ISO 27001 Annex A 14 Controls & Domains 2024 [Checklist]





ISO 27001: Conquer 2024 with Annex A's 14 Controls [Checklist]

Vikas Sharma


Last updated 11/01/2024


ISO 27001 is one of the foremost international standards focused on information security. It was developed to help businesses of any size protect their data systematically and cost-effectively through the adoption of an information security management system.

The ISO framework is a combination of different standards for businesses to use. ISO 27001 is part of the ISO/IEC 27000 series, a set of standards for handling information security. It’s a well-known extension of all the ISO norms. This is because it provides the basic tool for managing data security risks: a list of ISO 27001 security controls, which are used to enhance the security of data resources. To learn more about this, visit our ISO 27001:2022 Lead Auditor Certification Training Course.

What are the ISO 27001 Annex A controls?

Annex A of ISO 27001 is basically one of the most famous annexes of all the ISO standards because it contributes to providing the essential tool for information security risk management. It is the list of security controls used to improve the security of information assets. 

The ISO 27001 domains are the practices to be implemented to decrease risks to acceptable levels. These controls can be organizational, technological, physical, or human-related. They are the information security controls and policies you put in place to reduce information security risks. ISO 27001 requires businesses to develop controls that meet its standards for the Information Security Management System.

The ISO 27001 standard document contains Annex A, which outlines all ISO 27001 controls and groups them into 14 categories known as control objectives and controls. Annex A outlines each objective and control to help businesses decide which ones they should use. 

How many domains does Annex A ISO 27001 have?

ISO 27001 Annex A includes 114 controls, which are divided into 14 categories. Together with the ISO 27001 framework clauses, these controls offer a framework for identifying, assessing, treating, and managing information security risks. Addressing risk is the core requirement of the ISO 27001 standard.

You can explore the classification of specific segments as follows:

  • Business-related issue categories: A.5, A.6, A.8, and A.15.
  • Section identified with HR: A.7
  • Information Technology areas: A.9, A.10, A.12, A.13, A.14, A.16, and A.17
  • Section identified with physical security: A.11
  • Section identified with legal problems: A.18

The current ISO 27001 standard has 14 domains, and they have six major security areas. The purpose of these is to identify and secure the information assets. Following is a short elaboration of every one of the 14 sections:

1. A.5 Information Security Policies (2 Controls):

The first domain in the ISO 27001 Annex A controls asks whether businesses have a clear set of policies about keeping their information systems secure. Here, auditors look for:

  • High-level documentation of information security policies.
  • Dissemination of the policies throughout the business.
  • A procedure to review and update those policies.
  • An in-depth explanation of how these policies work with the business's other requirements.

This domain sets the tone for the information security processes in place and how business personnel are informed of such procedures.

2. A.6 Organization of Information Security (7 Controls):

This domain is about ensuring that the policies outlined in A.5 can be developed throughout the business. Its controls cover how duties are allocated and include controls for mobile devices and teleworking. In smaller organizations, it is far easier for a single information security professional to develop the policies.

3. A.7 Human Resource Security (6 Controls):

Here, think of A.5 as the set of ISO 27001:2022 controls for policy leadership and tone. The A.6 domain reflects the controls for middle-level management. The A.7 domain controls are specifically for individual contributors. It is categorized into different sections. The controls in this section ensure that employees have clear information on their security responsibilities.

4. A.8 Asset Management (10 Controls):

Any information asset is a potential security risk, and if it is valuable to you, then it is likely to be valuable to somebody else. ISO 27001 controls allow your business to identify its information assets, allocate ownership, categorize them, and apply management procedures based on the categorization.

5. A.9 Access Control (14 Controls):

Even though it is one of the largest sections with 14 controls, Annex A.9 is relatively easy to understand. It states that employees should not be able to access details that aren’t relevant to their job responsibilities. Controls in A.9 address how to keep credentials secure and limit non-essential access to applications with a formal access management process.

6. A.10 Cryptography (2 Controls):

Cryptography is a tool in the security arsenal, but ISO 27001 considers it important enough to deserve its own domain. 

7. A.11 Physical and Environmental Security (15 Controls):

This is the largest domain in Annex A and also one of the unique ones. It contains 15 controls to protect the data against the real world. Other controls cover the risk of equipment damage or any loss. 

8. A.12 Operations Security (14 Controls):

This domain requires your business to have secure information processing facilities and systems that make up its ISMS. It covers documentation of ISMS operating processes, such as change management and review procedures. Other control subdomains in this domain include malware protection, logging and monitoring, data backups, technical vulnerability management such as penetration testing, etc.

9. A.13 Communication Security (7 Controls):

Information is especially vulnerable while it's on the move. This includes any transit of information from one node of the network to another.

10. A.14 System acquisition, development, and maintenance (13 controls):

This domain covers how businesses manage changes to their information systems over time. For this, you need to hold any new system, or any change to an existing information system, to specific security requirements.

11. A.15 Supplier Relationship (5 Controls):

Most businesses nowadays depend on outside partnerships or stakeholders to some degree. This domain covers ensuring that appropriate vendor management is in place in terms of information security requirements.

12. A.16 Information Security Incident Management (7 Controls):

This domain covers security incident management. It also deals with security events and weaknesses.

