ISO/IEC 27001:2022
The ISO standard for information security management systems, including Annex A, which is further explained in ISO/IEC 27002:2022.
What Is ISO/IEC 27001?
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic approach to managing sensitive information through risk assessment, security controls, and continual improvement.
Annex A of the standard defines 93 reference controls across four themes. Organisations select controls based on their risk assessment and document their choices in a Statement of Applicability (SoA). Unlike the Essential Eight, which prescribes specific technical mitigations, ISO 27001 takes a risk-based approach where the organisation determines which controls are relevant.
Who Needs ISO 27001?
- Certification seekers: organisations pursuing formal ISO 27001 certification through an accredited certification body.
- Contractual requirements: many enterprise clients and government agencies require ISO 27001 certification from their suppliers and service providers.
- Cyber insurance: insurers increasingly reference ISO 27001 certification or alignment during underwriting and renewal.
- Organisations aligning with best practice: even without formal certification, the standard provides a proven framework for managing information security risks.
Annex A Control Themes
The 93 Annex A controls in ISO/IEC 27001:2022 are organised into four themes:
Organisational (37 controls)
Policies, roles, asset management, access control, supplier relationships, incident management, and business continuity.
People (8 controls)
Screening, terms of employment, awareness training, disciplinary processes, and responsibilities after termination.
Physical (14 controls)
Physical perimeters, access controls, equipment protection, secure disposal, clear desk, and cabling security.
Technological (34 controls)
Authentication, access rights, malware protection, backups, logging, network security, cryptography, and secure development.
How to Use This Page
- Browse by section: use the quick filters in the sidebar to narrow controls by Annex A section (Organisational, People, Physical, Technological).
- Control detail: click any control for a plain-English explanation, implementation tips, audit evidence requirements, and cross-framework mappings to the Essential Eight and ASD ISM.
- Build your SoA: use the control summaries and evidence tips to draft your Statement of Applicability and prepare for Stage 1 and Stage 2 audits.
Preparing for certification? Mindset Cyber offers PECB-accredited ISO 27001 courses: Lead Implementer ($849), Lead Auditor ($849), and Foundation ($399), available as self-paced eLearning or live weekend training.
Controls
Annex A 5: Organisational (37 controls)
- Annex A 5.1: Policies for information security
- Annex A 5.2: Defining Information Security Roles and Responsibilities
- Annex A 5.3: Segregation of Duties
- Annex A 5.4: Management responsibilities for information security
- Annex A 5.5: Establish and Maintain Contact with Authorities
- Annex A 5.6: Contact with special interest groups
- Annex A 5.7: Threat Intelligence Collection and Analysis
- Annex A 5.8: Information security in project management
- Annex A 5.9: Inventory management of information and associated assets
- Annex A 5.10: Acceptable Use Policies for Information and Assets
- Annex A 5.11: Return of Organisation's Assets upon Departure
- Annex A 5.12: Information Classification Policy and Practices
- Annex A 5.13: Labelling of Information
- Annex A 5.14: Information Transfer Policies and Procedures
- Annex A 5.15: Access Control Policies and Procedures
- Annex A 5.16: Identity life cycle management
- Annex A 5.17: Management of Authentication Information
- Annex A 5.18: Managing Access Rights to Information Assets
- Annex A 5.19: Managing Information Security in Supplier Relationships
- Annex A 5.20: Integrating security clauses in supplier agreements
- Annex A 5.21: Managing Information Security in the ICT Supply Chain
- Annex A 5.22: Monitoring and Managing Supplier Services
- Annex A 5.23: Using incidents to improve security controls
- Annex A 5.24: Information security incident management planning and preparation
