
ISO 27001 Controls List – Annex A Controls, Categories and Checklist


Last Updated On 11/03/2026


Even mature security teams struggle when discussions turn to ISO 27001 Annex A controls. Some assume Annex A is simply an ISO 27001 controls checklist they must follow blindly. Others believe the 2022 update reduced security depth because the number of controls changed. This misunderstanding creates implementation gaps, weak Statements of Applicability, and avoidable audit findings.

In ISO 27001 training and audit preparation sessions, this confusion appears repeatedly. Teams often over-focus on Annex A controls before understanding risk, which leads to misaligned Statements of Applicability and weak audit outcomes.

This guide removes that confusion. It explains what ISO 27001 Annex A controls truly represent, how many controls are in ISO 27001 today, how the new control categories work, and how to implement them correctly using a risk-based approach.

What Are ISO 27001 Controls?

Before discussing Annex A structure, it’s important to answer a common question: what are ISO 27001 controls?

ISO 27001 controls are safeguards or measures designed to reduce information security risks to acceptable levels. They can be technical, physical, organizational, or people-related controls.

In ISO/IEC 27001:2022:

  • There are 93 ISO 27001 Annex A controls
  • They are grouped into 4 ISO 27001 control categories (themes)
  • They support risk treatment decisions under Clause 6

An ISO 27001 controls list typically includes areas such as:

  • Access management and the access control policy ISO 27001 requires
  • Asset management
  • Cryptography
  • Physical security
  • Supplier relationships
  • Logging and monitoring
  • Incident management
  • Business continuity support

However, ISO 27001 controls are not mandatory by default. They must be selected based on risk assessment results. 

During real-world implementations, organizations that treat Annex A as a reference, not a checklist, demonstrate stronger risk alignment and clearer audit justification, especially during Stage 2 certification audits.

What ISO 27001 Really Focuses On

ISO 27001 is often misunderstood as a long list of ISO 27001 controls to implement. In reality, ISO 27001 is a management system standard. Its core focus is not the controls themselves; it is how security is governed, improved, and aligned with business risk.

ISO 27001 primarily focuses on:

  • Risk management: identifying, analyzing, and treating information security risk
  • Leadership commitment: clear ownership, direction, and accountability
  • Continual improvement: learning from audits and changes

This is why ISO 27001 Annex A is not the starting point of an ISMS. The starting point is understanding risk and business context. Annex A controls exist to support risk treatment decisions, not to replace them.

The Big Change: Annex A Structure in ISO 27001:2022

One of the biggest shifts in ISO/IEC 27001:2022 was how Annex A Controls are organized.

From 2013 to 2022: What Changed?

ISO/IEC 27001:2013

  • 114 controls
  • 14 domains

ISO/IEC 27001:2022

  • 93 controls
  • 4 control themes

The new structure groups ISO 27001 Annex A Controls into four clear ISO 27001 control categories:

  • Organizational Controls – 37 controls
  • People Controls – 8 controls
  • Physical Controls – 14 controls
  • Technological Controls – 34 controls

In transition projects from ISO/IEC 27001:2013 to 2022, organizations that mapped old domains to the 4 new themes early reduced migration timelines by 20–25%. Structured cross-mapping workshops have proven particularly effective in avoiding duplicated technological controls and overlooked organizational responsibilities.

Understanding the Four Themes of Annex A (Detailed Explanation)

The ISO 27001 Annex A controls are now grouped into four major ISO 27001 control categories. These themes improve clarity, ownership, and accountability across organizations.

1. Organizational Controls (Annex A.5 – 37 Controls)

These controls focus on governance, risk management, supplier relationships, asset ownership, and policy frameworks. They ensure management direction and strategic oversight exist. Without organizational controls, security lacks structure and accountability.

Examples include:

  • Information security policy framework
  • Supplier security requirements
  • Information classification
  • Access control policy ISO 27001 expectations

These controls form the governance backbone of an ISMS.

2. People Controls (Annex A.6 – 8 Controls)

People controls address human behavior, awareness, training, and employment lifecycle security. Many breaches occur due to human error, making these controls critical.

Examples include:

  • Security awareness programs
  • Background verification
  • Disciplinary processes
  • Remote working security requirements

These controls reduce insider threats and negligence risks.

3. Physical Controls (Annex A.7 – 14 Controls)

Physical controls protect facilities, equipment, and physical access points. Even in cloud-first environments, physical protection remains important.

Examples include:

  • Secure areas
  • Equipment protection
  • Clear desk policy
  • Environmental monitoring

These controls prevent unauthorized physical access or damage.

4. Technological Controls (Annex A.8 – 34 Controls)

Technological controls cover system-level protections such as encryption, logging, monitoring, backup, and vulnerability management.

Examples include:

  • Malware protection
  • Secure coding practices
  • Network security
  • Data deletion
  • Backup and recovery
  • Identity and access management

These controls are often supported using tools, automation, and monitoring systems.

What’s the Best Way to Implement the Annex A Controls?

The best way to implement ISO 27001 Annex A controls is through a structured, risk-driven process, not through a generic ISO 27001 controls checklist copied from the internet.

Step-by-step approach:

  1. Conduct Risk Assessment First: Identify threats, vulnerabilities, and business impacts before reviewing the ISO 27001 controls list.

