Inside ISO 27001:2022 Annex A: A Closer Look at Key Controls
Table Of Contents:
- 1) Introduction to ISO 27001:2022 Annex A
- 2) ISO 27001:2022 Annex A Categories
- 3) Critical ISO 27001:2022 Annex A Controls
- 4) Risk Assessment and Treatment in ISO 27001:2022
- 5) Annex A: ISO 27001:2013 vs ISO 27001:2022
- 6) Transitioning from ISO 27001:2013 to ISO 27001:2022
- 7) Annex A: Unlocking ISO 27001:2022 Success
Introduction to ISO 27001:2022 Annex A
ISO 27001:2022 is an international information security standard implemented through an information security management system (ISMS). The standard’s Annex A contains 93 security controls that can be applied based on your organisation’s needs and objectives.
Implementing these controls enables your organisation to address potential risks and achieve compliance with the ISO 27001 standard. It’s a proven approach to showing your customers and prospects that protecting their data is a priority for your business.
In this article, we’ll examine Annex A, outline critical controls, and explain why understanding and implementing relevant Annex A controls is vital to your organisation’s ISO 27001 success.
ISO 27001:2022 Annex A Categories
The 93 ISO 27001:2022 Annex A controls are classified under four categories:
- Organisational controls
- People controls
- Physical controls
- Technological controls.
Organisational Controls
ISO 27001 contains 37 organisational controls. These controls relate to your organisation’s policies, procedures, structures, and more, enabling you to implement effective information security at the organisational level.
Organisational controls include your information security policies, responsibilities for information security, access control, asset management and more.
People Controls
ISO 27001 contains eight people controls, focusing on critical measures organisations should take to ensure employees receive sufficient information security training and know their responsibilities.
People controls include information security education, awareness and training, remote working measures, information security event reporting and more.
Physical Controls
The 14 physical controls in ISO 27001 address the security of your organisation’s physical environment.
Physical controls include security measures for working in secure areas, storage media management, clear desk and screen policies, and more.
Technological Controls
There are 34 technological controls outlined in ISO 27001:2022 relating to various technological elements across your organisation.
Technological controls include secure authentication, management of technical vulnerabilities, monitoring activities and use of cryptography.
Critical ISO 27001:2022 Annex A Controls
Your organisation doesn’t necessarily need to implement all 93 controls, but you should select controls relevant to your organisation’s information security objectives and the risks you’ve identified. Several vital controls are required for most if not all, organisations to be compliant with ISO 27001.
Note that the list below is not exhaustive. Your organisation should consider each control based on your overarching information security objectives.
A.5.1 Policies for Information Security
Control A.5.1, Policies for information security, ensures continuing suitability, adequacy and effectiveness of management support and direction for your organisation’s information security and privacy.
Implemented successfully, this control ensures that your organisation has a set of information security and privacy policies designed to inform and guide the behaviour of individuals in line with information security risks.
For example, your information security policy, which is a requirement of ISO 27001:2022 Clause 5.2, should be approved by management and state your organisation’s approach to managing information security. It should consider your business strategy, requirements, relevant legislation, regulations and contracts.
The policy should:
- Include a definition of information security
- Provide a framework for establishing information security objectives
- State an ongoing commitment to improving your organisation’s ISMS
- Assign responsibilities for information security management to defined roles.
Top management should approve the information security policy and any changes made to ensure effective implementation. You should then communicate the policy (and any associated sub-policies, such as access control and asset management policies) to relevant personnel.
A.5.1. Outcomes: Information security policy; relevant topic-specific sub-policies, e.g. A.5.10 Acceptable use of information and other associated assets, A.8.32 Change management, A.8.13 Information backup, etc.
A.5.15 Access Control
Control A.5.15, Access control requires your organisation to establish and implement rules to control physical and logical access to information and other associated assets based on business and information security requirements. This ensures only authorised profiles can access information and other assets and prevents unauthorised access.
You should address this control with an access control policy, which sits as a topic-specific policy under your information security policy. Your access control policy should consider:
- Determining which entities require which type of access to information and other assets
- Security of applications
- Physical access, supported by physical entry controls
- Information dissemination and authorisation and information security levels and classification of information
- Restrictions to privileged access
- Segregation of duties
- Relevant legislation, regulations and contractual obligations regarding limitation of access to data or services
- Segregation of access control functions (such as access request, access authorisation and access administration)
- Formal authorisation of access requests
- Management of access rights
- Logging.
Need-to-know and need-to-use principles are commonly used in access control:
- Need-to-know involves an entity (such as an individual or organisation) only being granted access to information that the entity requires to perform its tasks.
- Need-to-use involves an entity only being given access to information technology infrastructure with a clear need.
These principles can guide how your organisation grants access to information assets. You should also consider business requirements and risk factors when defining which access control rules are applied and the level of granularity needed.
A.5.15 Outcomes: Topic-specific access control policy; access control implementation (e.g. mandatory access control, discretionary access control, role-based access control or attribute-based access control).
A.6.3 Information Security Awareness, Education and Training
Control A.6.3, Information security awareness, education, and training, is a foundation of your organisation’s security posture. It ensures that your employees and interested parties can prevent, identify, and report potential information security incidents.
The control requires personnel and relevant parties to receive appropriate information security awareness, education, training, and regular updates on your organisation’s information security policy and topic-specific policies and procedures as applicable to their roles.
