ISO 27001:2022 · Annex A Reference
All 93 Annex A Controls, Explained by Auditors
ISO 27001:2022 restructured Annex A into 93 controls across four themes — organizational, people, physical, and technological — including 11 controls that are entirely new. Every control below links to a full implementation guide: what it means, how to implement it, what auditors check, and where teams go wrong.
Organizational Controls (A.5.1 – A.5.37)
Governance, policy, supplier, incident, and continuity controls — the management layer of the ISMS.
Policies for information security
How to define, approve, publish, and review your information security policy and topic-specific policies — the governing documents of the ISMS.
Information security roles and responsibilities
Assigning and communicating ownership for every security duty in the ISMS, from the CISO to individual asset and risk owners.
Segregation of duties
Separating conflicting duties and areas of responsibility so no single person can initiate, approve, and conceal a sensitive action.
Management responsibilities
Making managers actively require their teams to apply security policies and procedures — visible enforcement, not passive endorsement.
Contact with authorities
Establishing and maintaining channels with regulators, law enforcement, and supervisory bodies for incident reporting and legal obligations.
Contact with special interest groups
Staying connected to security forums, CERTs, and professional communities for early warning, shared intelligence, and expertise.
Threat intelligence
Collecting and analyzing threat information from internal and external sources and turning it into actionable defensive decisions.
Information security in project management
Embedding security requirements and risk assessment into every project lifecycle — not just IT projects.
Inventory of information and other associated assets
Building and maintaining an accurate inventory of information and supporting assets, each with a designated owner.
Acceptable use of information and other associated assets
Defining the rules for acceptable use and handling of information and assets, and making every user acknowledge them.
Return of assets
Ensuring employees and contractors return all organizational assets when their employment, contract, or agreement ends or changes.
Classification of information
Classifying information by confidentiality, integrity, and availability needs so protection effort matches business value.
Labelling of information
Applying classification labels to information across formats and systems so handling rules travel with the data.
Information transfer
Securing information in transit through transfer rules, agreements, and controls covering electronic, physical, and verbal channels.
Access control
Establishing the rules that govern who gets logical and physical access to what, based on business and security requirements.
Identity management
Managing the full lifecycle of identities — creation, change, deactivation — so every identity maps to one accountable entity.
Authentication information
Controlling how passwords, keys, and other authentication secrets are allocated, distributed, stored, and changed.
Access rights
Provisioning, reviewing, adjusting, and revoking access rights in line with the access control policy and joiner-mover-leaver events.
Information security in supplier relationships
Managing the security risks that come with suppliers accessing your information and systems, across the whole relationship lifecycle.
Addressing information security within supplier agreements
Writing security requirements — controls, SLAs, audit rights, breach duties — directly into supplier contracts.
Managing information security in the ICT supply chain
Extending security requirements beyond direct suppliers to the products, components, and sub-suppliers in the ICT supply chain.
Monitoring, review and change management of supplier services
Continuously monitoring supplier service delivery, reviewing performance, and managing changes to services and agreements.
Information security for use of cloud services
Setting requirements for acquiring, using, managing, and exiting cloud services — shared responsibility made explicit.
Information security incident management planning and preparation
Building incident management capability before you need it: roles, procedures, communication channels, and competence.
Assessment and decision on information security events
Triage discipline: assessing security events against defined criteria and deciding which ones are actual incidents.
Response to information security incidents
Responding to incidents according to documented procedures — containment, eradication, recovery, escalation, and communication.
Learning from information security incidents
Converting incident experience into stronger controls, updated risk assessments, and sharper awareness.
Collection of evidence
Identifying, collecting, and preserving incident evidence so it remains intact and admissible for disciplinary, regulatory, or legal action.
Information security during disruption
Maintaining an appropriate level of information security when business is disrupted — security woven into continuity plans.
ICT readiness for business continuity
Ensuring ICT can recover to meet business continuity objectives — RTOs, RPOs, failover, and tested recovery plans.
Legal, statutory, regulatory and contractual requirements
Identifying and keeping current every legal, regulatory, and contractual security obligation — and documenting how you satisfy each.
Intellectual property rights
Protecting intellectual property — yours and others’ — through licensing compliance, usage policies, and asset controls.
Protection of records
Protecting records against loss, destruction, falsification, and unauthorized access through their full retention lifecycle.
Privacy and protection of PII
Meeting privacy obligations for personal data — identification, protection, and lawful processing across every applicable law.
Independent review of information security
Having your security program independently reviewed at planned intervals and after significant change.
Compliance with policies, rules and standards for information security
Regularly verifying that security policies, rules, and standards are actually followed — and correcting deviations.
Documented operating procedures
Documenting operating procedures for security-relevant activities so they survive staff turnover and stand up in audits.
People Controls (A.6.1 – A.6.8)
Controls covering the human lifecycle: screening, contracts, awareness, discipline, remote work, and reporting.
Screening
Background verification proportionate to role risk — identity, employment history, qualifications — within legal and ethical limits.
Terms and conditions of employment
Embedding information security responsibilities into employment contracts and agreements before day one.
Information security awareness, education and training
Running a security awareness program that actually changes behavior — role-based, measured, and continuously refreshed.
Disciplinary process
A formal, communicated process for handling information security policy violations fairly and consistently.
Responsibilities after termination or change of employment
Defining which security duties — confidentiality, IP, data return — survive termination or role change, and enforcing them.
Confidentiality or non-disclosure agreements
Identifying, documenting, and regularly reviewing the confidentiality and NDA terms that protect your information.
Remote working
Securing information when people work from home or anywhere outside the office — devices, networks, and the physical environment.
