ISO/IEC 27001:2022
The ISO standard for information security management systems, including Annex A, which is further explained in ISO/IEC 27002:2022.
What Is ISO/IEC 27001?
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic approach to managing sensitive information through risk assessment, security controls, and continual improvement.
Annex A of the standard defines 93 reference controls across four themes. Organisations select controls based on their risk assessment and document their choices in a Statement of Applicability (SoA). Unlike the Essential Eight, which prescribes specific technical mitigations, ISO 27001 takes a risk-based approach where the organisation determines which controls are relevant.
Who Needs ISO 27001?
- Certification seekers: organisations pursuing formal ISO 27001 certification through an accredited certification body.
- Contractual requirements: many enterprise clients and government agencies require ISO 27001 certification from their suppliers and service providers.
- Cyber insurance: insurers increasingly reference ISO 27001 certification or alignment during underwriting and renewal.
- Organisations aligning with best practice: even without formal certification, the standard provides a proven framework for managing information security risks.
Annex A Control Themes
The 93 Annex A controls in ISO/IEC 27001:2022 are organised into four themes:
Organisational (37 controls)
Policies, roles, asset management, access control, supplier relationships, incident management, and business continuity.
People (8 controls)
Screening, terms of employment, awareness training, disciplinary processes, and responsibilities after termination.
Physical (14 controls)
Physical perimeters, access controls, equipment protection, secure disposal, clear desk, and cabling security.
Technological (34 controls)
Authentication, access rights, malware protection, backups, logging, network security, cryptography, and secure development.
How to Use This Page
- Browse by section: use the quick filters in the sidebar to narrow controls by Annex A section (Organisational, People, Physical, Technological).
- Control detail: click any control for a plain-English explanation, implementation tips, audit evidence requirements, and cross-framework mappings to the Essential Eight and ASD ISM.
- Build your SoA: use the control summaries and evidence tips to draft your Statement of Applicability and prepare for Stage 1 and Stage 2 audits.
Preparing for certification? Mindset Cyber offers PECB-accredited ISO 27001 courses (Lead Implementer ($849), Lead Auditor ($849), and Foundation ($399)), available as self-paced eLearning or live weekend training.