ISO 27001:2022

Annex A Controls

Complete Guide to All 93 ISO 27001:2022 Controls

Comprehensive breakdown of all Annex A controls across 4 categories with practical implementation guidance for organizations in Mumbai, Delhi, Bangalore, Hyderabad, Gurgaon, and Pune.

  • 93 total controls
  • 4 categories
  • 11 new in 2022
  • 24 merged

What Changed in ISO 27001:2022?

The 2022 revision reorganized Annex A from 114 controls (14 categories) to 93 controls (4 categories). Here are the 11 new controls added to address emerging threats:

  • A.5.7 - Threat intelligence (Organizational Controls)
  • A.5.23 - Information security for use of cloud services (Organizational Controls)
  • A.5.30 - ICT readiness for business continuity (Organizational Controls)
  • A.7.4 - Physical security monitoring (Physical Controls)
  • A.8.9 - Configuration management (Technological Controls)
  • A.8.10 - Information deletion (Technological Controls)
  • A.8.11 - Data masking (Technological Controls)
  • A.8.12 - Data leakage prevention (Technological Controls)
  • A.8.16 - Monitoring activities (Technological Controls)
  • A.8.23 - Web filtering (Technological Controls)
  • A.8.28 - Secure coding (Technological Controls)

The 4 Control Categories

ISO 27001:2022 organizes all 93 controls into 4 thematic categories for easier implementation and management.

Organizational Controls

37 Controls

Policies, procedures, and organizational structures for information security management.

Key Controls:

  • A.5.1 - Policies for information security: define and approve information security policies
  • A.5.7 - Threat intelligence: collect and analyze threat intelligence information
  • A.5.23 - Information security for use of cloud services: secure acquisition, use, and management of cloud services
  • A.5.30 - ICT readiness for business continuity: ensure ICT systems availability during disruptions

Implementation Examples:

  • Information Security Policy document
  • Risk assessment and treatment procedures
  • Supplier security requirements
  • Business continuity and disaster recovery plans

People Controls

8 Controls

Controls related to personnel security, training, and awareness.

Key Controls:

  • A.6.1 - Screening: background verification for employees and contractors
  • A.6.2 - Terms and conditions of employment: security responsibilities in employment contracts
  • A.6.3 - Information security awareness, education and training: regular security training for all personnel
  • A.6.4 - Disciplinary process: formal process for security policy violations

Implementation Examples:

  • Background verification process
  • Security awareness training program
  • Acceptable use policy
  • Confidentiality agreements

Physical Controls

14 Controls

Controls for physical security of facilities, equipment, and assets.

Key Controls:

  • A.7.1 - Physical security perimeters: define and protect physical security boundaries
  • A.7.2 - Physical entry: control access to secure areas
  • A.7.4 - Physical security monitoring: monitor premises for unauthorized access
  • A.7.7 - Clear desk and clear screen: protect information when not in use

Implementation Examples:

  • Access control systems (biometric, card readers)
  • CCTV surveillance
  • Visitor management system
  • Clean desk policy

Technological Controls

34 Controls

Technical security controls for systems, networks, and applications.

Key Controls:

  • A.8.1 - User endpoint devices: protect information on user endpoint devices
  • A.8.2 - Privileged access rights: restrict and control privileged access
  • A.8.3 - Information access restriction: restrict access based on business requirements
  • A.8.9 - Configuration management: maintain security configurations
  • A.8.16 - Monitoring activities: monitor networks, systems, and applications
  • A.8.23 - Web filtering: control access to external websites
  • A.8.28 - Secure coding: apply secure coding principles

Implementation Examples:

  • Multi-factor authentication (MFA)
  • Encryption for data at rest and in transit
  • Intrusion detection/prevention systems
  • Vulnerability scanning and patch management
  • Security information and event management (SIEM)

Implementation Guidance

Applicability Assessment

Not all 93 controls are mandatory. Prepare a Statement of Applicability (SoA) to record which controls apply to your organization and why.

  • Review each control against your risk assessment
  • Document justification for exclusions
  • Get management approval for SoA

Prioritization Strategy

Implement controls based on risk priority and business impact. Start with high-risk areas first.

  • Focus on critical assets and high-risk areas
  • Implement quick wins for early momentum
  • Plan phased rollout over 6-12 months

Evidence Collection

Maintain comprehensive evidence of control implementation for audit purposes.

  • Document policies and procedures
  • Collect screenshots and configuration exports
  • Maintain audit logs and reports
