ISO 27001 Controls List: All 93 Annex A Controls Explained

ISO 27001 Controls List

The ISO 27001 controls list is one of the most referenced — and most misunderstood — components of the entire ISO 27001 certification framework. Many organizations approach Annex A as a mandatory checklist, assuming every control must be implemented before certification can be achieved. This assumption is incorrect. In practice, the ISO 27001 controls list in Annex A is a reference catalogue — organizations select the controls that are relevant to their identified risks, document those selections in a Statement of Applicability, and explain why any controls have been excluded. For foundational context, see our article on what is ISO 27001.

Tl; DR:

Concern: Organizations implementing ISO 27001 often struggle to understand which of the 93 Annex A controls they must implement, how to document their decisions, and how auditors evaluate control effectiveness during a certification audit.
Overview: The ISO 27001 controls list — formally known as Annex A of ISO/IEC 27001:2022 — contains 93 information security controls organized across four themes: Organizational, People, Physical, and Technological. Organizations select applicable controls based on their risk assessment and document decisions in a Statement of Applicability.
Solution: Understanding the full ISO 27001 controls list, how each control functions, and how to document applicability decisions enables organizations to build a defensible, audit-ready ISMS. CertPro CPA LLC guides organizations through control selection, implementation, and certification audit.

How Many Controls in ISO 27001:2022?

The ISO 27001:2022 controls list contains 93 controls organized across four themes. This represents a significant restructuring from the previous ISO 27001:2013 version, which contained 114 controls across 14 domains. The 2022 revision reduced total controls from 114 to 93, merged overlapping controls, added 11 new controls, and reorganized the structure into 4 themes.

Theme Controls Focus Area
Organizational 37 Policies, roles, processes, supplier relationships
People 8 Workforce security, awareness, responsibilities
Physical 14 Physical security, equipment, environmental controls
Technological 34 Technical security, access, cryptography, monitoring

Theme 1: Organizational Controls (37 controls — 5.1 to 5.37)

These controls cover governance, policy, process, and third-party relationship management. Key 2022 additions include: 5.7 (Threat Intelligence), 5.21 (ICT Supply Chain Security), 5.23 (Cloud Services Security), and 5.30 (ICT Business Continuity).

  • 5.1 — Policies for information security: Top-level information security policy and supporting topic-specific policies
  • 5.2 — Information security roles and responsibilities: Defined security roles, responsibilities, and accountability across the organization
  • 5.3 — Segregation of duties: Separation of conflicting duties to reduce risk of unauthorized acts
  • 5.4 — Management responsibilities: Requiring all personnel to apply information security in line with policies
  • 5.5 — Contact with authorities: Documented relationships with government, regulatory, and law enforcement bodies
  • 5.6 — Contact with special interest groups: Participation in security forums and professional bodies
  • 5.7 — Threat intelligence (NEW): Systematic collection, analysis, and use of threat intelligence relevant to the organization
  • 5.8 — Information security in project management: Integration of security into project management regardless of project type
  • 5.9 — Inventory of information and other associated assets: Documented inventory of all information assets and their associated asset owners
  • 5.10 — Acceptable use of information and other associated assets: Rules for acceptable use documented and communicated to personnel
  • 5.11 — Return of assets: Processes for return of organizational assets on change or termination of employment
  • 5.12 — Classification of information: Formal classification scheme appropriate to the organization’s information security needs
  • 5.13 — Labelling of information: Procedures for information labelling consistent with the classification scheme
  • 5.14 — Information transfer: Rules, procedures, and controls for information transfer across all transfer types
  • 5.15 — Access control: Topic-specific policy and rules for controlling access to information and systems
  • 5.16 — Identity management: Full lifecycle management of digital identities from registration through revocation
  • 5.17 — Authentication information: Management of authentication information throughout their lifecycle
  • 5.18 — Access rights: Provisioning, review, modification, and revocation of access rights
  • 5.19 — Information security in supplier relationships: Protection of organizational assets accessible to suppliers
  • 5.20 — Addressing information security within supplier agreements: Security requirements established and agreed in supplier agreements
  • 5.21 — Managing information security in the ICT supply chain (NEW): Security requirements for ICT products and services across the supply chain
  • 5.22 — Monitoring, review, and change management of supplier services: Regular monitoring and review of supplier service delivery and security performance
  • 5.23 — Information security for use of cloud services (NEW): Processes for acquisition, use, management, and exit from cloud services
  • 5.24 — Information security incident management planning and preparation: Plans and procedures for consistent, effective incident management
  • 5.25 — Assessment and decision on information security events: Assessment process for determining whether events should be classified as incidents
  • 5.26 — Response to information security incidents: Documented response procedures across the full incident lifecycle
  • 5.27 — Learning from information security incidents: Systematic use of incident knowledge to reduce future risk
  • 5.28 — Collection of evidence: Procedures for collection, preservation, and management of digital evidence
  • 5.29 — Information security during disruption (NEW): Protection of information security during disruptive incidents
  • 5.30 — ICT readiness for business continuity (NEW): ICT continuity planning based on BIA and recovery time/point objectives
  • 5.31 — Legal, statutory, regulatory, and contractual requirements: Identification and documentation of all legal, regulatory, and contractual obligations
  • 5.32 — Intellectual property rights: Procedures for protecting intellectual property and using proprietary software lawfully
  • 5.33 — Protection of records: Protection of records from loss, destruction, falsification, and unauthorized access
  • 5.34 — Privacy and protection of PII: Privacy and PII protection requirements per applicable laws and regulations
  • 5.35 — Independent review of information security: Independent review of ISMS management approach at planned intervals
  • 5.36 — Compliance with policies, rules, and standards: Review of information processing compliance with security policies
  • 5.37 — Documented operating procedures: Documentation of operating procedures for information processing facilities

Theme 2: People Controls (8 controls — 6.1 to 6.8)

These controls address workforce security from pre-employment screening through termination. Control 6.7 (Remote Working) is new in 2022, addressing the security of personnel working outside organizational premises.

  • 6.1 — Screening: Background verification checks on all candidates prior to employment, consistent with applicable laws
  • 6.2 — Terms and conditions of employment: Contractual requirements for employees and contractors covering information security responsibilities
  • 6.3 — Information security awareness, education, and training: Regular security awareness and role-appropriate training for all personnel
  • 6.4 — Disciplinary process: Formal disciplinary process for personnel who commit information security violations
  • 6.5 — Responsibilities after termination or change of employment: Information security responsibilities that continue after termination or role change
  • 6.6 — Confidentiality or non-disclosure agreements: Requirements for NDAs/confidentiality agreements covering information security
  • 6.7 — Remote working (NEW): Security controls for personnel accessing organizational information from remote locations
  • 6.8 — Information security event reporting: Mechanisms for personnel to report security events through appropriate channels

Theme 3: Physical Controls (14 controls — 7.1 to 7.14)

These controls address the security of physical environments, equipment, and infrastructure. Control 7.4 (Physical Security Monitoring) is new in 2022, specifically addressing CCTV, access control monitoring, and physical intrusion detection systems.

  • 7.1 — Physical security perimeters: Security perimeters defining and protecting areas containing sensitive assets
  • 7.2 — Physical entry: Secure entry controls to protect areas against unauthorized physical access
  • 7.3 — Securing offices, rooms, and facilities: Physical security for offices, rooms, and facilities
  • 7.4 — Physical security monitoring (NEW): Continuous monitoring of premises for unauthorized physical access
  • 7.5 — Protecting against physical and environmental threats: Protection against natural disasters, accidents, and deliberate physical attacks
  • 7.6 — Working in secure areas: Physical security procedures for personnel working in secure areas
  • 7.7 — Clear desk and clear screen: Clear desk policy for papers and removable storage; clear screen for IT facilities
  • 7.8 — Equipment siting and protection: Equipment sited and protected to reduce environmental and unauthorized access risks
  • 7.9 — Security of assets off-premises: Security for assets used outside organizational premises
  • 7.10 — Storage media: Management of storage media across acquisition, use, transportation, and disposal
  • 7.11 — Supporting utilities: Protection of equipment from power failures and utility disruptions
  • 7.12 — Cabling security: Protection of power and telecommunications cabling from interception or damage
  • 7.13 — Equipment maintenance: Correct maintenance of equipment to ensure availability and integrity
  • 7.14 — Secure disposal or re-use of equipment: Verified secure deletion of data and software before equipment disposal or reuse

