

Annex A Controls

Complete Guide to All 93 ISO 27001:2022 Controls. Comprehensive breakdown of all Annex A controls across 4 categories with practical implementation guidance for organizations in Mumbai, Delhi, Bangalore, Hyderabad, Gurgaon, and Pune.

The 2022 revision reorganized Annex A into 93 controls across 4 categories: 11 new controls were added and 24 were merged from the 2013 set.

  • 93 total controls
  • 4 categories
  • 11 new in 2022

ISO/IEC 27001:2022 · Accredited certification bodies (TÜV SÜD, BSI, DNV) · Last reviewed June 2026

ISO/IEC 27001:2022 Annex A contains 93 information security controls organized into four themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). These replaced the 114 controls and 14 domains of the 2013 version, with 11 new controls added for modern risks such as threat intelligence, cloud security, data masking, and secure coding. You do not implement every control by default — you select the controls that apply to your organization based on your risk assessment and record each decision, including justified exclusions, in the Statement of Applicability (SoA), which traces directly back to that risk assessment. Tranquility Cybersecurity (TCSA) helps you scope, select, and implement the right controls; the certificate itself is issued by an accredited certification body after Stage 1 and Stage 2 audits. The reference standard is ISO/IEC 27001.

Go Deeper

Every control has its own implementation guide

This page is the overview. Each of the 93 controls also has a dedicated deep-dive — paraphrased requirement, seven implementation steps, the evidence auditors sample, common pitfalls, and FAQs — written by certified lead auditors.

The 2022 Revision

What Changed in ISO 27001:2022?

The 2022 revision reorganized Annex A from 114 controls (14 categories) to 93 controls (4 categories). Here are the 11 new controls added to address emerging threats:

  • A.5.7 - Threat intelligence (Organizational Controls)
  • A.5.23 - Information security for use of cloud services (Organizational Controls)
  • A.5.30 - ICT readiness for business continuity (Organizational Controls)
  • A.7.4 - Physical security monitoring (Physical Controls)
  • A.8.9 - Configuration management (Technological Controls)
  • A.8.10 - Information deletion (Technological Controls)
  • A.8.11 - Data masking (Technological Controls)
  • A.8.12 - Data leakage prevention (Technological Controls)
  • A.8.16 - Monitoring activities (Technological Controls)
  • A.8.23 - Web filtering (Technological Controls)
  • A.8.28 - Secure coding (Technological Controls)

Framework Structure

The 4 Control Categories

ISO 27001:2022 organizes all 93 controls into 4 thematic categories for easier implementation and management.

Organizational Controls

37 Controls

Policies, procedures, and organizational structures for information security management.

Key Controls:

  • A.5.1 - Policies for information security: define and approve information security policies
  • A.5.7 - Threat intelligence: collect and analyze threat intelligence information
  • A.5.23 - Information security for use of cloud services: secure acquisition, use, and management of cloud services
  • A.5.30 - ICT readiness for business continuity: ensure ICT systems availability during disruptions

Implementation Examples:

  • Information Security Policy document
  • Risk assessment and treatment procedures
  • Supplier security requirements
  • Business continuity and disaster recovery plans

People Controls

8 Controls

Controls related to personnel security, training, and awareness.

Key Controls:

  • A.6.1 - Screening: background verification for employees and contractors
  • A.6.2 - Terms and conditions of employment: security responsibilities in employment contracts
  • A.6.3 - Information security awareness, education and training: regular security training for all personnel
  • A.6.4 - Disciplinary process: formal process for security policy violations

Implementation Examples:

  • Background verification process
  • Security awareness training program
  • Acceptable use policy
  • Confidentiality agreements

Physical Controls

14 Controls

Controls for physical security of facilities, equipment, and assets.

Key Controls:

  • A.7.1 - Physical security perimeters: define and protect physical security boundaries
  • A.7.2 - Physical entry: control access to secure areas
  • A.7.4 - Physical security monitoring: monitor premises for unauthorized access
  • A.7.7 - Clear desk and clear screen: protect information when not in use

Implementation Examples:

  • Access control systems (biometric, card readers)
  • CCTV surveillance
  • Visitor management system
  • Clean desk policy

Technological Controls

34 Controls

Technical security controls for systems, networks, and applications.

Key Controls:

  • A.8.1 - User endpoint devices: protect information on user endpoint devices
  • A.8.2 - Privileged access rights: restrict and control privileged access
  • A.8.3 - Information access restriction: restrict access based on business requirements
  • A.8.9 - Configuration management: maintain security configurations
  • A.8.16 - Monitoring activities: monitor networks, systems, and applications
  • A.8.23 - Web filtering: control access to external websites
  • A.8.28 - Secure coding: apply secure coding principles

Implementation Examples:

  • Multi-factor authentication (MFA)
  • Encryption for data at rest and in transit
  • Intrusion detection/prevention systems
  • Vulnerability scanning and patch management
  • Security information and event management (SIEM)

Best Practices

Implementation Guidance

Applicability Assessment

Not all 93 controls are mandatory. Prepare a Statement of Applicability (SoA) to record which controls apply to your organization.

  • Review each control against your risk assessment
  • Document justification for exclusions
  • Get management approval for SoA

Prioritization Strategy

Implement controls based on risk priority and business impact. Start with high-risk areas first.

  • Focus on critical assets and high-risk areas
  • Implement quick wins for early momentum
  • Plan phased rollout over 6-12 months

Evidence Collection

Maintain comprehensive evidence of control implementation for audit purposes.

  • Document policies and procedures
  • Collect screenshots and configuration exports
  • Maintain audit logs and reports

Annex A Controls: FAQs

How the 93 ISO 27001:2022 controls work in practice.

How many controls are in ISO 27001:2022 Annex A?

There are 93 controls, grouped into 4 themes: Organizational (37), People (8), Physical (14), and Technological (34). This replaced the 2013 structure of 114 controls across 14 domains.

Do we have to implement all 93 Annex A controls?

No. You select the controls applicable to your organization based on your risk assessment. The Statement of Applicability (SoA) records which controls apply and documents a justification for any control you exclude. Most organizations apply 70–85 controls.

What is the Statement of Applicability (SoA)?

The SoA is the mandatory document that lists every Annex A control, states whether it is applicable, and — for excluded controls — records the justification. It traces directly to your risk assessment and is a core artefact the certification-body auditor reviews.

What are the 11 new controls added in ISO 27001:2022?

The new controls are threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28).

Are the Annex A controls mandatory or guidance?

The mandatory requirements are Clauses 4–10 of ISO 27001. Annex A is a reference set of controls you draw from based on risk; selecting and justifying them in the SoA is mandatory, but which specific controls you implement is risk-driven. Tranquility Cybersecurity helps you scope and implement the right ones — the accredited certification body then audits and issues the certificate.

Continue from the ISO 27001 hub, see how we implement these controls through our ISO 27001 consulting service in India, or review delivered engagements on our proof page.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
