TL;DR
- ISO 27001 controls, listed in Annex A, are the safeguards you use to treat information security risks and support your Information Security Management System (ISMS).
- The current standard, ISO/IEC 27001:2022, has 93 Annex A controls grouped into four themes: organizational, people, physical, and technological.
- You do not implement every control. You select the ones that fit your risks, document them in your Statement of Applicability (SoA), and justify anything you leave out.
- Clauses 4–10 are mandatory for certification. Annex A controls support those clauses by showing how you treat specific risks and keep evidence ready for audit.
ISO 27001 is the international standard for building an Information Security Management System (ISMS). An ISMS is the set of policies, processes, and technical controls you use to manage information security risk. The current version, ISO/IEC 27001:2022, lists 93 controls in Annex A, and you choose the ones that apply to your organization.
This guide walks you through the 93 controls, how they are grouped, how to decide which ones you actually need, and what evidence an auditor expects to see.
Before you go further: the 2013 version is retired. Organizations had until 31 October 2025 to move from ISO 27001:2013 to ISO 27001:2022. After that date, certificates issued against the 2013 version are no longer valid. If you did not transition in time, you now pursue full recertification against the 2022 version (a Stage 1 and Stage 2 audit), not the lighter transition path that used to exist. Everything below reflects the 2022 structure.
What are ISO 27001 controls?
ISO 27001 controls are the safeguards you implement to manage information security risks and support your ISMS. In ISO/IEC 27001:2022, Annex A references 93 controls grouped into four themes: organizational, people, physical, and technological.
You do not have to implement all 93. You select controls based on your risk assessment and risk treatment plan, then record those decisions in your Statement of Applicability. A good SoA explains which controls apply, which do not, why you made each call, and how the applicable ones are implemented.
The Business ROI of Compliance 2026 survey found that SOC 2 and ISO 27001 continue to dominate adoption, together accounting for over 85% of certifications selected.
Download the report to see how SOC 2, ISO 27001, and other certifications influence trust, revenue, TAM expansion, and sales velocity.
Who is responsible for implementing Annex A controls?
Your infosec officer or team is responsible for implementing controls and ensuring your overall compliance with ISO 27001. But the day-to-day responsibility sits with everyone. Your employees are the first line of defense in most attacks, so control implementation is a shared effort across the company, not a single person’s job.
Management buy-in is what holds it together. Leadership reviews and approves your policies and procedures at every decisive step, and that sponsorship is what keeps the program funded and prioritized.

How many ISO 27001 clauses and controls are there?
ISO 27001:2022 has 11 core clauses (numbered 0–10) that define the requirements for an ISMS, supported by 93 Annex A controls. The controls are grouped into four themes: organizational, people, physical, and technological. Not all of them are IT controls. Many cover governance, people, and physical security.
You must meet the requirements in Clauses 4 through 10 to claim compliance. In practice, certification depends on satisfying every requirement across those clauses, while Annex A gives you the menu of controls you draw from to treat your specific risks.
Every organization picks the controls that apply to its risk profile. If a control does not apply, you document the reason in your SoA rather than implementing it for the sake of completeness.
ISO 27001:2022 Annex A controls: The four themes
ISO 27001:2022 organizes its 93 controls into four themes, each tied to a different area of ownership. This replaces the 14-domain structure used in the retired 2013 version. Here is what each theme covers and the evidence auditors typically look for.
1. Organizational controls: Annex A.5 (37 controls)
This is the largest theme and the administrative backbone of your ISMS. It covers governance-level measures: information security policies, roles and responsibilities, segregation of duties, supplier and cloud-service security, your access control policy, threat intelligence, and incident management planning. Most cross-functional and policy work lives here.
Evidence to prepare:
- Documented, management-approved information security policies, communicated to staff and reviewed on a set schedule
- Defined security roles, responsibilities, and reporting lines
- Vendor risk assessments and a documented supplier and third-party management policy
- An access control policy plus proof of periodic access reviews
- A threat intelligence process and a documented incident response plan
2. People controls: Annex A.6 (8 controls)
This theme covers the human side of security across the full employee lifecycle: screening and background checks, security responsibilities written into employment terms, awareness training, disciplinary processes, remote working, and confidentiality or non-disclosure agreements.
Evidence to prepare:
- Background verification records for new hires
- Signed acknowledgment of security policies and signed NDAs
- Records showing employees complete periodic security awareness training
- A defined process for securing data when people join, change roles, or leave
3. Physical controls: Annex A.7 (14 controls)
This theme protects your physical premises and equipment. It covers secure areas, physical entry controls, physical security monitoring, protection against environmental and natural threats, clear desk and clear screen, equipment security, and secure disposal of assets and media.
Evidence to prepare:
- Physical entry controls and monitoring for sensitive areas
- Endpoints configured to auto-lock after a set period of inactivity
- Secure media handling and disposal procedures
“Effectiveness is subjective, but if you want to measure, say, technical controls, set operational KPIs. Is multi-factor enabled for all accounts? Is traffic encryption enabled? What are the training completion rates, and so on? You can use automated tools to get all this information directly from APIs.” ~ Fabian Weber, vCISO and ISO 27001 auditor
4. Technological controls: Annex A.8 (34 controls)
This is the most technical theme and the second largest after organizational controls, and it is where your IT and engineering teams focus. It covers authentication, encryption, malware protection, logging and monitoring, secure coding, configuration management, data masking, data leakage prevention, web filtering, backups, and protection during development and testing.
Evidence to prepare:
- Encryption of customer data at rest and in transit
- Malware protection on endpoints that reach production systems
- Logging, monitoring, and alerting on production assets
- Vulnerability scans, penetration tests, and a documented backup and disaster recovery process

