Understanding ISO 27001 Controls: A Guide to Annex A
ISO 27001:2022 controls are broken into four themes—people, organizational, physical, and technological—that aim to strengthen your organization’s information security defenses.
Security controls are an essential part of the ISO 27001 standard. These ISO 27001 safeguards function as minimum baseline controls, offering guidance for how organizations can adopt them as listed or tailor them to their specific organization.
ISO 27001 was established in 2005 and has since been updated in 2013 and most recently in 2022. The most recent version is referred to as ISO 27001:2022 and comes with significant changes to how security controls are structured within Annex A, which lists out each objective and security control.
Below, we dive into those structural changes as well as new control additions to be aware of.
ISO 27001 is an international standard designed to help organizations protect the confidentiality, integrity, and availability of their information. The standard includes a list of security controls companies can implement to safeguard their sensitive data.
The ISO 27001 controls outline the measures organizations must take by way of policies, processes, and procedures to meet the document’s security requirements. These security controls are grouped into four control themes—people, organizational, technological, and physical—that aim to reduce risks to an acceptable level.
Changes to the ISO 27001 document in 2022 reduced the number of controls in Annex A from 114 to 93. There have also been noteworthy changes to existing controls, including renaming and merging controls. ISO 27001:2022 consolidated old controls and added new ones, but the resulting control set is not all-encompassing.
The changes in the 2022 version aim to address the changing business landscape, such as the rise of remote work and the evolving nature of cybersecurity threats. The new version puts an emphasis on streamlining controls under thematic topics to make the implementation process easier.
There are 11 new controls that have been added to the ISO 27001 document, which include:
Threat intelligence (5.7): requires companies to collect and analyze information relating to information security threats
Information security for use of cloud services (5.23): requires companies to specify and manage information security for the use of cloud services
ICT readiness for business continuity (5.30): requires companies to create an ICT continuity plan to maintain operational resilience
Physical security monitoring (7.4): requires companies to detect and prevent external and internal intruders by deploying suitable surveillance tools
Configuration management (8.9): requires companies to establish policies to manage how they document, implement, monitor, and review the use of configurations across their entire network
Information deletion (8.10): provides guidance on how to manage data deletion to comply with laws and regulations
Data masking (8.11): provides data masking techniques for personally identifiable information (PII) to comply with laws and regulations
Data leakage prevention (8.12): requires companies to implement technical measures that detect and prevent the disclosure and/or extraction of information
Monitoring activities (8.16): provides guidance on improving network monitoring activities to identify anomalous behavior and address security events and incidents
Web filtering (8.23): requires companies to enforce access controls and measures to restrict and control access to external websites
Secure coding (8.28): requires companies to follow secure coding principles to prevent vulnerabilities caused by poor coding methods
Below, we outline each of the five control attributes with examples of the specific documentation and evidence needed to demonstrate compliance:
Control Type categorizes each control based on its primary function—whether it aims to prevent security incidents, detect threats, or correct issues once they occur.
Preventive controls, such as access management policies or encryption protocols, aim to block unauthorized access or risky actions before they occur. Documentation for preventive measures often includes authentication protocols and encryption standards.
Detective controls, by contrast, are designed to identify potential security issues. These might include monitoring logs, intrusion detection system (IDS) alerts, or network traffic analyses.
Corrective controls, such as incident response plans, focus on addressing and remediating issues once detected. Evidence here could include incident reports or records of actions taken during security incidents.
The Operational Capabilities attribute emphasizes your organization’s ability to manage assets, human resources, and information security policies effectively. For example, strong governance practices require policies and audit reports that define and document your organization’s security approach.
Asset management controls, which track and secure digital and physical resources, might include asset inventories and usage logs to show that all assets are accounted for and properly managed. It also involves regular tracking and review of asset status and usage, which can include lifecycle management and disposal processes for both digital and physical assets. Similarly, information protection controls require data classification policies and access permissions logs to demonstrate data protection.
