ISO 27001 Controls Explained — Understanding Annex A

ISO 27001 Annex A lists 93 information security controls that form the backbone of your ISMS. They help you manage cyber risks across people, processes, and technology. CertCrowd makes them easier to apply, track, and prove during audits.

[Image: ISO 27001 Controls and Information Security Management System]

What Are Annex A Controls?

Annex A is the reference list of security controls within ISO 27001. Each control represents a safeguard designed to reduce information security risks identified in your risk assessment.

The 2022 revision (ISO/IEC 27001:2022, with implementation guidance in ISO/IEC 27002:2022) reduced the control set from 114 controls in 14 domains to 93 controls in four themes. It merged overlapping controls and added 11 new ones, such as threat intelligence, information security for cloud services, data masking, data leakage prevention, web filtering and secure coding, to reflect current practice.

The Four Annex A Control Themes

Organisational Controls (37)

Policies, processes, and management activities that define how security is governed.

Examples:

  • A.5.1 Policies for Information Security
  • A.5.23 Information Security for Use of Cloud Services
  • A.5.30 ICT Readiness for Business Continuity

These controls ensure your organisation has a structured and documented approach to security management.

People Controls (8)

Focused on staff awareness, training, and responsibilities.

Examples:

  • A.6.3 Information Security Awareness, Education and Training
  • A.6.4 Disciplinary Process

They protect information by promoting responsible behaviour and clear accountability.

Physical Controls (14)

Protect your facilities and physical assets from unauthorised access or damage.

Examples:

  • A.7.1 Physical Security Perimeters
  • A.7.5 Protection Against Physical and Environmental Threats

These controls help prevent data breaches caused by environmental events or physical intrusion.

Technological Controls (34)

Cover technical measures like access management, malware protection, encryption, and logging.

Examples:

  • A.8.3 Information Access Restriction
  • A.8.9 Configuration Management
  • A.8.28 Secure Coding

They form the core of your cyber defence and operational resilience.

How to Use Annex A Controls

Not every control will apply to your organisation, and Annex A is a reference list rather than a mandatory checklist. Clause 6.1.3 of ISO 27001 requires you to:

  • Identify and assess risks to your information assets
  • Select the controls needed to treat those risks (they may come from Annex A or from elsewhere)
  • Compare your selected controls with Annex A to confirm that no necessary control has been overlooked
  • Document your choices in the Statement of Applicability (SoA): which controls apply, why each was included, whether it is implemented, and why any Annex A control was excluded
  • Demonstrate implementation through policies, procedures, and records

Integrated Control System

ISO 27001 controls work together as an integrated system to protect your organisation's information assets across all business processes. Each control is designed to complement others, creating multiple layers of protection.
[Image: ISO 27001 Information Security Management System implementation]

Control Attributes and Themes

In the 2022 update, each control carries a set of attributes (defined in ISO/IEC 27002:2022) that let you filter and group the control set and align it with other security frameworks.

Attributes include:

  • Control Type: Preventive, Detective, Corrective
  • Information Security Properties: Confidentiality, Integrity, Availability
  • Cybersecurity Concepts: Identify, Protect, Detect, Respond, Recover
  • Operational Capabilities: Governance, Asset Management, Identity and Access Management, Secure Configuration, and others
  • Security Domains: Governance and Ecosystem, Protection, Defence, Resilience

A control can carry more than one value of an attribute: A.8.15 Logging is Detective and maps to Detect, while a monitoring control may be both Preventive and Detective. Because the Cybersecurity Concepts reuse the five NIST CSF 1.1 function names, a CSF view of your control set can be filtered directly from that attribute, and the same tagging makes it easier to map ISO 27001 to other frameworks like SOC 2.
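The procedure in "How to Use Annex A Controls" above and the attribute model in this section can be expressed as a small control register. The following Python is an added example, not CertCrowd's code and not part of the original page: it derives a Statement of Applicability from a risk register, flags the two gaps an auditor looks for first (a selected control with no evidence, and an excluded control with no justification), and filters applicable controls by Cybersecurity Concept. The control subset, risks, evidence records, mandatory selections and exclusions are constructed sample data; the attribute values are taken from the attribute tables of ISO/IEC 27002:2022 and should be verified against the licensed text before reuse.

```python
"""Annex A control register with Statement of Applicability (SoA) checks.

Added example, not CertCrowd code. CATALOGUE is a constructed subset of the
93 ISO/IEC 27001:2022 Annex A controls; attribute values follow the attribute
tables in ISO/IEC 27002:2022 (verify against the licensed text). RISKS,
EVIDENCE, MANDATORY and EXCLUSIONS are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ref: str
    title: str
    theme: str
    control_type: tuple  # Preventive / Detective / Corrective
    properties: tuple    # C / I / A
    concepts: tuple      # Identify / Protect / Detect / Respond / Recover


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    treatments: tuple    # Annex A refs selected to treat this risk


@dataclass
class SoaEntry:
    ref: str
    applicable: bool
    justification: str   # why included, or why excluded ("" = undocumented)
    evidence: list       # records showing implementation


CIA = ("C", "I", "A")
CATALOGUE = [
    Control("A.5.1", "Policies for information security", "Organisational", ("Preventive",), CIA, ("Identify",)),
    Control("A.5.23", "Information security for use of cloud services", "Organisational", ("Preventive",), CIA, ("Protect",)),
    Control("A.5.30", "ICT readiness for business continuity", "Organisational", ("Corrective",), ("A",), ("Respond",)),
    Control("A.6.3", "Information security awareness, education and training", "People", ("Preventive",), CIA, ("Protect",)),
    Control("A.7.4", "Physical security monitoring", "Physical", ("Preventive", "Detective"), CIA, ("Protect", "Detect")),
    Control("A.8.9", "Configuration management", "Technological", ("Preventive",), CIA, ("Protect",)),
    Control("A.8.15", "Logging", "Technological", ("Detective",), CIA, ("Detect",)),
    Control("A.8.28", "Secure coding", "Technological", ("Preventive",), CIA, ("Protect",)),
]

# Constructed risk register: each risk names the controls chosen to treat it.
RISKS = [
    Risk("R-01", "Misconfigured cloud storage exposes customer data", ("A.5.23", "A.8.9")),
    Risk("R-02", "Injection flaw in customer web application", ("A.8.28", "A.8.15")),
    Risk("R-03", "Staff credentials captured by phishing", ("A.6.3",)),
]

# Controls selected for a reason other than a risk (clause 6.1.3 allows legal,
# contractual or business requirements as justification for inclusion).
MANDATORY = {"A.5.1": "Top-level policy required by ISO 27001 clause 5.2"}

# Justified exclusions. A control that is neither selected nor listed here is a gap.
EXCLUSIONS = {"A.7.4": "No organisation-controlled premises; fully remote, cloud-hosted"}

# Constructed evidence records per control. A.8.15 deliberately has none.
EVIDENCE = {
    "A.5.1": ["Information security policy v3, approved 2024-01"],
    "A.5.23": ["Cloud services policy v2.1", "Q3 cloud configuration review"],
    "A.6.3": ["Awareness training completion report 2024"],
    "A.8.9": ["Hardening baseline", "CIS benchmark scan 2024-05"],
    "A.8.28": ["Secure coding standard", "SAST pipeline run log"],
}


def build_soa(catalogue, risks, mandatory, exclusions, evidence):
    """One SoA entry per catalogued control: included (with the risks or
    requirement that justify it) or excluded (with or without justification)."""
    known = {c.ref for c in catalogue}
    treated_by = {}
    for r in risks:
        for ref in r.treatments:
            if ref not in known:  # a treatment must point at a real control
                raise ValueError(f"{r.risk_id} references unknown control {ref}")
            treated_by.setdefault(ref, []).append(r.risk_id)
    entries = []
    for c in catalogue:
        reasons = []
        if c.ref in treated_by:
            reasons.append("treats " + ", ".join(treated_by[c.ref]))
        if c.ref in mandatory:
            reasons.append(mandatory[c.ref])
        if reasons:
            entries.append(SoaEntry(c.ref, True, "; ".join(reasons), list(evidence.get(c.ref, []))))
        else:
            entries.append(SoaEntry(c.ref, False, exclusions.get(c.ref, ""), []))
    return entries


def check_soa(entries):
    """Findings an internal auditor would raise against the SoA."""
    findings = []
    for e in entries:
        if e.applicable and not e.evidence:
            findings.append(f"{e.ref}: selected but no evidence of implementation")
        if not e.applicable and not e.justification:
            findings.append(f"{e.ref}: excluded without justification")
    return findings


def applicable_by_concept(catalogue, entries, concept):
    """Applicable control refs tagged with one Cybersecurity Concept
    (the attribute reuses the NIST CSF 1.1 function names)."""
    applicable = {e.ref for e in entries if e.applicable}
    return [c.ref for c in catalogue if c.ref in applicable and concept in c.concepts]


if __name__ == "__main__":
    soa = build_soa(CATALOGUE, RISKS, MANDATORY, EXCLUSIONS, EVIDENCE)
    for e in soa:
        print(f"{e.ref:7} {'included' if e.applicable else 'excluded':8} {e.justification or '(no justification)'}")
    for finding in check_soa(soa):
        print("FINDING:", finding)
    print("Protect:", applicable_by_concept(CATALOGUE, soa, "Protect"))
```

Run as-is it reports A.5.30 as excluded without justification and A.8.15 as selected without evidence, which is exactly the risk-to-control-to-evidence trace the SoA has to make visible. The same structure extends to the full 93 controls and to the other attributes (operational capability, security domain) by adding fields to Control.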

How CertCrowd Simplifies Control Management

CertCrowd's ISO 27001 Blueprint includes a pre-configured Control Register for Annex A. You can link each control to:

  • Relevant policies and procedures
  • Risk records that triggered its selection
  • Actions or tasks that demonstrate implementation
  • Audit evidence and verification status

Every control is traceable from risk through to evidence — so you're always audit-ready.

Audit-Ready Evidence

Regular audits help ensure your controls remain effective and compliant. CertCrowd's evidence tracking makes audit preparation straightforward by maintaining a clear trail from risk to control to evidence.
[Image: ISO 27001 audit preparation and evidence management]

Maintaining and Reviewing Your Controls

Controls aren't set-and-forget. They should be reviewed as part of your ongoing ISMS improvement cycle:

  • Update controls when new risks or technologies emerge
  • Perform regular internal audits to verify effectiveness
  • Track actions and non-conformities in CertCrowd's Issues Module

This ensures your controls stay relevant and effective as your business grows.

Complete Control Checklist

Use our comprehensive checklist to track your progress through all 93 Annex A controls and ensure nothing is missed. This visual guide helps you understand the scope and complexity of the full control set.
[Image: ISO 27001 Annex A controls checklist]

Next Steps

Understanding the controls is just the start. To build a fully compliant ISMS, you'll also need to map controls to risks and justify their applicability through the SoA.

© 2024 CertCrowd