk practices.
4) ISO 27001 Annex A 8 Technological Controls
There are 34 controls from A.8.1 to A.8.34. These controls relate to IT and digital security. They cover areas such as Access Management, system configuration, backup and recovery, logging, monitoring and other technical measures needed to run a secure IT environment.
Conclusion
ISO 27001:2022 reshapes Annex A with greater clarity and relevance, turning complex security expectations into practical, modern controls. By streamlining categories and aligning with today’s cyber risks, the update helps organisations manage threats with confidence. Understanding the changes in ISO 27001 Controls is not just about compliance; it’s about building future-ready Information Security practices that evolve alongside technology and business needs.