We wanted to create a guide that was simple to understand but still gave the relevant advice, so we designed it to provide enough information in a bite-size chunk, with deeper detail if you want it.
Annex A in ISO 27001 is the go-to list of security controls that organisations use to meet the requirements of ISO 27001’s risk treatment process (6.1.3) and the Statement of Applicability.
Previously, it had 114 controls spread across 14 categories, covering areas like access control, cryptography, physical security, and incident management. But with the release of ISO 27002:2022, things changed. The updated ISO 27001:2022 now streamlines Annex A into 4 key areas with 93 controls—introducing 11 new ones, merging 24, and refining 58 to better reflect today’s cybersecurity landscape.
If you need to know more, check out our blog on Annex A controls.
Number of Controls: 37
Control Numbers: 5.1 - 5.37
Organisational controls are the backbone of how a business approaches data protection. They set the tone for security across the board—covering policies, processes, procedures, and even how the organisation is structured. Think of them as the rules and frameworks that dictate not just what needs to be done, but how security fits into the bigger picture.
Number of Controls: 8
Control Numbers: 6.1 - 6.8
People controls are all about managing the human side of security. They shape how employees handle data, interact with each other, and follow security best practices.
This includes everything from recruitment and personnel security to ongoing awareness training—because even the best tech can’t protect you if your people don’t know how to use it securely.
Number of Controls: 14
Control Numbers: 7.1 - 7.14
Physical safeguards are the frontline defence for protecting tangible assets and sensitive information. Think access controls, visitor policies, secure storage, asset disposal, and even simple things like a clear desk policy. These measures ensure that confidential data stays exactly where it should—out of the wrong hands.
Number of Controls: 34
Control Numbers: 5.1 - 5.34
Technological controls set the rules for securing IT systems and keeping them compliant. From authentication methods and system configurations to backup strategies and logging, these measures ensure your digital infrastructure is resilient, protected, and ready to withstand threats.
Annex A Control Type | ISO/IEC 27001: 2022 Annex A Identifier | ISO/IEC 27001: 2013 Annex A Identifier | Annex A Name |
---|---|---|---|
Organisational Controls | Annex A 5.1 | Policies for Information Security | Policies for Information Security |
Yes, an Acceptable Use Policy is essential for organisations that provide employees, contractors, or third parties access to IT systems and data. It helps to:
- Define user responsibilities, creating a clear understanding of acceptable behaviour and consequences for violations.

An AUP is especially critical for organisations seeking certifications like ISO 27001, as it supports the implementation of robust security management.