Annex A
The appendix to ISO 27001 that contains a reference set of 93 information security controls organized into four themes: Organizational, People, Physical, and Technological. Organizations use Annex A as a checklist to ensure their ISMS addresses all relevant control areas.
Annex A is the control catalogue of ISO 27001:2022. It provides 93 controls grouped into four categories: Organizational controls (37 controls covering policies, roles, asset management, and supplier relationships), People controls (8 controls covering screening, awareness, training, and disciplinary processes), Physical controls (14 controls covering physical security, equipment protection, and environmental threats), and Technological controls (34 controls covering access management, encryption, logging, network security, and secure development).
In the 2022 revision of ISO 27001, Annex A was significantly restructured from the previous 14-domain, 114-control structure to the current 4-theme, 93-control structure. Some controls were merged, and 11 new controls were added to address modern concerns like threat intelligence, cloud security, data masking, and monitoring activities.
Organizations are not required to implement every Annex A control. Instead, the risk assessment determines which controls are necessary, and the Statement of Applicability documents the decisions. However, auditors expect organizations to have considered every control and to justify any exclusions. In practice, most organizations find the majority of Annex A controls applicable to their environment.
Related terms
Access Control
The set of policies, procedures, and technical mechanisms that govern who can access which information assets, systems, and resources. Access control ensures that only authorized individuals can view, modify, or interact with sensitive data and systems.
Control Objective
A statement describing what a specific security control is intended to achieve. Control objectives define the desired outcome — such as preventing unauthorized access or ensuring data integrity — while allowing organizations flexibility in how they implement the control to meet that objective.
Information Security Management System
A systematic framework of policies, processes, and controls that an organization establishes to manage and protect its information assets. An ISMS addresses people, processes, and technology to ensure the confidentiality, integrity, and availability of information.
Statement of Applicability
A key ISO 27001 document that lists all 93 Annex A controls and states whether each is applicable to the organization, along with justification for inclusion or exclusion and a description of how applicable controls are implemented.