
Understanding the Purpose of ISO 27001's Annex A Controls

Annex A of ISO/IEC 27001 is one of the most widely referenced lists of security controls among the ISO standards. It gives organizations a structured reference set of controls for their information security management system (ISMS) and for treating the information security risks they identify. Note that Annex A was restructured in the 2022 revision of the standard; the 14-domain, 114-control layout discussed below is the 2013 edition, and the differences are pointed out where they matter.

Control selection starts with your risk assessment. The controls in Annex A serve as a comprehensive checklist, but they are not meant to be followed blindly or applied as a one-size-fits-all solution. Instead, select the information security controls that address the specific risks you have identified (clause 6.1.3 of the standard), then compare your selection with the Annex A list to confirm that no necessary control has been overlooked.

It's important to note that not all Annex A controls will necessarily apply to your organization. You can exclude certain controls if they aren’t relevant to your environment, but any exclusions must be clearly justified in your Statement of Applicability (SoA). This documentation step is essential: it ensures transparency and demonstrates that your approach is both intentional and tailored to your actual risk landscape.

Information Security Domains

ISO 27001's Annex A (2013 edition) contains 114 controls organized into 14 domains, A.5 through A.18. These domains cover the different aspects of information security management and together support a comprehensive approach to protecting information assets. The 2022 revision reorganizes the same ground into 93 controls under four themes (organizational, people, physical and technological); the 2013 layout below is still what many existing ISMS documents and cross-framework mappings use.

The 14 ISO 27001 Domains
  1. A.5: Information Security Policies – Establishing and reviewing security policies.

  2. A.6: Organization of Information Security – Defining roles, responsibilities, and coordination.

  3. A.7: Human Resource Security – Ensuring employees and contractors understand their responsibilities.

  4. A.8: Asset Management – Identifying, classifying, and protecting information assets.

  5. A.9: Access Control – Managing access rights to prevent unauthorized use.

  6. A.10: Cryptography – Applying encryption and key management to protect data.

  7. A.11: Physical and Environmental Security – Protecting facilities and equipment from threats.

  8. A.12: Operations Security – Securing IT operations, change management, and logging.

  9. A.13: Communications Security – Protecting data in networks and during transmission.

  10. A.14: System Acquisition, Development, and Maintenance – Embedding security in the lifecycle of systems.

  11. A.15: Supplier Relationships – Ensuring third parties manage security appropriately.

  12. A.16: Information Security Incident Management – Detecting, reporting, and responding to incidents.

  13. A.17: Information Security Aspects of Business Continuity Management – Ensuring resilience and disaster recovery.

  14. A.18: Compliance – Meeting legal, regulatory, and contractual requirements.

The 5 Dimensions of the Domains

While the 14 domains are specific, this article groups them into five broader dimensions to simplify understanding. The grouping is informal: ISO/IEC 27001:2022 itself defines four themes (organizational, people, physical and technological) with no separate resilience theme, and it places most asset management and access control requirements under organizational rather than technological controls.

  1. Organizational Controls

    • A.5 Information Security Policies

    • A.6 Organization of Information Security

    • A.15 Supplier Relationships

    • A.18 Compliance

  2. Human Controls

    • A.7 Human Resource Security

  3. Physical Controls

    • A.11 Physical and Environmental Security

  4. Technological Controls

    • A.8 Asset Management

    • A.9 Access Control

    • A.10 Cryptography

    • A.12 Operations Security

    • A.13 Communications Security

    • A.14 System Acquisition, Development, and Maintenance

  5. Resilience Controls

    • A.16 Information Security Incident Management

    • A.17 Information Security Aspects of Business Continuity Management

Technological Controls

When most organizations picture information security, they’re usually thinking about technological controls—those solutions and measures embedded within your IT environment. In Annex A, these controls form the foundation of your technical defense.

Key controls in this category include:

  • Malware protection: Safeguarding systems from malicious software through antivirus tools, anti-malware platforms, and proactive threat detection.

  • Regular backups: Consistent scheduling and secure storage of data backups to ensure business continuity and minimize data loss.

  • System logging and monitoring: Continuous tracking of system events and user activity to quickly spot suspicious behavior and respond to incidents.

  • Network security and segmentation: Implementation of firewalls, intrusion detection/prevention systems, and network zoning to restrict and control access across your infrastructure.

  • Secure development practices: Embedding security throughout the software development lifecycle—think source code reviews, vulnerability assessments, and secure coding standards.

By ensuring these technical measures are in place, organizations lay the groundwork for a stronger information security posture, complementing their administrative and physical safeguards.

Physical Controls in Annex A

Physical controls are a crucial component of ISO 27001's approach to safeguarding information; a secure server is only as safe as the room it sits in. In the 2022 edition, Annex A groups 14 physical controls (7.1 to 7.14) that protect your organization's physical environment, not just its digital borders.

These controls focus on:

  • Defining boundaries with security perimeters and designated secure areas to prevent unauthorized access;

  • Enforcing clear desk and clear screen policies to ensure sensitive information isn’t left exposed;

  • Ensuring supporting utilities (like electricity and air conditioning) are protected to prevent failures that could compromise security;

  • Securing cabling to minimize risks of tampering or accidental damage; and

  • Establishing rigorous maintenance routines for equipment to uphold ongoing reliability and security.

By thoughtfully implementing these physical requirements, your ISMS can ensure information remains protected not just from virtual threats, but from risks in the real world as well.

