Annex A of ISO 27001:2022 explained and tips to prepare for an audit

In the previous article, ISO 27001:2022: chapter by chapter description, we introduced Annex A of ISO 27001:2022.

Annex A of ISO 27001:2022 is a vital component of the standard, outlining a comprehensive set of controls that organizations can implement to mitigate information security risks effectively.

These controls cover a wide range of areas, including physical security, human resources, access control, and cryptography.


In this article, we walk through each category of the Annex A controls, look at practical implementation strategies, and discuss how auditors check that the controls are in place and effective.

This article describes only the categories and the overall implementation strategy; the following articles will cover each category and its controls in detail.

Understanding Annex A Controls

Annex A of ISO 27001:2022 groups its 93 controls into four themes: organizational controls (A.5, 37 controls), people controls (A.6, 8 controls), physical controls (A.7, 14 controls) and technological controls (A.8, 34 controls). The 14 control categories below, numbered A.5 to A.18, are the domains of the 2013 edition. They are still worth knowing because most existing ISMS documentation, audit checklists and 2013-to-2022 mapping tables are organised around them, and every one of them maps onto controls in the 2022 themes:

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development, and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Information Security Continuity
  14. Compliance

Each category groups a set of controls, covering policies, procedures and technical and organizational measures, that together safeguard critical assets, prevent unauthorized access and mitigate security threats.


The primary purpose of Annex A is to give organizations a reference set of controls against which to check the controls they have chosen based on their own context and the risks they have identified. No single Annex A control is mandatory, but clause 6.1.3 requires the organization to compare its chosen controls with Annex A to make sure nothing necessary has been overlooked, and to record the outcome in a Statement of Applicability (SoA) that lists every Annex A control with a justification for including or excluding it and whether it is implemented. Auditors work from the SoA, so excluding a control is acceptable as long as the justification holds up.

Compared to the 2013 version, ISO 27001:2022 streamlines Annex A. The number of controls is reduced from 114 to 93: 11 controls are new (for example threat intelligence, information security for use of cloud services, configuration management, data masking, data leakage prevention, monitoring activities, web filtering and secure coding), 24 result from merging 57 of the 2013 controls, and the remaining 58 were updated. ISO 27002:2022 also tags every control with attributes (control type, information security property, cybersecurity concept, operational capability and security domain), which makes it easier to filter the control set for a particular purpose, such as listing all detective controls.

The 2022 revision of ISO 27001 restructured Annex A into the four themes named above. Independently of that, the 14 legacy categories can be read in four thematic groups, which is how we organise the rest of this article. The A.x numbers in the groups below are the 2013 references, not the 2022 theme numbers:

Thematic grouping of the 14 control categories

1. Organizational Security

This category focuses on establishing the organizational framework and governance structure necessary to manage information security effectively. It encompasses policies, procedures, and responsibilities for safeguarding information assets and ensuring compliance with regulatory requirements.


  • Information Security Policies (A.5)
  • Organization of Information Security (A.6)
  • Human Resource Security (A.7)
  • Asset Management (A.8)

2. Technical Security

This category addresses the technical aspects of information security, including access control, cryptography, and secure system development and maintenance. It involves implementing controls and measures to protect information assets from unauthorized access, alteration, or disclosure.


  • Access Control (A.9)
  • Cryptography (A.10)
  • Physical and Environmental Security (A.11)
  • Operations Security (A.12)
  • Communications Security (A.13)
  • System Acquisition, Development, and Maintenance (A.14)

3. External Relationships

This category focuses on managing security risks associated with external relationships, such as third-party suppliers and service providers. It involves assessing and monitoring the security posture of external parties and establishing contractual agreements to ensure compliance and data protection.


  • Supplier Relationships (A.15)


4. Incident Management and Continuity Planning

This category addresses preparedness and response to security incidents, as well as ensuring business continuity in the event of disruptions. It involves developing incident response plans, conducting drills, and implementing measures to minimize the impact of incidents on business operations.


  • Information Security Incident Management (A.16)
  • Information Security Continuity (A.17)
  • Compliance (A.18)

Reading the controls in these groups helps to see the holistic approach that information security management requires. Keep in mind that the groups are a reading aid: the Statement of Applicability, the internal audit and the certification audit are organised by the 2022 control numbers, so keep a mapping from each legacy category to its 2022 controls at hand.


Implementation in Practice

Implementing Annex A controls requires a systematic approach tailored to the organization’s unique needs and risk profile.

Organizations should start by conducting a gap analysis and a comprehensive risk assessment to identify vulnerabilities and prioritize control implementation.

Based on the assessment findings, organizations can develop action plans to address gaps and deploy appropriate controls across different layers of their information systems.

For example,

  • implementing access control measures may involve defining user roles and privileges, implementing authentication mechanisms, and enforcing least privilege principles.
  • deploying encryption controls may require selecting suitable encryption algorithms, managing encryption keys, and implementing secure transmission protocols.

While Annex A offers a rich library of controls, it is not a one-size-fits-all checklist. Use the risk assessment to decide which controls treat your organization's actual risks, and record that decision, including the reasons for leaving a control out, in the Statement of Applicability.


  • Risk-Based Approach: Always prioritize controls that address the most significant information security risks identified in your organization.
  • Documentation: Document the implemented controls, how they address the identified risks, and why any Annex A control was excluded. This becomes the Statement of Applicability and the evidence trail the auditor will follow.
  • Continuous Improvement: Regularly review the effectiveness of your controls and update them as needed to adapt to evolving threats and organizational changes.


Summary of the 14 control categories (2013 numbering) with implementation and audit tips

For each category, the first paragraph is what to put in place and the second is what an auditor will typically ask to see. The 2022 control numbers in brackets show where the category's controls now live.

1. Information Security Policies (A.5; 2022: A.5.1)

Implementation: Develop a top-level information security policy and the topic-specific policies under it, stating security objectives, roles and responsibilities, and have management approve and publish them.

Audit check: Review policy documents for completeness, relevance, approval and alignment with organizational goals. Check that the policies are communicated, that staff can find them and that awareness initiatives are effective.

2. Organization of Information Security (A.6; 2022: mainly A.5.2 to A.5.8)

Implementation: Designate an information security officer (often the CISO) with clear reporting lines, define segregation of duties, and develop procedures for risk management and incident response, including contact with authorities and special interest groups.

Audit check: Evaluate the clarity of roles and responsibilities within the security hierarchy. Review documentation for consistency and effectiveness, and ask for evidence that the roles are actually exercised (meeting minutes, risk review records).

3. Human Resource Security (A.7; 2022: A.6 People controls)

Implementation: Conduct background checks during recruitment, include security terms in employment contracts, provide security awareness training, apply a disciplinary process, and define joiner, mover and leaver procedures so that access is adjusted or removed when roles change or employment ends.

Audit check: Verify the existence of background checks and training records. Reconcile the HR roster with active accounts and permissions to confirm that access matches current job roles and that leavers no longer have access.

4. Asset Management (A.8; 2022: A.5.9 to A.5.14, A.7.10, A.7.14)

Implementation: Maintain an inventory of information and associated assets with named owners, classify them by criticality and sensitivity, and implement procedures for acceptable use, handling, storage, transfer and secure disposal.

Audit check: Verify the accuracy of the asset inventory by sampling assets and tracing them to the register (and back), assess the effectiveness of the handling and disposal controls, and review compliance with data protection regulations.

5. Access Control (A.9; 2022: A.5.15 to A.5.18, A.8.2 to A.8.5)

Implementation: Define an access control policy, manage identities and authentication information, provision access rights through defined roles, implement strong authentication, and enforce least privilege, especially for privileged accounts.

Audit check: Review access control lists and role definitions against the policy, test authentication mechanisms, sample user accounts for excess permissions, and analyze access logs for unauthorized activity.

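The access-review steps described above for Human Resource Security (leaver procedures, permissions aligned with job roles) and Access Control (roles and privileges, least privilege, analysing access logs) can be turned into a repeatable check that produces audit evidence on demand. The following Python script is an added example written for this article, not code from the standard, the page author or any vendor; the role matrix, HR roster, account export, log lines and review date are constructed sample data, and their field layout is an assumption, so adapt the loaders to your own identity provider and log format.

```python
"""Access review helper (added example): reconcile an HR roster, an identity
provider account export and an access log against a role-based permission
matrix.  Every record below is constructed sample data; the column layout of
the log and the export format are assumptions for the example."""
from datetime import date

# Least-privilege baseline: the permissions each role is allowed to hold.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
    "finance": {"ledger:read", "ledger:write"},
}

# HR roster: employee id -> (role, termination date or None).  Constructed.
HR_ROSTER = {
    "e100": ("developer", None),
    "e101": ("support", None),
    "e102": ("finance", date(2024, 3, 31)),  # left the company at end of March
}

# Account export: username -> (employee id or None, enabled, granted permissions).  Constructed.
ACCOUNTS = {
    "alice": ("e100", True, {"repo:read", "repo:write", "ci:run"}),
    "bob": ("e101", True, {"tickets:read", "tickets:write", "customer:read", "ledger:read"}),
    "carol": ("e102", True, {"ledger:read", "ledger:write"}),
    "svc-deploy": (None, True, {"repo:read", "ci:run"}),  # service account with no HR owner
}

# Access log, one "date user permission result" record per line.  Constructed.
ACCESS_LOG = """\
2024-04-02 alice repo:write ALLOW
2024-04-02 bob ledger:read ALLOW
2024-04-03 carol ledger:write ALLOW
2024-04-03 alice ledger:read DENY
"""

REVIEW_DATE = date(2024, 4, 30)  # date on which the access review is performed


def review_accounts(roster, accounts, as_of):
    """Return (username, issue) pairs: accounts without an HR owner, accounts
    still enabled after the employee's termination date, and permissions that
    exceed the holder's role."""
    findings = []
    for user, (emp, enabled, perms) in accounts.items():
        if emp is None:
            findings.append((user, "no owner in HR roster"))
            continue
        role, left = roster[emp]
        if enabled and left is not None and left < as_of:
            findings.append((user, f"account still enabled after termination on {left}"))
        excess = perms - ROLE_PERMISSIONS[role]
        if excess:
            findings.append((user, f"permissions beyond role '{role}': {sorted(excess)}"))
    return findings


def review_log(log_text, roster, accounts):
    """Return (date, user, permission, issue) for ALLOWed actions that the
    user's role does not cover or that happened after termination.  DENY
    records show the control working, so they are not findings here."""
    findings = []
    for line in log_text.splitlines():
        day, user, perm, result = line.split()
        if result != "ALLOW":
            continue
        emp, _enabled, _perms = accounts[user]
        if emp is None:
            findings.append((day, user, perm, "activity by unowned account"))
            continue
        role, left = roster[emp]
        if left is not None and date.fromisoformat(day) > left:
            findings.append((day, user, perm, "activity after termination"))
        elif perm not in ROLE_PERMISSIONS[role]:
            findings.append((day, user, perm, f"outside role '{role}'"))
    return findings


def run_review():
    """Run both checks on the sample data; the output is the kind of evidence
    an auditor asks for when sampling access control and leaver procedures."""
    return {
        "accounts": review_accounts(HR_ROSTER, ACCOUNTS, REVIEW_DATE),
        "log": review_log(ACCESS_LOG, HR_ROSTER, ACCOUNTS),
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section)
        for item in items:
            print("  ", *item)
```

On the sample data the account review flags bob (a permission outside the support role), carol (account still enabled a month after leaving) and svc-deploy (no owner), and the log review shows that two of those gaps were actually used. Keeping the dated output of such a run is what turns "we do access reviews" into evidence.
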
6. Cryptography (A.10; 2022: A.8.24 Use of cryptography)

Implementation: Identify where cryptography is required (data at rest, data in transit, signatures), set a policy that names approved algorithms, key lengths and protocol versions, implement it in systems, and manage keys securely across their whole life cycle (generation, storage, rotation, revocation, destruction).

Audit check: Review the cryptographic policy, verify that deployed algorithms and protocol versions match it (configuration evidence, not just policy text), and verify key management practices, including who can access keys and when they were last rotated.

7. Physical and Environmental Security (A.11; 2022: A.7 Physical controls)

Implementation: Implement physical access controls and entry procedures, surveillance and physical security monitoring, clear desk and clear screen rules, and environmental controls (power, fire, water, temperature) for equipment.

Audit check: Conduct site visits to assess physical security measures, review visitor and access logs, and verify that environmental controls are maintained and tested.

8. Operations Security (A.12; 2022: mainly A.8.7, A.8.8, A.8.13, A.8.15, A.8.16, A.8.32)

Implementation: Develop documented operating procedures for system backups, change management, capacity management, malware protection, technical vulnerability management, and logging and monitoring.

Audit check: Review operational procedures, assess the effectiveness of malware protection and patching, check that backups exist and have been restored successfully in a test, and confirm that logs are retained, protected and reviewed.

9. Communications Security (A.13; 2022: A.8.20 to A.8.22, A.5.14)

Implementation: Secure and segregate networks, protect data in transit with current encryption protocols, control the network services in use, and establish procedures and agreements for information transfer and remote access.

Audit check: Review network configurations and segregation, verify the strength of the protocols and cipher configurations actually deployed, and analyze network logs for suspicious activity.

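The audit checks for Cryptography (A.10) and Communications Security (A.13) above, and the encryption example earlier in the article, come down to the same question: does the configuration that is actually deployed match the written cryptographic policy? The Python script below is an added example for this article, not code from the standard, the page author or nginx. It parses the ssl_* directives of an nginx-style server block and compares them with a small policy (deprecated protocol versions, weak cipher tokens); the two configuration snippets and the policy lists are constructed for the example, and a real review should also cover key sizes and certificate validity, which this snippet does not check.

```python
"""TLS configuration review (added example): parse the ssl_* directives of an
nginx-style server block and compare them with a written cryptographic policy.
The policy sets and both configuration snippets are constructed for the
example; the weak/hardened pair shows what the check should and should not flag."""

# Protocol versions the policy no longer allows.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string tokens that indicate a null, anonymous, export-grade or broken algorithm.
WEAK_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH"}

# Constructed snippet with the settings a reviewer should flag.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384;
    # TODO: review cipher list
}
"""

# Constructed snippet that satisfies the policy encoded above.
HARDENED_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
"""


def parse_directives(config_text):
    """Return {directive: [arguments]} for the uncommented simple directives in
    the snippet; block openers and closers are skipped and comments stripped."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, rest = line.rstrip(";").partition(" ")
        directives[name] = rest.split()
    return directives


def cipher_is_weak(entry):
    """True if a cipher-string entry (e.g. 'RC4-SHA', 'HIGH', '!aNULL') permits a
    weak algorithm.  Entries prefixed with '!' remove suites and are never findings."""
    if entry.startswith("!"):
        return False
    token = entry.lstrip("+-")
    parts = set(token.replace("_", "-").split("-"))
    return token in WEAK_TOKENS or bool(parts & WEAK_TOKENS)


def audit_tls(config_text):
    """Return a list of policy findings for the snippet; an empty list means the
    configuration matches the policy encoded above."""
    d = parse_directives(config_text)
    findings = []
    if "ssl_protocols" not in d:
        findings.append("ssl_protocols not set explicitly; the build's default applies")
    protocols = set(d.get("ssl_protocols", []))
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")
    if protocols and not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no current protocol version (TLSv1.2 or TLSv1.3) enabled")
    cipher_string = " ".join(d.get("ssl_ciphers", [])).strip("'\"")
    for entry in filter(None, cipher_string.split(":")):
        if cipher_is_weak(entry):
            findings.append(f"weak cipher or keyword permitted: {entry}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls(cfg) or "no findings")
```

The same approach works for other services (sshd Ciphers and KexAlgorithms, database TLS settings) once the directive parser is adapted; the point for the audit is that the policy lists live in code next to the check, so the reviewer can show exactly which rule each finding came from.
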
10. System Acquisition, Development, and Maintenance (A.14; 2022: A.8.25 to A.8.33)

Implementation: Define security requirements for new and changed systems, adopt a secure development life cycle with secure coding practices, separate development, test and production environments, conduct security testing before acceptance, and put changes through change management.

Audit check: Review software development policies, assess code review and security testing processes with sample evidence (review comments, scanner output, test reports), and analyze change management records for changes that bypassed the process.

11. Supplier Relationships (A.15; 2022: A.5.19 to A.5.22, plus the new A.5.23 for cloud services)

Implementation: Assess supplier security posture before onboarding, write security requirements into contracts, cover the ICT supply chain and cloud services explicitly, and monitor and review supplier performance and changes to their services.

Audit check: Review supplier contracts for security clauses, examine the supplier assessment and onboarding process, and verify that compliance with contractual security requirements is actually monitored.

12. Information Security Incident Management (A.16; 2022: A.5.24 to A.5.28)

Implementation: Develop an incident response plan, define roles, responsibilities and reporting channels, set criteria for assessing and classifying events, preserve evidence, and conduct regular drills and lessons-learned reviews.

Audit check: Review the incident response plan, assess detection, reporting and response procedures, and analyze incident reports and post-incident reviews for evidence that the process is followed and improved.

13. Information Security Continuity (A.17; 2022: A.5.29, A.5.30, A.8.14)

Implementation: Develop a business continuity plan that covers information security during disruption, define ICT readiness requirements (recovery time and recovery point objectives), implement backup, redundancy and recovery procedures, and test them regularly.

Audit check: Review the business continuity plan, assess backup and recovery procedures against the agreed objectives, and analyze the results of restore and failover tests.

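The backup and restore-test steps called for under Operations Security (A.12) and Information Security Continuity (A.17) above are worth automating, because a backup that has never been restored is not evidence. The Python script below is an added example written for this article, not the page author's or any vendor's code; the data set, the manifest format and the one-day recovery point objective are assumptions. The restore deliberately rejects archive members with absolute or parent-relative paths, which is the usual pitfall when extracting an archive you did not just create.

```python
"""Backup restore drill with integrity verification (added example).  Builds a
backup of a small constructed data set, stores a SHA-256 manifest inside the
archive, restores into a clean directory, verifies every file against the
manifest and checks the backup's age against the agreed recovery point
objective.  The files, manifest layout and RPO are assumptions for the example."""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 24 * 3600  # assumed recovery point objective: one day
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir as a gzipped tar and embed a manifest mapping each
    relative file path to its SHA-256; returns the manifest."""
    source_dir = Path(source_dir)
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive's regular files into restore_dir, refusing absolute
    or parent-relative member names (path traversal), and return the manifest."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        manifest = json.load(tar.extractfile(MANIFEST_NAME))
        for member in tar.getmembers():
            if member.name == MANIFEST_NAME or not member.isfile():
                continue
            rel = Path(member.name)
            if rel.is_absolute() or ".." in rel.parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
            target = restore_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return manifest


def verify_restored(manifest, restore_dir):
    """Compare each manifest entry with the restored copy; return the problems."""
    problems = []
    for rel, expected in manifest.items():
        p = Path(restore_dir) / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_restore_test(now=None, tamper=False):
    """End-to-end drill on constructed data.  With tamper=True one restored file
    is altered before verification to show that silent corruption is caught."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        src, archive, dst = Path(tmp, "data"), Path(tmp, "backup.tgz"), Path(tmp, "restore")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,example\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        make_backup(src, archive)
        manifest = restore(archive, dst)
        if tamper:
            (dst / "config.yaml").write_text("retention_days: 7\n")
        problems = verify_restored(manifest, dst)
        age = now - archive.stat().st_mtime
        return {"files": len(manifest), "problems": problems, "within_rpo": age <= RPO_SECONDS}


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper=True))
```

Run on a schedule against a real backup set, the returned report (file count, problems, RPO status) with a timestamp is exactly the restore-test record an auditor asks for under A.12 and A.17; the tamper run demonstrates that the check is not a no-op.
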
14. Compliance (A.18; 2022: mainly A.5.31 to A.5.36)

Implementation: Identify applicable legal, statutory, regulatory and contractual requirements (including intellectual property, protection of records and privacy), develop policies and procedures to meet them, arrange independent reviews of the ISMS, and check compliance with internal policies and technical standards.

Audit check: Review the register of requirements and the compliance documentation, assess the compliance monitoring process, and verify through samples that regulatory and contractual requirements are actually met.

Next article:

We analyze each of the categories of ISO 27001:2022 Annex A and its controls in detail.

The post Annex A of ISO 27001:2022 explained and tips to prepare for an audit first appeared on Sorin Mustaca on Cybersecurity.