You should establish an information security awareness, education and training programme in line with your information security objectives, and training should take place periodically. The programme should make personnel aware of their responsibilities for information security and include an appropriate education and training plan to help staff understand the aim of information security and the potential impact of their behaviour, as it relates to information security, on your business.
Consider covering aspects such as:
- Management’s commitment to information security throughout your organisation
- Familiarity and compliance needs concerning applicable information security rules and obligations
- Personal accountability for one’s actions and inactions, and general responsibilities towards securing or protecting information belonging to the organisation
- Basic information security procedures such as event reporting and password security
- Contact points and resources for additional information and advice.
A.6.3 Outcomes: Periodic awareness training; periodic education and training programme; regular dissemination of relevant information security policies, including updates.
A.8.24 Use of Cryptography
Control A.8.24, use of cryptography requires your organisation to define and implement rules for the effective use of cryptography. Cryptography can be used to achieve different information security objectives, such as:
- Confidentiality, by using encryption to protect sensitive or critical information
- Integrity or authenticity, by using digital signatures or message authentication codes to verify the authenticity or integrity of sensitive or critical information
- Non-repudiation, by using cryptographic techniques to provide evidence of the occurrence or non-occurrence of an event or action
- Authentication, by using cryptographic techniques to authenticate users and other entities requesting access to your system, entities, or resources.
Your organisation should implement a topic-specific cryptography policy, including general principles for protecting information. You should also consider relevant legal, statutory, regulatory and contractual requirements related to cryptography. Critical considerations for your cryptography policy include:
- Identifying the required level of protection and classification of the information and consequently establishing the type, strength and quality of the cryptographic algorithms required
- The approach to key management and key generation, including secure processes for generating, storing, archiving, retrieving, distributing, retiring and destroying cryptographic keys
- Roles and responsibilities for implementing the rules for the effective use of cryptography and key management and generation.
In line with this control, your organisation should define and use a key management system.
A.8.24 Outcomes: Topic-specific cryptography policy; implementation of appropriate cryptographic methods; implementation of key management system.
Risk Assessment and Treatment in ISO 27001:2022
Your organisation will need to define and apply an information security risk assessment process to comply with ISO 27001:2022 Clause 6.1.2, information security risk assessment.
The information security risk assessment process should:
- Establish and maintain information security risk criteria, including risk acceptance criteria and criteria for performing information security risk assessments.
- Ensure that repeated information security assessments produce consistent, valid and comparable results.
- Identify the information security risks.
- Analyse information security risks, including the likelihood of risk occurrence, potential consequences of risk occurrence, and the levels of risk
- Evaluate the information security risks by comparing the risk analysis results with your established risk criteria and prioritising analysed risks for treatment.
This process allows you to build a systematic framework for risk assessment. Once this has been established, you should define and apply an information security risk treatment process in line with Clause 6.1.3.
Your risk treatment process should include:
- Selecting appropriate risk treatment options.
- Considering the risk assessment results.
- Determining the controls necessary to implement the risk treatment options shown.
Here, Annex A serves as a guideline for comprehensive and appropriate risk treatment. Using your risk assessment framework, you can prioritise and select controls based on your risk profile and organisational requirements. Then, you should choose the necessary Annex A controls to implement to address them and ensure that no critical controls have been overlooked.
Annex A: ISO 27001:2013 vs ISO 27001:2022
The current version of ISO 27001, released in 2022, features a restructured set of Annex A controls compared to the 2013 iteration. Previously, Annex A comprised 114 controls in 14 categories; now Annex A contains 93 controls in four core categories as outlined: organisational, people, physical and technological.
This change is primarily due to controls being consolidated; however, there are 11 new security controls to consider:
The 2022 update also introduces five new core attributes for easier categorisation:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identity, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience).
Transitioning from ISO 27001:2013 to ISO 27001:2022
If your organisation is already certified to ISO 27001:2013, the deadline for transitioning to the new revision is October 31, 2025.
At ISMS.online, we’re already helping companies transition to ISO 27001:2022. Our clients have a 100% success rate of achieving certification using our Assured Results Method (ARM).
To start, we break the process down into seven simple steps. This step-by-step guidance is built into our platform, so we’ll guide you through every step – from updating your risk treatment plan to demonstrating compliance with the 2022 standard requirements. We’ll also help you maintain compliance with 2013 while transitioning your certification to 2022, ensuring your business is consistently compliant.
Annex A: Unlocking ISO 27001:2022 Success
For organisations looking to achieve ISO 27001 certification, it’s vital to understand Annex A controls and implement them effectively and clearly. These controls enable you to prevent the occurrence of potential information security risks and outline processes and procedures to respond effectively should an incident occur. They also enable you to build a robust ISMS that will evolve and grow with your business’s needs.
Every organisation has different information security requirements, so you should evaluate your business’s specific needs and objectives when selecting Annex A controls. You may find that some controls address risks that your risk assessments find aren’t applicable. The ISMS.online platform can simplify this process: quickly identify and address your relevant Annex A controls with pre-filled templates and our dynamic risk management engine.
Our platform also connects with your existing systems, so you’ll find everything you need for success all in one place. Best of all, using our Headstart content, your compliance journey is 81% complete from your first login.
Learn more about how you can leverage our practical, affordable path to achieving ISO 27001 first time in our Proven Path to ISO 27001 Success whitepaper.