People-Related Controls in Annex A

When it comes to protecting your information, people are just as important as technology and processes. Annex A includes a dedicated set of controls that focus specifically on the human element of information security. These controls help organizations ensure that staff not only understand their responsibilities but are also equipped to handle sensitive information appropriately.

Key people-related controls you’ll find in Annex A include:

  • Proper screening and background checks before you bring someone on board;

  • Ongoing security awareness training programs to keep everyone up to speed on the latest threats and best practices;

  • Formal agreements—like employment contracts and non-disclosure agreements (NDAs)—to clearly outline confidentiality expectations;

  • Clear policies for secure remote work to address today’s increasingly mobile workforce;

  • And processes for promptly reporting any information security incidents or concerns, ensuring that no threat goes unnoticed.

Each of these controls plays a crucial role in building a culture of security within your organization, making your team the first line of defense against breaches and leaks.

What Are the Organizational Controls Included in Annex A?

Organizational controls are the backbone of a strong ISMS, setting the foundation for how information security is managed across your company. These controls revolve around not just the technology in use, but the policies, structures, and daily responsibilities that ensure your ISMS actually works as intended.

Annex A highlights several key organizational controls, including:

  • Establishing information security policies that provide clear direction and intent for protecting data.

  • Assigning roles and responsibilities so that both leadership and operational staff understand their part in maintaining security.

  • Maintaining communications with regulatory authorities and other relevant organizations, ensuring compliance and alignment with industry standards.

  • Gathering and sharing threat intelligence to stay aware of emerging risks and adapt your defences accordingly.

  • Classifying and labelling information assets so sensitive data is appropriately handled and protected throughout its lifecycle.

  • Managing identity and access to ensure only authorized individuals have the necessary permissions.

  • Tracking assets and making sure they are inventoried, protected, and accounted for at all times.

By focusing on these organizational controls, companies can better embed security into their everyday operations—not just at a technical level, but throughout the culture and processes of the entire organization.

The Role of ISO 27002 in Supporting Annex A Controls

While ISO 27001 lays out what needs to be done to secure your information assets, ISO 27002 steps in to explain how you can put these controls into practice. Think of ISO 27001 Annex A as the checklist of security controls, and ISO 27002 as the guidebook that brings each item on that list to life with real-world context.

ISO 27002 breaks down every control found in Annex A, offering detailed explanations, implementation guidance, and examples. This makes it far easier for organizations to not only understand the underlying intent of each control but also to figure out practical steps for integrating those controls into daily operations.

It is important to remember that ISO 27002 is a guidance standard, not a certification standard: you cannot be certified against it, and conformity is always assessed against ISO 27001. Nonetheless, ISO 27002 is an indispensable resource for anyone building, refining, or strengthening an ISMS, providing clarity and confidence as you work through Annex A's controls.

What is the Statement of Applicability (SoA) in ISO 27001?

A Statement of Applicability (SoA) is a cornerstone document of an ISO 27001 Information Security Management System (ISMS) and is required by clause 6.1.3 d) of the standard. It is the definitive record of the controls listed in Annex A, stating for each whether it is applied, excluded, or replaced by an equivalent control within your organization's security framework.

Beyond simply listing controls, the SoA provides clear justifications for the inclusion or exclusion of each one, details on their current implementation status, and incorporates any additional controls—such as those from supplementary frameworks or internally developed measures. This level of documentation is not a one-time task; maintaining accuracy, comprehensive version control, and regular reviews are essential since auditors and certification bodies pay special attention to the SoA during both certification and ongoing surveillance audits.

Many organizations keep their SoA in spreadsheet format for ease of access and updates, but the format can be adapted to suit your workflow, including an integrated compliance management platform. What matters most is the SoA's clarity, completeness, and ongoing maintenance, because it directly demonstrates your ISMS's scope and maturity and, ultimately, your readiness for ISO 27001 certification.

What Must Be Included in the Statement of Applicability?

The Statement of Applicability (SoA) plays a pivotal role within your ISMS, serving as a comprehensive reference for both auditors and your organization’s leadership. To meet ISO 27001’s requirements and ensure certification readiness, your SoA should always include the following key pieces of information:

  • A List of All Annex A Controls: Clearly identify every control from Annex A, whether you have adopted, excluded, or chosen to modify them.

  • Justification for Selection: For each control, offer a rationale as to why it was included or excluded. This demonstrates your risk-driven approach and helps external auditors grasp your decision-making process.

  • Implementation Status: Indicate whether each control is fully implemented, partially implemented, or not implemented, providing a snapshot of your current security posture.

  • Additional Controls: If you have included custom controls or adopted controls from frameworks such as NIST, COBIT, or CIS, make sure these are reflected within your SoA alongside those from Annex A.

Just as important as what you include is how you manage your SoA. Given its complexity, it’s crucial to keep it up to date with robust version control, regular reviews, and clear documentation practices. Whether you use cloud-based GRC platforms, spreadsheets, or another tool, ensure your SoA remains easy to access, update, and present during both internal reviews and external audits.

When managed properly, the SoA becomes not just a compliance checkbox, but a valuable tool that enhances transparency, operational efficiency, and oversight throughout your information security program.

Summary

To achieve ISO 27001 certification, you need to understand the controls described in Annex A well enough to select and implement the ones that are appropriate and effective for your risks. Your ISMS is structured around the technical, administrative and physical controls drawn from the Annex A domains, together with the justification for each choice recorded in your Statement of Applicability.

To implement a successful ISMS, you will need to develop and formalize processes and policies, manage people and create awareness, all of which can be done with the help of a cloud-based management solution.