Annex A of ISO/IEC 27001:2022 provides a reference set of 93 information security controls designed to help organizations protect their information assets and manage risks. The controls are not mandatory in themselves, but Clause 6.1.3 requires that the controls chosen during risk treatment be compared against Annex A to confirm no necessary control has been overlooked; organizations then record, in the Statement of Applicability (SoA), which controls apply, which are excluded and why, and the implementation status of each.
The 2022 update restructured the 2013 version's 114 controls across 14 domains into 93 controls grouped into four themes, merging overlapping controls and adding 11 new ones (for example threat intelligence, cloud services, data masking and web filtering) to reflect cloud adoption, supply chain risk and remote working:
• Organizational Controls (37 controls, A.5): Focus on governance, policies, risk management, and supplier relationships.
• People Controls (8 controls, A.6): Address human factors like screening, training, and remote working.
• Physical Controls (14 controls, A.7): Cover protection of physical assets and environments.
• Technological Controls (34 controls, A.8): Deal with technical measures like access, malware protection, and secure development.
Implementation involves tailoring the selected controls to your organization's risks; certification auditors expect documented evidence that each applicable control is implemented and operating effectively, not just listed in the SoA. Below is a complete list of the controls, including numbers, titles, and brief descriptions.
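The SoA is the artefact an auditor reads first, so a quick completeness check before an audit is worth having. The following is an added example (not part of the standard and not the page's own content): a small Python helper that generates the 93 Annex A identifiers from the per-theme counts above, models an SoA as a dictionary keyed by control ID, and reports controls with no recorded decision, stale identifiers from the 2013 numbering, exclusions without a written justification, and applicable controls that are still unimplemented. The `SoaEntry` structure and the sample SoA are hypothetical and constructed for illustration.

```python
"""Statement of Applicability (SoA) completeness check for ISO/IEC 27001:2022 Annex A.

Hypothetical helper (not part of the standard): an SoA is a dict mapping a control
ID such as "A.5.1" to an SoaEntry. Every one of the 93 controls needs a decision,
an excluded control needs a justification, and an applicable control needs to be
implemented before the certification audit.
"""
from dataclasses import dataclass, field

# Number of controls in each Annex A theme (ISO/IEC 27001:2022): 37 + 8 + 14 + 34 = 93.
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}


def annex_a_control_ids():
    """Return the 93 Annex A control identifiers, 'A.5.1' ... 'A.8.34', in order."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoaEntry:
    applicable: bool
    justification: str = ""    # required when applicable is False
    implemented: bool = False  # meaningful only when applicable is True


@dataclass
class SoaFindings:
    missing: list = field(default_factory=list)                 # no decision recorded
    unknown: list = field(default_factory=list)                 # IDs not in Annex A (e.g. 2013 numbering)
    unjustified_exclusions: list = field(default_factory=list)  # excluded, but no reason given
    not_implemented: list = field(default_factory=list)         # applicable, still open

    def ok(self):
        return not (self.missing or self.unknown
                    or self.unjustified_exclusions or self.not_implemented)


def check_soa(soa):
    """Compare an SoA against the full Annex A control set and collect findings."""
    expected = annex_a_control_ids()
    known = set(expected)
    findings = SoaFindings()
    findings.missing = [cid for cid in expected if cid not in soa]
    findings.unknown = sorted(cid for cid in soa if cid not in known)
    for cid in expected:
        entry = soa.get(cid)
        if entry is None:
            continue
        if not entry.applicable and not entry.justification.strip():
            findings.unjustified_exclusions.append(cid)
        if entry.applicable and not entry.implemented:
            findings.not_implemented.append(cid)
    return findings


def example_soa():
    """Constructed sample SoA for a cloud-hosted SaaS company (illustrative, not real data)."""
    soa = {cid: SoaEntry(applicable=True, implemented=True) for cid in annex_a_control_ids()}
    soa["A.7.12"] = SoaEntry(applicable=False,
                             justification="No owned premises; all infrastructure is in a public cloud region.")
    soa["A.7.11"] = SoaEntry(applicable=False)                  # excluded, justification never written
    soa["A.8.23"] = SoaEntry(applicable=True, implemented=False)  # selected, still being rolled out
    del soa["A.8.17"]                                           # decision never recorded
    soa["A.18.1"] = SoaEntry(applicable=True, implemented=True)  # stale identifier from the 2013 edition
    return soa


if __name__ == "__main__":
    result = check_soa(example_soa())
    for name, ids in vars(result).items():
        print(f"{name}: {ids}")
    print("SoA complete:", result.ok())
```

Running the module on the constructed SoA flags exactly one item in each finding category; feeding it a real SoA exported from a spreadsheet is a matter of building the same dictionary from the rows.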
Organizational Controls (A.5)
• A.5.1 Policies for information security: Establish and maintain information security policies.
• A.5.2 Information security roles and responsibilities: Assign and communicate information security roles and responsibilities.
• A.5.3 Segregation of duties: Segregate duties to reduce the risk of unauthorized access or errors.
• A.5.4 Management responsibilities: Ensure management supports and promotes information security.
• A.5.5 Contact with authorities: Maintain appropriate contact with relevant authorities.
• A.5.6 Contact with special interest groups: Engage with special interest groups to stay informed on security matters.
• A.5.7 Threat intelligence: Obtain and use threat intelligence to enhance security.
• A.5.8 Information security in project management: Integrate information security into project management processes.
• A.5.9 Inventory of information and other associated assets: Maintain an inventory of information and assets.
• A.5.10 Acceptable use of information and other associated assets: Define rules for acceptable use of assets.
• A.5.11 Return of assets: Ensure assets are returned upon termination or change.
• A.5.12 Classification of information: Classify information based on sensitivity and requirements.
• A.5.13 Labelling of information: Label information according to its classification.
• A.5.14 Information transfer: Manage secure transfer of information.
• A.5.15 Access control: Implement access control policies and procedures.
• A.5.16 Identity management: Manage user identities throughout their lifecycle.
• A.5.17 Authentication information: Manage authentication information securely.
• A.5.18 Access rights: Assign and review access rights.
• A.5.19 Information security in supplier relationships: Secure information security in supplier relationships.
• A.5.20 Addressing information security within supplier agreements: Include information security requirements in supplier agreements.
• A.5.21 Managing information security in the ICT supply chain: Manage security in the ICT supply chain.
• A.5.22 Monitoring, review and change management of supplier services: Monitor and review supplier services for security.
• A.5.23 Information security for use of cloud services: Ensure security when using cloud services.
• A.5.24 Information security incident management planning and preparation: Plan and prepare for incident management.
• A.5.25 Assessment and decision on information security events: Assess and decide on security events.
• A.5.26 Response to information security incidents: Respond to security incidents effectively.
• A.5.27 Learning from information security incidents: Learn from incidents to improve security.
• A.5.28 Collection of evidence: Collect evidence for security incidents.
• A.5.29 Information security during disruption: Maintain security during disruptions.
• A.5.30 ICT readiness for business continuity: Ensure ICT readiness for business continuity.
• A.5.31 Legal, statutory, regulatory and contractual requirements: Identify, document and keep up to date the legal, regulatory and contractual requirements that apply to the organization.
• A.5.32 Intellectual property rights: Protect intellectual property rights.
• A.5.33 Protection of records: Protect records from unauthorized access or loss.
• A.5.34 Privacy and protection of PII: Protect personally identifiable information (PII).
• A.5.35 Independent review of information security: Conduct independent reviews of information security.
• A.5.36 Compliance with policies and standards for information security: Ensure compliance with security policies and standards.
• A.5.37 Documented operating procedures: Maintain documented procedures for operations.
People Controls (A.6)
• A.6.1 Screening: Screen personnel before employment to ensure suitability.
• A.6.2 Terms and conditions of employment: Include information security in employment terms.
• A.6.3 Information security awareness, education and training: Provide awareness, education, and training on information security.
• A.6.4 Disciplinary process: Apply disciplinary processes for security violations.
• A.6.5 Responsibilities after termination or change of employment: Manage responsibilities after termination or role change.
• A.6.6 Confidentiality or non-disclosure agreements: Use confidentiality agreements where appropriate.
• A.6.7 Remote working: Manage security for remote working arrangements.
• A.6.8 Information security event reporting: Encourage and enable reporting of security events.
Physical Controls (A.7)
• A.7.1 Physical security perimeter: Establish a secure perimeter for physical assets.
• A.7.2 Physical entry controls: Control entry to physical areas.
• A.7.3 Securing offices, rooms and facilities: Secure offices, rooms, and facilities.
• A.7.4 Physical security monitoring: Continuously monitor premises (e.g. alarms, CCTV, guards) to detect unauthorized physical access.
• A.7.5 Protecting against physical and environmental threats: Protect against physical and environmental threats.
• A.7.6 Working in secure areas: Define rules for working in secure areas.
• A.7.7 Clear desk and clear screen: Implement clear desk and screen policies.
• A.7.8 Equipment siting and protection: Site and protect equipment appropriately.
• A.7.9 Security of assets off-premises: Secure assets when off-premises.
• A.7.10 Storage media: Secure storage media.
• A.7.11 Supporting utilities: Protect facilities against failures of power, cooling, water, telecommunications and other supporting utilities.
• A.7.12 Cabling security: Secure cabling infrastructure.
• A.7.13 Equipment maintenance: Maintain equipment securely.
• A.7.14 Secure disposal or re-use of equipment: Dispose of or re-use equipment securely.
Technological Controls (A.8)
• A.8.1 User endpoint devices: Secure user endpoint devices.
• A.8.2 Privileged access rights: Manage privileged access rights.
• A.8.3 Information access restriction: Restrict information access based on needs.
• A.8.4 Access to source code: Control access to source code.
• A.8.5 Secure authentication: Implement secure authentication mechanisms.
• A.8.6 Capacity management: Monitor and adjust resource capacity to maintain availability.
• A.8.7 Protection against malware: Protect systems against malware.
• A.8.8 Management of technical vulnerabilities: Manage technical vulnerabilities.
• A.8.9 Configuration management: Manage system configurations securely.
• A.8.10 Information deletion: Securely delete information when no longer needed.
• A.8.11 Data masking: Mask sensitive data to protect it.
• A.8.12 Data leakage prevention: Prevent unauthorized data leakage.
• A.8.13 Information backup: Backup information to ensure availability.
• A.8.14 Redundancy of information processing facilities: Ensure redundancy for processing facilities.
• A.8.15 Logging: Implement logging for monitoring and auditing.
• A.8.16 Monitoring activities: Monitor activities for security events.
• A.8.17 Clock synchronisation: Synchronise clocks to an approved time source so that logs from different systems can be correlated.
• A.8.18 Use of privileged utility programs: Restrict and control utility programs capable of overriding system and application controls.
• A.8.19 Installation of software on operational systems: Control software installation on operational systems.
• A.8.20 Network security: Secure network infrastructure.
• A.8.21 Security of network services: Ensure security of network services.
• A.8.22 Segregation of networks: Segregate networks to reduce risks.
• A.8.23 Web filtering: Implement web filtering to control access.
• A.8.24 Use of cryptography: Define rules for the effective use of cryptography, including key management.
• A.8.25 Secure development life cycle: Integrate security into the development life cycle.
• A.8.26 Application security requirements: Define security requirements for applications.
• A.8.27 Secure systems architecture and engineering principles: Apply secure design principles.
• A.8.28 Secure coding: Ensure secure coding practices.
• A.8.29 Security testing in development and acceptance: Conduct security testing during development and acceptance.
• A.8.30 Outsourced development: Manage security in outsourced development.
• A.8.31 Separation of development, test and production environments: Separate environments for development, testing, and production.
• A.8.32 Change management: Manage changes to systems securely.
• A.8.33 Test information: Select, protect and manage test data; avoid copying production data into test environments without protection.
• A.8.34 Protection of information systems during audit testing: Plan audit tests and audit tool access so they do not disrupt operational systems or expose data.
For deeper implementation guidance, refer to ISO/IEC 27002:2022, which provides the purpose, attributes and implementation advice for each control.