Understanding ISO 27001 Controls: A Guide to Annex A

Understanding ISO 27001 Controls A Guide to Annex A

What's Inside

ISO 27001:2022 controls are broken into four themes—people, organizational, operational, and technological—that aim to strengthen your organization’s information security defenses.

ISO 27001:2022 controls are broken into four themes—people, organizational, operational, and technological—that aim to strengthen your organization’s information security defenses. 

Security controls are an essential part of the ISO 27001 standard. These ISO 27001 safeguards function as minimum baseline controls, offering guidance for how organizations can adopt them as listed or tailor them to their specific organization.  

ISO 27001 was established in 2005 and has since been updated in 2013 and most recently in 2022. The most recent version is referred to as ISO 27001:2022 and comes with significant changes to how security controls are structured within Annex A, which lists out each objective and security control. 

Below, we dive into those structural changes as well as new control additions to be aware of.

New to ISO 27001?

Learn how to get started and save time with our Beginner's ISO 27001: 2022 Guide.

Download Guide

What Are the ISO 27001 Security Controls?

ISO 27001 is an international standard designed to help organizations protect the confidentiality, integrity, and availability of their information. The standard includes a list of security controls companies can implement to safeguard their sensitive data. 

The ISO 27001 controls outline the measures organizations must take by way of policies, processes, and procedures to meet the document’s security requirements. These security controls are grouped into four control themes—people, organizational, technological, and physical—that aim to reduce risks to an acceptable level.

How Many Controls Does ISO 27001 Annex A Have?

Changes to the ISO 27001 document in 2022 reduced the number of controls in Annex A from 114 to 93. There have also been noteworthy changes to existing controls, including renaming and merging controls. ISO 27001:2022 consolidated old controls and added new ones, but are not all-encompassing.  

The changes in the 2022 version aim to address the changing business landscape, such as the rise of remote work and the evolving nature of cybersecurity threats. The new version puts an emphasis on streamlining controls under thematic topics to make the implementation process easier.

Summary of ISO 27001:2022 Control ChangesImage depicting the changes from ISO 27001:2013 to ISO 27001:2022

There are 11 new controls that have been added to the ISO 27001 document, which include: 

  • Threat intelligence (5.7): requires companies to collect and analyze information relating to information security threats 

  • Information security for use of cloud services (5.23): requires companies to specify and manage information security for the use of cloud services

  • ICT readiness for business continuity (5.30): requires companies to create an ICT continuity plan to maintain operational resilience 

  • Physical security monitoring (7.4): requires companies to detect and prevent external and internal intruders by deploying suitable surveillance tools

  • Configuration management (8.9): requires companies to establish policies to manage how they document, implement, monitor, and review the use of configurations across their entire network 

  • Information deletion (8.10): provides guidance on how to manage data deletion to comply with laws and regulations 

  • Data masking (8.11): provides data masking techniques for personal identifiable information (PII) to comply with laws and regulations

  • Data leakage protection (8.12): requires companies to implement technical measures that detect and prevent the disclosure and/or extraction of information

  • Monitoring activities (8.16): provides guidance on improving network monitoring activities to identify anomalous behavior and address security events and incidents 

  • Web filtering (8.23): requires companies to enforce access controls and measures to restrict and control access to external websites 

  • Secure coding (8.28): requires companies to follow secure coding principles to prevent vulnerabilities caused by poor coding methods

11 New ISO 27001 Controls Image depicting a chart of the 11 new ISO 27001 controls

What Are the Control Attributes?

Control attributes are a new addition to the standard introduced in ISO 27001:2022. These five attributes are intended to help easily classify and group the controls based on what makes sense to their organization and security needs. 

Automate ISO 27001 Compliance With Drata

Meeting compliance requirements can be an arduous and manual effort. Let us take you from security novice to continuous monitoring in a few hours.

Learn More

ISO 27002:2022—(which provides guidance for how to implement controls outlined in ISO 27001)—states in section 4.2 Themes and Attributes: 

"The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different views for different audiences." 