- Annex A 5.25: Assessment and decision on information security events
- Annex A 5.26: Response to Information Security Incidents
- Annex A 5.27: Learning from information security incidents
- Annex A 5.28: Procedures for Collecting and Preserving Evidence
- Annex A 5.29: Maintain information security during disruptions
- Annex A 5.30: ICT Readiness for Business Continuity
- Annex A 5.31: Compliance with Information Security Legal Requirements
- Annex A 5.32: Intellectual Property Rights Protection
- Annex A 5.33: Protection of Records
- Annex A 5.34: Privacy and Protection of Personally Identifiable Information
- Annex A 5.35: Independent review of information security
- Annex A 5.36: Review compliance with information security policies
- Annex A 5.37: Documented Operating Procedures for Information Processing
Annex A 6: People (8 controls)
- Annex A 6.1: Personnel Background Verification
- Annex A 6.2: Terms and conditions of employment for security
- Annex A 6.3: Information security awareness, education and training programme
- Annex A 6.4: Disciplinary Process for Information Security Violations
- Annex A 6.5: Responsibilities after employment termination or role change
- Annex A 6.6: Confidentiality and Non-disclosure Agreements
- Annex A 6.7: Remote Working Security Measures
- Annex A 6.8: Mechanisms for Reporting Security Events
Annex A 7: Physical (14 controls)
- Annex A 7.1: Physical Security Perimeters
- Annex A 7.2: Physical access controls for secure areas
- Annex A 7.3: Physical Security for Offices and Facilities
- Annex A 7.4: Continuous monitoring of physical access to premises
- Annex A 7.5: Protecting against physical and environmental threats
- Annex A 7.6: Security Measures for Working in Secure Areas
- Annex A 7.7: Clear desk and clear screen policies
- Annex A 7.8: Equipment Siting and Protection
- Annex A 7.9: Security of Off-Site Assets
- Annex A 7.10: Secure Management of Storage Media
- Annex A 7.11: Protection from Utility Failures
- Annex A 7.12: Secure Cabling for Power and Data
- Annex A 7.13: Proper Maintenance of Equipment
- Annex A 7.14: Secure disposal or re-use of equipment
Annex A 8: Technological (34 controls)
- Annex A 8.1: Protection of User Endpoint Devices
- Annex A 8.2: Management of Privileged Access Rights
- Annex A 8.3: Restrict access to information and assets
- Annex A 8.4: Access management for source code and tools
- Annex A 8.5: Secure authentication technologies and procedures
- Annex A 8.6: Capacity Management for Resource Use
- Annex A 8.7: Protection against malware
- Annex A 8.8: Configuration management for security
- Annex A 8.9: Configuration Management of IT Systems
- Annex A 8.10: Secure deletion of information when no longer needed
- Annex A 8.11: Data Masking for Sensitive Information
- Annex A 8.12: Data Leakage Prevention Measures
- Annex A 8.13: Backup and Recovery Procedures for Data
- Annex A 8.14: Clock Synchronisation for Information Processing Systems
- Annex A 8.15: Logging of Activities and Events
- Annex A 8.16: Monitoring Networks and Systems for Anomalous Behaviour
- Annex A 8.17: Clock synchronization for information systems
- Annex A 8.18: Securing Software Installations on Operational Systems
- Annex A 8.19: Secure Software Installation Procedures
- Annex A 8.20: Network and Network Devices Security
- Annex A 8.21: Security of Network Services
- Annex A 8.22: Network Segregation for Security
- Annex A 8.23: Web Filtering to Reduce Malicious Website Exposure
- Annex A 8.24: Effective Use of Cryptography and Key Management
- Annex A 8.25: Secure Development Lifecycle
- Annex A 8.26: Defining Security Requirements for Applications
- Annex A 8.27: Secure system architecture and engineering principles
- Annex A 8.28: Secure Coding Practices in Software Development
- Annex A 8.29: Security testing in development and acceptance
- Annex A 8.30: Management of Outsourced System Development
- Annex A 8.31: Separation of Development, Test, and Production Environments
- Annex A 8.32: Change management procedures for information systems
- Annex A 8.33: Test Information Selection and Protection
- Annex A 8.34: Protection of information systems during audits