ISO 27001 is a globally recognized standard that provides a systematic approach to information security. Its framework contains a list of controls that can help you protect sensitive data and mitigate the risk of data breaches.
These ISO 27001 controls are listed in full in Annex A of the standard.
Read our guide on ISO 27001 Annex A controls to learn more about each domain and find out which ones apply to your organization.
What are the ISO 27001 Annex A controls?
ISO 27001’s Annex A controls describe how an organization can protect sensitive data and systems. The 2022 version of the standard contains 93 controls, each providing a solution to a specific risk.
In this way, Annex A plays a pivotal role in ISO 27001 compliance. Whereas the rest of the standard sets out the specifications for building an ISMS (Information Security Management System), Annex A contains details on the security measures contained within that system.
You can use any relevant control from Annex A to build the three components of an ISMS:
- Policies are the principles or rules that outline the organization’s expectations, objectives, and responsibilities.
- Processes are step-by-step methods that explain how policy goals will be achieved.
- Technologies include tools, systems, hardware, or software that can address information security risks.
Although you aren’t required to implement every control, you must explain your decision-making throughout the process. This means documenting your adopted controls and explaining why you’ve omitted the others.
By carefully selecting and implementing controls from Annex A, you can enhance your security posture and ensure your safeguards are relevant to your requirements.
Please note that a new version of ISO 27001 was adopted in October 2022 and will take effect in 2025.
ISO 27001:2022 restructures its controls from 14 domains into 4 categories, and it reduces the total number of controls from 114 to 93. You can learn more about the differences by reading our ISO 27001:2022 Transition Guide.
This article looks at the updated version of ISO 27001.
This category contains 37 controls that cover:
- Information security policies
- Cloud service use
- Threat intelligence
This section sets the tone for your ISMS. It provides guidance for high-level policies that demonstrate your organization’s commitment to information security.
These policies establish that your organization takes a security-first approach to projects and that all stakeholders know their responsibilities. Additionally, it can highlight the need for regular policy reviews to ensure that documentation remains aligned with your information security goals.
This category contains 8 controls that cover:
- Remote work
At the heart of this category is the way you manage the people who use your ISMS. You are expected to assign responsibilities, define roles, and emphasize the importance of a workplace culture that prioritizes information security.
It streamlines two sections from the previous version of ISO 27001, which look at remote work and personnel management separately. Accounting for the rise in remote work in recent years, the updated version of Annex A contains more detailed controls on these topics.
This includes controls related to home working equipment and other mobile devices.
Elsewhere, this category covers the requirements of personnel management. As with the previous version of the standard, its controls mainly address the risks you might face when handling employees’ personal data.
Learn more about how to prepare for ISMS success with our ISO 27001 Checklist.
This category contains 14 controls that cover:
- Security monitoring
- Storage media
- Facilities security
Organizations often underestimate the importance of physical security when protecting their sensitive data. However, it plays a significant role in ISO 27001, and there are more than a dozen controls addressing a range of physical security risks.
This includes measures to protect the physical perimeter and the locations where valuable data or systems are kept. It also addresses assets within those locations, such as computers, cupboards, and networking equipment.
This category contains 34 controls that cover:
- Network security
- Access controls
- Data leak prevention
Technological defences are a crucial part of information security, and they’re often the controls that organizations lean on to protect their systems. But ISO 27001 recognizes that technologies should work alongside other controls, with organizations taking a holistic approach to information security.
Two of the most significant measures outlined in this category are access controls and encryption. These systems are each designed to ensure that only authorized individuals can access valuable data.
Access controls do so by authenticating individuals when they try to access sensitive data – whether that’s online or via a secure part of the facility.
By contrast, encryption scrambles digital data to make it unreadable unless you are authorized to view it.
For both technologies, you are expected to document management requirements and policies in addition to implementing the technology.
Annex A vs. ISO 27002
Although Annex A plays a crucial role in building your ISMS, it’s not the only place where you’ll encounter these controls. They’re also listed in ISO 27002, a supplementary standard that explores each control in more depth.
Whereas Annex A outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control. It explains how each one works, its objectives, and how you can implement it.
They are separated in this way to help organizations manage their implementation project.
- Annex A acts as a reference list of ISO 27001 Annex A controls and a reminder of where each one is and what it does.
- ISO 27002 serves as a guide for implementing each control.
How To Implement Annex A Controls
Your organization’s ISO 27001 implementation project culminates with selecting Annex A controls. The choices you make here shape your ISMS, outlining the actions you’ll take to address information security risks. It’s essential that you pick these controls carefully and don’t either under- or overcommit to your implementation project.
If you don’t select enough controls, you’ll still have risks that aren’t properly addressed, which can undermine your security practices. But if you select too many, you might be unable to give enough resources to each one. This can result in poorly implemented controls and an unnecessarily complex ISMS that’s impossible to manage.
Given these complexities, it’s often worth seeking expert advice when starting your ISO 27001 implementation project. This is where Orion Registrar can help. As an ANAB-accredited assessment body, we can support your project and ensure you pick the right Annex A controls.
Learn the difference between ISO 27001 Vs Soc 2 in our essential guide.