13. A.17 Information Security Aspects of Business Continuity Management (4 Controls):

This domain specifically acknowledges that when businesses are significantly disrupted, information security can fall by the wayside. So, the objective is to ensure that businesses have the required level of continuity for information security during the crisis. 

14. A.18 Compliance (8 Controls):

This section covers how businesses comply with information security laws.

How many controls are in ISO 27001?

There are 114 ISO 27001 data security controls included in Annex A. The following is a breakdown of the kinds of controls it incorporates:

  • Controls related to organizational issues: 24
  • Controls related to HR: 6
  • IT-related controls: 61
  • Controls related to physical security: 15
  • Controls related to legal issues: 8

An excellent approach to understanding the ISO 27001 Annex A controls is to think of them as a list of 114 data security controls you can choose from. It is advisable to consider those that are essential for your business. A second way to use Annex A is as an ISO 27001 controls checklist for the initial assessment of your business's data security readiness.

Relationship with the Main Clauses of ISO 27001

It is up to each organization to determine which ISO 27001:2022 controls it finds relevant and to implement them based on its assessment of the risks it faces. The rest are declared not applicable. For example, controls for outsourced development can be marked as not applicable if the business doesn’t outsource software development. The main criterion for selecting the controls is risk management, which is defined in clauses 6 and 8 of the main part of ISO 27001.

Also, clause 5 of the main part of ISO/IEC 27001 requires you to define responsibilities for managing those controls, and clause 9 requires you to measure whether the controls have fulfilled their purpose. Finally, clause 10 requires you to fix whatever isn’t right with those controls and to make sure that you achieve your information security objectives with them.

Differences between ISO 27001 and ISO 27002

  • ISO 27001 is the international standard for information security management, and ISO 27002 is the supporting standard that describes how information security controls can be developed.
  • You can certify to ISO 27001 but not to ISO 27002, because 27001 is the management standard that contains the list of compliance requirements.
  • There are no differences in structure between ISO 27002 and ISO 27001. However, ISO 27002 explains how to implement the controls in significantly more detail.

ISO 27001 is the international standard focused on information security. ISO 27001:2022 is a recognized international standard published by ISO and IEC. The standard specifies the requirements for developing and maintaining an effective ISMS to safeguard against information security risks.

ISO 27002 is the supplementary standard concentrating on the information security controls that businesses might choose to develop. The ISO 27001 controls list includes the controls that information security experts most often refer to when discussing information security controls. Although Annex A of ISO 27001 outlines each control in one or two sentences, ISO 27002 devotes an average of one page to each control.

Because Annex A of ISO 27001 doesn’t go into much detail about each control, there is typically only one sentence per control, which gives you an idea of what you have to accomplish. This is the reason ISO 27002 was published. Make sure to check our ISO Lead Auditor Combo Certification to learn more about this in detail.

Ease of use of Annex A 

Annex A gives you an ideal overview of which controls you can apply, so that you remember those that would be significant. It also gives you the flexibility to pick just the ones you find appropriate to your business, so you don’t need to spend resources on the ones that are not relevant to you.

What are the benefits of ISO 27001 certification?

Our ISO 27001:2022 Lead Auditor Certification Training Course provides you with various benefits, such as follows:

  • It will protect your reputation from security threats: The most obvious reason to certify to ISO controls is that it will help you avoid security threats. These include cybercriminals breaking into your business and data breaches caused by internal professionals making mistakes.
  • Avoiding Regulatory Fines: The ISO 27001 control list serves as a valuable tool for organizations to sidestep the costly penalties tied to non-compliance with data protection mandates like the GDPR (General Data Protection Regulation).
  • Safeguarding Your Reputation: Attaining ISO 27001 controls checklist compliance allows you to showcase your commitment to information security to stakeholders. This commitment can translate into gaining new business and strengthening your standing among current clients and customers. In fact, some organizations exclusively partner with entities that can prove their ISO 27001 certification.


An in-depth understanding of the ISO 27001 controls list can be crucial for businesses that aim to develop a robust information security management system. As this blog has shown, Annex A provides a detailed set of controls that address different aspects of information security. Every individual control is designed to reduce specific risks and provide security, integrity, and availability of information assets. By focusing on the Annex A controls, businesses can gain insight into the essential measures needed to protect sensitive information. From security policies and asset management to access control, cryptography, and incident response, the controls cover a wide range of areas that contribute to a robust and secure information security framework.

Furthermore, this blog also explained the need to align the controls with the business context by considering factors such as industry, size, and risk appetite. It’s important to conduct a comprehensive risk assessment and develop controls that address the risks successfully. Implementing the ISO 27001:2022 controls list demonstrates a commitment to information security best practices. It also helps to develop trust among stakeholders, including customers, partners, and regulatory bodies. In conclusion, businesses attempting to develop a strong information security framework must have a solid grasp of the ISO 27001 Annex A controls. Organizations can reduce risks, safeguard their valuable information assets, and promote a culture of information security excellence by using these controls effectively and tailoring them to their particular situation.


About Author

Vikas is an Accredited SIAM, ITIL, PRINCE2 Agile, DevOps, ITAM Trainer with more than 17 years of industry experience currently working with NovelVista as Principal Consultant.