What changed in ISO 27001:2022: the 11 new controls
The 2022 update did not just renumber things. It trimmed the count from 114 to 93 by merging overlapping controls, and it added 11 new ones to address risks that barely existed when the 2013 version was written:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
If you last looked at the standard before 2022, these additions are where most of your gap analysis effort will go.
The 2024 climate amendment (Amendment 1:2024)
ISO 27001 now requires you to consider climate change as part of your ISMS context. That requirement came from ISO/IEC 27001:2022/Amd 1:2024, published in February 2024, a small but mandatory update that adds two sentences to the standard:
- Clause 4.1 now requires you to determine whether climate change is a relevant issue for your ISMS.
- Clause 4.2 adds a note that interested parties, such as customers, regulators, and partners, may have climate-related requirements.
No new Annex A controls came with it. For most teams, the impact is light: you document whether climate change affects your information security (for example, extreme weather threatening a data center, or grid instability affecting uptime), and if it does, you fold it into your risk assessment. Do not over-engineer it. A documented determination that it is not a material risk is enough for many organizations. Auditors began checking for this during surveillance audits starting in mid-2024.
How to identify which ISO 27001 controls you should implement
“An audit is not just about producing correct documents. You need to link evidence to the controls being tested to clearly show your policies are functioning as they are meant to do.” ~ Anil Varma, CISO, Officebeacon
Read the Officebeacon ISO 27001 case study to see how the team mapped policies, controls, workflows, and evidence to reach ISO 27001 audit readiness in 2 weeks.
Your risk assessment decides which controls you implement, not the Annex A list itself. The list is a menu; your risks tell you what to order. Start with a thorough risk assessment that surfaces the threats most relevant to your business and informs a treatment plan built around your actual exposure rather than a checklist. From there, prioritize controls based on your specific vulnerabilities, your operating environment, and your compliance goals.
A few practical inputs help: review which assets and data need priority protection, find the gaps a control could close, and factor in the regulations your industry expects. Pull in your IT, compliance, and legal stakeholders early, since they usually spot the high-risk areas first.

