Annex A — Controls
ISO 27001 Annex A contains 93 controls across four categories. Each control describes a security measure that organisations can implement to protect their information. Here you will find a practice-oriented explanation for each control, including BSI mapping, typical audit evidence and KPIs.
What is ISO 27002?
ISO 27001 tells you which controls you need. ISO 27002 tells you how to implement them. Annex A of ISO 27001 lists 93 controls as a reference — short one-liners defining what each control should achieve. The actual implementation guidance lives in ISO 27002:2022, the companion standard. There you will find a dedicated section for each control with purpose, guidance and supplementary information.
The 93 controls are organised into four themes: organisational (policies, processes, responsibilities), people (training, screening, employment terms), physical (buildings, equipment, environment) and technological (systems, networks, cryptography, development). This structure is new since the 2022 revision — the previous 2013 version had 114 controls in 14 groups.
How to select controls
Risk treatment determines which controls you need — Annex A is the checklist, not the obligation list. ISO 27001 Clause 6.1.3 requires you to compare the controls from Annex A with your risk treatment. The result is the Statement of Applicability (SoA): a table documenting for each of the 93 controls whether it applies, why (or why not), and how it is implemented.
In practice this works in three steps. First, identify risks to your information assets. Then decide for each risk how to treat it — avoid, transfer, accept, or reduce through controls. Finally, check against Annex A to ensure nothing was missed. Controls you do not need (e.g. A.8.28 Secure Coding if you do not develop software) are marked as not applicable — with justification.
The most common mistake: marking all 93 controls as applicable without linking them to your risk landscape. This produces an SoA that cannot be defended in an audit. Better: fewer controls, well justified and demonstrably implemented.
A.5 — Organisational Controls (37)
37 controls covering policies, roles, access, suppliers, incidents, compliance and business continuity.
A.6 — People Controls (8)
8 controls covering screening, employment terms, awareness training, disciplinary processes and remote working.
A.7 — Physical Controls (14)
14 controls covering physical access, monitoring, environmental protection, equipment and secure disposal.
A.8 — Technological Controls (34)
34 controls covering endpoints, networks, cryptography, logging, vulnerabilities, development and change management.