ISO 27001 controls: A guide to implementing the Annex A controls

TL;DR

ISO 27001 controls are Annex A safeguards that organizations use to manage information security risks and support their Information Security Management System (ISMS).
ISO/IEC 27001:2022 includes 93 Annex A controls grouped into four themes: organizational, people, physical, and technological. The 2013 structure, with 114 controls across 14 domains, has been retired.
You do not need to implement every Annex A control. Select controls based on your risk assessment and risk treatment plan, and document applicable controls, exclusions, justifications, and implementation status in the Statement of Applicability (SoA).
Clauses 4–10 define the mandatory ISMS requirements for certification, while Annex A controls show how your organization addresses specific risks, assigns ownership, prepares evidence, and remains audit-ready.

ISO 27001 is the international standard for building an Information Security Management System (ISMS). An ISMS is the set of policies, processes, and technical controls you use to manage information security risk. The current version, ISO/IEC 27001:2022, lists 93 controls in Annex A, and you choose the ones that apply to your organization.

This guide walks you through the 93 controls, how they are grouped, how to decide which ones you actually need, and what evidence an auditor expects to see.

Before you continue: the 2013 version is retired. Organizations had until 31 October 2025 to move from ISO 27001:2013 to ISO 27001:2022. After that date, certificates issued against the 2013 version are no longer valid. If you did not transition in time, you now pursue full recertification against the 2022 version (a Stage 1 and Stage 2 audit), not the lighter transition path that used to exist. Everything below reflects the 2022 structure.


What are the ISO 27001 controls?

ISO 27001 controls are the safeguards you implement to manage information security risks and support your ISMS. In ISO/IEC 27001:2022, Annex A references 93 controls grouped into four themes: organizational, people, physical, and technological.

You do not have to implement all 93. You select controls based on your risk assessment and risk treatment plan, then record those decisions in your Statement of Applicability. A good SoA explains which controls apply, which do not, why you made each call, and how the applicable ones are implemented.

ISO 27001 is now a trust baseline

The Business ROI of Compliance 2026 survey found that SOC 2 and ISO 27001 continue to dominate adoption, together accounting for over 85% of certifications selected.

Download the report to see how SOC 2, ISO 27001, and other certifications influence trust, revenue, TAM expansion, and sales velocity.

Who is responsible for implementing Annex A controls?

Your infosec officer or team is responsible for implementing controls and ensuring your overall compliance with ISO 27001. But the day-to-day responsibility sits with everyone. Your employees are the first line of defense in most attacks, so control implementation is a shared effort across the company, not a single person’s job.

Management buy-in is what holds it together. Leadership reviews and approves your policies and procedures at every decisive step, and that sponsorship is what keeps the program funded and prioritized.


How many ISO 27001 clauses and controls are there?

ISO 27001:2022 has 11 core clauses (numbered 0-10) that define the requirements for an ISMS, supported by 93 Annex A controls. The controls are grouped into four themes: organizational, people, physical, and technological. Not all of them are IT controls. Many cover governance, people, and physical security.

You must meet the requirements in Clauses 4 to 10 to claim compliance. In practice, certification depends on satisfying every requirement across those clauses, while Annex A gives you the menu of controls you draw from to treat your specific risks.

Every organization picks the controls that apply to its risk profile. If a control does not apply, you document the reason in your SoA rather than implementing it for the sake of completeness.

ISO 27001:2022 Annex A controls: The four themes

ISO 27001:2022 organizes its 93 controls into four themes, each tied to a different area of ownership. This replaces the 14-domain structure used in the retired 2013 version. Here is what each theme covers and the evidence auditors typically look for.

1. Organizational controls: Annex A.5 (37 controls)

This is the largest theme and the administrative backbone of your ISMS. It covers governance-level measures: information security policies, roles and responsibilities, segregation of duties, supplier and cloud-service security, your access control policy, threat intelligence, and incident management planning. Most cross-functional and policy work lives here.

Evidence to prepare:

  • Documented, management-approved information security policies, communicated to staff and reviewed on a set schedule
  • Defined security roles, responsibilities, and reporting lines
  • Vendor risk assessments and a documented supplier and third-party management policy
  • An access control policy plus proof of periodic access reviews
  • A threat intelligence process and a documented incident response plan

2. People controls: Annex A.6 (8 controls)

This theme covers the human side of security across the full employee lifecycle: screening and background checks, security responsibilities written into employment terms, awareness training, disciplinary processes, remote working, and confidentiality or non-disclosure agreements.

Evidence to prepare:

  • Background verification records for new hires
  • Signed acknowledgment of security policies and signed NDAs
  • Records showing employees complete periodic security awareness training
  • A defined process for securing data when people join, change roles, or leave

3. Physical controls: Annex A.7 (14 controls)

This theme protects your physical premises and equipment. It covers secure areas, physical entry controls, physical security monitoring, protection against environmental and natural threats, clear desk and clear screen, equipment security, and secure disposal of assets and media.

Evidence to prepare:

  • Physical entry controls and monitoring for sensitive areas
  • Endpoints configured to auto-lock after a set period of inactivity
  • Secure media handling and disposal procedures

Expert tip: Controls need measurable proof

“Effectiveness is subjective but if you want to measure say technical controls, set operational KPIs. Is multi-factor enabled for all accounts? Is traffic encryption enabled? What are the training completion rates and so on? You can use automated tools to get all this information directly from APIs.” ~ Fabian Weber, vCISO and ISO 27001 auditor

4. Technological controls: Annex A.8 (34 controls)

This is the most technical theme, second only to the organizational theme in size, and where your IT and engineering teams focus. It covers authentication, encryption, malware protection, logging and monitoring, secure coding, configuration management, data masking, data leakage prevention, web filtering, backups, and protection during development and testing.

Evidence to prepare:

  • Encryption of customer data at rest and in transit
  • Malware protection on endpoints that reach production systems
  • Logging, monitoring, and alerting on production assets
  • Vulnerability scans, penetration tests, and a documented backup and disaster recovery process

What changed in ISO 27001:2022: the 11 new controls

The 2022 update did not just renumber things. It trimmed the count from 114 to 93 by merging overlapping controls, and it added 11 new ones to address risks that barely existed when the 2013 version was written:

  • A.5.7 Threat intelligence
  • A.5.23 Information security for use of cloud services
  • A.5.30 ICT readiness for business continuity
  • A.7.4 Physical security monitoring
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.16 Monitoring activities
  • A.8.23 Web filtering
  • A.8.28 Secure coding

If you last looked at the standard before 2022, these additions are where most of your gap analysis effort will go.

The 2024 climate amendment (Amendment 1:2024)

ISO 27001 now requires you to consider climate change as part of your ISMS context. That requirement came from ISO/IEC 27001:2022/Amd 1:2024, published in February 2024, a small but mandatory update that adds two sentences to the standard:

  • Clause 4.1 now requires you to determine whether climate change is a relevant issue for your ISMS.
  • Clause 4.2 adds a note that interested parties, such as customers, regulators, and partners, may have climate-related requirements.

No new Annex A controls came with it. For most teams, the impact is light: you document whether climate change affects your information security (for example, extreme weather threatening a data center, or grid instability affecting uptime), and if it does, you fold it into your risk assessment. Do not over-engineer it. A documented determination that it is not a material risk is enough for many organizations. Auditors began checking for this during surveillance audits starting in mid-2024.

How to identify which ISO 27001 controls you should implement

From the field: Evidence has to map back to controls

“An audit is not just about producing correct documents. You need to link evidence to the controls being tested to clearly show your policies are functioning as they are meant to do.” ~ Anil Varma, CISO, Officebeacon

Read the Officebeacon ISO 27001 case study to see how the team mapped policies, controls, workflows, and evidence to reach ISO 27001 audit readiness in 2 weeks.

Your risk assessment decides which controls you implement, not the Annex A list itself. The list is a menu; your risks tell you what to order. Start with a thorough risk assessment that surfaces the threats most relevant to your business and informs a treatment plan built around your actual exposure rather than a checklist. From there, prioritize controls based on your specific vulnerabilities, your operating environment, and your compliance goals.

A few practical inputs help: review which assets and data need priority protection, find the gaps a control could close, and factor in the regulations your industry expects. Pull in your IT, compliance, and legal stakeholders early, since they usually spot the high-risk areas first.

What auditors expect when a control is marked implemented

Marking a control as applicable is not enough. Your SoA should connect the control to a risk, an owner, an implementation status, and current evidence. For each applicable control, keep the audit trail clear:

  • Why the control applies to your environment
  • Who owns the control
  • Whether the control is implemented, partially implemented, or still in progress
  • What evidence proves it is operating, such as screenshots, logs, access reviews, policies, tickets, training records, vendor assessments, or test results
  • When the evidence was last reviewed
  • What exception, compensating control, or remediation plan exists if the control is not fully working

This matters most for controls that are not fully automated. If evidence comes from a manual review, spreadsheet, screenshot, meeting record, or uploaded document, make the source, date, reviewer, and control mapping obvious. Auditors are usually testing whether the control works in practice, not just whether the policy exists.

Example: How control selection works in the SoA

Your SoA is where control selection becomes defensible: it ties each control you keep or drop to a specific risk. Here is how that plays out for a typical SaaS company.

Say that the company hosts customer data in Google Cloud, uses GitHub for code, collects limited PII such as names and email addresses, and runs a remote-first team. Its risk assessment might surface risks around cloud access, source-code changes, vendor dependencies, PII exposure, and employee offboarding.

The Statement of Applicability then shows how Annex A controls were selected or excluded. This company might mark cloud service security (A.5.23), access control, secure coding (A.8.28), change and configuration management, logging (A.8.16), data masking (A.8.11), supplier relationships, and offboarding controls as applicable.

For each one, the SoA records:

  • The risk or business context that makes the control relevant
  • Its implementation status
  • The owner responsible for it
  • The evidence available for audit review
  • The reason for excluding any control that does not apply

That turns the SoA into more than a control list. It serves as the link between your real risk profile and the controls an auditor expects to be working.
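As an added illustration (not code from the article or from Sprinto), the audit-trail checks from the "What auditors expect" section and the SaaS-company SoA above can be expressed as a small script: each applicable row must carry a valid 2022 control ID, a justification, an owner, a status, current evidence, and a remediation plan where it is not fully working, and each exclusion must carry a reason. The per-theme control counts come from the article; the SoA rows, dates, owners, evidence names and the 365-day freshness threshold are constructed assumptions.

```python
"""Constructed example (not the article's): audit-trail checks over a 27001:2022 SoA."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Four Annex A themes with their 2022 control counts (93 in total).
ANNEX_A_THEMES = {5: ("Organizational", 37), 6: ("People", 8),
                  7: ("Physical", 14), 8: ("Technological", 34)}
APPLICABLE_STATUSES = {"implemented", "partially implemented", "in progress"}

@dataclass
class SoAEntry:
    control_id: str                  # e.g. "A.8.28"
    applicable: bool
    justification: str               # why it applies, or why it is excluded
    owner: str = ""
    status: str = ""
    evidence: list[str] = field(default_factory=list)
    evidence_reviewed: date | None = None
    exception: str = ""              # compensating control or remediation plan

def is_valid_control_id(control_id: str) -> bool:
    """True only for A.<theme>.<n> identifiers that exist in the 2022 Annex A."""
    parts = control_id.split(".")
    if len(parts) != 3 or parts[0] != "A" or not all(p.isdigit() for p in parts[1:]):
        return False
    theme, number = int(parts[1]), int(parts[2])
    return theme in ANNEX_A_THEMES and 1 <= number <= ANNEX_A_THEMES[theme][1]

def check_entry(entry: SoAEntry, as_of: date, max_age_days: int = 365) -> list[str]:
    """Gaps an auditor would raise for one SoA row; an empty list means clean."""
    gaps = []
    if not is_valid_control_id(entry.control_id):
        gaps.append("unknown control id")
    if not entry.justification.strip():
        gaps.append("missing justification")
    if not entry.applicable:
        return gaps                  # an exclusion only needs a documented reason
    if not entry.owner:
        gaps.append("no owner")
    if entry.status not in APPLICABLE_STATUSES:
        gaps.append("invalid status")
    if entry.status == "implemented" and not entry.evidence:
        gaps.append("implemented without evidence")
    if entry.evidence and entry.evidence_reviewed is None:
        gaps.append("evidence never reviewed")
    elif entry.evidence_reviewed and (as_of - entry.evidence_reviewed).days > max_age_days:
        gaps.append("evidence review stale")
    if entry.status != "implemented" and not entry.exception:
        gaps.append("no remediation plan or compensating control")
    return gaps

def unaddressed_controls(entries: list[SoAEntry]) -> list[str]:
    """Annex A controls the SoA neither applies nor excludes; each still needs a decision."""
    seen = {e.control_id for e in entries}
    return [f"A.{t}.{n}" for t, (_, count) in ANNEX_A_THEMES.items()
            for n in range(1, count + 1) if f"A.{t}.{n}" not in seen]

AS_OF = date(2026, 3, 1)  # constructed "today" for the constructed SoA rows below
SAMPLE_SOA = [
    SoAEntry("A.5.23", True, "Customer data hosted in Google Cloud", "Head of Platform",
             "implemented", ["cloud IAM export", "quarterly access review"], date(2026, 2, 10)),
    SoAEntry("A.8.28", True, "Code changes flow through GitHub", "Engineering lead",
             "partially implemented", ["SAST scan reports"], date(2026, 1, 20),
             exception="branch protection enforced while secure-coding training rolls out"),
    SoAEntry("A.8.16", True, "Production logging and alerting", "SRE lead",
             "implemented", ["SIEM alert rules"], date(2025, 1, 5)),
    SoAEntry("A.7.2", False, "Remote-first team with no owned office or server room"),
    SoAEntry("A.5.40", True, "", "", "implemented"),
]
```

Running `check_entry` over `SAMPLE_SOA` flags the stale A.8.16 review and the malformed A.5.40 row (the organizational theme ends at A.5.37), while `unaddressed_controls` lists the 89 Annex A controls this SoA has not yet decided on.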

How ISO 27001 controls map to other frameworks

If you are pursuing more than one standard, ISO 27001 makes a strong base layer. Its controls overlap heavily with SOC 2’s Trust Services Criteria, NIST CSF’s governance and risk functions, and the risk-management expectations in regulations like DORA and NIS2. Many teams implement ISO 27001 once, then map those controls outward to satisfy the others, rather than building each program from scratch.

How control reuse works in a real compliance program

“Most of the controls we used for ISO 27001 and 27701 overlapped with Sprinto’s, making it easier for us to make the switch to platform-led management. Earlier, we had to manage compliances in three different places, but it’s all consolidated within Sprinto.” ~ Sanjay Mishra, Head of DevOps, WebEngage

Read the WebEngage case study to see how the team operationalized ISO 27001, ISO 27701, HIPAA, and SOC 2 on Sprinto while improving cloud security visibility.

That mapping is also where AI governance is showing up. ISO 27001 does not add a separate control just for AI agents, but if your team or systems use AI tools that touch company data, code, or production workflows, those tools belong in your asset inventory, access reviews, vendor assessments, logging, and risk treatment plan. If your AI use is material or customer-facing, ISO/IEC 42001, the dedicated AI management standard, can run alongside ISO 27001 to handle AI-specific governance and lifecycle risks.

Fast-track your ISO 27001 journey

Sprinto automates the part of ISO 27001 that consumes your team: keeping evidence for all 93 controls current, every day, across every system. You still decide which controls fit your risks; Sprinto handles collecting and verifying the proof that they are working.

Automated monitoring makes ISO 27001 less overwhelming

“Sprinto made the SOC 2 and ISO 27001 compliance process significantly more structured and less overwhelming. The platform automates a lot of evidence collection and continuously monitors controls, which saved us a lot of manual effort.” ~ Verified reviewer on G2

Here is what that looks like across the ISO 27001 journey.

Mapping risks to controls: Sprinto connects to your tech stack through 300+ integrations across cloud, identity, code, devices, and HR, ITSM, and finance systems. It reads your actual environment, flags where you fall short of the 93 Annex A controls, and helps you build a Statement of Applicability that ties each applicable control to a real risk, an owner, and its implementation status.

Drafting policies: Instead of starting from a blank page, you get editable policy templates written in plain language, pre-mapped to the relevant controls. You adjust them to match how your organization runs, rather than wording them from scratch.

Automated evidence collection: This is where most of the manual effort disappears. Sprinto runs continuous checks against your live systems (configurations, access permissions, vendor integrations, and AI usage) so your control evidence reflects the production state rather than a screenshot taken weeks ago. Across all customers, the platform runs roughly 950 million compliance checks per month, so drift is caught as it happens, not at audit time.

Getting through the audit: Because evidence is verified against live system state and decision trails are preserved as you go, the audit becomes a matter of producing what already exists rather than reconstructing a year of activity under a deadline. Sprinto has supported 4,550+ successful audits to date, and your engagement includes a dedicated compliance expert who guides you through scoping, risk assessment, control selection, and auditor coordination.

Staying compliant after certification: ISO 27001 is not a one-time event. Surveillance audits recur, your systems change, and the 2024 climate amendment is now part of what auditors check. Sprinto’s continuous monitoring keeps your controls and evidence up to date between audits, so recertification is a continuation of normal operations rather than a fresh scramble.

Sprinto supports 200+ frameworks beyond ISO 27001, including SOC 2, GDPR, HIPAA, and PCI DSS, which matters if you plan to map ISO 27001 controls outward to other standards. It is trusted by 3,000+ companies across 75 countries, including Whatfix, WeWork, and HackerRank.

Final thoughts

Annex A is the heart of how you meet ISO 27001’s requirements. Once you have settled on the controls you will implement, ISO 27002:2022 is your detailed reference for putting each one into practice. It is the companion “how-to” to Annex A’s “what.”

The shift to the 2022 structure is the thing to get right today: 93 controls, four themes, the 11 additions, and the climate amendment. Get those straight, anchor every control to a real risk, and your SoA and evidence will line up with what auditors actually check.


Frequently asked questions

How many controls does ISO 27001 Annex A have?

ISO 27001:2022 has 93 controls in Annex A, grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). The earlier 2013 version had 114 controls across 14 domains, but that version has been retired.

Are Annex A controls mandatory?

No. You do not have to implement all 93. You select the controls that apply based on your risk assessment, and you justify any exclusions in your Statement of Applicability.

What is the primary purpose of Annex A controls?

To treat information security risks and improve the security of your organization’s information assets in a structured, auditable way.

What is the ISO 27001 Annex A Statement of Applicability?

The SoA defines which of the 93 Annex A controls you will implement and how, and it documents the justification for any controls you exclude. It is one of the most scrutinized documents in a certification or surveillance audit.

Why do the Annex A themes start at A.5?

The numbering aligns with ISO 27002, the companion standard that provides implementation guidance for each control. ISO 27002’s clauses 1 to 4 are introductory, so its controls begin at clause 5, and Annex A mirrors that by starting its first theme at A.5.

How many ISO 27001 controls are there in 2026?

ISO 27001:2022, the current version, has 93 Annex A controls in four themes: Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls). There is no separate “2026 version” of the standard; the current standard is the 2022 edition plus the 2024 climate amendment. The 2013 version’s 14-domain structure (A.5-A.18) has been retired, and certificates issued against it expired after 31 October 2025.

What is the difference between ISO 27001 clauses and controls?

Clauses 4 to 10 define the mandatory requirements for establishing, running, and improving your ISMS. They are the “what” of compliance. Controls (in Annex A) are the specific safeguards you choose to treat identified risks. They are the “how.”

Does ISO 27001 cover AI tools and AI agents?

There is no separate Annex A control just for AI agents, but AI tools still affect your control selection. If employees or systems use AI that accesses company data, code, customer records, or production workflows, include them in your asset inventory, access reviews, vendor assessments, logging, and risk treatment plan. Treat an AI agent with API access like any other non-human identity: define its owner, limit its privileges, rotate credentials, monitor activity, and remove access when the use case ends. If your AI use is material or customer-facing, ISO/IEC 42001 can run alongside ISO 27001 for AI-specific governance.

Can cloud-only or remote companies exclude physical Annex A controls?

Sometimes, but not automatically. If your organization has no owned office, data center, warehouse, or physical server room, some physical controls may be marked as not applicable in the SoA with a clear justification. But you may still need evidence for endpoint security, device disposal, screen-lock settings, remote-work rules, visitor access to any shared office, or physical controls at a new location. The right answer depends on your scope, assets, people, and where information is actually accessed or stored.

Gowsika
Author

Gowsika is an avid reader and storyteller who untangles the complex world of compliance and cybersecurity with charming wit! When she is not decoding cryptic compliance jargon, she enjoys the sun by the sea, listens to music, and ponders life's big (and small) questions. Your guide through the cyber jungle, with inner calm and a sharp mind!