The five attributes are:

  • Control type: preventative, detective, corrective  

  • Operational capabilities: governance, asset management, information protection, human resource security, etc.

  • Security domains: governance and ecosystem, protection, defense, resilience 

  • Cybersecurity concepts: identify, protect, detect, respond, recover

  • Information security properties: confidentiality, integrity, availability

What Are the Four Control Themes?

The previous version of ISO 27001 spread out the security controls into 14 categories. The newest version (ISO 27001:2022) has merged the original 14 categories into four themes.

  • Section 5: People (eight controls)

  • Section 6: Organizational (37 controls)

  • Section 7: Physical (14 controls)

  • Section 8: Technological (34 controls)

This consolidated grouping of controls removes redundancies from previous versions of the standard. It also helps companies by grouping controls together based on who’s responsible for carrying them out. For example, technological controls may be carried out by IT, whereas organizational controls might be handled by your system operations team.

ISO 27001 Annex A Control ThemesImage depicting the four ISO 27001 Annex A themes

Organizational (Section 5)

Organizational controls cover information security policies, use of assets, and cloud service use. This category covers everything that doesn’t fit under the people, technological, or physical themes such as identity management, the responsibilities of management and information security professionals, and evidence collection. 

New organizational controls include:

  • 5.7: Threat Intelligence

  • 5.23: Information security for use of cloud services 

  • 5.30: ICT readiness for business continuity 

Threat intelligence is a noteworthy control addition under this theme. This control goes beyond recognizing a malicious domain name to help organizations better understand how they may be targeted and then using that threat intelligence information to better inform their information security approach.

People (Section 6) 

With only eight total controls, this theme deals with remote work, confidentiality, nondisclosures, and screening to help manage the way employees interact with sensitive information in their day-to-day roles. Controls include onboarding and offboarding processes and responsibilities for incident reporting.  

There weren’t any new controls introduced in ISO 27001:2022 to be aware of for this theme.

Physical (Section 7)

Physical controls cover security monitoring, maintenance, facilities security, and storage media. This category focuses on how you are protecting against physical and environmental threats such as natural disasters, theft, and intentional destruction. 

New physical controls include: 

  • 7.4: Physical security monitoring

Technological (Section 8)

Technological controls deal with authentication, encryption, and data leakage prevention. This category focuses on properly securing technology through various approaches, including access rights, network security, and data masking. 

New technological controls include: 

  • 8.1: Data masking 

  • 8.9: Configuration management 

  • 8.10: Information deletion 

  • 8.12: Data leakage prevention 

  • 8.16: Monitoring activities 

  • 8.23: Web filtering 

  • 8.28: Secure coding 

Data leakage prevention is one of the key new additions under this theme and will likely require a large time and financial investment to put in place for the first time. Web filtering is another notable net new control that outlines how organizations should filter web traffic to prevent users from visiting malicious sites.

How Drata Can Help You Streamline Your ISO 27001 Compliance

Whether you’re on the path to achieving ISO 27001 compliance or you’re looking to maintain your compliance standing, our compliance automation platform helps you streamline evidence collection, access control workflows, and ensure you have all the audit documentation you need. 

Get Audit-Ready Faster With Drata's ISO 27001 Compliance Solution

Book a demo of Drata’s ISO 27001 compliance solution to learn how to get audit-ready faster.

Schedule a Demo

Keep Reading

ISO 27001 Risk Assessment 10 Step Guide to an Effective Assessment


ISO 27001 Risk Assessment: 10 Step Guide to an Effective Assessment

ISO 27001 How to Write a Statement of Applicability


ISO 27001: How to Write a Statement of Applicability

Understanding ISO 27001 Controls A Guide to Annex A


Understanding ISO 27001 Controls: A Guide to Annex A

Our Path to ISO 27001


5 Key Learnings From Our Path to ISO 27001

Take Your Learning Further

Discover research, playbooks, checklists, and other resources on ISO 27001 compliance.

Explore ISO 27001 Hub