Theme 4: Technological Controls (34 controls — 8.1 to 8.34)

These controls address technical security measures across systems, networks, and applications. Significant 2022 additions include: 8.9 (Configuration Management), 8.10 (Information Deletion), 8.11 (Data Masking), 8.12 (Data Leakage Prevention), 8.16 (Monitoring Activities), 8.23 (Web Filtering), 8.27 (Secure System Architecture), and 8.28 (Secure Coding).

  • 8.1 — User endpoint devices: Protection of information accessed, processed, or stored on user endpoint devices
  • 8.2 — Privileged access rights: Restriction and management of privileged access rights
  • 8.3 — Information access restriction: Restriction of information access according to the access control policy
  • 8.4 — Access to source code: Appropriate management of access to source code, development tools, and software libraries
  • 8.5 — Secure authentication: Secure authentication technologies and procedures based on information access restrictions
  • 8.6 — Capacity management: Monitoring and adjustment of resource use to meet future capacity requirements
  • 8.7 — Protection against malware: Protection against malware with awareness and appropriate technical controls
  • 8.8 — Management of technical vulnerabilities: Prevention of exploitation of technical vulnerabilities through timely patching and monitoring
  • 8.9 — Configuration management (NEW): Establishment, documentation, implementation, and monitoring of secure configurations
  • 8.10 — Information deletion (NEW): Deletion of information stored in systems, devices, and media when no longer required
  • 8.11 — Data masking (NEW): Masking of PII and sensitive data according to policy and business requirements
  • 8.12 — Data leakage prevention (NEW): DLP measures applied to systems, networks, and devices processing sensitive information
  • 8.13 — Information backup: Maintained and regularly tested backup copies of information and systems
  • 8.14 — Redundancy of information processing facilities: Implemented with sufficient redundancy to meet availability requirements
  • 8.15 — Logging: Logs of activities, exceptions, faults, and events produced, stored, protected, and analyzed
  • 8.16 — Monitoring activities (NEW): Networks, systems, and applications monitored for anomalous behaviour
  • 8.17 — Clock synchronization: Clock synchronization of information processing systems to approved time source
  • 8.18 — Use of privileged utility programs: Restriction and control of use of utility programs that override system controls
  • 8.19 — Installation of software on operational systems: Controlled implementation of software on operational systems
  • 8.20 — Networks security: Security of networks and network devices to protect information in systems and applications
  • 8.21 — Security of network services: Security mechanisms for network services identified, implemented, and monitored
  • 8.22 — Segregation of networks: Groups of services, users, and systems segregated in the organization’s networks
  • 8.23 — Web filtering (NEW): Management of access to external websites to reduce exposure to malicious content
  • 8.24 — Use of cryptography: Rules for effective use of cryptography and cryptographic key management
  • 8.25 — Secure development life cycle: Rules for secure software and system development established and applied
  • 8.26 — Application security requirements: Information security requirements identified, specified, and approved for development
  • 8.27 — Secure system architecture and engineering principles (NEW): Principles for engineering secure systems established and applied to implementation
  • 8.28 — Secure coding (NEW): Secure coding principles applied to software development
  • 8.29 — Security testing in development and acceptance: Security testing processes defined and implemented in the development lifecycle
  • 8.30 — Outsourced development: Direction, monitoring, and review of outsourced system development activities
  • 8.31 — Separation of development, test, and production environments: Separation of development, test, and production environments
  • 8.32 — Change management: Change procedures for information processing facilities and information systems
  • 8.33 — Test information: Appropriate selection, protection, and management of test information
  • 8.34 — Protection of information systems during audit testing: Audit tests and activities involving assessment of operational systems planned and agreed

