ISO 27001 Annex A Controls

ISO 27001 Annex A controls: A detailed guide

ISO 27001 is a framework of best practices implemented through an information security management system (ISMS). ISO 27001 certification can help businesses improve their information security processes, mitigate risks, and build trust among customers and stakeholders.

With the help of this standard, companies protect their information assets and implement effective measures to keep their data safe against a variety of risks: technological, organizational, physical, and people.

To use the standard successfully, companies and managers must identify their own risks and know the proper measures to take. We have put together a handy overview of all 93 controls and 4 categories of measures to help you get started.

Learn more about the most important ways to protect your information.

What is ISO 27001, and why should companies adopt it?

ISO 27001 is a universal framework for managing information security. The certification is considered an international standard and guides your business's information security management system (ISMS). It provides guidance for establishing, implementing, maintaining, and continuously improving a company's ISMS, which helps organizations protect their information assets.

In 2022, the standard was revised for the third time. The current version of the standard is ISO 27001:2022.

What is the ISO 27001 Annex A?

A simple approach to think of Annex A is as a portfolio of information security controls that you can choose from. From 93 measures specified in Annex A, you can select the ones that are relevant to your organization's scope.

ISO 27001 Annex A is arguably the most well-known annexes of all the ISO standards because it contains the essential instrument for managing information security risks: a list of security controls (or safeguards) that should be used to strengthen your information assets' security.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the framework that gives companies a basic understanding of the controls and clauses in Annex A. While it does not go into great depth regarding each control, it does provide an idea of what you need to accomplish. Each control has a one-line explanation of its objective.

The ISO 27000 family of standards includes more detailed explanations that focus more closely on the respective controls. ISO 27002, as an example, includes additional information about the specific controls organizations can implement to establish a compliant ISMS.

Learn more about the differences between ISO 27001 and ISO 27002 in this blog article.

What are the ISO 27001:2022 Annex A controls?

There are 93 ISO 27001 Annex A controls that cover multiple areas of operations. These controls are organized into four different categories (domains).

Each category can be attributed to a particular focus area within your organization. Contrary to popular belief, they are not all IT-related.

Grouping the controls into four themes helps decide who is responsible for implementing the measures and which measures even apply to your organization in the first place.

For example, technical controls can be carried out by the IT department, while organizational controls can be carried out by your System Operations team.

What are the four ISO 27001 control sets?

As an overview, here is a list of the four different categories of controls:

• Organizational controls (37 measures)
• People controls (8 measures)
• Physical controls (14 actions)
• Technological controls (34 measures)

Organizational controls: Measurements for organizational safety

Organizational controls typically cover everything that does not fall under the topics of people, technology, or physical security. This includes things like identity management, responsibilities, and evidence collection.

New organizational controls from ISO 27001:2022 include:

• 5.7: Threat intelligence
• 5.23: Information security for use of cloud services
• 5.30: ICT readiness for business continuity

People controls: Staff-related measures to protect employees

The People controls section has only eight controls. It focuses on how employees handle sensitive information during their daily work.

This includes topics like remote work, nondisclosure agreements, and screenings. Onboarding and offboarding processes, as well as responsibilities for reporting incidents, are also relevant.

Physical controls: Measures for the physical protection of the organization

Physical controls include security monitoring, maintenance, facility security, and storage media.

This category is about how you protect against physical and environmental threats such as theft, natural disasters, and deliberate destruction.

The new physical controls include: 7.4: Physical security monitoring.

Technological controls: Measures for technical security

Technological controls cover the areas of authentication, encryption, and data leakage prevention. Various approaches, such as access rights, network security, and data masking, help to achieve stronger data protection.

New technological controls in ISO 27001:2022 include:

• 8.1: Data masking
• 8.9: Configuration management
• 8.10: Information deletion
• 8.12: Data leakage prevention
• 8.16: Monitoring activities
• 8.23: Web filtering
• 8.28: Secure coding

In this area, one innovation is particularly important, which is data leakage prevention. However, web filtering is also noteworthy: this control describes how organizations should filter online traffic to prevent users from visiting potentially harmful websites.

