ISO 27001 Annex A Controls: A Practical Guide to the 93 Controls

Annex A is the control catalogue of ISO 27001. It lists the security controls your organization can implement to address the risks identified in your risk assessment. The 2022 revision restructured the controls from 14 domains into four themes, consolidated overlapping controls, and added 11 new controls reflecting modern security challenges.

Understanding which controls matter most for your organization, and how to implement them practically rather than just on paper, is the difference between an ISMS that passes audit and one that actually improves security.

The Four Control Themes

New Controls in the 2022 Revision

The 2022 revision added 11 entirely new controls that reflect the evolution of the threat landscape and modern IT environments:

• A.5.7 Threat intelligence - Collect and analyze information about information security threats
• A.5.23 Information security for cloud services - Manage security for cloud service acquisition, use, and exit
• A.5.30 ICT readiness for business continuity - Ensure ICT systems are ready to support business continuity
• A.7.4 Physical security monitoring - Monitor premises for unauthorized physical access
• A.8.9 Configuration management - Manage configurations of hardware, software, services, and networks
• A.8.10 Information deletion - Delete information when no longer required
• A.8.11 Data masking - Use data masking techniques to limit exposure of sensitive data
• A.8.12 Data leakage prevention - Apply measures to prevent unauthorized disclosure of information
• A.8.16 Monitoring activities - Monitor networks, systems, and applications for anomalous behavior
• A.8.23 Web filtering - Manage access to external websites to reduce exposure to malicious content
• A.8.28 Secure coding - Apply secure coding principles in software development

Controls That Matter Most

While all applicable controls must be implemented, auditors and real-world security outcomes consistently show that some controls carry more weight than others.

High-impact organizational controls

• A.5.1 Policies for information security - The foundation document that everything else references
• A.5.15-A.5.18 Access control - Identity management, authentication, access rights, and access control models
• A.5.24-A.5.28 Incident management - Planning, assessment, response, learning, and evidence collection
• A.5.19-A.5.22 Supplier relationships - Third-party risk management including cloud providers

High-impact technological controls

• A.8.5 Secure authentication - MFA, password policies, session management
• A.8.8 Vulnerability management - Regular vulnerability scanning and penetration testing
• A.8.15-A.8.16 Logging and monitoring - Audit logging and anomaly detection
• A.8.24-A.8.28 Secure development - SDLC security, testing environments, change management, secure coding

The Statement of Applicability

The Statement of Applicability (SoA) is the document that connects your risk assessment to your control implementation. For each of the 93 Annex A controls, the SoA must state whether the control is applicable, the justification for its inclusion or exclusion, and whether it is currently implemented.

The SoA is one of the most scrutinized documents during certification audits. Auditors look for controls excluded without adequate justification, controls marked as implemented but lacking evidence, and gaps between your risk treatment plan and your SoA. Take the time to write clear, specific justifications rather than boilerplate text.

Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.