New Controls in ISO 27001:2022

New Control Number Why It Was Added
Threat intelligence 5.7 Formalizes proactive monitoring of threat actor activity
ICT supply chain security 5.21 Addresses third-party software and hardware supply chain compromise
Cloud services security 5.23 Specifically addresses security governance for cloud service usage
ICT business continuity 5.30 Separates ICT resilience from broader business continuity planning
Physical security monitoring 7.4 Addresses CCTV, access control monitoring, physical intrusion detection
Configuration management 8.9 Formalizes baseline configuration and change control for systems
Information deletion 8.10 Addresses secure deletion of data across storage media and cloud
Data masking 8.11 Addresses masking of sensitive data in non-production environments
Data leakage prevention 8.12 Addresses DLP controls for preventing unauthorized data exfiltration
Monitoring activities 8.16 Formalizes continuous security monitoring and anomaly detection
Secure coding 8.28 Addresses secure software development practices and code review

How to Select and Document ISO 27001 Controls

  • Complete the Risk Assessment First: Every control selection decision must flow from the risk assessment output. For a full methodology, see ISO 27001 risk management.
  • Review All 93 Annex A Controls: Review every control and determine its applicability to the organization’s ISMS scope, risk profile, and operational environment.
  • Build the Statement of Applicability: The SoA lists all 93 controls with applicability decisions and justifications. See our full guide on ISO 27001 Statement of Applicability.
  • Implement Selected Controls: Implement each applicable control through policies, procedures, technical configurations, and operational practices.
  • Produce Implementation Evidence: For every applicable control, maintain evidence of implementation. Organizations increasingly use automated evidence collection tools to maintain audit-ready evidence continuously.

How Auditors Evaluate ISO 27001 Controls

Certification auditors evaluate each applicable control on three dimensions: design adequacy (is the control designed to address the identified risk?), implementation evidence (is there documented evidence the control operates?), and operational effectiveness (is the control producing the intended security outcome consistently over time?).

For organizations preparing for their first certification audit, conducting a thorough ISO 27001 gap analysis against each applicable control provides a clear prioritized remediation roadmap before the Stage 2 audit takes place.

Ready to Get ISO 27001 Certified?

CertPro CPA LLC is a licensed CPA firm delivering ISO 27001 certification audits. Work with credentialed auditors who understand your business environment.

Schedule your ISO 27001 certification discussion →

FAQ

How many controls are in ISO 27001?

ISO/IEC 27001:2022 contains 93 controls in Annex A, organized across four themes: Organizational (37), People (8), Physical (14), and Technological (34). This replaced the previous 2013 version which contained 114 controls across 14 domains.

Do I need to implement all 93 ISO 27001 controls?

No. Organizations select applicable controls based on their risk assessment. Controls that address risks not present in the organization’s environment can be excluded — but exclusions must be documented and justified in the Statement of Applicability.

What is the ISO 27001 Annex A controls list?

Annex A is the reference catalogue of information security controls included in ISO/IEC 27001:2022. It contains 93 controls across Organizational, People, Physical, and Technological themes. Organizations use Annex A as the basis for their control selection during ISMS implementation.

What are the new controls in ISO 27001:2022?

ISO 27001:2022 introduced 11 new controls covering threat intelligence, ICT supply chain security, cloud services security, ICT business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, and secure coding.

What is the Statement of Applicability in ISO 27001?

The Statement of Applicability is a mandatory document that lists all 93 Annex A controls, marks each as applicable or not applicable, provides justification for each decision, and records the implementation status of each applicable control.

How do I document ISO 27001 controls for an audit?

For each applicable control, maintain documented evidence of implementation — policies, procedures, configuration records, training logs, audit logs, access matrices, and incident records. Evidence should demonstrate controls are operational and effective over time.

Schedule A Meeting