ISpectra Technologies
Core Concepts · Guide · Updated Jun 2026 · 9 min read

ISO 27001 Annex A Controls: The Complete List

ISO 27001:2022 Annex A lists 93 security controls across four themes. You do not implement all of them — you choose the ones your risks demand. This guide explains the full control set and how to select from it.


Annex A is the part of ISO 27001 most people picture when they think of ‘the controls’. In the 2022 edition it contains 93 controls grouped into four themes, replacing the older 14-domain structure. It is a menu, not a mandate: your risk assessment decides which controls apply, and you record those decisions in the Statement of Applicability.

This guide walks through the four themes, explains how selection works, and shows how to turn the Annex A list into a focused, defensible control set on the way to ISO 27001 certification.

What Annex A is (and is not)

Annex A is a reference catalogue of information security controls. Each entry gives a control a title and a short statement of its purpose; the detailed implementation guidance lives in the companion standard ISO 27002. Annex A tells you what the controls are; ISO 27002 tells you how to implement them.

Critically, Annex A is not a mandatory checklist. You are not required to implement all 93 controls — you implement those your risk assessment justifies and document any exclusions with reasons. This risk-based selection is central to how ISO 27001 works.

Treating Annex A as a tick-everything list is a classic mistake that wastes effort on controls your organisation does not need.

The 2022 restructure into four themes

The 2022 revision reorganised Annex A from 14 domains into four themes, consolidating overlaps and adding modern controls. The themes are Organizational, People, Physical, and Technological, and the total settled at 93 controls.

The new structure is more intuitive: it groups controls by what they protect and who operates them, rather than by abstract domains. It also aligns with how organisations actually divide security responsibilities.

If you encounter older material referencing 114 controls in 14 domains, it predates this change — the substance largely carried over, but the numbering and grouping did not.


Theme A.5: Organizational controls (37)

The largest theme, with 37 controls, covers the organisational backbone of security: information security policies, roles and responsibilities, segregation of duties, and management direction. It also includes supplier and cloud-service security, threat intelligence, and the handling of information through classification and labelling.

Incident management, business continuity, and legal and compliance obligations also sit here. In short, this theme is about governance and the relationships and processes that surround your technology.

Because it is so broad, it is where many of the management-oriented controls that complement the clauses are found.

Theme A.6: People controls (8)

The People theme contains 8 controls addressing the human element behind most security incidents. They cover screening before employment, terms and conditions that set security expectations, and security awareness, education, and training.

It also includes the disciplinary process for security breaches, responsibilities that continue after employment ends, confidentiality agreements, and arrangements for remote working — increasingly important in a hybrid world.

Though few in number, these controls are high-impact: the best technology is undermined by untrained or careless people, so auditors take them seriously.

Theme A.7: Physical controls (14)

The Physical theme’s 14 controls protect the tangible side of security. They cover secure areas and physical entry controls, protection against environmental threats, and the security of equipment, cabling, and supporting utilities.

They also address clear desk and clear screen practices, the secure disposal or reuse of equipment, and the handling of storage media. Even cloud-first companies have physical concerns — offices, laptops, and the data centres their providers operate.

For organisations that outsource infrastructure, much of this theme is satisfied through supplier assurance, but the controls still apply to your own premises and devices.

Theme A.8: Technological controls (34)

The Technological theme, with 34 controls, is the technical core. It covers access control and identity management, authentication, and privileged access, plus cryptography and key management. It addresses secure configuration, protection against malware, and management of technical vulnerabilities.

Logging and monitoring, network security, secure development, and data protection measures such as masking and leakage prevention also live here. This theme is where most engineers will spend their time.

Several of the eleven new 2022 controls — secure coding, data masking, data leakage prevention, web filtering — sit in this theme, reflecting the modern, cloud-and-code reality of security.

How control selection actually works

Selection is driven by your risk assessment, not by the catalogue. For each risk you identify, you choose the Annex A controls that treat it, and you record the decision. Controls that address none of your risks — or that simply do not apply to your context — can be excluded with a justification.

The result is a tailored control set: comprehensive enough to treat your real risks, but not bloated with controls you do not need. This is what keeps an ISMS efficient and defensible.

Auditors verify the linkage: they expect each implemented control to trace to a risk, and each exclusion to have a sound reason.

The Statement of Applicability

The mechanism for recording selection is the Statement of Applicability (SoA). It lists all 93 Annex A controls and, for each, states whether it is included or excluded, why, and (for included controls) its implementation status.

The SoA is one of the most important documents in the entire ISMS and a focal point of the Stage 1 audit. A clear SoA tells the auditor the whole story of your control environment at a glance.

Because it ties risks to controls to evidence, the SoA is effectively the index of your security program — worth getting right and keeping current.
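The risk-to-control linkage described above and in the selection section can be checked mechanically. The following is an added example, not ISpectra's tooling or anything from the standard: a small Python check over a constructed risk register and SoA that flags the gaps an auditor looks for (included controls that trace to no risk, exclusions without a reason, risks left untreated). All control ids, risk ids and records are constructed sample data.

```python
"""Consistency checks for a Statement of Applicability (SoA).

Added example, not ISpectra's tooling. The control ids, risk ids and
records below are constructed sample data; a real SoA and risk register
would be loaded from your ISMS instead.
"""
from dataclasses import dataclass, field


@dataclass
class SoAEntry:
    control: str            # Annex A control id, e.g. "A.8.24"
    included: bool
    justification: str      # reason for inclusion or exclusion
    status: str = ""        # implementation status, required if included


@dataclass
class Risk:
    risk_id: str
    treating_controls: list[str] = field(default_factory=list)


# Constructed sample risk register: each risk names the controls that treat it.
RISKS = [
    Risk("R-01", ["A.8.24", "A.8.5"]),   # weak authentication on admin portals
    Risk("R-02", ["A.5.19"]),            # supplier mishandles customer data
    Risk("R-03", []),                    # untreated: no control chosen yet
]

# Constructed sample SoA. Only five of the 93 controls are shown.
SOA = [
    SoAEntry("A.8.24", True, "Treats R-01", "implemented"),
    SoAEntry("A.8.5", True, "Treats R-01"),                  # status missing
    SoAEntry("A.5.19", True, "Treats R-02", "implemented"),
    SoAEntry("A.7.4", False, ""),                            # no reason given
    SoAEntry("A.8.12", True, "Seemed useful", "planned"),    # traces to no risk
]


def check_soa(soa, risks):
    """Return audit-style findings; an empty list means the linkage holds."""
    treated = {c for r in risks for c in r.treating_controls}
    included = {e.control for e in soa if e.included}
    findings = []
    for e in soa:
        if e.included and e.control not in treated:
            findings.append(f"{e.control}: included but traces to no risk")
        if e.included and not e.status.strip():
            findings.append(f"{e.control}: included but no implementation status")
        if not e.included and not e.justification.strip():
            findings.append(f"{e.control}: excluded without a justification")
    for r in risks:
        if not r.treating_controls:
            findings.append(f"{r.risk_id}: risk with no treating control")
        for c in r.treating_controls:
            if c not in included:
                findings.append(f"{r.risk_id}: relies on {c}, not an included control")
    return findings
```

Run `check_soa(SOA, RISKS)` to see the four findings the sample data is built to produce; on a clean SoA it returns an empty list.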

Implementing controls well

Choosing controls is only half the job; implementing them so they actually work — and produce evidence — is what matters at Stage 2. For each control, use ISO 27002 guidance to design a sound implementation, assign an owner, and ensure it generates records that prove it operates.

The common failure is ‘paper controls’: documented but not followed. Auditors test operation through evidence and staff interviews, so adoption matters more than polish. A simple control everyone follows beats an elaborate one that is ignored.

Continuous evidence collection, ideally automated, keeps each control demonstrably alive across the whole audit period.

The bottom line

Annex A is a 93-control menu across four themes — Organizational (37), People (8), Physical (14), and Technological (34) — from which your risk assessment selects what you actually need. It is guidance to choose from, not a mandate to implement in full.

Select controls from real risks, record decisions in the Statement of Applicability, implement them so they operate and produce evidence, and you have a control environment that is both effective and certifiable.

ISpectra helps you select, implement, and evidence the right Annex A controls for your risks — with ISO 27002-grade implementation, free VAPT, and a multi-framework discount — so the catalogue becomes a focused, working program.

Common selection mistakes to avoid

Two opposite mistakes are common. The first is treating Annex A as a checklist and trying to implement all 93 controls regardless of relevance, which wastes effort and produces shallow, hard-to-evidence controls. The second is excluding controls carelessly to reduce work, which leaves real risks untreated and invites findings.

The remedy is discipline: let the risk assessment drive every inclusion and require a genuine, documented reason for every exclusion. ‘Not applicable because we operate no on-premise data centres’ is sound; ‘too much effort’ is not.

A well-justified SoA, neither bloated nor hollowed out, is the clearest sign of a mature, risk-based approach to controls. ISpectra helps organisations achieve ISO 27001 certification efficiently, from gap analysis through to the certificate.

FAQ

ISO 27001 Annex A Controls: The Complete List — Frequently Asked Questions

How many controls does Annex A contain?
93 controls, grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). The previous 2013 version had 114 controls across 14 domains.

Do you have to implement all 93 controls?
No. You implement the controls your risk assessment justifies and may exclude others with a documented reason. Annex A is a risk-based menu, not a mandatory checklist.

What are the four themes?
Organizational, People, Physical, and Technological. The 2022 revision replaced the older 14-domain structure with these four themes.

What is the Statement of Applicability?
A document listing all 93 Annex A controls with your decision to include or exclude each, the justification, and the implementation status of included controls. It is central to the ISO 27001 audit.

Where is the implementation guidance for each control?
In ISO 27002, the companion standard. Annex A names each control; ISO 27002 provides detailed implementation guidance using the same numbering.
