Skip to content
360 Cyber Compliance

ISO 27001 · 1 July 2026

ISO 27001 Annex A controls explained: the 93 controls and 4 themes

Annex A of ISO/IEC 27001:2022 is the catalogue of security safeguards you can draw on to treat your risks. It contains 93 controls grouped into four themes. This guide explains what those themes cover, how the 2022 revision changed things, and how to choose the controls that fit your organisation.

What Annex A is (and isn’t)

Annex A is a reference list of controls, not a checklist you must implement in full. The management system clauses (4 to 10) of ISO/IEC 27001 are mandatory; Annex A is where you pick the practical measures that address the risks you identified in your risk assessment.

You then record your choices in the Statement of Applicability (SoA) — stating, for each control, whether it applies, and why. A control might be excluded because it isn’t relevant to your business (for example, some physical controls if you have no office of your own), and that’s perfectly acceptable if your reasoning is sound.

The four themes at a glance

The 2022 revision reorganised the controls from the old 14 domains into four clearer themes.

ThemeNumber of controlsFocus
Organisational37Policies, roles, supplier and information management
People8Staff, awareness, screening and responsibilities
Physical14Premises, equipment and physical access
Technological34Systems, networks, software and technical safeguards

Together these make up the 93 controls.

Organisational controls (37)

The largest group. These set the governance and management foundations — the rules and responsibilities that hold everything else together. They include:

  • Information security policies and defined roles and responsibilities.
  • Segregation of duties and management responsibilities.
  • Threat intelligence and contact with authorities.
  • Information classification and handling.
  • Access control policy and identity management.
  • Supplier and cloud service security.
  • Information security in project management.
  • Incident management planning and response.
  • Business continuity and legal, statutory and contractual compliance.

For SMEs, this is often where the most work sits, because it’s about how the business is run rather than a single piece of technology.

People controls (8)

These address the human side of security — often the area where incidents actually begin. They cover:

  • Screening before employment and terms and conditions of work.
  • Information security awareness, education and training.
  • A disciplinary process for breaches.
  • Responsibilities after termination or change of employment.
  • Confidentiality and non-disclosure agreements.
  • Remote working and reporting of security events.

Good people controls turn staff from a weak point into a first line of defence.

Physical controls (14)

These protect the physical environment and equipment. They include:

  • Physical security perimeters and entry controls.
  • Securing offices, rooms and facilities.
  • Protection against physical and environmental threats.
  • Equipment siting, protection and secure disposal.
  • Clear desk and clear screen practices.
  • Storage media handling and cabling security.

Even cloud-first and remote organisations usually keep several of these — for laptops, home working and any equipment holding data.

Technological controls (34)

The technical safeguards most people picture when they think of cyber security. They cover:

  • User endpoint devices and privileged access rights.
  • Authentication, cryptography and secure configuration.
  • Malware protection and management of technical vulnerabilities.
  • Backup, logging, monitoring and clock synchronisation.
  • Network security, segregation and web filtering.
  • Secure development, testing and change management.
  • Data leakage prevention and information deletion.

Several of these overlap with the requirements of Cyber Essentials and IASME Cyber Assurance, so work you’ve already done there gives you a head start.

New controls in the 2022 revision

The 2022 update introduced 11 new controls to reflect modern threats and ways of working. Notable additions include:

  • Threat intelligence.
  • Information security for use of cloud services.
  • ICT readiness for business continuity.
  • Physical security monitoring.
  • Configuration management.
  • Information deletion.
  • Data masking.
  • Data leakage prevention.
  • Monitoring activities.
  • Web filtering.
  • Secure coding.

If you certified against the older 2013 version, these are the areas to review as part of transition.

Control attributes: a useful lens

The 2022 standard also introduced attributes — tags you can use to view controls from different angles, such as control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability) and cybersecurity concepts. These are optional but can help you organise your controls and report on coverage to leadership.

Choosing the right controls

The goal is not to implement all 93 controls, but the right ones. A sensible approach:

  1. Complete your risk assessment so you understand what you’re protecting against.
  2. For each significant risk, identify which Annex A controls would reduce it.
  3. Decide how to treat the risk — modify, accept, avoid or share it.
  4. Record every control decision, applicable or not, in the SoA.
  5. Implement, then check the controls are actually working.

Over-selecting controls creates work you can’t sustain; under-selecting leaves gaps an auditor will find. The discipline of tying every control back to a real risk keeps your ISMS proportionate.

If any of the terminology is unfamiliar, our glossary explains the key terms, and our guide on what an ISMS is sets Annex A in its wider context.

How we can help

Working through 93 controls and mapping them to your risks is where many organisations get stuck. We provide practical support throughout — helping you interpret each control, decide what applies, and evidence it sensibly — as part of a transparent, fixed-fee engagement with a clear delivery process. Our free ISO 27001 gap assessment tool is a quick way to see which controls need attention.

Learn more about our ISO 27001 service or contact us to discuss your situation.

Need help in practice? See our ISO 27001 service.

Need a hand with this?

Book a free, no-obligation readiness check.