Information security event reporting
Giving every person a clear, fast channel to report observed or suspected security events — and the culture to use it.
Physical Controls (A.7.1 – A.7.14)
Perimeters, entry, secure areas, equipment, media, and utilities — protecting information in physical space.
Physical security perimeters
Defining physical perimeters around areas holding information and assets, with barriers proportionate to the risk inside.
Physical entry
Controlling who enters secure areas — entry controls, visitor management, and protection of delivery and loading areas.
Securing offices, rooms and facilities
Designing and applying physical security for offices, rooms, and facilities against unauthorized access and observation.
Physical security monitoring
Continuously monitoring premises with surveillance, intruder detection, and alarm response to detect unauthorized physical access.
Protecting against physical and environmental threats
Designing protection against fire, flood, earthquake, power events, and other physical or environmental threats to infrastructure.
Working in secure areas
Rules of conduct for working inside secure areas — supervision, device restrictions, and confidentiality of activities.
Clear desk and clear screen
Keeping sensitive material off desks and screens when unattended — simple rules that close the most common exposure gaps.
Equipment siting and protection
Siting equipment to reduce environmental threats, unauthorized access, and unintended observation of sensitive output.
Security of assets off-premises
Protecting devices and media used outside the office — custody, tracking, and protection wherever assets travel.
Storage media
Managing removable and fixed storage media through their lifecycle — acquisition, use, transport, and secure disposal.
Supporting utilities
Protecting operations from failures in power, cooling, telecom, and other supporting utilities — UPS, generators, and redundancy.
Cabling security
Protecting power and telecommunications cabling against interception, interference, and physical damage.
Equipment maintenance
Maintaining equipment correctly — authorized servicing, maintenance records, and security checks before equipment returns to use.
Secure disposal or re-use of equipment
Verifying storage media are sanitized or destroyed before equipment is disposed of or reused — no data walks out the door.
Technological Controls (A.8.1 – A.8.34)
Endpoint, access, cryptography, development, network, and monitoring controls — security in the technology stack.
User endpoint devices
Protecting laptops, phones, and other endpoint devices — hardening, encryption, MDM, and clear rules for BYOD.
Privileged access rights
Restricting and tightly managing admin-level access — allocation, PAM tooling, monitoring, and regular revalidation.
Information access restriction
Enforcing access to information per the access control policy — need-to-know by default, with dynamic restriction techniques.
Access to source code
Controlling read and write access to source code, development tools, and software libraries across the development estate.
Secure authentication
Implementing authentication strong enough for what it protects — MFA, secure log-on flows, and failure handling.
Capacity management
Monitoring and projecting compute, storage, network, and people capacity so availability never fails for predictable reasons.
Protection against malware
Layered malware defense: prevention, detection, and recovery controls, completed by the user awareness that makes them work.
Management of technical vulnerabilities
Identifying, evaluating, and remediating technical vulnerabilities — inventory-driven scanning, patching SLAs, and managed exceptions.
Configuration management
Defining, enforcing, and monitoring secure baseline configurations for hardware, software, services, and networks.
Information deletion
Deleting information when it is no longer required — in systems, devices, and cloud services — to limit exposure and meet retention law.
Data masking
Masking, pseudonymizing, or anonymizing data so non-production and limited-privilege uses never expose the real thing.
Data leakage prevention
Detecting and preventing unauthorized exfiltration of sensitive information across systems, networks, and endpoints.
Information backup
Maintaining and testing backups that match the agreed scope, frequency, and recovery objectives of the business.
Redundancy of information processing facilities
Building redundancy — components, systems, and sites — sufficient to meet the availability requirements you have committed to.
Logging
Producing, protecting, and analyzing event logs covering user activities, exceptions, faults, and security events.
Monitoring activities
Monitoring networks, systems, and applications for anomalous behavior — and acting on what you find.
Clock synchronization
Synchronizing system clocks to approved time sources so logs correlate across systems and evidence holds up.
Use of privileged utility programs
Restricting and controlling utility programs capable of overriding system and application controls.
Installation of software on operational systems
Controlling what software gets installed on production systems, by whom, under what approval — and how it gets rolled back.
Networks security
Securing networks and network devices — protected management interfaces, traffic controls, and segregation-ready architecture.
Security of network services
Defining and enforcing security requirements for network services, in-house or outsourced — features, service levels, and monitoring.
Segregation of networks
Segregating groups of services, users, and systems into network domains with controlled traffic between them.
Web filtering
Managing access to external websites to cut exposure to malicious content and enforce acceptable use.
Use of cryptography
Rules for effective cryptography: algorithm selection, key management, and lifecycle controls for data at rest and in transit.
Secure development life cycle
Building security into the software development lifecycle — rules applied from design through deployment.
Application security requirements
Identifying, specifying, and approving information security requirements when applications are developed or acquired.
Secure system architecture and engineering principles
Establishing secure-by-design engineering principles and applying them to every information system implementation.
Secure coding
Applying secure coding principles — standards, tooling, and review — across in-house and third-party code.
Security testing in development and acceptance
Defining and executing security test plans in development pipelines and acceptance — SAST, DAST, and pre-release verification.
Outsourced development
Directing, monitoring, and reviewing outsourced software development so external code meets your security requirements.
Separation of development, test and production environments
Separating development, test, and production — environments, access, and data — to protect the live estate.
Change management
Putting changes to information systems and processing facilities through defined, recorded change control.
Test information
Selecting, protecting, and managing test data — production data never leaves production unprotected.
Protection of information systems during audit testing
Planning audits and technical tests so live systems stay protected — agreed scope, timing, and access.