ISO 27001 Annex A control tables

What new controls does ISO 27001:2022 introduce?

Since 2022, eleven new controls have been added to ISO 27001, which are assigned to different categories. These are:

A.5.7 Threat intelligence: Collect and analyze data on potential threats to maintain information security.

A.5.23 Information security for the use of cloud services: Define and monitor information security for the use of cloud services.

A.5.30 ICT readiness for business continuity: Create an ICT (information and communications technology) continuity plan to maintain business resilience.

A.7.4 Physical security monitoring: Implement appropriate monitoring tools to detect and prevent external and internal intrusions.

A.8.9 Configuration management: Establish policies for documenting, implementing, monitoring, and auditing configurations across their network.

A.8.10 Information deletion: Manage data deletion to comply with laws and regulations.

A.8.11 Data masking: Use data-masking techniques for personally identifiable information (PII) to comply with laws and regulations.

A.8.12 Data leakage prevention: Take technical measures to identify and prevent the disclosure and/or extraction of information.

A.8.16 Monitoring activities: Improve network monitoring activities to detect anomalous behavior and respond to security events and incidents.

A.8.23 Web filtering: Enforce access controls and measures to restrict and control access to external websites.

A.8.28 Secure coding: Implement proven principles of secure coding to prevent vulnerabilities that could be caused by inadequate coding methods.

What's the best way to implement the Annex A controls?

Organizations are not required to implement all 93 controls but are expected to identify and apply the ones most suited to their needs.

The process of selecting applicable controls begins with a risk assessment and subsequent treatment. After risk treatment, you must measure how successful the controls were in strengthening your information security.

Information security is all about putting in place a set of strong rules that will mature over time. As a result, implementing the controls outlined in Annex A is and must always be the responsibility of a number of people.

The process of gathering all required documentation and becoming ISO 27001 compliant can be challenging, which is why you and your organization may benefit from the expertise of an ISO 27001 consultant.

What benefits do companies get from ISO 27001?

Identifying and addressing security risks is beneficial to any organization. The ISO 27001 controls help to clearly categorize potential risks. But what are the tangible benefits of mitigating risks?

ISO 27001 compliance demonstrates to stakeholders (such as customers and shareholders) that an organization has prioritized the implementation of information security best practices. This can lead to the following benefits:

• Improved competitiveness
• Reduced risks of fines and losses due to data-protection breaches
• Improved brand perception
• Compliance with relevant business, legal, economic, and statutory requirements
• Improved structure and focus
• Reduced number of required audits
• Unbiased assessment of the organization's security posture

In short, an ISO 27001 certification makes it easier to satisfy regulatory obligations, demonstrates your reliability to partners, and shows your dedication to maintaining the highest standards of information security.

What is the best way to achieve ISO 27001 compliance? [checklist]

Even if you're not looking for official certification, there is always the option to voluntarily comply with ISO 27001 requirements. Here are some best practices you can implement:

• Talk to your stakeholders to understand their information security expectations.
• Define the scope of your ISMS and the information security measures you will implement.
• Define a clear security policy.
• Conduct a risk assessment to identify any existing and potential risks to your information security.
• Implement measures and risk-management methods that set clear objectives.
• Regularly evaluate the effectiveness of your information security practices and conduct risk assessments.

Gain practical insights from our work with FRÄNKISCHE, where we guided them through their internal audit, paving the way for successful third-party certification.

ISO 27001: Enhanced security with the right controls

An ISO 27001 certification makes it easier to comply with broader legal requirements, demonstrates your organization's reliability to business partners, and shows your commitment to meeting the highest information security standards.

Check out our ISO 27001 checklist to find out what measures you need to implement to achieve ISO 27001.

Need help with information security or in preparing for a certification audit? Contact our experts today.

Frequently asked questions