ISO 27001 Controls

20-Jun-2026

Gary Moore

Data breaches, cyber threats, and human errors can put sensitive information at risk, making information security a top priority for modern organisations. To address these challenges more effectively, businesses need a systematic framework for identifying and managing security risks. This is where ISO 27001 Controls become essential.

ISO 27001 Controls provide a set of safeguards that help organisations protect information, strengthen security practices, and support compliance requirements. In this blog, you will learn about ISO 27001 Annex A Controls, their key categories, how to implement them, and more. Let’s get started!

What are ISO 27001 Controls?

ISO 27001 Controls are the security measures, policies, and procedures organisations use to manage and mitigate information security risks. They are designed to protect sensitive information and ensure its confidentiality, integrity, and availability while addressing various security threats and vulnerabilities.

ISO 27001 Controls form the foundation of an Information Security Management System (ISMS). By implementing appropriate controls, organisations can strengthen their security posture, support compliance requirements, and reduce the likelihood of security incidents.

Join ISO 27001 Foundation Training now

ISO 27001 Controls: 2022 Control Categories

The ISO 27001:2022 Annex A controls were reorganised to better address modern information security challenges. This latest version consolidates them into four broader categories, helping organisations implement and manage controls effectively within their ISMS. Let’s explore these categories below:

Control Categories of ISO 27001:2022

1) Annex A.5: Organisational Controls (37 Controls)

Organisational Controls establish the governance framework for information security. They include policies, procedures, rules, roles, responsibilities, and risk management activities that guide how an organisation protects its information assets.

Number of Controls: 37

Control Numbers: Annex A 5.1–5.37

2) Annex A.6: People Controls (8 Controls)

People Controls focus on the human aspect of information security. They cover areas such as personnel security, awareness training, and employee responsibilities to ensure that individuals handle information securely and follow established security practices.

Number of Controls: 8

Control Numbers: Annex A 6.1–6.8

3) Annex A.7: Physical Controls (14 Controls)

Physical Controls protect facilities, equipment, and other tangible assets from unauthorised access, theft, damage, or disruption. Some examples include entry controls, visitor management, secure asset disposal, and clear desk policies.

Number of Controls: 14

Control Numbers: Annex A 7.1–7.14

4) Annex A.8: Technological Controls (34 Controls)

Technological Controls focus on securing digital systems and IT infrastructure. They include measures such as access control, authentication, encryption, monitoring, logging, backup, and other technical safeguards that help maintain a secure and resilient environment.

Number of Controls: 34

Control Numbers: Annex A 8.1–8.34

Learn to strengthen compliance through effective audits with the ISO 27001 Internal Auditor Training – Sign up today!

A Step-by-step Approach to Implementing ISO 27001 Controls

Implementing ISO 27001:2022 Controls requires a structured approach that aligns security measures with organisational risks and objectives. The following steps can help organisations effectively implement and maintain controls within their Information Security Management System. Let’s look at them below:

ISO 27001 Controls Implementation Steps

Step 1: Identify Security Gaps and Catalogue Information Assets

Begin by assessing your present security posture against ISO 27001:2022 requirements to identify gaps and areas for improvement. At the same time, create an inventory of information assets to ensure all critical resources are considered during risk assessments.

a) Identify existing security controls and safeguards already in place

b) Document areas where current practices do not meet security requirements

Step 2: Define the Scope of Applicable Controls Through the SoA

The Statement of Applicability (SoA) defines which controls are relevant to the organisation and explains any exclusions. It serves as a key document that links identified risks to the controls selected for risk treatment.

a) Link each selected control to a specific risk treatment plan

b) Record the implementation status of controls for audit and review purposes

Step 3: Deploy Security Measures and Assign Access Management Responsibilities

Implement technical safeguards to protect systems, applications, and data. Measures such as Multi-factor Authentication (MFA) and Identity and Access Management (IAM) help ensure users have appropriate access based on their roles and responsibilities.

a) Implement web filtering to block malicious websites and content

b) Configure Data Loss Prevention (DLP) measures to monitor sensitive information

Step 4: Develop Governance Policies and Rules of Engagement Documentation

Establish clear policies, procedures, and Rules of Engagement (RoE) to support information security operations. Regular awareness training ensures employees understand their responsibilities and follow security requirements.

a) Create policies for remote working and mobile device usage

b) Define security requirements for suppliers and third-party vendors

Step 5: Remove Excessive Privileges and Maintain Ongoing Security Oversight

Regularly review access rights and remove unnecessary privileges to reduce security risks. Continuous monitoring, audits, and management reviews help ensure controls remain effective and aligned with evolving threats.

a) Monitor logs for suspicious activity and unauthorised access attempts

b) Conduct regular management reviews and update controls when required
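The access review and log monitoring described in Step 5 are the parts of this procedure that are routinely scripted. The following Python example is added here to illustrate them; it is not code from the original post. It assumes three constructed inputs: a role catalogue listing which entitlements each role may hold, an export of current grants from the identity provider, and a few authentication log lines in a made-up "timestamp user outcome source" format. The script flags entitlements outside a user's role (including users whose role is not in the catalogue), accounts with no successful login inside the review window, and bursts of failed logins from a single source.

```python
"""Access-rights review over constructed sample data (added example, not from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: each role and the entitlements it is allowed to hold.
# Application and entitlement names are hypothetical.
ROLE_ENTITLEMENTS = {
    "developer": {"git:read", "git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
    "sysadmin": {"git:read", "ci:run", "prod:ssh", "prod:sudo"},
}

# Constructed identity-provider export: user -> (assigned role, entitlements actually granted).
GRANTS = {
    "alice": ("developer", {"git:read", "git:write", "ci:run"}),
    "bob": ("developer", {"git:read", "git:write", "prod:sudo"}),  # prod:sudo exceeds the role
    "carol": ("finance", {"erp:read", "erp:post"}),
    "dave": ("contractor", {"git:read"}),  # role missing from the catalogue
    "erin": ("sysadmin", {"prod:ssh", "prod:sudo", "ci:run"}),
}

# Constructed authentication log in a made-up format: ISO-8601 timestamp, user, outcome, source IP.
AUTH_LOG = """\
2026-06-01T08:02:11Z alice SUCCESS 10.0.0.5
2026-06-18T09:15:40Z bob SUCCESS 10.0.0.9
2026-06-19T22:01:01Z carol FAILURE 203.0.113.7
2026-06-19T22:01:03Z carol FAILURE 203.0.113.7
2026-06-19T22:01:05Z carol FAILURE 203.0.113.7
2026-06-19T22:01:06Z carol FAILURE 203.0.113.7
2026-06-19T22:01:08Z carol FAILURE 203.0.113.7
2026-06-19T22:01:10Z carol FAILURE 203.0.113.7
2026-06-19T22:05:00Z carol SUCCESS 10.0.0.12
2026-03-02T07:30:00Z erin SUCCESS 10.0.0.2
"""

# Review parameters (assumed policy values, not taken from the standard).
REVIEW_DATE = datetime(2026, 6, 20, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)      # no successful login for 90 days -> dormant
FAILURE_THRESHOLD = 5                   # this many failures ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst


def parse_auth_log(text):
    """Turn the constructed log text into (timestamp, user, outcome, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, src = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, outcome, src))
    return events


def excess_privileges(grants, role_entitlements):
    """Return {user: sorted entitlements not permitted by the user's role}.

    A role absent from the catalogue permits nothing, so every grant is flagged; that
    surfaces accounts whose role was never defined rather than silently passing them.
    """
    findings = {}
    for user, (role, granted) in grants.items():
        excess = granted - role_entitlements.get(role, set())
        if excess:
            findings[user] = sorted(excess)
    return findings


def dormant_accounts(grants, events, review_date, max_idle):
    """Return users with no successful login within max_idle of review_date (never logged in counts)."""
    last_success = {}
    for ts, user, outcome, _ in events:
        if outcome == "SUCCESS":
            last_success[user] = max(ts, last_success.get(user, ts))
    return sorted(
        user for user in grants
        if user not in last_success or review_date - last_success[user] > max_idle
    )


def failed_login_bursts(events, threshold, window):
    """Return (user, source) pairs with at least `threshold` FAILURE events inside any `window`."""
    per_key = defaultdict(list)
    for ts, user, outcome, src in events:
        if outcome == "FAILURE":
            per_key[(user, src)].append(ts)
    bursts = []
    for key, stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return sorted(bursts)


def run_review():
    """Run all three checks over the constructed inputs and return the findings."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "excess_privileges": excess_privileges(GRANTS, ROLE_ENTITLEMENTS),
        "dormant_accounts": dormant_accounts(GRANTS, events, REVIEW_DATE, DORMANT_AFTER),
        "failed_login_bursts": failed_login_bursts(events, FAILURE_THRESHOLD, FAILURE_WINDOW),
    }


if __name__ == "__main__":
    for section, findings in run_review().items():
        print(f"{section}: {findings}")
```

Each finding maps to an action the review should record: excess entitlements are removed or formally approved as exceptions, dormant accounts are disabled pending confirmation from the owner, and failed-login bursts are handed to incident handling. In a real environment the role catalogue comes from HR or the access policy, the grants from the identity provider's export, and the events from the central log platform; the thresholds are policy decisions and should be documented alongside the control.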

Build and manage robust security frameworks by signing up for the ISO 27001 Lead Implementer Training today!

Are all ISO Controls Mandatory? 

No, not all ISO 27001 Controls are mandatory. ISO 27001 follows a risk-based approach, meaning organisations need to implement the controls that are relevant to their specific risks, business activities, and security requirements. This makes sure that security efforts are focused on addressing the risks that matter most to the organisation.

ISO 27001 Controls selected for implementation are documented in the Statement of Applicability (SoA), along with any exclusions and their justifications. Therefore, achieving ISO 27001 certification is not about implementing all 93 Annex A Controls, but about demonstrating that the chosen controls effectively address the organisation’s identified risks.

What are the Benefits of Implementing ISO 27001 Controls?

Implementing ISO 27001 Controls helps organisations strengthen information security, improve risk management, and build trust with stakeholders. Let’s learn some of its key benefits below:

a) Reduces the Risk of Data Breaches: ISO 27001 Controls help organisations identify, assess, and address security vulnerabilities before they can be exploited. This proactive approach reduces the likelihood of data breaches and other security incidents.

b) Supports Regulatory Compliance: ISO 27001 Controls help organisations meet legal, regulatory, and contractual requirements related to information security and data protection. This leads to more effective compliance management.

c) Improves Internal Processes: Implementing ISO 27001 Controls encourages consistent documentation, governance, and risk management practices. This leads to more efficient and well-structured business operations.

d) Builds Client and Partner Trust: Implementing ISO 27001 Controls demonstrates a commitment to protecting sensitive information. This can increase confidence among customers, business partners, and other stakeholders.

e) Enhances Business Opportunities: Strong information security practices can simplify security assessments during procurement processes and support participation in tenders, contracts, and new business opportunities.

f) Protects Organisational Reputation: Effective ISO 27001 Controls help prevent security incidents that could damage an organisation’s reputation, customer relationships, and brand image.

g) Strengthens Security Awareness: Regular training and clearly defined responsibilities help employees understand their role in protecting information and maintaining security best practices.

h) Improves Incident Response: Established procedures, roles, and responsibilities enable organisations to respond to security incidents more effectively and recover more quickly.

i) Provides Global Recognition: As part of an internationally recognised information security standard, ISO 27001 Controls help organisations demonstrate credibility and strengthen their position in global markets.

Conclusion

ISO 27001 Controls provide a structured approach to managing information security risks and protecting sensitive data. By implementing the right controls, organisations can strengthen security, support compliance, and improve resilience. As cyber threats continue to evolve, ISO 27001 Annex A Controls help businesses build trust and maintain a strong security posture.

Turn your security knowledge into organisational strength with the ISO 27001 Training Courses – Sign up now!

Frequently Asked Questions

Do I Need to Implement all 93 Controls?

No, you do not need to implement all 93 ISO 27001 Controls. The standard follows a risk-based approach, meaning organisations only apply the controls relevant to their specific risks, business operations, and technology environment.

What is the Statement of Applicability (SoA)?

A Statement of Applicability (SoA) is a mandatory document in ISO 27001 that links an organisation’s risk assessment to the security controls it chooses to implement. It records which controls are applicable, any exclusions, and the reasons behind those decisions.

Can Small Businesses Implement ISO 27001 Controls?

Yes, small businesses can successfully implement ISO 27001 Controls. ISO 27001 follows a risk-based and scalable approach, allowing organisations to apply the controls relevant to their size, operations, and risk profile. This flexibility makes ISO 27001 Controls suitable for businesses of all sizes.
