ISO 27001 Annex A Controls: An Overview
TL;DR
ISO 27001's Annex A contains 93 security controls organized into 4 categories (Organizational, People, Physical, and Technological) that must be selected based on risk assessment, not implemented blindly. Success requires mapping controls to actual risks, assigning clear ownership, maintaining proper documentation, and treating controls as part of daily operations rather than just audit requirements.
What Is Annex A in ISO 27001?
When companies start preparing for ISO 27001, they often run into one major obstacle: Annex A. It's a long list of 93 information security controls that must be reviewed, selected, and implemented based on risk.
The list can feel overwhelming if you're not familiar with the standard (and most small and medium companies are not). Still, the best way to approach it is to understand one thing: Annex A is the toolbox you will work from throughout the certification process and in every subsequent audit, so knowing how it is structured pays off.
In this post, we'll explain how the ISO 27001 controls in Annex A are structured, how to decide which ones apply to you, and how to prepare for your audit with real, practical documentation.
Streamlining from 14 Domains to 4 Categories
In ISO 27001:2013, Annex A lists 114 controls across 14 domains such as Access Control, Asset Management, and Business Continuity. The 2022 update reorganized these into four clearer categories to reduce overlap and improve alignment with modern risk contexts:
- A.5 Organizational Controls (governance, policies, supplier management)
- A.6 People Controls (hiring, training, awareness)
- A.7 Physical Controls (facility security, equipment protection)
- A.8 Technological Controls (access management, encryption, logging)
By grouping related controls, the 2022 edition of Annex A makes it easier for organizations to map controls to business structures and risk registers.
Annex A Control Categories in 2025
A.5 Organizational Controls
Controls in this category: 37 (A.5.1 to A.5.37)
These controls establish the foundation of your ISMS. They cover information security policies, roles and responsibilities, risk management frameworks, incident handling, and supplier security requirements. Strong organizational controls ensure leadership oversight and governance.
Deep dive: Organizational Controls (A.5) Guide
A.6 People Controls
Controls in this category: 8 (A.6.1 to A.6.8)
Human error is a leading cause of security incidents, so People Controls focus on building a security-aware culture. They encompass background checks, onboarding/offboarding processes, security training, and awareness programs that empower employees to act as your first line of defense.
Deep dive: People Controls (A.6) Guide
A.7 Physical Controls
Controls in this category: 14 (A.7.1 to A.7.14)
Physical Controls protect your tangible assets and environments. This domain includes facility access restrictions, equipment security, environmental safeguards, and media disposal procedures, preventing unauthorized physical access and environmental threats.
Deep dive: Physical Controls (A.7) Guide
A.8 Technological Controls
Controls in this category: 34 (A.8.1 to A.8.34)
These controls form the technical backbone of your security posture. They address access control, cryptography, system hardening, logging and monitoring, and backup strategies. Proper implementation helps prevent, detect, and respond to cyber threats effectively.
[Figure: 2025 DBIR infographic]
Deep dive: Technological Controls (A.8) Guide
Statement of Applicability (SoA)
The Statement of Applicability is a mandatory document that lists each Annex A control, marks it "applicable" or "excluded," and explains your rationale. It directly ties your risk assessment to control selection and is your auditor's primary tool for verifying a risk-based approach.
How to Choose and Apply Controls
Controls are not implemented "just in case." You apply them based on your risk assessment.
- Map your risks: Use your risk register (see our guide on how compliance risk management works) to identify actual threats and vulnerabilities.
- Link risks to controls: For each risk, find the Annex A control(s) that mitigate it. For example, a "shadow IT" risk points to A.8.1 (Access control) and A.8.15 (Logging & monitoring).
- Decide on inclusion/exclusion: If a control doesn't address any of your risks (for instance, physical controls in a fully remote team), you can exclude it, but note that in your SoA.
- Document your approach: For each included control, record:
  - **Who** owns it
  - **What** policy or procedure enforces it
  - **How** you prove it's working (logs, reports, screenshots)
You can learn more about this risk-based approach in our ISO 27001 Audit Checklist and Compliance Risk Management Guide.
What the Auditor Will Expect
Your auditor won't just look for checkboxes. They'll want to see that:
- Each applicable control has a defined owner
- It's covered by a policy or documented procedure
- You have evidence it's being followed
- Excluded controls are properly justified
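The procedure above (map risks, link them to controls, decide inclusion, record owner/policy/evidence) and the auditor's four expectations can be turned into a small tool. This added Python example is not code from the article or from Humadroid: it builds a Statement of Applicability from a constructed risk register and lists the gaps an auditor would flag. The four control titles are from ISO/IEC 27001:2022; the risks, owners, policies and evidence are constructed sample data.

```python
"""Build a Statement of Applicability (SoA) from a risk register and flag the
gaps an auditor would raise. Added example, not code from the article; the
risks, owners and evidence below are constructed sample data."""
# Subset of the 93 Annex A controls (titles per ISO/IEC 27001:2022).
CONTROLS = {"A.5.15": "Access control", "A.6.3": "Information security awareness, education and training",
            "A.7.1": "Physical security perimeters", "A.8.15": "Logging"}
# Constructed risk register: each risk lists the controls chosen to mitigate it.
RISKS = [{"id": "R-01", "title": "Phishing leads to credential theft", "controls": ["A.6.3", "A.8.15"]},
         {"id": "R-02", "title": "Leavers keep access after offboarding", "controls": ["A.5.15"]}]
# Constructed implementation records: owner, enforcing policy, proof it works.
IMPL = {"A.5.15": {"owner": "IT Lead", "policy": "Access Control Policy",
                   "evidence": ["quarterly access review export"]},
        "A.6.3": {"owner": "Head of People", "policy": "Awareness Training Procedure",
                  "evidence": ["LMS completion report"]},
        "A.8.15": {"owner": "IT Lead", "policy": "", "evidence": []}}  # incomplete on purpose
# Rationale for controls excluded because no risk maps to them.
EXCLUSIONS = {"A.7.1": "Fully remote team with no company-operated premises."}


def build_soa(controls=CONTROLS, risks=RISKS, impl=IMPL, exclusions=EXCLUSIONS):
    """Return one SoA row per control; a control is applicable iff a risk maps to it."""
    soa = {}
    for cid, title in controls.items():
        linked = sorted(r["id"] for r in risks if cid in r["controls"])
        rec = impl.get(cid, {})
        soa[cid] = {"title": title, "applicable": bool(linked), "risks": linked,
                    "owner": rec.get("owner", ""), "policy": rec.get("policy", ""),
                    "evidence": list(rec.get("evidence", [])),
                    "justification": exclusions.get(cid, "")}
    return soa


def audit_gaps(soa):
    """List what the auditor would flag: applicable controls lacking an owner,
    policy or evidence, and excluded controls lacking a justification."""
    findings = []
    for cid, row in sorted(soa.items()):
        if row["applicable"]:
            findings += [f"{cid}: applicable but no {f} recorded"
                         for f in ("owner", "policy", "evidence") if not row[f]]
        elif not row["justification"]:
            findings.append(f"{cid}: excluded but no justification in the SoA")
    return findings


if __name__ == "__main__":
    for cid, row in build_soa().items():
        print(cid, "applicable" if row["applicable"] else "excluded", row["risks"] or row["justification"])
    print("\n".join(audit_gaps(build_soa())) or "no gaps")
```

Swap the constructed dictionaries for exports from your own risk register and policy tool; the two checks stay the same.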
This is where tools like policy management systems and centralized risk registers really help. They bring order to your documentation and show that your controls are part of how you operate, not just something on paper. Check how humadroid.io can help you with this.
Common Mistakes to Avoid
Here are some traps many teams fall into:
- Trying to implement all 93 controls without assessing relevance
- Leaving controls without a clear owner
- Forgetting to test or monitor controls in real-world use
- Poorly written or outdated policy documents
- Skipping the Statement of Applicability or treating it like a formality
A Simple Example: How to Document a Control
Let's take A.6.3 – Information security awareness, education, and training.
Here's how you might document it:
- Is it applicable? Yes
- Owner: Head of People
- How we implement it: All new employees complete security training in their first week. We also run mandatory annual refreshers, and training completion is tracked in our HR system.
- Evidence: LMS logs, attendance records, training slides, internal wiki content
It's not about long documents. It's about understandable, clear processes and traceable evidence.
ISO 27001 controls, if used well, will help your company stay secure.
Focus on what actually reduces risk. Assign ownership. Make your policies usable, not only to you, but to every employee in your company. And track the proof. That's what your auditor wants to see.
By treating controls like part of your daily operations, not just an audit checklist once a year, you'll build a system that scales with your business and keeps your data safer.
Additional Resources
- Comprehensive ISO 27001 Audit Checklist
- Broader Compliance Risk Management
- Foundational Risk Register Guide
Frequently Asked Questions
Map each risk to the smallest set of Annex A controls that fully address the threat—for example, linking 'customer database exposure' to Access Control (A.9) and Cryptography (A.10) controls. Humadroid automates this mapping process and maintains a living treatment tracker that updates as your risk profile changes.
Humadroid's AI automatically analyzes your risk assessment and recommends the most relevant Annex A controls from the 93 available options, then generates implementation documentation in minutes instead of weeks. This AI-powered approach eliminates the guesswork and reduces consultant costs by 97%, providing 24/7 guidance for selecting and documenting controls across all four categories (Organizational, People, Physical, and Technological).
Traditional ISO 27001 consultants charge $200k+ annually to help implement Annex A controls, while Humadroid's AI platform delivers the same expertise for just $125-250/month—a 97% cost savings. The AI can generate your Statement of Applicability and control documentation instantly, compared to consultants who take weeks or months for the same deliverables.
With Humadroid's AI, you can generate a complete Statement of Applicability for all 93 Annex A controls in under 30 minutes, including proper justifications for included and excluded controls. Traditional consultants typically require 2-4 weeks to produce the same document, making AI automation 50-100x faster for this critical ISO 27001 requirement.
Yes, Humadroid's AI makes ISO 27001 Annex A controls accessible to SMBs by providing expert-level guidance at $125-250/month instead of $200k+ consultant fees. The AI automatically maps your specific risks to the appropriate controls across all four categories (A.5-A.8) and generates implementation documentation, making enterprise-level compliance affordable for small businesses.
