ISO/IEC 27001:2022 Annex A (how to use it)

ISO/IEC 27001 includes Annex A (normative): an information security controls reference. Annex A is often where teams get stuck — either by treating it as “the checklist” or by treating it as “someone else’s problem”.

This page is a practical guide to using Annex A as a control baseline without reproducing the standard.

What Annex A is (and isn’t)

Annex A is:

• a structured reference list of common information security controls
• a practical starting point for a control catalog
• a tool to ensure your risk treatment is systematic and defensible

Annex A is not:

• a guarantee of security (“we implemented Annex A” is not a security claim)
• a substitute for risk assessment and context
• a reason to create a spreadsheet that no one operates

How to use Annex A effectively

1) Start with scope and risk

Controls should follow from your ISMS scope and risk method. If your scope is unclear, Annex A selection becomes arbitrary.

2) Make applicability decisions (explicitly)

For each control you consider:

• decide whether it applies in your scope
• record the rationale (especially for exclusions)
• define what “implemented and operated” means

This is where many organizations create a “statement of applicability” style record (format varies by org).

3) Translate control intent into operable work

Turn controls into:

• owned work (who runs it)
• cadence (how often it’s executed/reviewed)
• evidence expectations (what artifacts exist)
• escalation paths (what happens when it fails)

4) Prefer control reuse across frameworks

Many security controls support multiple governance programs. Reuse is the point:

• implement a control once
• map it to multiple requirements across frameworks
• link evidence once and preserve the narrative

What auditors typically test

Auditors usually test operation and evidence, not just existence:

• can you show the control operating in the stated period
• can you trace evidence to the control claim
• can you show reviews, exceptions, and corrective actions
• do your applicability decisions make sense for your scope

Common failure modes

• Checklist compliance: “we have all Annex A controls” with thin/no evidence.
• Paper controls: procedures exist, but execution records do not.
• Unowned controls: controls exist but no one runs them on a cadence.

How this maps into Modulos

In Modulos, Annex A typically becomes:

• requirements and controls that teams execute
• evidence attached to control components (sub-claims)
• reviews for traceable approvals and separation of duties
• exports for point-in-time audit packs

Framework mapping

Four layers, one reusable spine.

Frameworks

EU AI ActRegulatory

ISO 42001Standard

Requirements

Art. 9.1Risk management

Art. 10.2Data governance

6.1.1Risk assessment

Components

Risk identification

Impact analysis

Evidence

Risk registerDocument

Test resultsArtifact

Controls

The reusable spine

One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.

Risk assessment process

Data validation checks

Reusable

Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.