In human resources, documentation such as training logs, confidentiality agreements, and records of background checks show a commitment to fostering a security-focused workforce.
Security Domains in ISO 27001 group controls based on broader security goals—governance and ecosystem, protection, defense, and resilience.
Governance and ecosystem controls emphasize establishing frameworks for security roles and responsibilities, which may include policies for third-party partnerships and records of security assessments. Protection controls, like encryption or firewall configurations, demonstrate measures taken to guard data and systems.
Defense-focused controls typically include tools for active threat monitoring, such as intrusion detection logs and threat intelligence reports. Resilience controls, which prepare your organization to recover from disruptions, often require documentation of business continuity and disaster recovery plans, as well as test results from recovery drills.
Described in the ISO/IEC Technical Specification ISO/IEC TS 27110, the Cybersecurity Concepts attribute categorizes controls by the steps taken to manage cybersecurity risks.
Controls focused on identifying risks might include risk assessment reports and vulnerability scanning results. Protection controls, like access policies and secure development practices, are preventive measures aimed at safeguarding resources.
Detection controls use monitoring protocols and alert systems to identify anomalies, while response controls include incident response logs that document actions taken during security events. Finally, recovery-focused controls may include disaster recovery strategies and system restoration logs, ensuring your organization can bounce back after an incident.
The Information Security Properties attribute reflects the fundamental principles of confidentiality, integrity, and availability (also referred to as CIA). Confidentiality controls, such as access restrictions and vendor agreements with confidentiality clauses, ensure that sensitive data is only accessible to authorized users.
Integrity-focused controls, like data validation reports or integrity-check mechanisms, maintain accuracy and consistency. Availability controls are documented through system uptime reports and backup records, showing that your organization is prepared to provide timely access to systems and data.
Control attributes are a new addition to the standard introduced in ISO 27001:2022. These five attributes are intended to help organizations classify and group the controls in whatever way makes sense for their structure and security needs.
ISO 27002:2022 (which provides guidance on how to implement the controls outlined in ISO 27001) states in section 4.2, Themes and Attributes:
"The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different views for different audiences."
The five attributes are:
Control type: preventive, detective, corrective
Operational capabilities: governance, asset management, information protection, human resource security, etc.
Security domains: governance and ecosystem, protection, defense, resilience
Cybersecurity concepts: identify, protect, detect, respond, recover
Information security properties: confidentiality, integrity, availability
The previous version of ISO 27001 spread out the security controls into 14 categories. The newest version (ISO 27001:2022) has merged the original 14 categories into four themes.
Section 5: Organizational (37 controls)
Section 6: People (eight controls)
Section 7: Physical (14 controls)
Section 8: Technological (34 controls)
Each theme contains specific domains that focus on different areas of security, such as access management or physical safeguards, providing a structured approach to securing information assets. Within each domain, there are controls—specific actions, policies, or mechanisms designed to address unique aspects of security.
For example, the Organizational theme includes domains like Access Control and Asset Management, each with targeted controls such as reviewing user access rights and asset ownership.
This consolidated grouping of controls removes redundancies from previous versions of the standard. It also helps companies by grouping controls together based on who’s responsible for carrying them out. For example, technological controls may be carried out by IT, whereas organizational controls might be handled by your system operations team.
The Organizational theme within ISO 27001 forms the backbone of secure information management. This theme addresses essential policies, asset use, and cloud security measures, covering wide-ranging areas that don’t fit neatly into other categories—like identity management, management responsibilities, and data handling practices.
Domains under this theme ensure that security is woven into every layer of operations:
Information Security Policies (Annex A5). Information security policies set the tone for your organization’s security practices. This domain centers on having formal policies that are not only aligned with the organization’s goals but are also reviewed and updated regularly to stay relevant.