Example: How control selection works in the SoA
Your SoA is where control selection becomes defensible: it ties each control you keep or drop to a specific risk. Here is how that plays out for a typical SaaS company.
Say that the company hosts customer data in Google Cloud, uses GitHub for code, collects limited PII such as names and email addresses, and runs a remote-first team. Its risk assessment might surface risks around cloud access, source-code changes, vendor dependencies, PII exposure, and employee offboarding.
The Statement of Applicability then shows how Annex A controls were selected or excluded. This company might mark cloud service security (A.5.23), access control, secure coding (A.8.28), change and configuration management, logging (A.8.16), data masking (A.8.11), supplier relationships, and offboarding controls as applicable.
For each one, the SoA records:
- The risk or business context that makes the control relevant
- Its implementation status
- The owner responsible for it
- The evidence available for audit review
- The reason for excluding any control that does not apply
That turns the SoA into more than a checklist. It serves as the link between your real risk profile and the controls an auditor expects to be working.
How ISO 27001 controls map to other frameworks
If you are pursuing more than one standard, ISO 27001 makes a strong base layer. Its controls overlap heavily with SOC 2’s Trust Services Criteria, NIST CSF’s governance and risk functions, and the risk-management expectations in regulations like DORA and NIS2. Many teams implement ISO 27001 once, then map those controls outward to satisfy the others, rather than building each program from scratch.
“Most of the controls we used for ISO 27001 and 27701 overlapped with Sprinto’s, making it easier for us to make the switch to platform-led management. Earlier, we had to manage compliances in three different places, but it’s all consolidated within Sprinto.” ~ Sanjay Mishra, Head of DevOps, WebEngage
Read the WebEngage case study to see how the team operationalized ISO 27001, ISO 27701, HIPAA, and SOC 2 on Sprinto while improving cloud security visibility.
That mapping is also where AI governance is showing up. ISO 27001 does not add a separate control just for AI agents, but if your team or systems use AI tools that touch company data, code, or production workflows, those tools belong in your asset inventory, access reviews, vendor assessments, logging, and risk treatment plan. If your AI use is material or customer-facing, ISO/IEC 42001, the dedicated AI management standard, can run alongside ISO 27001 to handle AI-specific governance and lifecycle risks.
Fast-track your ISO 27001 journey
Sprinto automates the part of ISO 27001 that consumes your team: keeping evidence for all 93 controls current, every day, across every system. You still decide which controls fit your risks; Sprinto handles collecting and verifying the proof that they are working.
“Sprinto made the SOC 2 and ISO 27001 compliance process significantly more structured and less overwhelming. The platform automates a lot of evidence collection and continuously monitors controls, which saved us a lot of manual effort.” ~ Verified reviewer on G2
Here is what that looks like across the ISO 27001 journey.
Mapping risks to controls: Sprinto connects to your tech stack through 300+ integrations across cloud, identity, code, device, HR, ITSM, and finance systems. It reads your actual environment, flags where you fall short of the 93 Annex A controls, and helps you build a Statement of Applicability that ties each applicable control to a real risk, an owner, and its implementation status.
Drafting policies: Instead of starting from a blank page, you get editable policy templates written in plain language, pre-mapped to the relevant controls. You adjust them to match how your organization runs, rather than wording them from scratch.
Collecting evidence automatically: This is where most of the manual effort disappears. Sprinto runs continuous checks against your live systems (configurations, access permissions, vendor integrations, and AI usage) so your control evidence reflects the production state rather than a screenshot taken weeks ago. Across all customers, the platform runs roughly 950 million compliance checks per month, so drift is caught as it happens, not at audit time.
Getting through the audit: Because evidence is verified against live system state and decision trails are preserved as you go, the audit becomes a matter of producing what already exists rather than reconstructing a year of activity under a deadline. Sprinto has supported 4,550+ successful audits to date, and your engagement includes a dedicated compliance expert who guides you through scoping, risk assessment, control selection, and auditor coordination.
Staying compliant after certification: ISO 27001 is not a one-time event. Surveillance audits recur, your systems change, and the 2024 climate amendment is now part of what auditors check. Sprinto’s continuous monitoring keeps your controls and evidence up to date between audits, so recertification is a continuation of normal operations rather than a fresh scramble.
Sprinto supports 200+ frameworks beyond ISO 27001, including SOC 2, GDPR, HIPAA, and PCI DSS, which matters if you plan to map ISO 27001 controls outward to other standards. It is trusted by 3,000+ companies across 75 countries, including Whatfix, WeWork, and HackerRank.
Final thoughts
Annex A is the heart of how you meet ISO 27001’s requirements. Once you have settled on the controls you will implement, ISO 27002:2022 is your detailed reference for putting each one into practice. It is the companion “how-to” to Annex A’s “what.”
The shift to the 2022 structure is the thing to get right today: 93 controls, four themes, the 11 additions, and the climate amendment. Get those straight, anchor every control to a real risk, and your SoA and evidence will line up with what auditors actually check.

FAQs
ISO 27001:2022 has 93 controls in Annex A, grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). The earlier 2013 version had 114 controls across 14 domains, but that version has been retired.
No. You do not have to implement all 93. You select the controls that apply based on your risk assessment, and you justify any exclusions in your Statement of Applicability.
To treat information security risks and improve the security of your organization’s information assets in a structured, auditable way.
The SoA defines which of the 93 Annex A controls you will implement and how, and it documents the justification for any controls you exclude. It is one of the most scrutinized documents in a certification or surveillance audit.
The numbering aligns with ISO 27002, the companion standard that provides implementation guidance for each control. ISO 27002’s clauses 1 to 4 are introductory, so its controls begin at clause 5, and Annex A mirrors that by starting its first theme at A.5.
ISO 27001:2022, the current version, has 93 Annex A controls in four themes: Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls). There is no separate “2026 version” of the standard; the current standard is the 2022 edition plus the 2024 climate amendment. The 2013 version’s 14-domain structure (A.5–A.18) has been retired, and certificates issued against it expired after 31 October 2025.
Clauses 4 to 10 define the mandatory requirements for establishing, running, and improving your ISMS. They are the “what” of compliance. Controls (in Annex A) are the specific safeguards you choose to treat identified risks. They are the “how.”
There is no separate Annex A control just for AI agents, but AI tools still affect your control selection. If employees or systems use AI that accesses company data, code, customer records, or production workflows, include them in your asset inventory, access reviews, vendor assessments, logging, and risk treatment plan. Treat an AI agent with API access like any other non-human identity: define its owner, limit its privileges, rotate credentials, monitor activity, and remove access when the use case ends. If your AI use is material or customer-facing, ISO/IEC 42001 can run alongside ISO 27001 for AI-specific governance.

Author
Gowsika
Gowsika is an avid reader and storyteller who untangles the knotty world of compliance and cybersecurity with a dash of charming wit! While she’s not decoding cryptic compliance jargon, she’s oceanside, melody in ears, pondering life’s big (and small) questions. Your guide through cyber jungles, with a serene soul and a sharp pen!