ISO 27001 Annex A controls explained (2022)

By ComplyBricks · Last reviewed Jul 12, 2026

Annex A of ISO 27001 is the reference catalogue of security controls you draw from to treat your risks. The 2022 revision reorganised it significantly — here's how it works.

93 controls, four themes

ISO 27001:2022 has 93 controls grouped into four themes (down from the 2013 version's 114 controls across 14 domains):

Theme Controls Examples
Organizational 37 Policies, roles, supplier and cloud security, incident management
People 8 Screening, awareness and training, remote working
Physical 14 Secure areas, equipment, clear desk/screen
Technological 34 Access control, cryptography, logging, secure development

What changed in 2022

  • Consolidation: the 2013 catalogue was merged and simplified into 93 controls under four themes.
  • New controls: the revision introduced 11 new controls reflecting modern practice — for example threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
  • Attributes: each control now carries attributes (such as control type, security properties, and operational capabilities) that let you filter and view the catalogue in different ways.

You don't implement all 93

Annex A is a menu, not a checklist to complete in full. You select the controls that treat your identified risks, based on your risk assessment, and record which apply — and why the rest don't — in your Statement of Applicability. An auditor checks that your selection is justified and that the controls you claim are actually operating.

How this helps beyond ISO 27001

Because Annex A spans access control, cryptography, supplier and incident management, and more, the same controls carry much of NIS2's Art. 21 measures and GDPR's Art. 32 security requirement. Map each control to the frameworks it satisfies and the evidence does double (or triple) duty — see NIS2 vs ISO 27001.

New to the standard? Start with the ISO 27001 guide for SMBs.

References

  • ISO/IEC 27001:2022 (Annex A)
  • ISO/IEC 27002:2022

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →