If you’re among the ranks of companies looking to get ISO 27001 certified — or recertified — then it’s essential that your controls are effective so your information security management system (ISMS) meets ISO 27001 requirements.

To help you establish or improve your ISMS and prepare for an audit, we’ll take a closer look at the ISO 27001:2022 controls below.

What are ISO 27001 Annex A controls?

Information security controls are processes and policies you put in place to mitigate risk. ISO/IEC 27001 requires organizations to implement controls that meet its standards for an information security management system. 

The ISO 27001:2022 international standard document includes Annex A, which outlines all 93 ISO 27001 controls and groups them into 4 themes. Annex A outlines each objective and control to help organizations decide which ones they should use. 

The ISO 27002 standard acts as a complementary resource. It goes into more detail, providing a full page of information on the purpose of each control, how it works, and how to implement it. 

How many controls are there in ISO 27001?

ISO 27001:2022 Annex A includes 93 controls, divided into four categories. 

• Clause 5: Organizational Controls (37 controls)
• Clause 6: People Controls (8 controls)
• Clause 7: Physical Controls (14 controls)
• Clause 8: Technological Controls (34 controls)

When the International Organization for Standardization updated the ISO 27001:2013 standard in 2022, they added 11 new controls. They are: 

• A.5.7: Threat intelligence
• A.5.23: Information security for use of cloud services
• A.5.30: ICT readiness for business continuity
• A.7.4: Physical security monitoring
• A.8.9: Configuration management
• A.8.10: Information deletion
• A.8.11: Data masking
• A.8.12: Data leakage prevention
• A.8.16: Monitoring activities
• A.8.23: Web filtering
• A.8.28: Secure coding

In addition to meeting Annex A control requirements, organizations must meet the requirements from clauses 4-10 of the standard to achieve ISO 27001 certification:

• Clause 4: Context of the organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: Improvement

How you satisfy the ISO 27001 clauses and Annex A controls will depend on your unique organization. The ISO 27001 standard is written so that different types of organizations can meet the legal, regulatory, and contractual requirements in their own way. 

Using your internal ISO 27001 risk assessment as a guide, select the controls that apply to your organization. If you choose not to include an Annex A control, explain why within your Statement of Applicability. For example, if you chose to exclude A.6.7 because none of your employees work remotely, your certification auditor will want to know.

What are the 4 themes of ISO 27001?

What are ISO 27001 themes? You can think of them as the broad topics covered by ISO 27001. 

Topics like: how do you treat company security? How do you handle asset management? How do you address physical security and cybersecurity? 

Each theme focuses on general best practices for that area of information security and its control objectives. 

A 5.1-5.37: Organizational controls

The first theme in the ISO 27001 Annex A controls is all about how your organization approaches data security, from the policies and processes you put in place to the structure of your company. 

Does your organization have a clear set of policies about keeping its ISMS secure? Are information security roles and responsibilities clearly defined and effectively communicated? Are proper access controls in place?

These are the issues the organizational controls are designed to address. The controls encompass:

Information security policies

The strength of your information security policies directly influences every other category. 

Auditors will be looking for: 

• High-level documentation of information security policies
• A regular process to review and update those policies
• A clear explanation for how those policies work with the other needs of the business

Organization of information security

It’s all well and good for the CISO to put security policies in place, but that’s not sufficient for ISO 27001. Specifically defined security roles at every level of the organization are a must. 

In each department, there should be zero ambiguity about information security responsibilities. There should also be plans for how any remote workers or vendors fit into the environment.

It’s far easier for a single infosec professional to implement policies in a smaller office. However, you should still have a plan for organizing data security as your company grows.

Supplier relationships

Most companies are dependent on outside partnerships to some degree. When seeking ISO 27001 certification, businesses often focus on internal operations and operational systems and can easily overlook supply chain and third-party risk management.

It’s harder to implement controls here because you can’t control how someone else operates. Present the auditor with proof that you hold all third-party vendors to a rigorous standard and have completed a thorough risk treatment plan for third-party risk. You should also refuse to work with anyone who won’t meet those standards.

Access controls

Put simply, employees at your organization should not be able to view information that isn’t relevant to their jobs.

Access control encompasses who receives authentication information — like login credentials —and what privileges that information comes with. The more people with user access to corporate information, the more risk is introduced. 

These controls address how to keep employee user IDs and passwords secure and limit non-essential access to applications through a formal access management process. They should be supported by documented procedures and user responsibilities.

Asset management

Any information asset is a potential security risk — if it’s valuable to you, it’s probably valuable to somebody else.

ISO 27001 certification requires your business to identify its information assets, classify them, and apply management processes based on those classifications.

For the controls in this domain, you should know: 

• What is acceptable use of an information asset?
• Who is authorized to receive and share each asset?
• How to track an asset’s location
• How to dispose of the asset, if necessary 

Controls also cover how to safely store assets on removable media, such as USB drives.

Communications security

These controls cover information transfer, including how you exchange information, how you protect it when using electronic messaging like email, and how you use non-disclosure agreements.

Information security incident management

You won’t be able to evade every security threat, regardless of how prepared you might be. This domain covers how your company will respond to security events and incidents.

If there’s a data breach, who gets informed first? Who has the power to make decisions? What will you do to minimize the impact?

This control set also accounts for what you do after the crisis has passed. How will you learn from the incident?

Information security aspects of business continuity management

When business is significantly disrupted, information security can fall by the wayside. 

Does your company have a plan to protect sensitive data during a serious operational upheaval?

Disruption can be anything from a natural disaster to a ransomware attack or political upheaval in the business’s home country. It can also be internal, like an acquisition or change in company leadership.

Redundancy measures — including maintaining an inventory of spare parts and duplicate hardware and software— can help maintain business continuity and smooth operations during times of disruption.

Compliance

The final section details how your organization complies with information security laws. 

Under laws like the EU’s General Data Protection Regulation (GDPR), businesses can face heavy fines for infosec failures. ISO 27001 auditors want to see that you have a plan for mitigating compliance risk.

A 6.1-6.8: People controls

People controls define how your personnel interact with data and information systems. They include practices like employee background checks and security awareness training. 

Human resources security

The controls in this section require every employee to be clearly aware of their information security responsibilities.

It covers the entire personnel relationship: 

1. How are employees vetted before being hired? This includes screening and background checks, and clear terms and conditions of employment.  
2. How will expectations surrounding information security be communicated to employees? This includes aspects like information security awareness education and training, the disciplinary process, security incident reporting, and non-disclosure agreements.
3. How will you make sure employees don’t compromise your information security after leaving the company? 

A 7.1-7.13: Physical controls

How will you protect physical information assets? These controls include clear desk policies, storage and disposal protocols, entry and access systems, and so on. 

Physical and environmental security

Your organization should be protecting any physical location where it stores sensitive data. That means offices, data centers, customer-facing premises, and anywhere else that could compromise your information security if breached.

Security is more than just locks and guards. It demands that you think about access rights, asking questions like, “How do you determine who can enter a secure area like a server room?” 

This theme also includes controls for ensuring employees implement physical safeguards. Someone leaving their laptop or mobile device behind in a cafe can be even worse than getting hacked. Remote as well as in-office workers should adopt a clear desk and clear screen policy so information cannot be accessed, seen, or taken by an unauthorized person.

Other controls in this series cover the risk of natural disasters. If your data center is damaged by a flood or earthquake, how will you ensure it remains protected against forced entry? If you can’t ensure that, what else will you do to protect your sensitive data?

A 8.1-8.34: Technological controls

Technological controls are all about maintaining a secure and compliant IT infrastructure. These controls cover a range of issues, from who can access source code and how to maintain network security to synchronizing clocks. 

Cryptography

Cryptography is just one tool in your security arsenal, but ISO 27001 considers it important enough to deserve its own control set. 

Your company should have a documented policy for managing encryption, with evidence that you’ve thought about the best type of encryption for your business needs. 

Make sure to pay special attention to how you manage cryptographic keys throughout their entire lifecycle, including a plan for what to do if a key becomes compromised.

Operations security

ISO 27001 requires your company to secure the information processing facilities and systems that make up its ISMS.

These technological controls cover documentation of ISMS operating procedures, including change management and review procedures. Other subdomains cover malware protection, data backups, penetration testing, technical vulnerability management, and more.

If your company is tech-heavy, you’ll also need to prove that your development and testing environments are secure.

Network security

Information is especially vulnerable while it’s on the move. ISO 27001 broadly defines communication as any transit of information from one node of your network to another. 

These controls prevent attackers from accessing sensitive information by exploiting flaws and vulnerabilities in your network security. 

System acquisition, development, and maintenance

This control set is interested in how your ISMS evolves over time. 

Whenever you introduce a new information security system or make changes to one you already use, information security should be at the forefront of your mind.

To meet these control requirements, you’ll need to hold any new system to specific security requirements, rejecting any changes that don’t meet your specifications. 

Who is responsible for implementing ISO 27001 controls?    

There’s a common misconception that IT should be solely responsible for implementing the ISO 27001 controls that are applicable to an organization. However, only some of these controls are technological. The rest are related to organizational issues, physical security, human resources, and legal protection. 

So implementing Annex A controls must be the responsibility of multiple stakeholders and departments within an organization. Who those individuals are exactly will depend on the size, complexity, and security posture of that organization. 

Understanding ISO 27001 controls

Like everything else about ISO 27001, the Annex A controls seem complicated at first. But once you dig a little deeper, the ISO 27001 control framework is fairly straightforward. 

The better you understand your information security risk landscape, the easier it will be to figure out which controls apply to you.

That said, we don’t blame you if the ISO 27001 certification process still feels daunting.

That’s why we built Secureframe. 

Our compliance automation platform makes it easier and faster to get ISO 27001 certified. With powerful automation features and a team of ISO 27001 experts, we'll help you build a compliant ISMS, monitor controls, manage vendor risk, complete a gap analysis, and get you 100% audit-ready.