
ISO 27001:2022 Annex A Explained

By Max Edwards | Updated 8 October 2024

In October 2022, the ISO 27001 standard was updated to reflect the ever-changing landscape of technology and information security. The changes were mostly cosmetic and include restructuring and refining existing requirements. The biggest change is to Annex A, whose controls are now derived from ISO 27002:2022. In this guide we'll look at what has changed, and what this means for you.


What is Annex A, and what has changed?

Annex A in ISO 27001 is a part of the standard that lists a set of classified security controls that organisations use to demonstrate compliance with ISO 27001 6.1.3 (Information security risk treatment) and its associated Statement of Applicability (see below).

It previously contained 114 controls divided into 14 categories, which covered a wide range of topics such as access control, cryptography, physical security, and incident management.

Following the release of ISO 27002:2022 (Information security, cybersecurity and privacy protection controls) on February 15, 2022, ISO 27001:2022 has aligned its Annex A controls.

The new version of the Standard draws upon a condensed set of 93 Annex A controls, including 11 new controls.

A total of 24 controls were merged from two, three, or more security controls from the 2013 version, and 58 controls from ISO 27002:2013 were revised to align with the current cyber security and information security environment.

What is a Statement of Applicability?

Before continuing, it is worth introducing the Statement of Applicability (SoA), as it sets out an organisation's approach to implementing the Annex A controls it has selected.

A Statement of Applicability (SoA) in ISO 27001:2022 is a document that lists the Annex A controls that an organisation will implement to meet the requirements of the standard. It is a mandatory step for anyone planning on pursuing ISO 27001 certification.

Your SoA should contain four main elements:

  • A list of all controls that are necessary to satisfy information security risk treatment options, including those contained within Annex A.
  • A statement that outlines why all of the above controls have been included.
  • Confirmation of implementation.
  • The organisation’s justification for omitting any of the Annex A controls.

The New ISO 27001:2022 control categories explained

The Annex A controls of ISO 27001:2013 were previously divided into 14 categories. ISO 27001:2022 adopts a similar categorical approach to information security, distributing the controls among four top-level categories.

Annex A Controls Have Now Been Grouped Into Four Categories

The ISO 27001:2022 Annex A controls have been restructured and consolidated to reflect current security challenges. The core ISMS management processes remain unchanged, but the Annex A control set has been updated to reflect more modern risks and their associated controls.

  • Organisational
  • People
  • Physical
  • Technological

Each control is additionally assigned a set of attributes. Each control now has a table with a set of suggested attributes, and Annex A of ISO 27002:2022 provides a set of recommended associations.

These allow you to quickly align your control selection with common industry language and international standards. The use of attributes supports work many companies already do within their risk assessment and Statement of Applicability (SoA).

For example, cybersecurity concepts similar to those in the NIST and CIS controls can be distinguished, and the operational capabilities relating to other standards can be recognised.

Annex A Control Categories

Organisational Controls

  • Number of controls: 37
  • Control numbers: ISO 27001 Annex A 5.1 to 5.37

Organisational controls encompass regulations and measures which dictate an organisation’s comprehensive attitude towards data protection over a broad range of matters. These controls include policies, rules, processes, procedures, organisational structures and more.

People Controls

  • Number of controls: 8
  • Control numbers: ISO 27001 Annex A 6.1 to 6.8

People controls enable businesses to regulate the human component of their information security program, by defining the manner in which personnel interact with data and each other. These controls cover secure human resources management, personnel security, and awareness and training.

Physical Controls

  • Number of controls: 14
  • Control numbers: ISO 27001 Annex A 7.1 to 7.14

Physical safeguards are measures employed to ensure the security of tangible assets. These may include entry systems, guest access protocols, asset disposal processes, storage medium protocols, and clear desk policies. Such safeguards are essential for the preservation of confidential information.

Technological Controls

  • Number of controls: 34
  • Control numbers: ISO 27001 Annex A 8.1 to 8.34

Technological controls set out the technical measures an organisation should adopt to run a secure, compliant IT infrastructure, from authentication methods and configuration settings to backup and disaster recovery (BUDR) strategies and logging.


