
ISO 27001 Annex A


The catalogue of 93 reference controls (2022 edition) across Organisational, People, Physical, and Technological themes.

Annex A of ISO/IEC 27001:2022 lists 93 reference controls grouped into four themes: Organisational (37), People (8), Physical (14), Technological (34). The 2022 edition reduced the count from 114 and added 11 new controls (e.g. threat intelligence, configuration management, secure coding).

Why it matters
Every Annex A control must be addressed in your Statement of Applicability (SoA) — either implemented, partially implemented with justification, or excluded with rationale.

Related terms

ISO/IEC 27001
International standard for an Information Security Management System (ISMS) with 93 Annex A controls.
Statement of Applicability (SoA)
ISO 27001 document declaring which Annex A controls apply, why, and how — central artefact for certification.
ISMS (Information Security Management System)
A documented, risk-based management system for information security — the object of ISO 27001 certification.
