ISO 27001 Annex A Controls
The ISO standard for information security management systems, including Annex A, which is further explained in ISO/IEC 27002:2022.
What is ISO/IEC 27001?
ISO/IEC 27001:2022 is the international standard that specifies the requirements for an Information Security Management System (ISMS). Published jointly by ISO and IEC, it is the third edition (October 2022), replacing ISO/IEC 27001:2013 and aligned to ISO/IEC 27002:2022.
The standard is framework-neutral and applies to any organisation — regardless of type, size, or sector. It sets out what an ISMS must do; it does not prescribe how to do it. That flexibility is why ISO 27001 is used by tech startups, banks, health providers, manufacturers, and government agencies worldwide.
Certification against ISO 27001 is voluntary but widely used as evidence that an organisation is systematically managing information security risks.
ISO 27001 vs ISO 27002 — what’s the difference?
ISO 27001 is the requirements standard — the one you get audited and certified against. It defines what must be in place.
ISO/IEC 27002:2022 is the implementation guidance companion. It provides detailed guidance on each of the 93 Annex A controls — what they mean, how to implement them, and what good practice looks like.
You cannot be certified against ISO 27002. Auditors reference 27002 to understand intent, but certification decisions are made against 27001.
What is an ISMS?
An Information Security Management System (ISMS) is a documented, risk-based system for managing information security — not a single tool or policy. It is a set of policies, processes, procedures, roles, and technical controls that work together to protect information confidentiality, integrity, and availability (the "CIA" triad).
The defining features of an ISMS under ISO 27001:
- Top-management commitment and explicit assignment of roles and responsibilities
- A defined scope — the boundary of what the ISMS covers (sites, systems, people, data)
- A documented risk assessment and risk treatment process, repeated regularly
- Selection of controls justified by risk, documented in the Statement of Applicability
- Performance monitoring, internal audits, and management reviews
- A continual improvement loop — nonconformities identified and corrected
The 7 mandatory clauses (Clauses 4–10)
The body of ISO 27001 (Clauses 4–10) contains the requirements you must meet. These are non-negotiable; Annex A controls are secondary. Auditors start with these clauses.
- Clause 4 — Context of the organization: understand internal/external issues, interested parties, and define the ISMS scope
- Clause 5 — Leadership: top management commitment, information security policy, roles and responsibilities
- Clause 6 — Planning: risk assessment, risk treatment, information security objectives
- Clause 7 — Support: resources, competence, awareness, communication, documented information
- Clause 8 — Operation: operational planning and control; carry out risk assessments and treatments
- Clause 9 — Performance evaluation: monitoring, internal audits, management reviews
- Clause 10 — Improvement: address nonconformities, continual improvement
Common misunderstanding: teams focus on Annex A controls and neglect Clauses 4–10. Most certification failures happen in the mandatory clauses, not the technical controls.
Annex A — the 93 controls across 4 themes
Annex A of ISO 27001:2022 lists 93 reference information security controls, grouped into four themes. These controls are a reference set — you don’t have to implement all of them; you implement the ones your risk assessment says you need.
- Organizational controls (A.5) — 37 controls: policies, roles, threat intelligence, supplier relationships, cloud security, incident management, legal and regulatory requirements
- People controls (A.6) — 8 controls: screening, terms of employment, awareness and training, remote working, event reporting
- Physical controls (A.7) — 14 controls: physical security perimeters, monitoring, equipment protection, secure disposal
- Technological controls (A.8) — 34 controls: access, authentication, cryptography, network security, application security, logging, vulnerability management
In ISO 27001:2013 there were 114 controls across 14 domains. The 2022 revision consolidated them to 93 controls across 4 themes and added 11 new controls (including threat intelligence, cloud services, data masking, and secure coding).
Who needs ISO 27001?
ISO 27001 suits any organisation that handles information of value to itself or its interested parties. In Australia we typically see it adopted by:
- Technology vendors selling into enterprise or government — often mandated by procurement
- Managed service providers and cloud platforms demonstrating multi-tenant security
- Financial services and superannuation funds under APRA prudential expectations
- Health sector organisations handling My Health Record or sensitive patient data
- Government contractors aligning to PSPF and departmental procurement requirements
- Professional services firms (legal, accounting, consulting) handling client-confidential material
- Organisations seeking to simplify overlapping audit programs (SOC 2, ISM, PCI DSS)
Risk-based approach — how risk drives control selection
ISO 27001 is explicitly risk-based. You don’t implement controls because the standard lists them; you implement them because your risk assessment identified a risk they address.
The process defined in Clause 6.1:
- Establish risk criteria (risk acceptance and assessment criteria)
- Identify information security risks against confidentiality, integrity, and availability
- Analyse each risk: likelihood and consequence
- Evaluate risks against your criteria and prioritise for treatment
- Select risk treatment options: modify (apply controls), share (transfer/insure), retain (accept), or avoid (stop the activity)
- Compare chosen controls to Annex A to confirm nothing necessary has been omitted
The standard aligns with the principles in ISO 31000:2018 (the generic risk management standard). Annex A controls are not exhaustive — you can design additional controls not listed there.
Statement of Applicability (SoA)
The Statement of Applicability is the central document that ties risk assessment to control selection. Every auditor asks for it first.
- Lists all necessary controls the organisation has selected (including controls not from Annex A if applicable)
- Provides justification for including each control — typically the risk it addresses
- Shows whether each control is currently implemented or is a planned control
- Justifies the exclusion of any Annex A control that has not been selected
- Is approved by risk owners and maintained as living documented information
A weak SoA — generic justifications, boilerplate language, no link back to the risk register — is the single most common finding in ISO 27001 Stage 1 audits.
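The two sections above describe one pipeline: analysed risks are evaluated against acceptance criteria, treated, and the chosen controls are recorded in the SoA with a justification, while unselected Annex A controls need an exclusion justification. The script below is an added example (not Control Stack's or Mindset Cyber's code) that runs that pipeline over a small constructed risk register and reports the weak-SoA findings the page warns about. Assumptions: a 5x5 likelihood/consequence scale with an acceptance threshold of 4, a six-control subset of Annex A labelled as on this page, and made-up risks, owners and exclusion reasons.

```python
"""Risk-driven control selection and Statement of Applicability (SoA) checks.

Added example with constructed data; the scales, threshold, risk register
and Annex A subset below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Risk acceptance criteria. Clause 6.1 requires you to define these yourself;
# the 5x5 scale and the threshold of 4 are assumptions for this example.
ACCEPT_AT_OR_BELOW = 4  # likelihood x consequence; anything higher must be treated

# Subset of Annex A, labelled as on the page (the real Annex A has 93 controls).
ANNEX_A_SUBSET: Dict[str, str] = {
    "A.5.24": "incident management: planning and preparation",
    "A.5.26": "incident management: response",
    "A.5.34": "privacy and PII protection",
    "A.8.7": "malware protection",
    "A.8.8": "vulnerability management",
    "A.8.23": "web filtering",
}


@dataclass
class Risk:
    risk_id: str
    description: str
    cia_property: str          # C, I or A: which property the risk threatens
    likelihood: int            # 1..5
    consequence: int           # 1..5
    owner: str
    treatment: str             # modify | share | retain | avoid
    controls: List[str] = field(default_factory=list)  # Annex A or custom control ids
    accepted_by_owner: bool = False                    # explicit sign-off when retaining

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence


def evaluate(risk: Risk) -> str:
    """Compare the analysed risk level with the acceptance criteria."""
    return "acceptable" if risk.level <= ACCEPT_AT_OR_BELOW else "treat"


def build_soa(risks: List[Risk], exclusions: Dict[str, str]) -> Dict[str, dict]:
    """Derive the SoA from the register: each selected control carries the risk ids
    that justify it; Annex A controls nobody selected appear with their exclusion
    reason (None when no reason was recorded, which is a finding)."""
    soa: Dict[str, dict] = {}
    for risk in risks:
        for cid in risk.controls:
            entry = soa.setdefault(cid, {"selected": True, "justified_by": [],
                                         "annex_a": cid in ANNEX_A_SUBSET})
            entry["justified_by"].append(risk.risk_id)
    for cid in ANNEX_A_SUBSET:           # the Clause 6.1 "compare to Annex A" step
        if cid not in soa:
            soa[cid] = {"selected": False, "justified_by": [], "annex_a": True,
                        "exclusion_reason": exclusions.get(cid)}
    return soa


def soa_findings(risks: List[Risk], soa: Dict[str, dict]) -> List[str]:
    """Checks an auditor would run: untreated risks above the threshold, 'modify'
    with no controls, and Annex A exclusions without a justification."""
    findings: List[str] = []
    for risk in risks:
        if evaluate(risk) == "treat" and risk.treatment == "retain" and not risk.accepted_by_owner:
            findings.append(f"{risk.risk_id}: level {risk.level} exceeds acceptance "
                            f"criteria; retaining needs sign-off by {risk.owner}")
        if risk.treatment == "modify" and not risk.controls:
            findings.append(f"{risk.risk_id}: treatment is 'modify' but no controls are selected")
    for cid, entry in soa.items():
        if not entry["selected"] and not entry.get("exclusion_reason"):
            findings.append(f"{cid}: Annex A control not selected and no exclusion justification recorded")
    return findings


# Constructed risk register (assumed values, not from any real ISMS).
RISK_REGISTER: List[Risk] = [
    Risk("R-01", "Ransomware on managed endpoints", "A", 4, 5, "Head of IT", "modify", ["A.8.7", "A.8.8"]),
    Risk("R-02", "PII disclosed via misconfigured report export", "C", 3, 4, "Privacy Officer", "modify", ["A.5.34", "A.5.26"]),
    Risk("R-03", "Staff browse low-reputation sites", "I", 2, 2, "Head of IT", "retain"),
    Risk("R-04", "Key supplier outage", "A", 3, 3, "COO", "retain"),
    Risk("R-05", "Phishing leads to credential theft", "C", 4, 3, "CISO", "modify"),
]
# Constructed exclusion justifications for Annex A controls not selected.
EXCLUSIONS: Dict[str, str] = {
    "A.8.23": "No general web browsing from in-scope systems (assumed for the example)",
}


def run_example() -> Tuple[Dict[str, dict], List[str]]:
    soa = build_soa(RISK_REGISTER, EXCLUSIONS)
    return soa, soa_findings(RISK_REGISTER, soa)


if __name__ == "__main__":
    soa, findings = run_example()
    for cid, entry in soa.items():
        print(cid, "selected" if entry["selected"] else "excluded", entry)
    print("Findings:")
    for f in findings:
        print(" -", f)
```

Three findings come back from the constructed register: R-04 is above the threshold but retained without owner sign-off, R-05 is marked "modify" with no controls attached, and A.5.24 was never selected and has no exclusion reason. Each selected control, by construction, traces back to the risk ids that justify it, which is exactly the link auditors look for between the SoA and the risk register.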
Implementation pathway (typical phases)
Most organisations follow a phased approach over 6–18 months depending on size, scope, and existing security maturity.
1. Scoping — determine ISMS boundaries: which entities, locations, systems, and data are in scope
2. Gap analysis — compare current state to ISO 27001 requirements
3. Risk assessment — identify, analyse, and evaluate information security risks
4. Risk treatment planning — select controls, document in the Statement of Applicability
5. Implementation — stand up policies, procedures, and technical controls; fill gaps
6. Internal audit — verify the ISMS works as documented, identify nonconformities
7. Management review — top management reviews ISMS performance, approves improvements
8. Stage 1 external audit — documentation review by certification body
9. Stage 2 external audit — on-site implementation review; certificate awarded if passed
10. Ongoing — surveillance audits (usually annual) and recertification every 3 years
Certification process + audit cycle
Certification is carried out by accredited certification bodies (CBs). In Australia these include BSI, SAI Global, TQCSI, NCSI, and international CBs. Choose one that is accredited (JAS-ANZ for Australian scope, or an IAF member body).
The audit cycle:
- Stage 1 — documentation audit: does your ISMS documentation meet 27001 requirements? Typically 1–2 days
- Stage 2 — certification audit: is the documented ISMS actually implemented and effective? Typically 3–5 days for small-to-mid orgs
- Surveillance audits — conducted annually in years 1 and 2 after certification; partial re-audits of the ISMS
- Recertification audit — full re-audit every 3 years; renews the certificate for another cycle
Major nonconformities found at Stage 2 must be closed before the certificate is issued. Minor nonconformities usually have 90 days to address. Surveillance audits may also raise findings that must be resolved.
Alignment with Australian frameworks
ISO 27001 is framework-neutral but maps cleanly onto Australian security frameworks. Control Stack shows the mappings directly on every control page.
- Essential Eight — the ASD Essential Eight mitigation strategies align with specific Annex A technological controls (A.8.7 malware protection, A.8.8 vulnerability management, A.8.23 web filtering, etc.). Implementing the Essential Eight at ML1–ML3 helps satisfy several Annex A controls but does not cover the full ISMS requirements
- ASD ISM — The Information Security Manual is far more granular than Annex A but addresses the same domains. Organisations under the PSPF often hold ISO 27001 AND align to ISM for government work
- PSPF — Australian Government Protective Security Policy Framework references ISO 27001 as one acceptable approach to information security management
- SOC 2 — US-centric trust services criteria overlap heavily with Annex A; a well-run ISO 27001 ISMS can be leveraged for SOC 2 Type II attestation with additional work
Relationship to Australian laws and regulations
ISO 27001 helps meet — but does not replace — specific Australian legal obligations.
- Privacy Act 1988 and the Australian Privacy Principles (APP 11) — require "reasonable steps" to protect personal information; Annex A control A.5.34 (privacy and PII protection) directly addresses this
- Notifiable Data Breaches (NDB) scheme — incident management (A.5.24–5.28) supports breach detection and response timelines
- APRA CPS 234 (Information Security) — prudential standard for banks, insurers, and superannuation funds; ISO 27001 aligns with many CPS 234 requirements but is not a substitute
- Security of Critical Infrastructure Act 2018 (SOCI) — critical infrastructure operators must have a Critical Infrastructure Risk Management Program; ISO 27001 supports this
- Consumer Data Right (CDR) — data recipients must have an accredited security baseline; ISO 27001 is one pathway
Training + certification pathways
Building in-house ISO 27001 capability saves consulting dollars and produces better outcomes. PECB is the dominant certification body for individual ISO 27001 practitioners globally, offering three main pathways:
- ISO 27001 Foundation — 1–2 day introduction for anyone new to the standard; good for broader teams who need context without deep technical detail
- ISO 27001 Lead Implementer — 5-day practitioner course covering all clauses and Annex A controls; for people standing up or running an ISMS
- ISO 27001 Lead Auditor — 5-day course covering audit methodology (ISO 19011) and ISO 27001; required for CB auditors and valuable for internal audit teams
Mindset Cyber delivers all three PECB-accredited courses in Australia — Lead Implementer, Lead Auditor, and Foundation — available as self-paced eLearning or live weekend training. These are the industry-standard qualifications recognised globally.
Common pitfalls to avoid
After thousands of ISO 27001 implementations across the industry, the same traps recur.
- Treating Annex A as a checklist — skipping the risk assessment and just implementing all 93 controls produces a bloated, ineffective ISMS
- Scoping too narrow — defining an ISMS boundary that excludes the important assets to avoid work; auditors will flag this
- Over-documentation — writing policies nobody reads or follows; controls must be operational, not aspirational
- Under-powered leadership engagement — top management signing the policy and nothing else; Clause 5 failures are common findings
- Treating certification as the goal — the certificate is a by-product of a working ISMS, not the reason to build one
- Skipping the internal audit — many organisations do one internal audit just before the external audit; 27001 expects ongoing internal audit over the cycle
- Poor change control — the ISMS must be updated when systems, suppliers, or scope change (Clause 6.3)
Glossary — key ISO 27001 terms
Terms you’ll encounter repeatedly.
- ISMS — Information Security Management System. The documented, risk-based system covering Clauses 4–10
- SoA — Statement of Applicability. The document listing selected controls and justifying exclusions
- CIA triad — Confidentiality, Integrity, Availability. The three information security properties ISO 27001 protects
- Risk treatment — The process of modifying, retaining, sharing, or avoiding identified risks
- Risk owner — The person accountable for a specific risk being appropriately managed
- Nonconformity — A finding that a requirement has not been met; may be "minor" (isolated) or "major" (systemic or high-consequence)
- Corrective action — Action taken to eliminate the cause of a nonconformity and prevent recurrence
- Interested parties — Stakeholders whose information security expectations the ISMS must address: customers, regulators, employees, suppliers
- Annex SL — The high-level structure shared across ISO management system standards; enables integrated management systems (27001 + 9001 + 14001, etc.)
- Surveillance audit — A partial re-audit conducted annually in years 1 and 2 post-certification; sub-set of the full scope
Official source: ISO/IEC 27000:2022 — Overview and vocabulary. Provides the authoritative terms and definitions for the entire ISO 27000 family.
ISO 27001 training helps teams implement these controls. Get PECB ISO 27001 certified with Mindset Cyber.