ISO 27001 Annex A Controls Explained: Complete List with Examples
What Annex A Is and Why It Matters
ISO/IEC 27001:2022 is the international standard for information security management. The standard itself is a management system framework: it defines how to plan, do, check, and act on security risk. Annex A is the catalog of reference controls — specific safeguards that organizations select based on risk assessment outcomes.
You do not implement every Annex A control. You implement the controls your risk assessment identifies as necessary, justify any exclusions in your Statement of Applicability (SoA), and demonstrate ongoing operating effectiveness. That last part is where most organizations underinvest, and where audit findings cluster.
The 2022 revision restructured Annex A significantly. Where the 2013 version had 114 controls in 14 domains, the 2022 version has 93 controls in 4 themes. The reorganization is not a relaxation — it is a modernization that consolidates redundant controls and adds 11 new ones reflecting cloud, threat intelligence, and data leakage realities.
The Four Themes
Annex A 2022 organizes 93 controls under four themes. The split reflects who or what implements the control:
Theme                    Controls   Range
Organizational controls  37         A.5.1 – A.5.37
People controls          8          A.6.1 – A.6.8
Physical controls        14         A.7.1 – A.7.14
Technological controls   34         A.8.1 – A.8.34
Each theme answers a different governance question. Organizational controls answer "what policies, processes, and roles must exist?" People controls answer "what must employees and contractors know and do?" Physical controls answer "what protects facilities and equipment?" Technological controls answer "what does the system itself enforce?"
Theme 1: Organizational Controls (A.5)
The 37 organizational controls cover information security policies, roles, threat intelligence, supplier relationships, incident management, and continuity. They are the connective tissue that links risk management to operational execution.
Notable controls:
A.5.1 Policies for information security — top-level information security policy, reviewed at planned intervals
A.5.7 Threat intelligence (new in 2022) — collect, analyze, and produce threat intelligence to inform decisions
A.5.19 Information security in supplier relationships — supplier due diligence, contractual security requirements
A.5.23 Information security for use of cloud services (new in 2022) — cloud service provider selection, ongoing risk management
A.5.30 ICT readiness for business continuity (new in 2022) — ICT continuity plans tested and maintained
A.5.37 Documented operating procedures — runbooks for security-relevant processes
Auditors evaluate organizational controls primarily through document review, interview, and sample testing of operational records. The strongest evidence is dated documentation showing the control operated repeatedly over time.
Theme 2: People Controls (A.6)
The 8 people controls govern how employees and contractors interact with information assets across the employment lifecycle.
Notable controls:
A.6.1 Screening — pre-employment background verification proportional to role
A.6.3 Information security awareness, education and training — ongoing training, not one-time onboarding
A.6.4 Disciplinary process — documented response to security violations
A.6.7 Remote working (consolidated in 2022) — security controls for hybrid and remote work
A.6.8 Information security event reporting — channels for employees to report incidents and near-misses
People controls produce findings most often around training records (incomplete coverage), termination procedures (delayed access revocation), and confidentiality agreements (missing for contractors).
Theme 3: Physical Controls (A.7)
The 14 physical controls cover facilities, equipment, and environmental safeguards.
Notable controls:
A.7.1 Physical security perimeters — defined boundaries with controlled entry points
A.7.4 Physical security monitoring (new in 2022) — surveillance, alarms, periodic review
A.7.6 Working in secure areas — controls for handling sensitive information in restricted spaces
A.7.10 Storage media — handling, transport, and disposal of media containing information
A.7.14 Secure disposal or re-use of equipment — destruction or sanitization before reuse
For organizations operating in cloud environments, most physical controls are inherited from the cloud provider's certifications. The Statement of Applicability documents this inheritance, and auditors verify by reviewing the cloud provider's SOC 2, ISO 27001, or equivalent reports.
Theme 4: Technological Controls (A.8) — Where Most CISGuard Mapping Happens
The 34 technological controls cover the configuration of systems, networks, applications, and data. This is the theme where automated evidence collection delivers the most value, and where CIS benchmark scanning provides the broadest coverage.
Notable controls and the CIS benchmark areas that satisfy them:
A.8.1 User end point devices — endpoint hardening (CIS Windows, macOS, Linux benchmarks)
A.8.2 Privileged access rights — local admin policy, sudo restrictions, MFA on privileged accounts
A.8.3 Information access restriction — file and folder permissions, share permissions, RBAC
A.8.5 Secure authentication — password complexity, account lockout, session management
A.8.7 Protection against malware — endpoint protection configuration, removable media policy
A.8.8 Management of technical vulnerabilities — patching cadence, vulnerability scanning
A.8.9 Configuration management — baselined configurations, deviation detection, change control
A.8.10 Information deletion — secure deletion procedures, retention policy enforcement
A.8.11 Data masking — data minimization, anonymization for non-production
A.8.12 Data leakage prevention (new in 2022) — DLP rules, exfiltration monitoring
A.8.15 Logging — what is logged, log integrity, log retention
A.8.16 Monitoring activities — anomaly detection, alerting thresholds
A.8.20 Networks security — firewall rules, segmentation, perimeter hardening
A.8.22 Segregation of networks — VLAN, subnet, trust zone separation
A.8.23 Web filtering (new in 2022) — outbound web filtering, allowlist/blocklist
A.8.24 Use of cryptography — algorithm selection, key strength, key lifecycle
A.8.32 Change management — change request, approval, testing, rollback for ICT changes
A single CIS benchmark scan against Windows Server 2022, Ubuntu 24.04, RHEL 9, Azure, AWS, M365, or Kubernetes evaluates dozens of these technological controls automatically. CISGuard maps each CIS control to its corresponding A.8 controls and produces a per-control coverage report.
What the Statement of Applicability Must Include
The Statement of Applicability (SoA) is the bridge between Annex A and your implementation. For each of the 93 controls, the SoA states:
1. Whether the control is applicable to your scope
2. The justification for inclusion or exclusion
3. The implementation status (planned, implemented, partially implemented)
4. References to the policy or procedure that operationalizes the control
Auditors compare the SoA to evidence. Controls marked "implemented" must have evidence showing operation during the audit period. Controls marked "not applicable" must have justification an auditor finds defensible.
Common Annex A Findings
Across audit cycles, the most common Annex A findings are:
A.5.1 — policy approved but not reviewed annually
A.5.10 — acceptable use policy not signed by all employees
A.5.15 — access control policy exists but is not enforced consistently across systems
A.6.3 — training delivered but completion rates below 100%
A.8.5 — password policy meets minimum but does not match the documented standard
A.8.8 — vulnerability scanning runs but remediation SLAs are not tracked
A.8.9 — configuration baselines defined but drift is not detected between scans
A.8.15 — logging is enabled but retention policy is not enforced
A.8.16 — alerts generated but not reviewed within documented timeframes
Most of these findings are about consistency over time, not initial design. They surface in Type II-style audits and ISO 27001 surveillance audits, where auditors examine evidence across the audit period rather than at a single point.
How Continuous Compliance Changes the Audit
Traditional ISO 27001 audits required a major evidence collection effort before each surveillance audit. With continuous compliance tooling, evidence is generated as a byproduct of daily operations.
For the technological controls in A.8 specifically, continuous CIS benchmark scanning produces:
Population data — every in-scope asset at every point in time
Configuration evidence — pass/fail per CIS control mapped to Annex A
Drift records — every regression, with timestamps and remediation
Exception records — formal waivers with approval chains and expiration
The evidence is timestamped, immutable, and queryable. ISO 27001 auditors can extract whatever sample they prefer, on whatever date, and the answers are consistent.
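As an added illustration (not CISGuard's code or text from the standard) of how the per-control coverage report, the drift records, and the exception records described above can be derived from two benchmark scans. The CIS check IDs, their mapping to Annex A controls, the scan results, the asset names and the waiver are all constructed for this example; a real mapping depends on the benchmark and the product.

```python
# Constructed mapping: hypothetical CIS benchmark check IDs -> the Annex A
# controls they evidence. Real mappings depend on the benchmark and product.
CIS_TO_ANNEX_A = {
    "pw-min-length-14": ["A.8.5"],
    "account-lockout-5": ["A.8.5"],
    "audit-log-retention-365": ["A.8.15"],
    "auto-patch-enabled": ["A.8.8"],
    "fw-default-deny-inbound": ["A.8.20", "A.8.22"],
}

# A scan is {asset: {check_id: passed}} taken on one date (constructed data).
SCAN_DAY1 = {
    "web-01": {"pw-min-length-14": True, "account-lockout-5": True,
               "audit-log-retention-365": True, "auto-patch-enabled": True,
               "fw-default-deny-inbound": True},
    "db-01": {"pw-min-length-14": True, "account-lockout-5": False,
              "audit-log-retention-365": True, "auto-patch-enabled": True,
              "fw-default-deny-inbound": True},
}
SCAN_DAY2 = {
    "web-01": {**SCAN_DAY1["web-01"], "audit-log-retention-365": False},  # regressed
    "db-01": {**SCAN_DAY1["db-01"], "account-lockout-5": True},           # remediated
}
# Formal waivers: (asset, check_id) -> expiry date as ISO 8601 text (constructed).
EXCEPTIONS = {("web-01", "audit-log-retention-365"): "2030-01-01"}

def coverage_report(scan):
    """Status per Annex A control across all assets: satisfied, partial or failed."""
    results = {}
    for checks in scan.values():
        for check, passed in checks.items():
            for control in CIS_TO_ANNEX_A[check]:
                results.setdefault(control, []).append(passed)
    return {c: "satisfied" if all(r) else "failed" if not any(r) else "partial"
            for c, r in sorted(results.items())}

def detect_drift(previous, current, scan_date, exceptions=EXCEPTIONS):
    """Drift records: checks that passed in `previous` but fail in `current`.
    A record is 'waived' only when an unexpired exception covers it."""
    drift = []
    for asset, checks in current.items():
        for check, passed in checks.items():
            if not passed and previous.get(asset, {}).get(check) is True:
                expiry = exceptions.get((asset, check))
                waived = expiry is not None and expiry > scan_date  # ISO dates sort as text
                drift.append({"date": scan_date, "asset": asset, "check": check,
                              "controls": CIS_TO_ANNEX_A[check],
                              "status": "waived" if waived else "regression"})
    return drift
```

Running `detect_drift(SCAN_DAY1, SCAN_DAY2, "2024-06-02")` yields one waived record for web-01's log retention check against A.8.15, while the remediated lockout check on db-01 produces no record; the same call with an empty exception table, or a scan date past the waiver's expiry, reports it as a regression.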
How CISGuard Maps to ISO 27001:2022 Annex A
CISGuard maps 36 of the 93 Annex A controls directly to underlying CIS controls, with primary coverage in the Technological theme (A.8) and partial coverage in Organizational (A.5) controls related to logging, change management, and supplier security.
Each CISGuard scan produces an ISO 27001 Annex A coverage report listing per-control satisfaction status and the underlying CIS controls evaluated. Combined with continuous monitoring, this satisfies Clause 9.1 (Monitoring, Measurement, Analysis, and Evaluation) requirements without manual evidence collection.
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.