Explained: ISO 27001 Annex A Controls List In Depth Overview


Understanding the ISO 27001 Annex A 14 security Controls and Domains List: In-Depth Overview



Last updated 23/05/2023


Annex A of ISO 27001 is probably the most well-known annex of all the ISO standards, because it provides an essential tool for managing information security risks: a list of security controls (or safeguards) that are to be used to improve the security of information assets.

This article will give you an understanding of how Annex A is structured, as well as its relationship with the main part of ISO 27001 and with ISO 27002.

How many domains are there in ISO 27001? 

The ISO 27001 controls list can be found in Annex A, and it is organized into 14 sections. Despite what one may think, these are not all IT-oriented; below you can find a categorization of what the individual sections are focused on:

  • Sections related to organizational issues: A.5, A.6, A.8, A.15
  • Section related to human resources: A.7
  • IT-related sections: A.9, A.10, A.12, A.13, A.14, A.16, A.17
  • Section related to physical security: A.11
  • Section related to legal issues: A.18

Here's a short description of each of the 14 sections:

  • A.5 Information security policies – controls on how the policies are written and reviewed
  • A.6 Organization of information security – controls on how responsibilities are assigned; also includes the controls for mobile devices and teleworking
  • A.7 Human resource security – controls prior to employment, during employment, and after termination
  • A.8 Asset management – controls related to the inventory of assets and acceptable use; also covers information classification and media handling
  • A.9 Access control – controls for the management of access rights of users, systems and applications, and the management of user responsibilities
  • A.10 Cryptography – controls related to encryption and key management
  • A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, Clear Desk and Clear Screen Policy, etc.
  • A.12 Operational security – many controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
  • A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
  • A.14 System acquisition, development and maintenance – controls defining security requirements, and security in development and support processes
  • A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
  • A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
  • A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
  • A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

How many controls does ISO 27001 have?

There are 114 ISO 27001 information security controls listed in its Annex A in the current 2013 revision of the standard (compared to 133 from the previous 2005 revision of the standard). Here is a breakdown of what kind of controls are included:

  • Controls related to organizational issues: 24
  • Controls related to human resources:
  • IT-related controls: 61
  • Controls related to physical security: 15
  • Controls related to legal issues:

The best way to understand Annex A is to think of it as a catalogue of information security controls you can select from: out of the 114 controls listed in Annex A, you can choose the ones that are applicable to the scope of your organization. Another approach is to use Annex A as an ISO 27001 controls checklist for an initial assessment of your organization's readiness for the information security management process.

Relationship with the ISO 27001 main clauses

Not all of these ISO 27001:2022 controls are mandatory: organizations can decide for themselves which controls they find applicable, and then they must implement them (usually, at least 90% of the controls are applicable); the rest are declared to be non-applicable. For example, control A.14.2.7 Outsourced development can be marked as non-applicable if a company does not outsource software development. The main criterion for selecting the controls is risk management, which is defined in clauses 6 and 8 of the main part of ISO 27001. Learn more here: ISO 27001 risk assessment and treatment – 6 basic steps.

Further, clause 5 of the main part of ISO/IEC 27001 requires you to define responsibilities for managing those controls, and clause 9 requires you to measure whether the controls have fulfilled their purpose. Finally, clause 10 requires you to correct anything that is wrong with those controls, and to make sure that you achieve the information security objectives with those controls.

What is the difference between ISO 27001 and ISO 27002?

In truth, Annex A of ISO 27001 does not give much detail about each control. There is usually one sentence for each control, which gives you an idea of what you have to achieve, but not how to do it.

This is why ISO 27002 was published: it has exactly the same structure as ISO 27001 Annex A; every control from Annex A exists in ISO 27002, but with a much more detailed explanation of how to implement it. However, do not fall into the trap of using only ISO 27002 for managing your information security risks: it does not give you any guidance on how to decide which controls to implement, how to measure them, how to assign responsibilities, and so on. Learn more here: ISO 27001 and ISO 27002 combo certification.

Usefulness of Annex A

There are several things I like about Annex A: it gives you a complete overview of which controls you can apply, so you do not forget some that would be important, and it gives you the flexibility to choose only the ones you find applicable to your business, so you do not have to waste resources on the ones that are not relevant to you.


Understanding ISO 27001 Annex A is crucial for organizations aiming to establish a robust information security management system (ISMS). As explored in this blog, Annex A provides a comprehensive set of controls that address various aspects of information security. Each control is designed to mitigate specific risks and safeguard the confidentiality, integrity, and availability of information assets.

By delving into the Annex A controls, organizations can gain insights into the necessary measures required to protect sensitive information and comply with relevant regulatory requirements. From security policies and asset management to access control, cryptography, and incident response, the controls cover a wide range of areas that contribute to a robust and secure information security framework.

Furthermore, this blog has highlighted the importance of tailoring the controls to suit the organization's unique context, considering factors such as industry, size, and risk appetite. It is essential to conduct a comprehensive risk assessment and implement controls that address identified risks effectively.

Implementing ISO 27001 Annex A controls demonstrates a commitment to information security best practices and helps build trust among stakeholders, including customers, partners, and regulatory bodies. Organizations that successfully implement and adhere to these controls can strengthen their information security posture, reduce the likelihood of security incidents, and minimize potential damages.

However, it is important to note that ISO 27001 Annex A is a dynamic framework that requires periodic review and updates to align with the evolving threat landscape and technological advancements. Organizations should establish a culture of continuous improvement, conducting regular assessments, and adapting controls as needed.

In conclusion, a thorough understanding of ISO 27001 Annex A controls is vital for organizations striving to establish a robust information security framework. By leveraging these controls effectively and customizing them to their unique context, organizations can mitigate risks, protect their valuable information assets, and foster a culture of information security excellence.

