Key Takeaways
| Point | Summary |
|---|---|
| Total controls | 93 controls in ISO 27001:2022 Annex A (down from 114 in the 2013 version) |
| 4 themes | Organizational (37), People (8), Physical (14), Technological (34) |
| New in 2022 | 11 new controls, including threat intelligence, cloud services, data masking and data leakage prevention |
| Statement of Applicability | Must justify the inclusion or exclusion of every control |
| Not all must be implemented | Select controls based on your risk assessment; justify every exclusion |
Quick Answer: ISO 27001:2022 Annex A lists 93 controls in 4 themes. You must consider every control and record in the Statement of Applicability (SoA) which ones apply, whether they are implemented, and why any are excluded. Selection is driven by your risk assessment, not by a checklist.
Annex A Overview
Structure Changes in 2022
The 2022 version reorganized controls from 14 domains to 4 themes:
| Version | Structure |
|---|---|
| ISO 27001:2013 | 114 controls in 14 domains (A.5-A.18) |
| ISO 27001:2022 | 93 controls in 4 themes (A.5-A.8) |
The Four Themes
ISO 27001:2022 Annex A Structure (93 Total Controls):
1. Organizational (37):
- Policies, roles, asset management
- Access control, vendor management
2. People (8):
- Screening, awareness, responsibilities
- Remote working
3. Physical (14):
- Perimeters, equipment, secure areas
- Working in secure areas
4. Technological (34):
- Endpoints, access, networks, applications
- Data protection, monitoring
New Controls in 2022
11 new controls were added:
| Control | Theme | Description |
|---|---|---|
| 5.7 | Organizational | Threat intelligence |
| 5.23 | Organizational | Information security for use of cloud services |
| 5.30 | Organizational | ICT readiness for business continuity |
| 7.4 | Physical | Physical security monitoring |
| 8.9 | Technological | Configuration management |
| 8.10 | Technological | Information deletion |
| 8.11 | Technological | Data masking |
| 8.12 | Technological | Data leakage prevention |
| 8.16 | Technological | Monitoring activities |
| 8.23 | Technological | Web filtering |
| 8.28 | Technological | Secure coding |
The other 82 controls carry over from 2013: 58 are largely unchanged apart from renumbering, and 24 are merges of 57 former controls.
Organizational Controls (A.5.1-A.5.37)
Policies and Governance (5.1-5.8)
| Control | Title | Purpose |
|---|---|---|
| 5.1 | Policies for information security | Establish management direction |
| 5.2 | Information security roles and responsibilities | Define and allocate responsibilities |
| 5.3 | Segregation of duties | Prevent conflicts of interest and single-person control of critical tasks |
| 5.4 | Management responsibilities | Ensure personnel apply policies and procedures |
| 5.5 | Contact with authorities | Maintain contacts with regulators and law enforcement |
| 5.6 | Contact with special interest groups | Stay informed on threats and good practice |
| 5.7 | Threat intelligence | Collect and analyze threat information |
| 5.8 | Information security in project management | Integrate security into projects |
Asset Management (5.9-5.14)
| Control | Title | Purpose |
|---|---|---|
| 5.9 | Inventory of information and other associated assets | Know what you have and who owns it |
| 5.10 | Acceptable use of information and other associated assets | Define proper usage |
| 5.11 | Return of assets | Recover assets on termination or change of role |
| 5.12 | Classification of information | Categorize data by sensitivity |
| 5.13 | Labelling of information | Mark information according to its classification |
| 5.14 | Information transfer | Secure data in transit, whether electronic, physical or verbal |
Access Control (5.15-5.18)
| Control | Title | Purpose |
|---|---|---|
| 5.15 | Access control | Limit access to authorized users |
| 5.16 | Identity management | Manage the full identity lifecycle |
| 5.17 | Authentication information | Secure passwords, keys and other authentication secrets |
| 5.18 | Access rights | Provision, review and revoke access privileges |
Vendor Management (5.19-5.23)
| Control | Title | Purpose |
|---|---|---|
| 5.19 | Information security in supplier relationships | Address security with suppliers |
| 5.20 | Addressing information security within supplier agreements | Contract requirements |
| 5.21 | Managing information security in the ICT supply chain | Supply chain security |
| 5.22 | Monitoring, review and change management of supplier services | Ongoing oversight |
| 5.23 | Information security for use of cloud services | Acquisition, use, management and exit for cloud services |
Incident Management (5.24-5.28)
| Control | Title | Purpose |
|---|---|---|
| 5.24 | Information security incident management planning and preparation | Prepare for incidents |
| 5.25 | Assessment and decision on information security events | Decide whether an event is an incident |
| 5.26 | Response to information security incidents | Handle incidents according to documented procedures |
| 5.27 | Learning from information security incidents | Improve controls from experience |
| 5.28 | Collection of evidence | Preserve evidence in a form that remains admissible |
Business Continuity and Compliance (5.29-5.37)
| Control | Title | Purpose |
|---|---|---|
| 5.29 | Information security during disruption | Maintain security in crises |
| 5.30 | ICT readiness for business continuity | IT recovery capabilities |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Identify and meet legal and contractual requirements |
| 5.32 | Intellectual property rights | Protect IP and respect licensing |
| 5.33 | Protection of records | Protect records from loss, falsification and unauthorized access |
| 5.34 | Privacy and protection of PII | Protect personal data |
| 5.35 | Independent review of information security | Independent (internal audit or external) assessment |
| 5.36 | Compliance with policies, rules and standards for information security | Ensure policy adherence |
| 5.37 | Documented operating procedures | Document operations |
People Controls (A.6.1-A.6.8)
Human Resource Security
| Control | Title | Purpose | Key Requirements |
|---|---|---|---|
| 6.1 | Screening | Verify backgrounds | Background checks proportionate to the role |
| 6.2 | Terms and conditions of employment | Security in contracts | Include security obligations |
| 6.3 | Information security awareness, education and training | Build security knowledge | Regular training programs |
| 6.4 | Disciplinary process | Address violations | Formal disciplinary procedure |
| 6.5 | Responsibilities after termination or change of employment | Ongoing obligations | Duties that survive termination |
| 6.6 | Confidentiality or non-disclosure agreements | Protect information | NDAs for sensitive access |
| 6.7 | Remote working | Secure remote access | Remote work security measures |
| 6.8 | Information security event reporting | Enable reporting | Incident reporting mechanism |
Physical Controls (A.7.1-A.7.14)
Physical Security
| Control | Title | Purpose |
|---|---|---|
| 7.1 | Physical security perimeters | Define secure boundaries |
| 7.2 | Physical entry | Control access to facilities |
| 7.3 | Securing offices, rooms and facilities | Protect work areas |
| 7.4 | Physical security monitoring | Detect unauthorized physical access |
| 7.5 | Protecting against physical and environmental threats | Fire, flood, power and other environmental threats |
| 7.6 | Working in secure areas | Secure area procedures |
| 7.7 | Clear desk and clear screen | Prevent information exposure |
| 7.8 | Equipment siting and protection | Secure equipment placement |
| 7.9 | Security of assets off-premises | Protect mobile and off-site equipment |
| 7.10 | Storage media | Manage media through its lifecycle |
| 7.11 | Supporting utilities | Power, cooling, etc. |
| 7.12 | Cabling security | Protect power and network cabling |
| 7.13 | Equipment maintenance | Maintain securely |
| 7.14 | Secure disposal or re-use of equipment | Prevent data leakage from retired equipment |
Technological Controls (A.8.1-A.8.34)
Endpoint, Access and Vulnerability Controls (8.1-8.8)
| Control | Title | Purpose |
|---|---|---|
| 8.1 | User endpoint devices | Secure end-user devices |
| 8.2 | Privileged access rights | Control elevated privileges |
| 8.3 | Information access restriction | Limit data access |
| 8.4 | Access to source code | Protect source code and development tools |
| 8.5 | Secure authentication | Strong authentication, including MFA where risk warrants |
| 8.6 | Capacity management | Ensure adequate capacity |
| 8.7 | Protection against malware | Malware defenses |
| 8.8 | Management of technical vulnerabilities | Vulnerability management |
Configuration and Data Protection (8.9-8.14)
| Control | Title | Purpose |
|---|---|---|
| 8.9 | Configuration management | Control configurations |
| 8.10 | Information deletion | Delete data when required |
| 8.11 | Data masking | Protect sensitive data |
| 8.12 | Data leakage prevention | Prevent unauthorized disclosure |
| 8.13 | Information backup | Enable recovery |
| 8.14 | Redundancy of information processing facilities | High availability |
Logging and Monitoring (8.15-8.17)
| Control | Title | Purpose |
|---|---|---|
| 8.15 | Logging | Record security events |
| 8.16 | Monitoring activities | Active security monitoring |
| 8.17 | Clock synchronization | Accurate timestamps |
System Hardening and Networks (8.18-8.22)
| Control | Title | Purpose |
|---|---|---|
| 8.18 | Use of privileged utility programs | Control powerful utilities |
| 8.19 | Installation of software on operational systems | Control software installation |
| 8.20 | Networks security | Secure network infrastructure |
| 8.21 | Security of network services | Secure network services |
| 8.22 | Segregation of networks | Network segmentation |
Cryptography and Application Security (8.23-8.28)
| Control | Title | Purpose |
|---|---|---|
| 8.23 | Web filtering | Control access to external websites |
| 8.24 | Use of cryptography | Rules for cryptography, including key management |
| 8.25 | Secure development life cycle | Security in SDLC |
| 8.26 | Application security requirements | Define security requirements |
| 8.27 | Secure system architecture and engineering principles | Security by design |
| 8.28 | Secure coding | Prevent code vulnerabilities |
Development and Testing (8.29-8.34)
| Control | Title | Purpose |
|---|---|---|
| 8.29 | Security testing in development and acceptance | Test security |
| 8.30 | Outsourced development | Third-party development security |
| 8.31 | Separation of development, test and production environments | Environment separation |
| 8.32 | Change management | Control changes |
| 8.33 | Test information | Protect test data |
| 8.34 | Protection of information systems during audit testing | Secure audit tests |
Control Selection Process
Step 1: Conduct Risk Assessment
Identify the risks that need treatment and the controls that treat them (the mapping below is illustrative, not exhaustive):
Risk to Control Mapping:
- Unauthorized access → Controls: 5.15, 5.16, 8.2, 8.5
- Malware infection → Controls: 8.7, 8.1, 6.3
- Data breach → Controls: 8.12, 8.24, 5.12
- Insider threat → Controls: 6.1, 5.3, 8.15
- Supply chain compromise → Controls: 5.19-5.22, 8.30
Step 2: Evaluate Annex A Controls
For each control, determine:
| Question | Options |
|---|---|
| Is it applicable? | Yes / No |
| If yes, is it implemented? | Full / Partial / Not yet |
| If no, what's the justification? | Document reason |
Step 3: Create Statement of Applicability (SoA)
Document all 93 controls with:
- Applicability status
- Implementation status
- Justification for inclusion (the risk or requirement it treats) and for every exclusion
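As an added example (not part of the original page and not Bastion's tooling), the script below generates an SoA skeleton for all 93 controls from a constructed risk register, records cloud-provider inherited controls and explicit exclusions, and then validates it the way an auditor would: every control present exactly once, every exclusion justified, every applicable control traced to a risk, and no risk relying on a control the SoA excludes. The control numbering is the real Annex A structure; the risk register, exclusion reasons and inherited set are assumptions made for illustration.

```python
"""Build and validate an ISO 27001:2022 Statement of Applicability (SoA).

Added example. The control numbering (5.1-5.37, 6.1-6.8, 7.1-7.14,
8.1-8.34) is the real Annex A structure; the risk register, exclusions
and inherited-control notes below are constructed sample data.
"""
from dataclasses import dataclass

# Annex A themes: (name, number of controls). Controls are numbered 5.1..5.37 and so on.
THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}


def annex_a_controls():
    """All 93 Annex A control IDs in catalogue order."""
    return [f"{theme}.{n}" for theme, (_, count) in THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    status: str           # planned | partial | implemented | inherited | excluded
    justification: str    # why it is in (risk/requirement) or why it is out
    risks: tuple = ()     # risk IDs from the register that drove selection


# Constructed sample risk register: risk ID -> (description, controls that treat it).
RISK_REGISTER = {
    "R-01": ("Unauthorized access to customer data", ("5.15", "5.16", "8.2", "8.5")),
    "R-02": ("Malware on employee laptops", ("8.7", "8.1", "6.3")),
    "R-03": ("Breach via misconfigured cloud storage", ("8.9", "8.12", "8.24", "5.12")),
    "R-04": ("Malicious insider exfiltration", ("6.1", "5.3", "8.15", "8.16")),
    "R-05": ("Compromised outsourced component", ("5.19", "5.21", "5.22", "8.30")),
    # "8.35" does not exist: a constructed typo the validator must catch.
    "R-06": ("Event timelines cannot be correlated", ("8.17", "8.35")),
}

# Constructed exclusions: control -> justification. 8.30 deliberately conflicts
# with R-05 above to show what a contradictory SoA looks like.
EXCLUSIONS = {
    "8.4": "No in-house source code; all software is purchased SaaS",
    "8.30": "No outsourced development",
    "8.33": "Test environments never use production-derived data",
}

# Constructed: data-centre controls inherited from the IaaS provider. Office and
# device controls (7.7, 7.9, 7.10) are not inherited and stay with the organization.
INHERITED = {c: "Data centre operated by IaaS provider; reliance on provider's ISO 27001 certificate"
             for c in ("7.1", "7.2", "7.3", "7.4", "7.5", "7.6", "7.8",
                       "7.11", "7.12", "7.13", "7.14")}


def build_soa(risk_register=RISK_REGISTER, exclusions=EXCLUSIONS, inherited=INHERITED):
    """Produce one SoA entry per Annex A control, driven by the risk register."""
    risks_for = {}
    for risk_id, (_, controls) in risk_register.items():
        for c in controls:
            risks_for.setdefault(c, []).append(risk_id)
    soa = []
    for c in annex_a_controls():
        if c in exclusions:
            soa.append(SoAEntry(c, False, "excluded", exclusions[c]))
        elif c in inherited:
            soa.append(SoAEntry(c, True, "inherited", inherited[c], tuple(risks_for.get(c, ()))))
        elif c in risks_for:
            soa.append(SoAEntry(c, True, "planned", "Treats " + ", ".join(risks_for[c]),
                                tuple(risks_for[c])))
        else:
            # No risk selected it and nobody excluded it: left blank so the
            # validator forces an explicit decision instead of a silent default.
            soa.append(SoAEntry(c, True, "planned", ""))
    return soa


def validate_soa(soa, risk_register=RISK_REGISTER):
    """Check an SoA for completeness, justification and traceability to risks."""
    catalogue = set(annex_a_controls())
    listed = [e.control for e in soa]
    entries = {e.control: e for e in soa}
    findings = {
        "missing": sorted(catalogue - set(listed)),       # control absent from the SoA
        "duplicate": sorted({c for c in listed if listed.count(c) > 1}),
        "unknown_control": [e.control for e in soa if e.control not in catalogue],
        "undecided": [e.control for e in soa if e.applicable and not e.justification.strip()],
        "unjustified_exclusion": [e.control for e in soa
                                  if not e.applicable and not e.justification.strip()],
        "contradiction": [],                              # risk relies on an excluded control
    }
    for risk_id, (_, controls) in risk_register.items():
        for c in controls:
            if c not in catalogue:
                findings["unknown_control"].append(f"{risk_id}->{c}")
            elif c in entries and not entries[c].applicable:
                findings["contradiction"].append(f"{risk_id} relies on excluded {c}")
    return findings


def status_counts(soa):
    """Summary of the SoA by status, as reported to the auditor."""
    counts = {}
    for e in soa:
        counts[e.status] = counts.get(e.status, 0) + 1
    return counts


if __name__ == "__main__":
    soa = build_soa()
    print(status_counts(soa))
    for kind, items in validate_soa(soa).items():
        if items:
            print(f"{kind}: {len(items)} -> {items[:5]}")
```

Running it shows why step 1 alone is not enough: the constructed register selects only 20 controls, so 60 remain undecided and each needs an explicit inclusion reason or a justified exclusion before the SoA is auditable. The deliberately conflicting exclusion of 8.30 and the mistyped 8.35 are reported rather than silently accepted.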
Control Implementation Priorities
High Priority (Implement First)
| Control | Reason |
|---|---|
| 5.1 | Policies are the foundation of the ISMS |
| 5.15-5.18 | Access control is fundamental |
| 6.3 | Awareness prevents incidents |
| 8.5 | Authentication is critical |
| 8.7 | Malware protection is essential |
| 8.15 | Logging enables detection |
| 8.24 | Encryption protects data |
Medium Priority
| Control | Reason |
|---|---|
| 5.9 | Asset inventory supports most other controls |
| 5.24-5.27 | Incident response for when preventive controls fail |
| 8.8 | Vulnerability management is ongoing work |
| 8.32 | Change management reduces risk from uncontrolled changes |
Lower Priority (Based on Risk)
| Control | Consideration |
|---|---|
| 7.1-7.14 | Data-centre controls are usually inherited from the cloud provider, but office and device controls (7.7, 7.9, 7.10) still apply; exclude none without a documented justification |
| 8.4 | Only if you hold source code or development tooling |
| 8.33 | Only if test environments use real or production-derived data |
Common Control Implementations
For SaaS Companies
| Control Area | Typical Implementation |
|---|---|
| Access Control (5.15-5.18) | SSO, MFA, RBAC in applications, periodic access reviews |
| Asset Management (5.9-5.14) | Cloud asset inventory tools |
| Vendor Management (5.19-5.23) | Vendor assessment questionnaires, SOC 2 reviews |
| Incident Management (5.24-5.28) | SIEM, incident response playbooks |
| Endpoint (8.1) | MDM, endpoint security tools |
| Cryptography (8.24) | TLS everywhere, encryption at rest, documented key management |
| Secure Development (8.25-8.28) | SAST/DAST, code review, secure SDLC |
For Cloud-Native Organizations
Physical controls for the data centre are often addressed by:
- Cloud provider certifications (AWS, GCP, Azure SOC 2 / ISO 27001), with the certificate or report retained as evidence
- Documented reliance on the provider in the SoA, control by control
- Complementary controls where the provider's scope does not cover your risk
Mapping to Other Frameworks
ISO 27001 to SOC 2 Mapping
| ISO 27001 Theme | SOC 2 Criteria |
|---|---|
| Organizational | CC1, CC2, CC3, CC9 |
| People | CC1.4, CC1.5 |
| Physical | CC6.4, CC6.5 |
| Technological | CC6, CC7, CC8 |
ISO 27001 to NIST CSF Mapping
| ISO 27001 Theme | NIST CSF 2.0 Functions (categories) |
|---|---|
| Organizational | Govern, Identify |
| People | Protect (PR.AT) |
| Physical | Protect (PR.AA-06 physical access, PR.IR-02 environmental threats) |
| Technological | Protect, Detect, Respond |
The Govern function and these category IDs are from CSF 2.0; in CSF 1.1 physical access sat under PR.AC and PR.PT.
The Bastion Approach
Control Implementation Made Simple
Bastion streamlines Annex A control implementation:
| Challenge | Bastion Solution |
|---|---|
| Understanding 93 controls | Expert guidance on what applies |
| Prioritizing implementation | Risk-based roadmap |
| Documenting controls | Pre-built control documentation |
| Collecting evidence | Automated evidence collection |
| Creating SoA | Template with guided completion |
Automated Evidence Mapping
Controls automatically mapped to evidence sources:
- Access reviews → 5.18, 8.2
- Training records → 6.3
- Vulnerability scans → 8.8
- Change records → 8.32
- Encryption configurations → 8.24
Need help implementing Annex A controls? Talk to our team →