ISO 27001 Annex A controls explained (2022)
By ComplyBricks · Last reviewed Jul 12, 2026
Annex A of ISO 27001 is the reference catalogue of security controls you draw from to treat your risks. The 2022 revision reorganised it significantly — here's how it works.
93 controls, four themes
ISO 27001:2022 has 93 controls grouped into four themes (down from the 2013 version's 114 controls across 14 domains):
| Theme | Controls | Examples |
|---|---|---|
| Organizational | 37 | Policies, roles, supplier and cloud security, incident management |
| People | 8 | Screening, awareness and training, remote working |
| Physical | 14 | Secure areas, equipment, clear desk/screen |
| Technological | 34 | Access control, cryptography, logging, secure development |
What changed in 2022
- Consolidation: the 2013 catalogue was merged and simplified into 93 controls under four themes.
- New controls: the revision introduced 11 new controls reflecting modern practice — for example threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
- Attributes: each control now carries attributes (such as control type, security properties, and operational capabilities) that let you filter and view the catalogue in different ways.
You don't implement all 93
Annex A is a menu, not a checklist to complete in full. You select the controls that treat your identified risks, based on your risk assessment, and record which apply — and why the rest don't — in your Statement of Applicability. An auditor checks that your selection is justified and that the controls you claim are actually operating.
How this helps beyond ISO 27001
Because Annex A spans access control, cryptography, supplier and incident management, and more, the same controls carry much of NIS2's Art. 21 measures and GDPR's Art. 32 security requirement. Map each control to the frameworks it satisfies and the evidence does double (or triple) duty — see NIS2 vs ISO 27001.
New to the standard? Start with the ISO 27001 guide for SMBs.
References
- ISO/IEC 27001:2022 (Annex A)
- ISO/IEC 27002:2022
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →