
Comparing Annex A in ISO/IEC 27001:2013 vs. ISO/IEC 27001:2022

Ages ago I wrote this article, in which I briefly compared Annex A in the two versions of the standard: https://www.sorinmustaca.com/annex-a-of-iso-27001-2022-explained/

But I feel there is still a need to detail the changes a bit, especially now that more and more businesses are forced to re-audit against the newer edition.

 

Overview of Annex A

Annex A is a list of reference controls grouped into categories (14 domains in the 2013 edition, 4 themes in the 2022 edition). Each category is a set of controls addressing a specific aspect of information security management: policies, procedures, and technical and organizational measures designed to safeguard critical assets, prevent unauthorized access, and mitigate security threats.

The primary purpose of the Annex A controls is to guide organizations in selecting appropriate security measures for their specific context and identified risks. The controls themselves are not mandatory, but clause 6.1.3 of the standard requires you to compare the controls you chose during risk treatment against Annex A and to justify every inclusion and exclusion in the Statement of Applicability (SoA). An auditor will therefore expect every Annex A control to have been considered, even if only to exclude it.

Many auditors and practitioners recommend not focusing exclusively on these controls, because on their own they will not get you through the audit: the audit is about the management system described in clauses 4 to 10, of which the controls are only one part. I agree. Do not rely exclusively on them; use them as a starting point.

 

  • 2013 edition:

    • 114 controls

    • Grouped in 14 control domains (e.g., A.5 Information Security Policies, A.6 Organization of Information Security, etc.).

    • Numbering is A.x.y.z.

  • 2022 edition:

    • 93 controls (reduced by consolidation, merging, and restructuring).

    • Grouped in 4 control themes:

      • Organizational (37 controls)

      • People (8 controls)

      • Physical (14 controls)

      • Technological (34 controls)

    • Numbering is A.5–A.8 only, reflecting the 4 control themes.

 

New Controls Introduced in 2022

ISO/IEC 27001:2022 introduced 11 new controls to address modern risks. Each covers a practice that the 2013 edition did not address explicitly.

I personally love this addition, because the standard is now in sync with the reality out there. I especially like A.8.28 Secure coding, which has been ignored for far too long, despite the evidence that a large share of major exploits trace back to code that did not follow secure coding standards.

  1. A.5.7 Threat Intelligence

    • Requires collection and analysis of threat intelligence.

    • Sources: security vendors, government advisories, industry ISACs, internal incident data.

    • Outcome: anticipate and defend against emerging attack methods.

  2. A.5.23 Information Security for Use of Cloud Services

    • Establishes rules for assessing and managing cloud providers.

    • Covers due diligence, contracts, data residency, shared responsibility.

    • Goal: ensure cloud adoption is secure and consistent.

  3. A.5.30 ICT Readiness for Business Continuity

    • Ensures IT and communications systems are resilient to disruptions.

    • Focus: backup, recovery testing, failover, disaster readiness.

    • Bridges ISMS with business continuity (ISO 22301).

  4. A.7.4 Physical Security Monitoring

    • Monitoring of physical facilities using CCTV, access logs, alarms, motion sensors.

    • Detects unauthorized access and environmental hazards.

    • Complements access restriction controls.

  5. A.8.9 Configuration Management

    • Requires baseline configurations for systems and software.

    • Covers patching, secure hardening, prevention of unauthorized changes.

    • Reduces risks from misconfigurations.

  6. A.8.10 Information Deletion

    • Secure and verified erasure of data when no longer needed.

    • Applies to disks, mobile devices, cloud storage, and backups.

    • Prevents data recovery by unauthorized parties.

  7. A.8.11 Data Masking

    • Techniques to obscure sensitive information.

    • Useful in non-production environments and analytics.

    • Supports privacy requirements (GDPR, HIPAA, etc.).

  8. A.8.12 Data Leakage Prevention (DLP)

    • Deployment of technical and procedural measures to prevent data leaks.

    • Examples: DLP software, email scanning, outbound traffic filtering.

    • Helps against insider threats and accidental data loss.

  9. A.8.16 Monitoring Activities

    • Expands on logging to include continuous monitoring of systems and networks.

    • Goal: real-time detection of anomalies and policy violations.

    • Supports SOC operations and incident response.

  10. A.8.23 Web Filtering

    • Restricts or blocks access to malicious or inappropriate websites.

    • Prevents phishing, malware, and unauthorized browsing.

    • Often implemented via secure DNS or proxy gateways.

  11. A.8.28 Secure Coding

    • Requires secure coding principles to be applied to software development.

    • Includes developer training, code review, automated scanning, use of vetted libraries.

    • Supports DevSecOps integration and early vulnerability prevention.

 

Merged Controls

Some 2013 controls were consolidated to reduce duplication:

  • Logging (A.12.4.1–A.12.4.3, 2013) merged into A.8.15 Logging (2022); clock synchronisation (A.12.4.4) became A.8.17. A.8.16 Monitoring activities is one of the 11 new controls, not the result of a merge.

  • Cryptographic controls (A.10.1.1 policy and A.10.1.2 key management, 2013) merged into the single control A.8.24 Use of cryptography (2022).

  • Access management controls (A.9.1.x, A.9.2.x and A.9.3.1, 2013) consolidated into A.5.15 Access control, A.5.16 Identity management, A.5.17 Authentication information and A.5.18 Access rights (2022); privileged access rights (A.9.2.3) went to A.8.2 in the Technological theme.

 

Removed / Reorganized Controls

No controls were truly eliminated; instead, they were rephrased, merged or moved to another theme.

  • Example: Removal of assets (A.11.2.5, 2013) no longer has a control of its own; its content was folded into A.7.10 Storage media (2022), together with the three removable-media controls A.8.3.1–A.8.3.3.

  • Example: Mobile device policy (A.6.2.1, 2013) became A.8.1 User endpoint devices in the Technological theme, and Teleworking (A.6.2.2, 2013) became A.6.7 Remote working in the People theme.

 

Attributes in Annex A (2022)

A new classification model (“attributes”) was introduced: each control is tagged with one or more values from each of five attribute categories.

Categories include:

  • Control type: Preventive, Detective, Corrective

  • Information security properties: Confidentiality, Integrity, Availability

  • Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover (aligned with the NIST CSF functions)

  • Operational capabilities: Governance, Asset management, Information protection, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Information security event management, etc. (15 values in total)

  • Security domains: Governance and Ecosystem, Protection, Defence, Resilience (these are not the four themes A.5–A.8: a control's theme is given by its number, its domain by this attribute)

Why Attributes Matter

Attributes enable flexible mapping to frameworks like NIST CSF, CIS Controls, and especially TISAX.

  • They make ISO 27001 more practical and flexible.

  • Help you cross-map ISO 27001 controls to:

    • NIST CSF (via cybersecurity concepts)

    • CIA triad (via security properties)

    • Defense-in-depth planning (via control type)

  • Useful for gap analysis: you can check whether your ISMS is too prevention-heavy and weak on detection or recovery.

  • Improve communication with stakeholders: executives, auditors, regulators, or IT operations can each view controls in the lens that matters most to them.

In simple words: Attributes are like tags in a library. They don’t change the book (control), but they let you find it faster depending on whether you search by topic, author, or year.
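The gap analysis mentioned above (is the ISMS prevention-heavy and thin on detection or recovery?) is a pure counting exercise over the attribute tags, so here it is as a small Python script. This is an added example, not code from the original post or from ISO. The attribute values in ATTRIBUTES are an illustrative subset written from memory; transcribe the real values from the attribute table in ISO/IEC 27002:2022 and your own SoA before relying on the result. The function names, the 15 % threshold and the two sample control sets are my own choices.

```python
"""Attribute-based gap analysis over an ISMS control set (added example).

The attribute values below are an ILLUSTRATIVE subset; take the real ones from
the attribute table in ISO/IEC 27002:2022 before trusting the output.
"""
from collections import Counter

CONTROL_TYPES = ("Preventive", "Detective", "Corrective")
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# control id -> (control types, cybersecurity concepts); illustrative subset
ATTRIBUTES = {
    "A.5.7":  ({"Preventive", "Detective", "Corrective"}, {"Identify", "Detect", "Respond"}),
    "A.5.30": ({"Corrective"}, {"Respond"}),
    "A.7.4":  ({"Preventive", "Detective"}, {"Protect", "Detect"}),
    "A.8.9":  ({"Preventive"}, {"Protect"}),
    "A.8.13": ({"Corrective"}, {"Recover"}),
    "A.8.15": ({"Detective"}, {"Detect"}),
    "A.8.16": ({"Detective", "Corrective"}, {"Detect", "Respond"}),
    "A.8.24": ({"Preventive"}, {"Protect"}),
    "A.8.28": ({"Preventive"}, {"Protect"}),
}


def coverage(applicable, attributes=ATTRIBUTES):
    """Count, over the applicable controls, how many carry each control type
    and each cybersecurity concept. A control tagged with several values is
    counted once under each of them, exactly as the attribute table does."""
    types, concepts = Counter(), Counter()
    for cid in applicable:
        ctl_types, ctl_concepts = attributes[cid]
        types.update(ctl_types)
        concepts.update(ctl_concepts)
    return types, concepts


def thin_lenses(applicable, attributes=ATTRIBUTES, min_share=0.15):
    """Return (thin control types, thin CSF functions): the values covered by
    fewer than min_share of the applicable controls. Those are the lenses in
    which the ISMS is weak and that deserve a risk-treatment discussion."""
    if not applicable:
        return list(CONTROL_TYPES), list(CSF_FUNCTIONS)
    types, concepts = coverage(applicable, attributes)
    n = len(applicable)
    thin_types = [t for t in CONTROL_TYPES if types[t] / n < min_share]
    thin_concepts = [f for f in CSF_FUNCTIONS if concepts[f] / n < min_share]
    return thin_types, thin_concepts


def report(applicable, attributes=ATTRIBUTES):
    """Human-readable summary, one line per attribute value."""
    types, concepts = coverage(applicable, attributes)
    lines = [f"{len(applicable)} applicable controls"]
    lines += [f"  control type {t:<10} {types[t]:>2}" for t in CONTROL_TYPES]
    lines += [f"  CSF function {f:<9} {concepts[f]:>2}" for f in CSF_FUNCTIONS]
    thin_t, thin_c = thin_lenses(applicable, attributes)
    lines.append(f"  thin: types={thin_t} functions={thin_c}")
    return "\n".join(lines)


# Constructed sample SoA: a "harden everything" ISMS with little response/recovery.
PREVENTION_HEAVY = ["A.7.4", "A.8.9", "A.8.15", "A.8.24", "A.8.28"]
# The same SoA after adding the backup, continuity and threat-intelligence controls.
BALANCED = PREVENTION_HEAVY + ["A.5.7", "A.5.30", "A.8.13", "A.8.16"]

if __name__ == "__main__":
    print(report(PREVENTION_HEAVY))
    print(report(BALANCED))
```

On the first sample the Corrective type and the Identify, Respond and Recover functions come out empty; on the second only Identify and Recover stay thin, which is the kind of finding you would take into the next risk-treatment review.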

Since TISAX is my favorite certification (ok, ok, it is a label, but bear with me here) I need to point to column P, “Reference to other standards”, where this category has been used several times.

Reference “3.1.10” in cell P50 of the ISA-VDA-6.0.3:

3 -> Cybersecurity Concept

1 -> Detect

10 -> Control Identifier

This is a mapping between control A.8.15 (Logging) and the NIST CSF cybersecurity concept Detect:

Identifier | Control_Code | Title
3.1.1      | A.7.X        | Employee event reporting
3.1.2      | A.7.X        | Information security event reporting
3.1.3      | A.5.24       | Information security incident planning/prep
3.1.4      | A.5.25       | Assessment & decision on info security events
3.1.5      | A.5.26       | Response to information security incidents
3.1.6      | A.5.27       | Learning from information security incidents
3.1.7      | A.7.4        | Physical security monitoring
3.1.8      | A.8.12       | Data leakage prevention
3.1.9      | A.8.16       | Monitoring activities
3.1.10     | A.8.15       | Logging

A.8.15 Logging -> mapping -> Cybersecurity Concept: Detect

This is useful for aligning ISO/IEC 27001 with NIST CSF, TISAX, ISA/IEC 62443, and others.

I think there is a lot more to write about them, perhaps in another article.

 

Summary

2013 Control (Domain) | 2022 Control (Theme) | Notes
A.5.1.1 Policies for information security | A.5.1 Policies for information security | Mostly unchanged
A.5.1.2 Review of the policies | A.5.1 Policies for information security | Merged
A.6.1.1 Information security roles and responsibilities | A.5.2 Information security roles and responsibilities | Direct
A.6.1.2 Segregation of duties | A.5.3 Segregation of duties | Direct
A.6.1.3 Contact with authorities | A.5.5 Contact with authorities | Direct
A.6.1.4 Contact with special interest groups | A.5.6 Contact with special interest groups | Direct
A.6.1.5 Information security in project management | A.5.8 Information security in project management | Merged with A.14.1.1
A.6.2.1 Mobile device policy | A.8.1 User endpoint devices (Technological) | Reorganized, merged with A.11.2.8
A.6.2.2 Teleworking | A.6.7 Remote working (People) | Direct
A.7.1.1 Screening | A.6.1 Screening | Direct
A.7.1.2 Terms and conditions of employment | A.6.2 Terms and conditions of employment | Direct
A.7.2.1 Management responsibilities | A.5.4 Management responsibilities (Organizational) | Direct
A.7.2.2 Information security awareness, education and training | A.6.3 Information security awareness, education and training | Direct
A.7.2.3 Disciplinary process | A.6.4 Disciplinary process | Direct
A.7.3.1 Termination or change of employment responsibilities | A.6.5 Responsibilities after termination or change of employment | Direct
A.8.1.1 Inventory of assets | A.5.9 Inventory of information and other associated assets | Direct
A.8.1.2 Ownership of assets | A.5.9 Inventory of information and other associated assets | Merged
A.8.1.3 Acceptable use of assets | A.5.10 Acceptable use of information and other associated assets | Direct
A.8.1.4 Return of assets | A.5.11 Return of assets | Direct
A.8.2.1 Classification of information | A.5.12 Classification of information | Direct
A.8.2.2 Labelling of information | A.5.13 Labelling of information | Direct
A.8.2.3 Handling of assets | A.5.10 Acceptable use of information and other associated assets | Merged
A.8.3.1–A.8.3.3 Media handling | A.7.10 Storage media (Physical) | Merged, together with A.11.2.5
A.9.1.1 Access control policy | A.5.15 Access control | Direct
A.9.1.2 Access to networks and network services | A.5.15 Access control | Merged
A.9.2.x User access management | A.5.16 Identity management, A.5.17 Authentication information, A.5.18 Access rights; A.9.2.3 became A.8.2 Privileged access rights | Consolidated
A.9.3.1 Use of secret authentication information | A.5.17 Authentication information | Merged
A.9.4.x System and application access control | A.8.3 Information access restriction, A.8.4 Access to source code, A.8.5 Secure authentication, A.8.18 Use of privileged utility programs | Reorganized
A.10.1.1 Policy on the use of cryptographic controls | A.8.24 Use of cryptography | Merged
A.10.1.2 Key management | A.8.24 Use of cryptography | Merged
A.11.x Physical and environmental security | A.7.1–A.7.14 (Physical) | Renumbered; A.11.2.8 went to A.8.1
A.12.1.x Operational procedures and responsibilities | A.5.37 Documented operating procedures, A.8.32 Change management, A.8.6 Capacity management, A.8.31 Separation of environments | Reorganized
A.12.2.1 Controls against malware | A.8.7 Protection against malware | Direct
A.12.3.1 Information backup | A.8.13 Information backup | Direct
A.12.4.1–A.12.4.3 Logging | A.8.15 Logging | Merged
A.12.4.4 Clock synchronisation | A.8.17 Clock synchronization | Direct
A.12.5.1 Installation of software on operational systems | A.8.19 Installation of software on operational systems | Merged with A.12.6.2
A.12.6.1 Management of technical vulnerabilities | A.8.8 Management of technical vulnerabilities | Direct
A.12.7.1 Information systems audit controls | A.8.34 Protection of information systems during audit testing | Direct
A.13.1.x Network security management | A.8.20 Networks security, A.8.21 Security of network services, A.8.22 Segregation of networks | Direct
A.13.2.1–A.13.2.3 Information transfer | A.5.14 Information transfer | Merged
A.13.2.4 Confidentiality or non-disclosure agreements | A.6.6 Confidentiality or non-disclosure agreements (People) | Direct
A.14.1.2–A.14.1.3 Securing application services | A.8.26 Application security requirements | Merged
A.14.2.1 Secure development policy | A.8.25 Secure development life cycle | Direct
A.14.2.5 Secure system engineering principles | A.8.27 Secure system architecture and engineering principles | Direct
A.14.2.x remaining development controls, A.14.3.1 Test data | A.8.29 Security testing in development and acceptance, A.8.30 Outsourced development, A.8.31, A.8.32, A.8.33 Test information | Reorganized
A.15.1.x Information security in supplier relationships | A.5.19–A.5.21 Supplier relationships and ICT supply chain | Direct
A.15.2.x Supplier service delivery management | A.5.22 Monitoring, review and change management of supplier services | Merged
A.16.1.x Information security incident management | A.5.24–A.5.28; A.16.1.2 and A.16.1.3 became A.6.8 Information security event reporting | Reorganized
A.17.1.x Information security continuity | A.5.29 Information security during disruption | Merged (A.5.30 ICT readiness is new)
A.17.2.1 Redundancies | A.8.14 Redundancy of information processing facilities | Direct
A.18.1.x Compliance with legal and contractual requirements | A.5.31 Legal, statutory, regulatory and contractual requirements, A.5.32 Intellectual property rights, A.5.33 Protection of records, A.5.34 Privacy and protection of PII | Direct
A.18.2.1 Independent review of information security | A.5.35 Independent review of information security | Direct
A.18.2.2–A.18.2.3 Compliance with policies / technical compliance review | A.5.36 Compliance with policies, rules and standards for information security | Merged
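For a re-audit against the 2022 edition the practical task behind this table is carrying an existing 2013-numbered Statement of Applicability over to 2022 numbering, which is what the following Python script does. It is an added example, not code from the original post or from ISO. MAPPING_2013_TO_2022 is only a subset of the correspondence in ISO/IEC 27002:2022 Annex B and must be completed from your copy of the standard; the sample SoA is constructed, and the function names are my own.

```python
"""Carry a 2013-numbered Statement of Applicability over to 2022 numbering.

Added example. MAPPING_2013_TO_2022 is a SUBSET of the correspondence in
ISO/IEC 27002:2022 Annex B; complete it before using the output for a re-audit.
"""

# 2013 control -> the 2022 control(s) that absorbed it (subset)
MAPPING_2013_TO_2022 = {
    "A.6.2.1": ("A.8.1",),      # Mobile device policy -> User endpoint devices
    "A.6.2.2": ("A.6.7",),      # Teleworking -> Remote working
    "A.8.1.1": ("A.5.9",),      # Inventory of assets
    "A.8.1.2": ("A.5.9",),      # Ownership of assets (merged into inventory)
    "A.8.3.1": ("A.7.10",),     # Removable media
    "A.8.3.2": ("A.7.10",),     # Disposal of media
    "A.8.3.3": ("A.7.10",),     # Physical media transfer
    "A.9.2.3": ("A.8.2",),      # Privileged access rights
    "A.10.1.1": ("A.8.24",),    # Policy on cryptographic controls
    "A.10.1.2": ("A.8.24",),    # Key management
    "A.12.4.1": ("A.8.15",),    # Event logging
    "A.12.4.2": ("A.8.15",),    # Protection of log information
    "A.12.4.3": ("A.8.15",),    # Administrator and operator logs
    "A.12.4.4": ("A.8.17",),    # Clock synchronisation
    "A.14.2.1": ("A.8.25",),    # Secure development policy
    "A.16.1.2": ("A.6.8",),     # Reporting information security events
    "A.16.1.3": ("A.6.8",),     # Reporting information security weaknesses
}

# The eleven controls new in 2022: no predecessor, so they cannot inherit a
# 2013 decision and must be assessed from scratch.
NEW_IN_2022 = frozenset({
    "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
    "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
})


def _blank_row():
    return {"applicable": None, "sources": [], "justifications": [],
            "conflict": False, "new_in_2022": False}


def migrate_soa(soa_2013, mapping=MAPPING_2013_TO_2022):
    """Return (soa_2022, unmapped).

    soa_2013: {2013 id: {"applicable": bool, "justification": str}}
    soa_2022: {2022 id: row}. A merged control is applicable if ANY predecessor
              was; 'conflict' is set when predecessors disagreed, so a human
              reconciles the justification instead of the script guessing.
    unmapped: 2013 ids absent from the mapping, i.e. rows still to be placed.
    """
    soa_2022, unmapped = {}, []
    for old_id, decision in soa_2013.items():
        targets = mapping.get(old_id)
        if not targets:
            unmapped.append(old_id)
            continue
        for new_id in targets:
            row = soa_2022.setdefault(new_id, _blank_row())
            prev = row["applicable"]
            if prev is not None and prev != decision["applicable"]:
                row["conflict"] = True
            row["applicable"] = bool(prev) or bool(decision["applicable"])
            row["sources"].append(old_id)
            if decision.get("justification"):
                row["justifications"].append(decision["justification"])
    for new_id in sorted(NEW_IN_2022):
        row = soa_2022.setdefault(new_id, _blank_row())
        row["new_in_2022"] = True
    return soa_2022, unmapped


def needs_review(soa_2022):
    """Ids an assessor must look at by hand: new controls and merge conflicts."""
    return sorted(cid for cid, row in soa_2022.items()
                  if row["new_in_2022"] or row["conflict"])


# Constructed sample; not any real organisation's SoA.
SAMPLE_SOA_2013 = {
    "A.10.1.1": {"applicable": True,  "justification": "TLS-only policy for all services"},
    "A.10.1.2": {"applicable": False, "justification": "No own key material, all SaaS"},
    "A.12.4.1": {"applicable": True,  "justification": "Central syslog"},
    "A.12.4.2": {"applicable": True,  "justification": "Append-only log bucket"},
    "A.12.4.3": {"applicable": True,  "justification": "Admin sessions recorded"},
    "A.6.2.2":  {"applicable": True,  "justification": "Remote-first company"},
    "A.11.2.5": {"applicable": True,  "justification": "Laptop sign-out register"},  # not in subset
}

if __name__ == "__main__":
    migrated, left = migrate_soa(SAMPLE_SOA_2013)
    for cid in sorted(migrated):
        print(cid, migrated[cid])
    print("unmapped:", left)
    print("needs review:", needs_review(migrated))
```

In the sample, A.10.1.1 (applicable) and A.10.1.2 (excluded) both land in A.8.24, so the script marks that row as a conflict rather than silently picking one justification; A.11.2.5 is reported as unmapped because the subset table does not contain it, and the 11 new controls appear as empty rows that the assessor must fill in.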

 

 

Conclusions

  • The shift from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 is less about reducing the number of controls and more about modernizing and simplifying them. While the 2013 version spread 114 controls across 14 domains, the 2022 edition organizes 93 controls into just four themes, which makes the standard easier to understand and apply.

  • The addition of 11 new controls shows how the standard has kept pace with today’s security challenges: cloud services, secure coding, threat intelligence, data leakage prevention, and stronger monitoring.

  • At the same time, many older controls were merged or rephrased, removing overlaps and making the framework more practical.

  • Perhaps the biggest improvement is the introduction of attributes. These tags let organizations view the controls through different lenses: confidentiality, integrity, availability, NIST CSF functions, or operational capabilities. That flexibility makes it much easier to map ISO 27001 to other frameworks and compliance requirements.

  • For organizations, the transition means more than just updating documentation. It is an opportunity to strengthen governance, align with modern practices, and close gaps in areas that were not well covered before, such as cloud and DevSecOps.

The post Comparing Annex A in ISO/IEC 27001:2013 vs. ISO/IEC 27001:2022 first appeared on Sorin Mustaca’s blog.

Annex A of ISO 27001:2022 explained and tips to prepare for an audit

In the previous article, ISO 27001:2022: chapter by chapter description, we wrote about ISO 27001:2022 and its Annex A.

Annex A of ISO 27001:2022 is a vital component of the standard, outlining a comprehensive set of controls that organizations can implement to mitigate information security risks effectively.

These controls cover a wide range of areas, including physical security, human resources, access control, and cryptography.

 

In this article, we go through each category of the Annex A controls, explore practical implementation strategies, and discuss auditing methodologies to ensure compliance and effectiveness.

This article only describes the categories and the strategies for implementation; the next articles will address each category and its controls in detail.

Understanding Annex A Controls

The 14 control domains listed below (A.5 to A.18) are the structure of Annex A in the 2013 edition. The 2022 edition regroups the same ground into four themes (see further down), but the 14 domains remain a convenient lens for walking through implementation and audit topics, so we use them here:

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development, and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Continuity
  14. Compliance

Each of these categories encompasses a set of controls designed to address specific aspects of information security management within an organization. These categories encompass policies, procedures, and technical and organizational measures designed to safeguard critical assets, prevent unauthorized access, and mitigate security threats.

 

The primary purpose of Annex A controls is to guide organizations in selecting appropriate security measures based on their specific context and identified risks. They are not mandatory requirements but serve as best practices for information security management.

Compared to the 2013 version, ISO 27001:2022 streamlines Annex A. The number of controls is reduced from 114 to 93, with 11 new additions reflecting evolving security threats.

The 2022 revision of ISO 27001 restructured Annex A into four themes: Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls) and Technological (A.8, 34 controls).

For the walk-through in this article we group the 14 domains of the 2013 numbering into four broader areas. Note that this grouping is ours and does not coincide with the four 2022 themes: for instance, in 2022 Physical is a theme of its own, whereas below Physical and Environmental Security sits under Technical Security.

Four Areas for the 14 Domains

1. Organizational Security

This category focuses on establishing the organizational framework and governance structure necessary to manage information security effectively. It encompasses policies, procedures, and responsibilities for safeguarding information assets and ensuring compliance with regulatory requirements.

Sub-Categories:

  • Information Security Policies (A.5)
  • Organization of Information Security (A.6)
  • Human Resource Security (A.7)
  • Asset Management (A.8)

2. Technical Security

This category addresses the technical aspects of information security, including access control, cryptography, and secure system development and maintenance. It involves implementing controls and measures to protect information assets from unauthorized access, alteration, or disclosure.

Sub-Categories:

  • Access Control (A.9)
  • Cryptography (A.10)
  • Physical and Environmental Security (A.11)
  • Operations Security (A.12)
  • Communications Security (A.13)
  • System Acquisition, Development, and Maintenance (A.14)

3. External Relationships

This category focuses on managing security risks associated with external relationships, such as third-party suppliers and service providers. It involves assessing and monitoring the security posture of external parties and establishing contractual agreements to ensure compliance and data protection.

Sub-Categories:

  • Supplier Relationships (A.15)

 

4. Incident Management and Continuity Planning

This category addresses preparedness and response to security incidents, as well as ensuring business continuity in the event of disruptions. It involves developing incident response plans, conducting drills, and implementing measures to minimize the impact of incidents on business operations.

Sub-Categories:

  • Information Security Incident Management (A.16)
  • Information Security Continuity (A.17)
  • Compliance (A.18)

By categorizing the controls into these main categories, organizations can better understand the holistic approach required to manage information security effectively. Each category addresses specific aspects of security management, ensuring comprehensive coverage and alignment with ISO 27001:2022 requirements.

 

Implementation in Practice

Implementing Annex A controls requires a systematic approach tailored to the organization’s unique needs and risk profile.

Organizations should start by conducting a gap analysis and a comprehensive risk assessment to identify vulnerabilities and prioritize control implementation.

Based on the assessment findings, organizations can develop action plans to address gaps and deploy appropriate controls across different layers of their information systems.

For example,

  • implementing access control measures may involve defining user roles and privileges, implementing authentication mechanisms, and enforcing least privilege principles.
  • deploying encryption controls may require selecting suitable encryption algorithms, managing encryption keys, and implementing secure transmission protocols.

While Annex A offers a rich library of controls, remember, it’s not a one-size-fits-all approach. Organizations should conduct a risk assessment to identify their specific vulnerabilities and choose the most relevant controls.

Remember:

  • Risk-Based Approach: Always prioritize controls that address the most significant information security risks identified in your organization.
  • Documentation: Document the implemented controls and how they address identified risks. This is crucial for audit purposes.
  • Continuous Improvement: Regularly review the effectiveness of your controls and update them as needed to adapt to evolving threats and organizational changes.

 

Summary of the 14 control domains (2013 numbering), with implementation and audit tips

 

1. Information Security Policies (A.5)

Implementation

Develop comprehensive policies outlining security objectives, roles, and responsibilities.

Audit

Review policy documents for completeness, relevance, and alignment with organizational goals. Assess the effectiveness of policy communication and awareness initiatives.

2. Organization of Information Security (A.6)

Implementation

Designate an information security officer and establish clear reporting lines. Develop procedures for risk management and incident response.

 

Audit

Evaluate the clarity of roles and responsibilities within the security hierarchy. Review documentation for consistency and effectiveness.

3. Human Resource Security (A.7)

Implementation

Conduct background checks during recruitment, provide security training, and define procedures for employee departures.

 

Audit

Verify the existence of background checks and training records. Review access controls and permissions to ensure alignment with job roles.

4. Asset Management (A.8)

Implementation

Conduct an inventory of assets, classify based on criticality, and implement procedures for handling, storing, and disposing of assets.

 

Audit

Verify the accuracy of the asset inventory, assess the effectiveness of controls for managing assets, and review compliance with data protection regulations.

5. Access Control (A.9)

Implementation

Define access control policies, implement authentication mechanisms, and enforce least privilege principles.

 

Audit

Review access control lists, test authentication mechanisms, and analyze access logs for unauthorized activities.

6. Cryptography (A.10)

Implementation

Identify cryptographic requirements, implement encryption algorithms, and manage encryption keys securely.

 

Audit

Review cryptographic policies, assess the strength of encryption algorithms, and verify the integrity of key management practices.

7. Physical and Environmental Security (A.11)

Implementation

Implement physical access controls, surveillance systems, and environmental controls.

Audit

Conduct site visits to assess physical security measures, review access logs, and verify compliance with environmental control standards.

8. Operations Security (A.12)

Implementation
Develop procedures for system backups, change management, and incident response.

 

Audit
Review operational procedures, assess the effectiveness of malware protection, and analyze incident response plans.

9. Communications Security (A.13)

Implementation
Secure communication channels, implement encryption protocols, and establish procedures for remote access.

 

Audit
Review network configurations, assess the strength of encryption protocols, and analyze network logs for suspicious activities.

10. System Acquisition, Development, and Maintenance (A.14)

Implementation
Define secure coding practices, conduct security assessments, and implement change management procedures.

 

Audit
Review software development policies, assess code review and testing processes, and analyze change management records.

11. Supplier Relationships (A.15)

Implementation
Assess supplier security posture, establish contractual agreements, and monitor supplier performance.

 

Audit
Review supplier contracts, assess supplier assessment processes, and verify compliance with contractual security requirements.

12. Information Security Incident Management (A.16)

Implementation
Develop an incident response plan, define roles and responsibilities, and conduct regular drills.

 

Audit
Review the incident response plan, assess incident detection and response procedures, and analyze incident reports.

13. Information Security Continuity (A.17)

Implementation
Develop a business continuity plan, implement backup and recovery procedures, and conduct regular tests.

 

Audit
Review the business continuity plan, assess backup and recovery procedures, and analyze test results.

14. Compliance (A.18)

Implementation
Identify applicable regulations, develop policies and procedures, and conduct regular audits.

 

Audit
Review compliance documentation, assess compliance monitoring processes, and verify compliance with regulatory requirements.

Next article:

We analyze each of the categories of the Annex A ISO 27001:2022.

The post Annex A of ISO 27001:2022 explained and tips to prepare for an audit first appeared on Sorin Mustaca on Cybersecurity.