Organization of Information Security (Annex A6). Clear roles and a solid governance structure are key to effective information security. This domain defines security roles, coordinates security activities, and sets up frameworks to keep everyone on the same page.
Access Control (Annex A9). Access control keeps sensitive data and systems off-limits to unauthorized users. Controls in this domain include multi-factor authentication (MFA), role-based access control (RBAC), and routine access reviews to make sure only the right people have access to what they need.
Asset Management (Annex A8). Effective asset management is about knowing what assets you have, who’s responsible for them, and how they should be protected. Controls here cover everything from maintaining an asset inventory to setting guidelines for asset handling and ownership.
Communications Security (Annex A13). This domain safeguards information exchanged within and outside the organization. Controls span secure communication protocols, data encryption for transfers, and network security practices, all aimed at preventing eavesdropping and data leaks.
Supplier Relationships (Annex A15). Working with third parties and vendors can introduce security risks. Controls under this domain manage those risks by assessing suppliers, building security requirements into contracts, and monitoring ongoing compliance.
Information Security Incident Management (Annex A16). Incidents happen, and this domain focuses on preparing for and managing them effectively. Controls here include setting up an incident response team, establishing reporting procedures, and conducting post-incident reviews to learn and improve.
Information Security Aspects of Business Continuity Management (Annex A17). Critical information must remain secure even in disruptive situations. This domain ensures continuity through business continuity plans, disaster recovery tests, and resilience measures for key systems.
Compliance (Annex A18). Meeting legal, regulatory, and contractual requirements is essential, and compliance controls help make this happen. These controls involve identifying relevant laws, conducting audits, and maintaining compliance records.
New organizational controls introduced in ISO 27001:2022 add further layers of resilience:
5.7: Threat Intelligence
5.23: Information security for use of cloud services
5.30: ICT readiness for business continuity
Threat intelligence is a noteworthy control addition under this theme. This control goes beyond recognizing a malicious domain name: it asks organizations to understand how they may be targeted and then use that threat intelligence to inform their information security approach.
The People theme in ISO 27001 zeroes in on how employees interact with sensitive information and contribute to security. It addresses the human side of information security by preparing, educating, and guiding employees in ways that protect your organization’s assets and maintain compliance.
This theme includes one domain, Human Resource Security (Annex A7), which upholds security standards across every stage of the employee lifecycle—from onboarding to offboarding. The controls here focus on background checks, confidentiality agreements, ongoing training, and secure exit processes.
Key documentation in this area includes training records, signed NDAs, and security checklists. Notably, no new controls were introduced in ISO 27001:2022 for this theme.
The Physical theme in ISO 27001 focuses on safeguarding your organization’s physical spaces and assets. It addresses potential physical and environmental risks to ensure that everything from equipment to data storage facilities stays secure, no matter what comes your way.
All controls in this theme fall under the Physical and Environmental Security (Annex A11) domain, which is about securing your organization’s premises and assets against unauthorized access, environmental hazards, and natural disasters. These controls cover everything from entry-point security to monitoring environmental factors in high-sensitivity areas.
Measures include secure entry systems, like keycard or biometric access, along with surveillance cameras and visitor logs to keep track of who’s entering and exiting your facilities. Environmental protections, such as fire suppression systems and climate controls, help guard against temperature fluctuations, humidity, and fire risks that could compromise both physical and digital assets.
ISO 27001:2022 introduced a new control under this theme:
7.4: Physical security monitoring
The Technological theme in ISO 27001 is about securing your organization’s digital environment. These controls target network security, data integrity, and system resilience, providing essential defenses against cyber threats.
The domains under this theme are:
Cryptography (Annex A10). This domain keeps sensitive information safe and private through encryption and other cryptographic techniques. Controls cover the encryption of data at rest and in transit, cryptographic key management, and secure storage practices.
Operational Security (Annex A12). Operational Security is designed to monitor potential threats and respond swiftly. This domain includes controls for incident response, vulnerability assessments, malware protection, and continuous monitoring to maintain data confidentiality, integrity, and availability.
System Acquisition, Development, and Maintenance (Annex A14). Security should be built into systems from the start. This domain includes controls that embed security throughout the lifecycle of any system—from development to maintenance—to minimize potential vulnerabilities. Controls focus on secure coding practices, routine patching, and regular system security reviews.
ISO 27001:2022 introduced several new technological controls, further strengthening this theme:
8.11: Data masking
8.9: Configuration management
8.10: Information deletion
8.12: Data leakage prevention
8.16: Monitoring activities
8.23: Web filtering
8.28: Secure coding
Data leakage prevention is one of the key new additions under this theme and will likely require a large time and financial investment to put in place for the first time. Web filtering is another notable new control that specifies how organizations should filter web traffic to prevent users from visiting malicious sites.
ISO 27001 controls span across business functions, embedding security practices into the daily operations of departments like IT, HR, Legal, and Operations. Mapping these controls to each department builds a security strategy that is comprehensive and purpose-driven across your organization.
Here’s how different stakeholders apply ISO 27001 controls and examples of the documentation they might use to show compliance.
The IT department takes the lead with Access Control (Annex A9) and Cryptography (Annex A10) to keep data and networks secure. From multi-factor authentication (MFA) to encryption protocols, IT’s focus is on making sure only the right people have access to sensitive information.
To keep these efforts transparent and accountable, IT might document its security configurations with access logs, firewall records, encryption policies, and detailed incident response records.
For HR, security starts with the hiring process and runs through every step of the employee journey. Under Human Resource Security (Annex A7), HR manages background checks, collects signed confidentiality agreements, and leads security training, so employees know their responsibilities from day one.
They might keep detailed records of these efforts in the form of training logs and background checks.
The Legal team keeps Compliance (Annex A18) top-of-mind by addressing legal, regulatory, and contractual obligations. They help with risk management through security requirements in vendor contracts and oversee regular compliance audits.
To maintain a record of these efforts, Legal might store copies of vendor contracts with security clauses, audit results, and regulatory documentation.
Operations oversees Physical and Environmental Security (Annex A11), protecting facilities and equipment from unauthorized access and environmental risks.
To prove that physical security is robust and proactive, Operations teams might maintain visitor records, access logs, and monitoring reports.
Finance enforces Access Control (Annex A9) and Cryptography (Annex A10) to keep financial records secure. They restrict access to financial systems, store data securely, and encrypt information where needed.
They might keep detailed records of access permissions, encryption policies, and secure handling protocols to show commitment to compliance and secure financial data practices.
Whether you’re on the path to achieving ISO 27001 compliance or you’re looking to maintain your compliance standing, our compliance automation platform helps you streamline evidence collection, access control workflows, and ensure you have all the audit documentation you need.
Below are answers to frequently asked questions that will help you navigate the essentials of ISO 27001:2022 controls.
ISO 27001:2022 Annex A currently contains 93 controls, organized into four thematic groups: Organizational, People, Physical, and Technological.
These 93 controls cover a comprehensive range of security measures to address various risks and safeguard information assets.
No, not all Annex A controls are mandatory. ISO 27001 requires organizations to select controls based on a risk assessment to address specific security risks relevant to their operations.
During implementation, organizations can determine which controls are necessary and exclude those that don’t apply, as long as they provide justifications for exclusions in their Statement of Applicability (SoA).
ISO 27001 controls aim to minimize the likelihood and impact of information security risks, so that an organization’s data remains secure, accurate, and accessible when needed. The controls within Annex A help organizations implement robust security measures, addressing everything from data access and cryptography to incident response and physical security.
ISO 27001:2022 introduced 11 new controls to address emerging security challenges and evolving technological risks. These new controls cover areas such as threat intelligence, secure coding, data masking, data leakage prevention, and monitoring activities.