The ISO 27001 Annex A Security Controls: A Strategic Framework


March 2, 2026
4 min read

Understanding ISO 27001 Annex A: The Ultimate Security Control List

If the main body of ISO/IEC 27001 (Clauses 4 to 10, the mandatory ISMS requirements) is the "Why" and the "How to manage," then Annex A is the "What." It is the reference list of 93 information security controls that often intimidates newcomers but is actually your best friend in building a secure business.

How Annex A is Structured

The controls in Annex A are organized into 4 themes to make them easier to manage:

  1. Organizational controls (37 controls)
  2. People controls (8 controls)
  3. Physical controls (14 controls)
  4. Technological controls (34 controls)

ISO 27001 Annex A Themes Schematic

Why Decision Makers Care About Annex A

The 2022 edition of the standard streamlined Annex A from 114 controls in 14 domains down to 93 controls in 4 themes. Nothing was simply dropped: 11 controls are new, and the rest of the old controls were merged or updated. Let's break down what they are and how you should use them.

The 4 Categories of Controls

The 2022 update reorganized the controls into four logical themes. This makes it much easier for business leaders to assign responsibility to different departments:

1. Organizational Controls (37 Controls)

These deal with the "rules of the game." They include information security policies (A.5.1), threat intelligence (A.5.7), information security for use of cloud services (A.5.23), and how you handle information security in your relationships with suppliers (A.5.19 to A.5.22).

  • Responsibility: Management, Legal, and HR.

2. People Controls (8 Controls)

Security is about people. These controls cover background screening (A.6.1), terms and conditions of employment (A.6.2), the all-important security awareness, education and training (A.6.3), and remote working (A.6.7).

  • Responsibility: HR and Team Leads.

3. Physical Controls (14 Controls)

Old-school security matters too. These controls cover physical security perimeters and entry (A.7.1 to A.7.3), physical security monitoring (A.7.4), clear desk and clear screen (A.7.7), and the physical protection of your equipment (A.7.8 onwards).

  • Responsibility: Facilities and Operations.

4. Technological Controls (34 Controls)

This is where most of the engineering work lands. It includes secure authentication (A.8.5), configuration management (A.8.9), monitoring activities (A.8.16), networks security (A.8.20), use of cryptography (A.8.24), and secure coding (A.8.28).

  • Responsibility: IT and Engineering.

The Statement of Applicability (SoA)

Crucially, you don't have to implement all 93 controls, but you do have to account for all of them. Clause 6.1.3 requires you to compare the controls you chose through risk treatment against Annex A, so that no necessary control is overlooked, and to justify every exclusion.

This selection process is documented in the Statement of Applicability (SoA). For every Annex A control, the SoA must state:

  • Is it applicable (necessary for treating your risks)?
  • If yes, why, and is it implemented (or planned, with a date)?
  • If no, why not? (e.g., "We have no on-premises servers, so supporting utilities and cabling controls for a server room are not applicable.")

Every exclusion should trace back to your risk assessment. Auditors routinely challenge blanket "not applicable" entries: in the example above, physical controls still apply to the office where staff and laptops sit, even if there is no server room.
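The bookkeeping the SoA demands (every one of the 93 controls accounted for, each exclusion justified, no stale 2013 numbering) is easy to check mechanically before an auditor does. The script below is an added example written for this article, not a tool from the standard or from any vendor; the SoA rows in it are constructed sample data, deliberately seeded with the mistakes the checks are meant to catch.

```python
"""Validate a Statement of Applicability (SoA) against the ISO/IEC 27001:2022
Annex A control set.

Added example, not from the original article. SAMPLE_SOA is constructed test
data; a real SoA would carry a row for all 93 controls.
"""
from collections import Counter

# Annex A (2022) numbering by theme: 5.x organizational (37), 6.x people (8),
# 7.x physical (14), 8.x technological (34). Theme number -> (name, count).
THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}

# The full list of 93 control identifiers, e.g. "A.5.1" ... "A.8.34".
ALL_CONTROLS = [f"A.{t}.{i}" for t, (_, n) in THEMES.items() for i in range(1, n + 1)]

# Constructed sample rows: (control_id, applicable, implemented, justification).
SAMPLE_SOA = [
    ("A.5.23", True, True, "Production runs on a public cloud provider"),
    ("A.8.5", True, True, "MFA enforced at the identity provider for all staff"),
    ("A.8.28", True, False, "Secure coding standard drafted; rollout planned Q3"),
    ("A.7.8", False, False, ""),                     # excluded, no justification
    ("A.7.11", False, True, "No on-prem servers"),   # implemented but not applicable
    ("A.8.5", True, True, "duplicate row"),          # listed twice
    ("A.9.1", True, True, "stale 2013 numbering"),   # not a 2022 control
]


def validate_soa(rows):
    """Return (findings, coverage) for an SoA.

    findings: list of problems an auditor would raise, in detection order.
    coverage: theme name -> (controls with an SoA row, controls in the theme).
    """
    findings = []
    seen = Counter(cid for cid, *_ in rows)

    # Structural checks: unknown identifiers and duplicate rows.
    for cid, count in seen.items():
        if cid not in ALL_CONTROLS:
            findings.append(f"{cid}: not an Annex A (2022) control")
        if count > 1:
            findings.append(f"{cid}: listed {count} times")

    # Per-row consistency checks (Clause 6.1.3: every exclusion needs a reason).
    for cid, applicable, implemented, justification in rows:
        if cid not in ALL_CONTROLS:
            continue
        if not applicable and not justification.strip():
            findings.append(f"{cid}: excluded without a justification")
        if implemented and not applicable:
            findings.append(f"{cid}: marked implemented but not applicable")
        if applicable and not implemented and not justification.strip():
            findings.append(f"{cid}: applicable but not implemented, no treatment plan noted")

    # Completeness: the SoA must address all 93 controls, applicable or not.
    missing = [c for c in ALL_CONTROLS if c not in seen]
    if missing:
        findings.append(f"{len(missing)} Annex A controls have no SoA entry (e.g. {missing[0]})")

    coverage = {}
    for t, (name, n) in THEMES.items():
        addressed = sum(1 for c in seen if c.startswith(f"A.{t}."))
        coverage[name] = (addressed, n)
    return findings, coverage


if __name__ == "__main__":
    findings, coverage = validate_soa(SAMPLE_SOA)
    for name, (addressed, total) in coverage.items():
        print(f"{name:14s} {addressed:2d}/{total}")
    for f in findings:
        print("FINDING:", f)
```

Run against the sample rows it reports five findings: A.8.5 listed twice, A.9.1 not a 2022 control, A.7.8 excluded without justification, A.7.11 implemented but marked not applicable, and 88 controls with no row at all. Feeding it your real SoA export (one row per control) turns the "did we forget anything?" question into a pre-audit check you can run in CI alongside your policy repository.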

How to Choose the Right Controls

The biggest mistake is "over-securing." If a control costs $10,000 to implement but only reduces a risk worth $1,000, don't implement it; record the decision as an accepted risk in your risk treatment plan and justify the exclusion in the SoA rather than silently dropping it. Use your risk assessment as your primary guide.

Common "Must-Have" Controls for SaaS:

  • A.5.23 Information Security for Use of Cloud Services: Ensuring your providers (AWS, Azure, etc.) are selected, contracted, and monitored with security in mind.
  • A.8.28 Secure Coding: Essential for any company building software.
  • A.8.5 Secure Authentication: Implementing MFA (Multi-Factor Authentication) across the board.

FAQ: Frequently Asked Questions

Can we add our own controls?

Yes! Annex A is a reference set, not an exhaustive one: Clause 6.1.3 lets you take controls from any source. If your industry requires extra security (like PCI DSS for payments), you can and should add those controls to your ISMS and list them in the SoA alongside the Annex A ones.

What happened to the 114 controls from the 2013 version?

Most were merged or updated rather than removed. For example, the 2013 controls A.8.1.1 "Inventory of assets" and A.8.1.2 "Ownership of assets" became the single control A.5.9 "Inventory of information and other associated assets," and the policy control and its separate review control (A.5.1.1 and A.5.1.2) were folded into A.5.1. Eleven controls, such as threat intelligence (A.5.7), data masking (A.8.11), and web filtering (A.8.23), were added.

Do we need a policy for every single control?

No. You can bundle related controls into single policies (e.g., an "Access Control Policy" can cover 5-10 different Annex A requirements).

Conclusion: Use the Tools That Fit Your Business

Annex A is a menu, not a mandate. By selecting the right controls for your specific risk profile, you build a security posture that is robust without being restrictive.

Need help selecting your controls? Our experts can help you draft a lean, audit-ready Statement of Applicability.



Note: This article references ISO/IEC 27001:2022, the current edition of the standard. The transition period for certificates issued against the 2013 edition ended on October 31, 2025, so new and renewed certifications are assessed against the 2022 Annex A.