ISO 27001 Annex A Controls: An Overview


What Is Annex A in ISO 27001?

When companies start preparing for ISO 27001, they often run into one major obstacle: Annex A. It’s a long list of 93 information security controls that must be reviewed, selected, and implemented based on risk.

The list can feel overwhelming if you’re not familiar with the standard (and most small and medium companies are not). The best way to approach it is to understand one thing: Annex A is the toolbox you will work from during the certification process and in every audit that follows, so knowing how it is organized pays off.

In this post, we’ll explain how the ISO 27001 controls in Annex A are structured, how to decide which ones apply to you, and how to prepare for your audit with real, practical documentation.

Streamlining from 14 Domains to 4 Categories

In ISO 27001:2013, Annex A lists 114 controls across 14 domains such as Access Control, Asset Management, and Business Continuity. The 2022 update reorganized these into four clearer categories (Organizational, People, Physical, and Technological) to reduce overlap and improve alignment with modern risk contexts.

By grouping related controls, Annex A:2022 makes it easier for organizations to map controls to business structures and risk registers.

Annex A Control Categories in 2025

[Infographic: ISO 27001 Annex A control categories: Organizational Controls (37), People Controls (8), Physical Controls (14), Technological Controls (34)]

A.5 Organizational Controls

Controls in this category: 37 (A.5.1 to A.5.37)

These controls establish the foundation of your ISMS. They cover information security policies, roles and responsibilities, risk management frameworks, incident handling, and supplier security requirements. Strong organizational controls ensure leadership oversight and governance.

Deep dive: Organizational Controls (A.5) Guide

A.6 People Controls

Controls in this category: 8 (A.6.1 to A.6.8)

Human error is a leading cause of security incidents, so People Controls focus on building a security-aware culture. They encompass background checks, onboarding/offboarding processes, security training, and awareness programs that empower employees to act as your first line of defense.

Deep dive: People Controls (A.6) Guide

A.7 Physical Controls

Controls in this category: 14 (A.7.1 to A.7.14)

Physical Controls protect your tangible assets and environments. This domain includes facility access restrictions, equipment security, environmental safeguards, and media disposal procedures, preventing unauthorized physical access and environmental threats.

Deep dive: Physical Controls (A.7) Guide

A.8 Technological Controls

Controls in this category: 34 (A.8.1 to A.8.34)

These controls form the technical backbone of your security posture. They address access control, cryptography, system hardening, logging and monitoring, and backup strategies. Proper implementation helps prevent, detect, and respond to cyber threats effectively.

[Infographic, 2025 DBIR: 15% of employees access generative AI tools on corporate devices, posing a data leak risk]

Deep dive: Technological Controls (A.8) Guide

Statement of Applicability (SoA)

The Statement of Applicability is a mandatory document that lists each Annex A control, marks it “applicable” or “excluded,” and explains your rationale. It directly ties your risk assessment to control selection and is your auditor’s primary tool for verifying a risk-based approach.

How to Choose and Apply Controls

Controls are not implemented “just in case.” You apply them based on your risk assessment.

  1. Map your risks
    Use your risk register (see our guide on how compliance risk management works) to identify actual threats and vulnerabilities.

  2. Link risks to controls
    For each risk, find the Annex A control(s) that mitigate it. For example, a “shadow IT” risk points to A.8.1 (Access control) and A.8.15 (Logging & monitoring).

  3. Decide on inclusion/exclusion
    If a control doesn’t address any of your risks (for instance, physical controls in a fully remote team), you can exclude it, but note that in your SoA.

  4. Document your approach
    For each included control, record:

    • Who owns it

    • What policy or procedure enforces it

    • How you prove it’s working (logs, reports, screenshots)

You can learn more about this risk-based approach in our ISO 27001 Audit Checklist and Compliance Risk Management Guide.

What the Auditor Will Expect

Your auditor won’t just look for checkboxes. They’ll want to see that:

  • Each applicable control has a defined owner

  • It’s covered by a policy or documented procedure

  • You have evidence it’s being followed

  • Excluded controls are properly justified

This is where tools like policy management systems and centralized risk registers really help. They bring order to your documentation and show that your controls are part of how you operate, not just something on paper. Check how humadroid.io can help you with this. 
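As an added example (not from the original post and not humadroid.io’s code), the following Python script turns steps 1 to 4 above and the auditor’s expectations into automated checks over a risk register and a Statement of Applicability: every risk must map to an applicable control, every applicable control needs an owner, a policy and evidence, and every excluded control needs a justification. The data model (`Risk`, `SoaEntry`), the `check_soa` function and the sample risks and SoA entries are assumptions constructed for illustration; the control ids A.6.3, A.8.1 and A.8.15 come from the post’s own examples, A.5.1, A.7.1 and A.7.2 are additional Annex A:2022 controls, and A.9.1 is a deliberate typo that shows how a reference to a control that does not exist is caught.

```python
"""Consistency checks for an ISO 27001 Statement of Applicability (SoA).

Illustrative example: the data model and the checks are assumptions, not a
format prescribed by the standard. The risk register and SoA excerpt below
are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    controls: list[str]  # Annex A control ids that treat this risk


@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    owner: str = ""                                     # who owns the control
    policy: str = ""                                    # policy/procedure enforcing it
    evidence: list[str] = field(default_factory=list)   # how we prove it works
    justification: str = ""                             # required when excluded


def check_soa(risks: list[Risk], soa: list[SoaEntry]) -> list[str]:
    """Return a list of findings; an empty list means the SoA is consistent."""
    findings: list[str] = []
    by_id = {e.control_id: e for e in soa}

    # Step 1-2: every risk must point at at least one known, applicable control.
    for risk in risks:
        if not risk.controls:
            findings.append(f"{risk.risk_id}: no Annex A control mapped")
        for cid in risk.controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(f"{risk.risk_id}: references unknown control {cid}")
            elif not entry.applicable:
                findings.append(f"{risk.risk_id}: mapped control {cid} is excluded")

    # Step 3-4: applicable controls need owner, policy and evidence and should
    # trace back to a risk; excluded controls need a written justification.
    mitigates_a_risk = {cid for r in risks for cid in r.controls}
    for entry in soa:
        if entry.applicable:
            if not entry.owner:
                findings.append(f"{entry.control_id}: no owner")
            if not entry.policy:
                findings.append(f"{entry.control_id}: no policy or procedure")
            if not entry.evidence:
                findings.append(f"{entry.control_id}: no evidence recorded")
            if entry.control_id not in mitigates_a_risk:
                findings.append(f"{entry.control_id}: applicable but not mapped to any risk")
        elif not entry.justification:
            findings.append(f"{entry.control_id}: excluded without justification")
    return findings


def soa_summary(soa: list[SoaEntry]) -> dict[str, int]:
    """Count applicable versus excluded controls (the totals an SoA usually shows)."""
    applicable = sum(1 for e in soa if e.applicable)
    return {"applicable": applicable, "excluded": len(soa) - applicable}


# Constructed sample risk register (A.9.1 is a deliberate typo: Annex A ends at A.8).
SAMPLE_RISKS = [
    Risk("R-01", "Shadow IT: staff use unsanctioned SaaS", ["A.8.1", "A.8.15"]),
    Risk("R-02", "Staff fall for phishing", ["A.6.3"]),
    Risk("R-03", "Company laptop lost while travelling", ["A.8.1", "A.9.1"]),
    Risk("R-04", "Supplier breach exposes customer data", []),
]

# Constructed sample SoA excerpt with several deliberate gaps.
SAMPLE_SOA = [
    SoaEntry("A.5.1", "Policies for information security", True,
             owner="CISO", policy="ISMS-POL-01", evidence=["signed policy set"]),
    SoaEntry("A.6.3", "Information security awareness, education and training", True,
             owner="Head of People", policy="HR-SEC-02",
             evidence=["LMS logs", "attendance records"]),
    SoaEntry("A.8.1", "Access control", True, owner="IT Lead", policy="IT-ACC-01"),
    SoaEntry("A.8.15", "Logging & monitoring", True, policy="IT-LOG-01",
             evidence=["SIEM dashboards"]),
    SoaEntry("A.7.1", "Physical security perimeters", False,
             justification="Fully remote team, no company premises"),
    SoaEntry("A.7.2", "Physical entry", False),
]

if __name__ == "__main__":
    print(soa_summary(SAMPLE_SOA))
    for finding in check_soa(SAMPLE_RISKS, SAMPLE_SOA):
        print("FINDING:", finding)
```

Running the script on the sample data reports six findings: a risk that references a control id that does not exist, a risk with no control mapped, an applicable control with no owner, one with no evidence, one that no risk points at (the “just in case” control), and an excluded control with no justification. Each finding is exactly the kind of gap an auditor would raise, so a check like this can run before every internal review rather than being discovered at the certification audit.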

Common Mistakes to Avoid

Here are some traps many teams fall into:

  • Trying to implement all 93 controls without assessing relevance

  • Leaving controls without a clear owner

  • Forgetting to test or monitor controls in real-world use

  • Poorly written or outdated policy documents

  • Skipping the Statement of Applicability or treating it like a formality

A Simple Example: How to Document a Control

Let’s take A.6.3 – Information security awareness, education, and training.

Here’s how you might document it:

  • Is it applicable? Yes

  • Owner: Head of People

  • How we implement it: All new employees complete security training in their first week. We also run mandatory annual refreshers, and training completion is tracked in our HR system.

  • Evidence: LMS logs, attendance records, training slides, internal wiki content

It’s not about long documents. It’s about understandable, clear processes and traceable evidence.


ISO 27001 controls, if used well, will help your company stay secure.

Focus on what actually reduces risk. Assign ownership. Make your policies usable, not only to you, but to every employee in your company. And track the proof. That’s what your auditor wants to see.

By treating controls like part of your daily operations, not just an audit checklist once a year, you’ll build a system that scales with your business and keeps your data safer.