Table of all Annex A controls

ISO 27001:2022 Organisational Controls

ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier(s) | Annex A name
5.1 | 5.1.1, 5.1.2 | Policies for Information Security
5.2 | 6.1.1 | Information Security Roles and Responsibilities
5.3 | 6.1.2 | Segregation of Duties
5.4 | 7.2.1 | Management Responsibilities
5.5 | 6.1.3 | Contact With Authorities
5.6 | 6.1.4 | Contact With Special Interest Groups
5.7 | NEW | Threat Intelligence
5.8 | 6.1.5, 14.1.1 | Information Security in Project Management
5.9 | 8.1.1, 8.1.2 | Inventory of Information and Other Associated Assets
5.10 | 8.1.3, 8.2.3 | Acceptable Use of Information and Other Associated Assets
5.11 | 8.1.4 | Return of Assets
5.12 | 8.2.1 | Classification of Information
5.13 | 8.2.2 | Labelling of Information
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information Transfer
5.15 | 9.1.1, 9.1.2 | Access Control
5.16 | 9.2.1 | Identity Management
5.17 | 9.2.4, 9.3.1, 9.4.3 | Authentication Information
5.18 | 9.2.2, 9.2.5, 9.2.6 | Access Rights
5.19 | 15.1.1 | Information Security in Supplier Relationships
5.20 | 15.1.2 | Addressing Information Security Within Supplier Agreements
5.21 | 15.1.3 | Managing Information Security in the ICT Supply Chain
5.22 | 15.2.1, 15.2.2 | Monitoring, Review and Change Management of Supplier Services
5.23 | NEW | Information Security for Use of Cloud Services
5.24 | 16.1.1 | Information Security Incident Management Planning and Preparation
5.25 | 16.1.4 | Assessment and Decision on Information Security Events
5.26 | 16.1.5 | Response to Information Security Incidents
5.27 | 16.1.6 | Learning From Information Security Incidents
5.28 | 16.1.7 | Collection of Evidence
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information Security During Disruption
5.30 | NEW | ICT Readiness for Business Continuity
5.31 | 18.1.1, 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
5.32 | 18.1.2 | Intellectual Property Rights
5.33 | 18.1.3 | Protection of Records
5.34 | 18.1.4 | Privacy and Protection of PII
5.35 | 18.2.1 | Independent Review of Information Security
5.36 | 18.2.2, 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
5.37 | 12.1.1 | Documented Operating Procedures


ISO 27001:2022 People Controls

ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier(s) | Annex A name
6.1 | 7.1.1 | Screening
6.2 | 7.1.2 | Terms and Conditions of Employment
6.3 | 7.2.2 | Information Security Awareness, Education and Training
6.4 | 7.2.3 | Disciplinary Process
6.5 | 7.3.1 | Responsibilities After Termination or Change of Employment
6.6 | 13.2.4 | Confidentiality or Non-Disclosure Agreements
6.7 | 6.2.2 | Remote Working
6.8 | 16.1.2, 16.1.3 | Information Security Event Reporting


ISO 27001:2022 Physical Controls

ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier(s) | Annex A name
7.1 | 11.1.1 | Physical Security Perimeters
7.2 | 11.1.2, 11.1.6 | Physical Entry
7.3 | 11.1.3 | Securing Offices, Rooms and Facilities
7.4 | NEW | Physical Security Monitoring
7.5 | 11.1.4 | Protecting Against Physical and Environmental Threats
7.6 | 11.1.5 | Working In Secure Areas
7.7 | 11.2.9 | Clear Desk and Clear Screen
7.8 | 11.2.1 | Equipment Siting and Protection
7.9 | 11.2.6 | Security of Assets Off-Premises
7.10 | 8.3.1, 8.3.2, 8.3.3, 11.2.5 | Storage Media
7.11 | 11.2.2 | Supporting Utilities
7.12 | 11.2.3 | Cabling Security
7.13 | 11.2.4 | Equipment Maintenance
7.14 | 11.2.7 | Secure Disposal or Re-Use of Equipment


ISO 27001:2022 Technological Controls

ISO/IEC 27001:2022 Annex A identifier | ISO/IEC 27001:2013 Annex A identifier(s) | Annex A name
8.1 | 6.2.1, 11.2.8 | User Endpoint Devices
8.2 | 9.2.3 | Privileged Access Rights
8.3 | 9.4.1 | Information Access Restriction
8.4 | 9.4.5 | Access to Source Code
8.5 | 9.4.2 | Secure Authentication
8.6 | 12.1.3 | Capacity Management
8.7 | 12.2.1 | Protection Against Malware
8.8 | 12.6.1, 18.2.3 | Management of Technical Vulnerabilities
8.9 | NEW | Configuration Management
8.10 | NEW | Information Deletion
8.11 | NEW | Data Masking
8.12 | NEW | Data Leakage Prevention
8.13 | 12.3.1 | Information Backup
8.14 | 17.2.1 | Redundancy of Information Processing Facilities
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging
8.16 | NEW | Monitoring Activities
8.17 | 12.4.4 | Clock Synchronization
8.18 | 9.4.4 | Use of Privileged Utility Programs
8.19 | 12.5.1, 12.6.2 | Installation of Software on Operational Systems
8.20 | 13.1.1 | Networks Security
8.21 | 13.1.2 | Security of Network Services
8.22 | 13.1.3 | Segregation of Networks
8.23 | NEW | Web Filtering
8.24 | 10.1.1, 10.1.2 | Use of Cryptography
8.25 | 14.2.1 | Secure Development Life Cycle
8.26 | 14.1.2, 14.1.3 | Application Security Requirements
8.27 | 14.2.5 | Secure System Architecture and Engineering Principles
8.28 | NEW | Secure Coding
8.29 | 14.2.8, 14.2.9 | Security Testing in Development and Acceptance
8.30 | 14.2.7 | Outsourced Development
8.31 | 12.1.4, 14.2.6 | Separation of Development, Test and Production Environments
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change Management
8.33 | 14.3.1 | Test Information
8.34 | 12.7.1 | Protection of Information Systems During Audit Testing



Why Is Annex A important to my organisation?

The ISO 27001 standard is formulated in such a manner that allows organisations of all shapes and sizes to satisfy the requirements of the standard while adhering to the fundamental premise of implementing and sustaining comprehensive information security practices.

Organisations have various options for attaining and preserving compliance with ISO 27001, contingent upon the nature of their business and the extent of their data processing activities.

Annex A gives organisations a straightforward set of guidance from which to build a well-structured information security plan suited to their specific commercial and operational needs.

Annex A serves as a time- and resource-saving tool for the initial certification and subsequent adherence processes and provides a basis for audits, process reviews and strategic planning. It may be employed as an internal governance document (i.e. a risk treatment plan) that lays out a formal approach to information security.


Understanding Risk Treatment in ISO 27001 6.1.3

ISO 27001 Requirement 6.1.3 is about establishing and maintaining an information security risk assessment process that includes risk acceptance and assessment criteria.

ISO 27001 6.1.3 is the mechanism by which organisations ensure that their information security risk procedures, including the risk treatment options they choose, conform to ISO's requirements when pursuing certification.

Risk Treatment as a Concept

Certified and compliant organisations handle risk in multiple ways. Risk management is not confined to the corrective actions needed to reduce a risk. Upon identifying a risk, organisations are expected to choose one of the following options:

  • Accept the risk.
  • Treat the risk.
  • Mitigate the risk.
  • Transfer the risk.
  • Avoid the risk.

ISO 27001 6.1.3 asks organisations to formulate a risk treatment plan, including sign-off by risk owners, and broad acceptance of what ISO deems ‘residual risks’.

This process begins with the identification of risks associated with the loss of confidentiality, integrity, and availability of information. The organisation must then select appropriate information security risk treatment options based on the risk assessment results.

Other factors

As a governing requirement, ISO 27001 6.1.3 is not the sole authority on risk management. Large organisations frequently integrate security controls from other accreditation frameworks (NIST, SOC 2's Trust Services Criteria).

Organisations must, however, give priority to Annex A controls throughout the certification and compliance process. ISO auditors assess against ISO requirements, so Annex A should be an organisation's first choice when creating an ISO 27001-compliant information security management system.

Particular third-party public and private sector data standards, such as the National Health Service's Data Security and Protection Toolkit (DSPT), require an alignment of information security standards between organisations and the public entities they interact with.

ISO 27001 6.1.3 permits organisations to align their risk treatment process with multiple external criteria, allowing comprehensive adherence to whatever data security requirements they are likely to encounter.


What Annex A controls should I include?

Assess your organisation's specific information security risks before deciding which controls to implement, and choose controls that will help reduce the risks you have identified.

In addition to risk treatment, controls may also be selected because of a corporate or business objective, a legal requirement, or in fulfilment of contractual and/or regulatory obligations.

Moreover, organisations must explain in their SoA why they have excluded certain controls. For example, there is no need to include controls that address remote or hybrid working if your organisation does not practise it, but an auditor will still expect to see this justification when evaluating your certification or compliance work.


How ISMS.online can help

The ISMS.online platform, coupled with our built-in guidance and pre-configured ISMS, enables organisations to demonstrate compliance with each Annex A Control effortlessly. We are here to assist whether you are new to ISO 27001 or are required to transition your existing ISMS to align with the 2022 version of the standard.

Our step-by-step checklist guides you through the entire process, providing clear oversight of progress and outstanding requirements. Our software facilitates mapping your organisation’s information security controls against each aspect of your ISMS.

Book a platform demo today and experience the benefits of our solution for yourself.