  2. Select Relevant Controls: From the 93 ISO 27001 Annex A controls, choose those that address identified risks.

  3. Document in the Statement of Applicability (SoA): Clearly justify inclusion or exclusion of each control.

  4. Define Control Owners: Assign responsibility for implementation and monitoring.

  5. Implement with Evidence: Ensure controls are operational and supported by records, logs, or documentation.

  6. Monitor and Improve: Regularly review control effectiveness and update when risks change.

In live ISMS implementations, the most stable results are seen when control owners are formally appointed within 30 days of SoA approval. Projects where ownership was unclear experienced delayed evidence collection and audit stress, especially around logging, supplier reviews, and access recertification controls.

Also, tools such as Excel-based ISO 27001 Annex A control trackers can help monitor implementation status, but they should support risk decisions, not replace them.


Who Is Responsible for Implementing ISO 27001 Annex A Controls?

One of the most misunderstood areas in ISO 27001 implementation is ownership. Many assume ISO 27001 Annex A controls are purely IT’s responsibility. That assumption leads to weak implementation.

In reality, implementing ISO 27001 controls is a shared responsibility across the organization.

Key stakeholders responsible include:

  • Top Management: Provides leadership, approves risk treatment decisions, and ensures adequate resources are available.

  • Information Security Manager / ISMS Manager: Coordinates the implementation of the ISO 27001 controls list and ensures alignment with the risk assessment.

  • IT Teams: Implement technological controls such as encryption, logging, backup, and the access control policy.

  • HR Department: Handles people controls, including background checks, awareness training, and disciplinary processes.

  • Facilities / Administration Teams: Manage physical security controls such as secure areas and environmental protections.

Annex A controls are organizational controls, not just IT controls. Accountability must be distributed according to risk ownership.


How to Identify Which ISO 27001 Security Controls You Should Implement?

Many organizations ask: how many controls are there in ISO 27001, and do we need all of them? The answer is 93 controls in ISO/IEC 27001:2022, but not all will apply to every organization.

To identify applicable ISO 27001 controls:

  • Define Organizational Context: Understand business objectives, regulatory requirements, stakeholders, and scope.

  • Perform Risk Assessment: Identify assets, threats, vulnerabilities, and impact.

  • Evaluate Risk Treatment Options: Decide whether to mitigate, transfer, accept, or avoid risk.

  • Map Risks to Annex A Controls: Select controls that reduce risk to acceptable levels.

  • Justify Exclusions: If a control is not applicable, document the reason clearly.

In risk assessment workshops, teams that quantify impact using financial or operational downtime metrics produce stronger control justifications. Certification auditors consistently favor measurable risk reasoning over generic statements such as “industry best practice,” particularly when evaluating SoA exclusions.

What Benefits Do Companies Get from ISO 27001?

When implemented correctly, ISO 27001 provides more than certification — it strengthens governance, operational resilience, and customer trust.

Key benefits include:

  • Structured Risk Management: Clear visibility into security risks and structured treatment decisions.

  • Improved Audit Readiness: A well-documented ISO 27001 controls list and SoA reduce audit stress.

  • Regulatory Alignment: Supports compliance with data protection and industry regulations.

  • Stronger Access Management: Clear enforcement of the access control policy ISO 27001 requires reduces unauthorized access.

  • Increased Customer Trust: Certification signals commitment to information security.

  • Operational Consistency: Standardized control implementation reduces ambiguity.

Organizations that understand what ISO 27001 controls are and apply them correctly gain both compliance assurance and operational discipline.

Conclusion: Using Annex A as It Was Intended

Annex A was never meant to be the ISMS itself. It is a tool — one that supports risk-driven, business-aligned security decisions.

When teams understand control intent, justify applicability, and continuously improve, Annex A Controls become practical and effective. Security becomes integrated, measurable, and resilient.

The goal is not to “implement all controls,” but to apply the right controls for the right risks — and keep improving as those risks evolve.

Next Step: Build Auditor-Level Confidence in ISO 27001

If you want to move beyond implementation and develop true audit competence, NovelVista’s ISO 27001 Lead Auditor Certification Training Course is a strong next step. The program focuses on clause interpretation, ISO 27001 Annex A controls, audit evidence, and real-world scenarios. You’ll gain the skills needed to assess ISMS effectiveness with confidence and support continual improvement at an auditor level.

Frequently Asked Questions

The update consolidated 114 controls into 93 and reorganized them into four logical themes. It also introduced eleven new controls to address modern cybersecurity risks like cloud services.

Yes, every organization must update its Statement of Applicability to reflect the new 2022 control names and numbers. This ensures your documentation aligns with the latest certification requirements.

The reduction occurred because many similar controls were merged to eliminate redundancy. The goal was to make the framework easier to manage without actually losing any essential security requirements.

Most organizations have a three-year transition period from the release date. You must complete your transition audit before the deadline to maintain your official ISO 27001 certification.

The controls are now grouped into Organizational, People, Physical, and Technological categories. This structure helps different departments understand their specific security responsibilities more clearly than the previous version.

Author Details

Mr. Vikas Sharma

Principal Consultant

I am an Accredited ITIL, ITIL 4, ITIL 4 DITS, ITIL® 4 Strategic Leader, Certified SAFe Practice Consultant , SIAM Professional, PRINCE2 AGILE, Six Sigma Black Belt Trainer with more than 20 years of Industry experience. Working as SIAM consultant managing end-to-end accountability for the performance and delivery of IT services to the users and coordinating delivery, integration, and interoperability across multiple services and suppliers. Trained more than 10000+ participants under various ITSM, Agile & Project Management frameworks like ITIL, SAFe, SIAM, VeriSM, and PRINCE2, Scrum, DevOps, Cloud, etc.
