
ISO/IEC 27001:2022 — Annex A

ISO/IEC 27001:2022 Annex A is normative: 93 information-security controls organised into four themes. Every control gets a position in the Statement of Applicability — included or excluded with justification. This page covers the four themes at a structural level and references controls by reference number only.

Quick decision

  • You need to build the Statement of Applicability → every one of the 93 Annex A controls gets a position. Drive selection from your information-security risk assessment under Clause 6.1.2.
  • You are mapping AI controls to ISO 27001 → themes 5 (supplier and incident-handling categories) and 8 (cryptography, logging and secure-development categories) carry most of the AI-relevant content. AI-specific controls layer on top via ISO/IEC 42001 Annex A.
  • You want to know what's new in the 2022 edition → 11 new controls at A.5.7, A.5.23, A.5.30, A.7.4, A.8.9, A.8.10, A.8.11, A.8.12, A.8.16, A.8.23 and A.8.28.
  • You want to see how Annex A maps to Modulos → evidence on ORF-205 (Clause 6.1.3 risk treatment) with the SoA.

TL;DR

  • 93 controls in 4 themes: 5 Organizational (37), 6 People (8), 7 Physical (14), 8 Technological (34).
  • Normative — every control gets a position in the SoA. Inclusion or exclusion with justification.
  • 11 new controls added in the 2022 edition vs the 2013 edition.
  • Theme-based structure replaces the 14-control-objective structure of the 2013 edition.
  • Modulos models Annex A as control-level evidence on ORF-205 + the SoA artefact.

Primary source

ISO/IEC 27001:2022 Annex A (normative): Information security controls reference. © ISO/IEC. Available via the ISO Online Browsing Platform. Companion guidance: ISO/IEC 27002:2022.

The four themes

| Theme | Focus | Control count | Example reference numbers |
|---|---|---|---|
| 5 Organizational | Policies, roles, supplier relationships, asset management, incident management, business continuity, legal and compliance, information classification | 37 | A.5.1, A.5.7 (new), A.5.19, A.5.23 (new), A.5.30 (new) |
| 6 People | Screening, employment terms, awareness, disciplinary, remote working, confidentiality agreements | 8 | A.6.3, A.6.4, A.6.7 |
| 7 Physical | Physical security perimeter, equipment, secure disposal, clear desk / clear screen, working in secure areas, supporting utilities | 14 | A.7.1, A.7.4 (new), A.7.7 |
| 8 Technological | Endpoint security, identity and access management, cryptography, network security, secure development, logging, vulnerability management, configuration management | 34 | A.8.5, A.8.9 (new), A.8.10 (new), A.8.15, A.8.23 (new), A.8.24, A.8.28 (new) |

The 11 new controls in the 2022 edition (A.5.7, A.5.23, A.5.30, A.7.4, A.8.9, A.8.10, A.8.11, A.8.12, A.8.16, A.8.23, A.8.28) reflect the modernisation of information-security practice since 2013 — particularly around cloud services, configuration management, modern data-protection techniques and threat intelligence.

How to use Annex A in practice

1) Drive selection from scope and risk

Controls follow from the ISMS scope (Clause 4.3) and the information-security risk assessment (Clause 6.1.2). If the scope is unclear, control selection becomes arbitrary.

2) Document every control in the SoA

Every Annex A control gets a position in the Statement of Applicability:

  • Inclusion with a justification linked to the risk assessment.
  • Exclusion with an explicit rationale (e.g., physical controls excluded for a fully cloud-native organisation that owns no physical infrastructure).
  • Implementation status — implemented, planned, in progress.
  • Responsible function and evidence reference.

3) Translate control intent into operable work

Turn each selected control into:

  • Owned work — who runs it.
  • Cadence — how often it is executed or reviewed.
  • Evidence expectations — what artefacts exist.
  • Escalation path — what happens when the control fails.

4) Reuse evidence without merging control obligations

Many information-security activities support multiple governance programs. Reuse evidence where the same activity genuinely supports more than one mapped requirement, but keep each framework's risk assessment, applicability decision and control obligation distinct.

What auditors test on Annex A

Stage 2 and surveillance audits sample operation and evidence, not just existence:

  • SoA consistency — every Annex A control has a position; justification is linked to the risk register.
  • Control operation — selected controls are executed within the certification period, with evidence.
  • Exception management — exclusions remain defensible as scope and risk change.
  • Review and corrective action — control failures feed Clause 10.2 corrective action.
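The SoA checks described under step 2 and in the auditor tests above, as an added example that is not the page's or Modulos's own code: it verifies that all 93 controls have a position, that inclusions are linked to the risk register and carry a status, owner and evidence reference, and that exclusions carry a rationale. The row layout, the sample risk ID and evidence references are constructed assumptions; the control numbering is derived from the per-theme counts stated on this page.

```python
from dataclasses import dataclass

# Numbering assumed from the per-theme counts above: A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34.
THEME_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = frozenset(f"A.{t}.{n}" for t, c in THEME_COUNTS.items() for n in range(1, c + 1))
VALID_STATUS = {"implemented", "planned", "in progress"}
_key = lambda c: [int(x) for x in c[2:].split(".")]  # numeric sort: A.5.1 < A.5.10 < A.8.34

@dataclass
class SoaEntry:                 # hypothetical SoA row layout (an assumption, not a Modulos schema)
    control_id: str
    position: str               # "included" or "excluded"
    justification: str = ""     # risk-linked reason for inclusion, or explicit exclusion rationale
    risk_ids: tuple = ()        # risk-register ids that drove an inclusion
    status: str = ""            # implemented / planned / in progress (inclusions only)
    owner: str = ""             # responsible function
    evidence: str = ""          # evidence reference

def check_soa(entries, risk_register):
    """Return the findings an auditor would raise; an empty list means the SoA is consistent."""
    findings, seen = [], set()
    for e in entries:
        if e.control_id not in ALL_CONTROLS:
            findings.append(f"{e.control_id}: not an Annex A control id"); continue
        seen.add(e.control_id)
        if e.position == "included":
            if not e.risk_ids or any(r not in risk_register for r in e.risk_ids):
                findings.append(f"{e.control_id}: inclusion not linked to the risk register")
            if e.status not in VALID_STATUS:
                findings.append(f"{e.control_id}: missing or invalid implementation status")
            if not (e.owner and e.evidence):
                findings.append(f"{e.control_id}: no responsible function or evidence reference")
        elif e.position == "excluded":
            if not e.justification.strip():
                findings.append(f"{e.control_id}: exclusion without explicit rationale")
        else:
            findings.append(f"{e.control_id}: position must be 'included' or 'excluded'")
    for c in sorted(ALL_CONTROLS - seen, key=_key):   # every control needs a position
        findings.append(f"{c}: no position in the SoA")
    return findings

def sample_soa():
    """Constructed sample: a cloud-native organisation excluding theme 7, plus two deliberate defects."""
    excl = "No owned physical infrastructure; workloads run on a certified cloud provider"
    entries = [SoaEntry(c, "excluded", excl) if c.startswith("A.7.") else
               SoaEntry(c, "included", "Treats R-12", ("R-12",), "implemented", "SecEng", "EV-0042")
               for c in sorted(ALL_CONTROLS, key=_key)]
    entries[0] = SoaEntry("A.5.1", "included", "", (), "implemented", "CISO", "EV-0001")  # no risk link
    entries[-1] = SoaEntry("A.8.34", "excluded")                                          # no rationale
    return entries
```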

Common failure modes

  • Checklist compliance — "we have all Annex A controls" with thin or no evidence.
  • Paper controls — procedures exist, but execution records do not.
  • Unowned controls — controls exist in the SoA but no one runs them on a cadence.
  • Stale SoA — controls remain "implemented" in the SoA after the system or vendor has changed.
  • Copy-paste from Annex A text — reproducing ISO/IEC 27001 control text in internal documents (a copyright risk; substantively, it conflates the implementation with the requirement).

How to operationalise Annex A in Modulos

ISO 27001 Annex A controls are tracked as control-level evidence on the ORF-205 requirement (Clause 6.1.3 risk treatment) on OFF-9.

| OFF-9 requirement | Description | Annex A coverage |
|---|---|---|
| ORF-205 | Information-security risk treatment + Statement of Applicability | All 93 Annex A controls via the SoA |
| ORF-215 | Operational planning and control | Operational execution of the selected controls |
| ORF-216 | Monitoring, measurement, analysis and evaluation | Control effectiveness signals |
| ORF-217 / ORF-218 | Internal audit + audit programme | Sampling control operation |

Practical pattern:

  • The SoA artefact itself is owner-authored documented information attached as evidence on ORF-205.
  • Per-control evidence (control execution records, exception decisions, supplier reviews) is linked to controls in Modulos that map to the relevant ORF requirements.
  • The applicability decisions (which themes apply, which controls within each theme apply) flow from the risk assessment in ORF-204.

Modulos does not provide a per-Annex-A-control normative checklist surface — the SoA captures the per-control decisions and the operational evidence sits on controls.

Cross-framework mapping (preview)

| ISO 27001 Annex A theme | Adjacent provision |
|---|---|
| Theme 5 Organizational (A.5.19–A.5.22) | EU AI Act Article 25 value chain; NIS2 Article 21(2)(d); ISO 42001 Annex A.10 |
| Theme 5 Organizational (A.5.12–A.5.14) | GDPR personal-data classification; ISO 27701 PIMS |
| Theme 5 Organizational (A.5.24–A.5.28) | EU AI Act Article 73 serious-incident reporting; NIS2 Article 23 incident notification; GDPR Article 33 |
| Theme 6 People (A.6.3) | Training-governance evidence that may support, but does not replace, EU AI Act Article 4 AI literacy obligations |
| Theme 8 Technological (A.8.24) | EU AI Act Article 15(5) cybersecurity for high-risk AI; NIS2 Article 21(2)(h) |
| Theme 8 Technological (A.8.15) | EU AI Act Article 12 logging; Article 26(6) deployer log retention |
| Theme 8 Technological (A.8.9, new) | ISO 42001 Annex A.6 AI system lifecycle |
| Theme 8 Technological (A.8.28, new) | ISO 42001 Annex A.6.2 development controls |

Source attribution

ISO/IEC 27001:2022 Annex A (normative) — Information security controls reference. © ISO/IEC. Available via the ISO Online Browsing Platform. Companion implementation guidance: ISO/IEC 27002:2022. The 2013 edition (114 controls) was sunset by the late-2025 transition deadline.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.