ISO 27001:2022 Annex A Controls Explained (All 93, by Theme)
A plain-language walkthrough of the ISO/IEC 27001:2022 Annex A controls — the four themes, what changed from the 2013 version, and how the 93 controls map to a Statement of Applicability.
If you've opened ISO/IEC 27001:2022 expecting a tidy checklist, the structure can feel disorienting. Annex A lists 93 controls grouped into four themes, and the standard assumes you already understand how those controls relate to the management system in clauses 4 to 10. This article unpacks Annex A in plain language: what the themes are, what changed in the 2022 revision, and how the controls actually get used when you build a Statement of Applicability.
A quick framing before the detail. Annex A is not the standard you get certified against. You're certified against the management-system clauses. Annex A is the reference catalog you reach into to treat the risks your assessment surfaces. Get that relationship wrong and you end up treating Annex A as a to-do list, which is exactly the mistake that drags out audits.
What changed in the 2022 revision
The headline number is the control count: 114 controls in 2013 became 93 in 2022. That sounds like a 21-control cut, but it's mostly consolidation. The standard merged 57 controls that overlapped into 24 combined controls, kept the rest, and added 11 genuinely new ones.
The new controls reflect how security work has shifted over a decade:
- A.5.7 Threat intelligence — formalizing the practice of collecting and acting on threat data.
- A.5.23 Information security for use of cloud services — cloud was barely addressed in 2013.
- A.5.30 ICT readiness for business continuity — tying continuity planning to information systems specifically.
- A.7.4 Physical security monitoring — surveillance and alarm systems.
- A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding.
The other structural change: the old 14 domains (A.5 through A.18) were replaced with four themes, and every control was tagged with five attributes — control type, information security property, cybersecurity concept, operational capability, and security domain. Those attributes let you slice the controls in ways that suit your organization, for example pulling every control that supports confidentiality.
The four themes
Organizational (A.5) — 37 controls
This is the largest theme and the heart of the management system in control form. It covers policies, roles and responsibilities, supplier relationships, incident management, the handling of information assets, and the rules for using cloud services. If your organization has a governance gap, it usually shows up here first. A.5.1 (policies for information security) and A.5.9 through A.5.11 (asset inventory, acceptable use, return of assets) are the controls auditors probe early because they reveal whether the basics are actually documented.
People (A.6) — 8 controls
The smallest theme, but disproportionately important. It covers screening before employment, terms and conditions, awareness and training, the disciplinary process, responsibilities after employment ends, confidentiality agreements, and remote working. The reason eight controls carry so much weight is simple: most incidents involve a person, whether through error or intent. A.6.3 (awareness, education, and training) is one many teams treat as a formality and then struggle to evidence.
Physical (A.7) — 14 controls
Physical controls protect facilities and equipment: secure areas, entry controls, protection against environmental threats, equipment maintenance, secure disposal, and clear desk and clear screen policies. Cloud-native companies sometimes assume this theme barely applies to them. It still does — laptops, office access, and the secure disposal of old hardware are all in scope, even when your servers live in someone else's data center.
Technological (A.8) — 34 controls
The second-largest theme and the one engineers care about most. It runs from access control and cryptography through secure development, change management, backup, logging and monitoring, and protection against malware. Most of the new 2022 controls landed here. If your stack is mature, you'll find many of these already covered by tooling you run — but coverage is not the same as documented, reviewed, and evidenced, which is what the audit asks for.
How controls connect to the Statement of Applicability
The Statement of Applicability, or SoA, is where Annex A stops being abstract. Required by clause 6.1.3 d, the SoA is a single document that lists every Annex A control and, for each one, records:
- whether it's applicable,
- whether it's implemented,
- the justification for including it, and
- the justification for excluding it if you've left it out.
The SoA is the artifact an auditor reads to understand your security posture at a glance, and it's the bridge between your risk treatment plan and the controls. You don't decide applicability by gut feel — you decide it from the risks your assessment identified. A control is "in" because it treats a real risk, and "out" because no risk in your register calls for it.
This is also why excluding a control is perfectly legitimate. A company with no physical premises might reasonably exclude some of A.7, provided the justification holds up. What an auditor won't accept is an exclusion with no reasoning, or an "implemented" status that the evidence doesn't support.
A practical way to work through 93 controls
Reading all 93 in order is the slow path. A faster approach:
- Finish your risk assessment first. The risks drive which controls matter. Without them, you're guessing at applicability.
- Map each significant risk to one or more Annex A controls. This naturally surfaces the controls that must be "in."
- Sweep the remaining controls by theme and mark each as applicable or excluded with a one-line reason.
- Assess status honestly — implemented, partial, or missing — based on what you can actually evidence, not what you intend to do.
- Turn every partial or missing control into a remediation item with an owner and a priority.
That last step is where readiness becomes a plan. The controls themselves don't get you certified; closing the gaps does.
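As an added example (not from the article and not the Xeviora tool's code), the short Python script below carries the five steps above through on a constructed risk register: it derives applicability from the risks, flags the two things the article says an auditor rejects, and turns every partial or missing control into a remediation item. The control IDs and titles are from the 2022 control list; the risks, statuses, evidence file names, owners and the priority rule are assumptions.

```python
# Constructed sample: five of the 93 Annex A controls, a two-entry risk register,
# implementation status with evidence references, and exclusion reasons.
CONTROLS = {"A.5.7": "Threat intelligence",
            "A.5.23": "Information security for use of cloud services",
            "A.7.4": "Physical security monitoring",
            "A.8.9": "Configuration management",
            "A.8.28": "Secure coding"}
RISKS = {"R1": ["A.5.23", "A.8.9"],   # misconfigured cloud storage exposes data
         "R2": ["A.8.28"]}            # injection flaw in a customer-facing app
STATUS = {"A.5.23": ("implemented", "cloud-policy-v3.pdf"),
          "A.8.9": ("partial", "cm-baseline-draft.md"),
          "A.8.28": ("missing", "")}
EXCLUSIONS = {"A.7.4": "No physical premises; remote-only workforce"}
OWNERS = {"A.8.9": "platform-team", "A.8.28": "appsec-lead"}

def build_soa(controls, risks, status, exclusions):
    """One SoA row per control; applicability is derived from the risk register."""
    rows = []
    for cid, title in controls.items():
        treated = [rid for rid, cids in risks.items() if cid in cids]
        st, evidence = status.get(cid, ("missing", ""))
        if treated:   # a control is "in" because it treats at least one real risk
            rows.append({"control": cid, "title": title, "applicable": True,
                         "risks": treated, "justification": "treats " + ", ".join(treated),
                         "status": st, "evidence": evidence})
        else:         # otherwise it is "out", and needs a written reason
            rows.append({"control": cid, "title": title, "applicable": False,
                         "risks": [], "justification": exclusions.get(cid, ""),
                         "status": "n/a", "evidence": ""})
    return rows

def review_findings(rows):
    """Flags unexplained exclusions and an 'implemented' status with no evidence."""
    findings = []
    for r in rows:
        if not r["applicable"] and not r["justification"]:
            findings.append(f'{r["control"]}: excluded without justification')
        if r["status"] == "implemented" and not r["evidence"]:
            findings.append(f'{r["control"]}: marked implemented but no evidence')
    return findings

def remediation_items(rows, owners):
    """Partial or missing applicable controls become remediation items (assumed rule:
    missing, or treating more than one risk, is high priority)."""
    items = []
    for r in rows:
        if r["applicable"] and r["status"] in ("partial", "missing"):
            high = r["status"] == "missing" or len(r["risks"]) > 1
            items.append({"control": r["control"], "priority": "high" if high else "medium",
                          "owner": owners.get(r["control"], "UNASSIGNED")})
    return sorted(items, key=lambda i: (i["priority"], i["control"]))
```

Running it on the sample data flags A.5.7 (no risk calls for it, and no exclusion reason was written) and produces two remediation items, with the missing secure-coding control ranked ahead of the partially implemented configuration-management control.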
Where this fits in a certification effort
Annex A is one piece of a larger picture. You still need a scoped ISMS, a risk assessment and treatment plan, internal audits, and management reviews before a certification body will pass you. If you want to see how the whole effort comes together — and how to compress the gap-analysis stage — read how to prepare for ISO 27001 certification with AI. And if you're still deciding whether ISO 27001 is even the right framework for your situation, ISO 27001 vs SOC 2 compares the two head to head.
The Xeviora ISO 27001 Audit Prep tool maps your assets and controls onto the 2022 Annex A themes automatically, producing the applicability assessment that feeds your SoA. It costs 10 credits per run, and it won't replace your own judgment on the close calls — but it gets you from a blank page to a structured draft in under a minute.
Frequently asked questions
How many controls are in ISO 27001:2022 Annex A?
93 controls, down from 114 in the 2013 version. The reduction came from merging overlapping controls and removing redundancy, not from lowering the bar. Eleven controls are genuinely new, covering areas like threat intelligence, cloud services, and secure coding.
What are the four Annex A themes?
Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls). The 2022 revision replaced the old 14 control domains with these four broad themes, each control also tagged with attributes like control type and security property.
Do I have to implement all 93 controls to get certified?
No. You implement the controls that your risk assessment shows are relevant, and you document the rest as excluded with a justification in your Statement of Applicability. An auditor checks that your inclusions and exclusions are defensible, not that every control is switched on.
What is the difference between Annex A and the main clauses?
Clauses 4 to 10 define the management system itself — scope, leadership, risk planning, support, operation, evaluation, and improvement. Annex A is a reference catalog of controls you draw from to treat the risks you identify. You are certified against the clauses; Annex A supports them.
Try ISO 27001 Audit Prep
Draft your ISMS scope, build a risk register, and map ISO 27001:2022 Annex A controls. 10 credits per run — sign up free and get 10 credits.