What Is Annex A in ISO 27001?
When companies start preparing for ISO 27001, they often run into one major obstacle: Annex A. It’s a long list of 93 information security controls that must be reviewed, selected, and implemented based on risk.
The list can feel overwhelming if you’re not familiar with the standard (and most small and medium companies are not). Nevertheless, the best way to approach it is to understand one thing: Annex A is the toolbox you will work from during the certification process and in every audit that follows, so understanding how it is organized pays off.
In this post, we’ll explain how the ISO 27001 controls in Annex A are structured, how to decide which ones apply to you, and how to prepare for your audit with real, practical documentation.
Streamlining from 14 Domains to 4 Categories
In ISO 27001:2013, Annex A lists 114 controls across 14 domains such as Access Control, Asset Management, and Business Continuity. The 2022 update reorganized these into four clearer categories to reduce overlap and improve alignment with modern risk contexts:
A.5 Organizational Controls (governance, policies, supplier management)
A.6 People Controls (hiring, training, awareness)
A.7 Physical Controls (facility security, equipment protection)
A.8 Technological Controls (access management, encryption, logging)
By grouping related controls, Annex A:2022 makes it easier for organizations to map controls to business structures and risk registers.
Annex A Control Categories in 2025
A.5 Organizational Controls
Controls in this category: 37 (A.5.1 to A.5.37)
These controls establish the foundation of your ISMS. They cover information security policies, roles and responsibilities, risk management frameworks, incident handling, and supplier security requirements. Strong organizational controls ensure leadership oversight and governance.
Deep dive: Organizational Controls (A.5) Guide
A.6 People Controls
Controls in this category: 8 (A.6.1 to A.6.8)
Human error is a leading cause of security incidents, so People Controls focus on building a security-aware culture. They encompass background checks, onboarding/offboarding processes, security training, and awareness programs that empower employees to act as your first line of defense.
Deep dive: People Controls (A.6) Guide
A.7 Physical Controls
Controls in this category: 14 (A.7.1 to A.7.14)
Physical Controls protect your tangible assets and environments. This domain includes facility access restrictions, equipment security, environmental safeguards, and media disposal procedures, preventing unauthorized physical access and environmental threats.
Deep dive: Physical Controls (A.7) Guide
A.8 Technological Controls
Controls in this category: 34 (A.8.1 to A.8.34)
These controls form the technical backbone of your security posture. They address access control, cryptography, system hardening, logging and monitoring, and backup strategies. Proper implementation helps prevent, detect, and respond to cyber threats effectively.
Deep dive: Technological Controls (A.8) Guide
Statement of Applicability (SoA)
The Statement of Applicability is a mandatory document that lists each Annex A control, marks it “applicable” or “excluded,” and explains your rationale. It directly ties your risk assessment to control selection and is your auditor’s primary tool for verifying a risk-based approach.
How to Choose and Apply Controls
Controls are not implemented “just in case.” You apply them based on your risk assessment.
1. Map your risks
Use your risk register (see our guide on how compliance risk management works) to identify actual threats and vulnerabilities.
2. Link risks to controls
For each risk, find the Annex A control(s) that mitigate it. For example, a “shadow IT” risk points to A.8.1 (Access control) and A.8.15 (Logging & monitoring).
3. Decide on inclusion/exclusion
If a control doesn’t address any of your risks (for instance, physical controls in a fully remote team), you can exclude it, but note that in your SoA.
4. Document your approach
For each included control, record:
Who owns it
What policy or procedure enforces it
How you prove it’s working (logs, reports, screenshots)
You can learn more about this risk-based approach in our ISO 27001 Audit Checklist and Compliance Risk Management Guide.
What the Auditor Will Expect
Your auditor won’t just look for checkboxes. They’ll want to see that:
Each applicable control has a defined owner
It’s covered by a policy or documented procedure
You have evidence it’s being followed
Excluded controls are properly justified
This is where tools like policy management systems and centralized risk registers really help. They bring order to your documentation and show that your controls are part of how you operate, not just something on paper. Check how humadroid.io can help you with this.
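The four steps above and the auditor’s checklist can be modelled in a few dozen lines, which makes it obvious why “applicable” has to be derived from the risk register rather than ticked by hand. The script below is an added example for this post, not code from humadroid.io or from the standard: it links constructed risks to a handful of Annex A controls, derives an SoA entry (applicable or excluded, with a rationale), and then runs the checks an auditor performs: every applicable control has an owner, a policy and evidence, every exclusion has a justification, and no risk is left without a control. The risk entries, owners, policy names, evidence items and exclusion reason are all constructed sample data.

```python
"""Build a Statement of Applicability (SoA) from a risk register and check it
the way an auditor would. Added example; every register entry is constructed."""
from dataclasses import dataclass, field


@dataclass
class Control:
    ref: str   # Annex A reference, e.g. "A.6.3"
    name: str


@dataclass
class Risk:
    ref: str
    description: str
    control_refs: list  # Annex A controls that mitigate this risk


@dataclass
class Implementation:
    owner: str = ""
    policy: str = ""  # policy or procedure that enforces the control
    evidence: list = field(default_factory=list)  # logs, reports, records


def build_soa(controls, risks, implementations, exclusion_reasons):
    """Steps 2 and 3: a control is applicable iff at least one risk links to
    it; anything else is excluded and must carry a written justification."""
    linked = {}
    for risk in risks:
        for ref in risk.control_refs:
            linked.setdefault(ref, []).append(risk.ref)
    soa = {}
    for ctl in controls:
        impl = implementations.get(ctl.ref, Implementation())
        risk_refs = linked.get(ctl.ref, [])
        soa[ctl.ref] = {
            "name": ctl.name,
            "applicable": bool(risk_refs),
            "rationale": ("Mitigates " + ", ".join(risk_refs)) if risk_refs
                         else exclusion_reasons.get(ctl.ref, ""),
            "owner": impl.owner,
            "policy": impl.policy,
            "evidence": list(impl.evidence),
        }
    return soa


def audit_findings(soa, risks):
    """Step 4 plus the auditor's checklist: owner, policy and evidence for
    every applicable control, a justification for every exclusion, and no
    risk left without a control or pointing at a control missing from the SoA."""
    findings = []
    for ref, entry in soa.items():
        if entry["applicable"]:
            if not entry["owner"]:
                findings.append(f"{ref}: applicable but no owner assigned")
            if not entry["policy"]:
                findings.append(f"{ref}: applicable but no policy or procedure")
            if not entry["evidence"]:
                findings.append(f"{ref}: applicable but no evidence listed")
        elif not entry["rationale"]:
            findings.append(f"{ref}: excluded without justification")
    for risk in risks:
        if not risk.control_refs:
            findings.append(f"{risk.ref}: risk has no mitigating control")
        for ref in risk.control_refs:
            if ref not in soa:
                findings.append(f"{risk.ref}: references unknown control {ref}")
    return findings


# Constructed sample data: a tiny subset of Annex A, not a real register.
CONTROLS = [
    Control("A.6.3", "Information security awareness, education and training"),
    Control("A.7.1", "Physical security perimeters"),
    Control("A.8.15", "Logging"),
]
RISKS = [
    Risk("R-01", "New staff fall for phishing", ["A.6.3"]),
    Risk("R-02", "Shadow IT goes unnoticed", ["A.8.15"]),
    Risk("R-03", "Laptop theft", []),  # nobody has linked a control yet
]
IMPLEMENTATIONS = {
    "A.6.3": Implementation("Head of People", "Security awareness procedure",
                            ["LMS logs", "attendance records"]),
    "A.8.15": Implementation("IT Lead", "", ["SIEM alert reports"]),  # policy missing
}
EXCLUSIONS = {"A.7.1": "Fully remote team, no company-operated premises"}


def run_sample():
    """Return (soa, findings) for the constructed register."""
    soa = build_soa(CONTROLS, RISKS, IMPLEMENTATIONS, EXCLUSIONS)
    return soa, audit_findings(soa, RISKS)


if __name__ == "__main__":
    soa, findings = run_sample()
    for ref, entry in soa.items():
        status = "applicable" if entry["applicable"] else "excluded"
        print(f"{ref:7} {status:10} {entry['rationale']}")
    print("\nFindings:")
    for finding in findings:
        print(" -", finding)
```

Run as a script, it prints the three SoA rows and two findings: A.8.15 is applicable but has no enforcing policy, and R-03 has no control linked to it. Both are exactly the gaps listed under “Common Mistakes” below; keeping the register and the SoA in one structure means they surface before the audit rather than during it.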
Common Mistakes to Avoid
Here are some traps many teams fall into:
Trying to implement all 93 controls without assessing relevance
Leaving controls without a clear owner
Forgetting to test or monitor controls in real-world use
Poorly written or outdated policy documents
Skipping the Statement of Applicability or treating it like a formality
A Simple Example: How to Document a Control
Let’s take A.6.3 – Information security awareness, education, and training.
Here’s how you might document it:
Is it applicable? Yes
Owner: Head of People
How we implement it: All new employees complete security training in their first week. We also run mandatory annual refreshers, and training completion is tracked in our HR system.
Evidence: LMS logs, attendance records, training slides, internal wiki content
It’s not about long documents. It’s about understandable, clear processes and traceable evidence.
ISO 27001 controls, if used well, will help your company stay secure.
Focus on what actually reduces risk. Assign ownership. Make your policies usable, not only to you, but to every employee in your company. And track the proof. That’s what your auditor wants to see.
By treating controls like part of your daily operations, not just an audit checklist once a year, you’ll build a system that scales with your business and keeps your data safer.
Additional Resources
Comprehensive ISO 27001 Audit Checklist
Broader Compliance Risk Management
Foundational Risk Register Guide