Cyber threats are more sophisticated than ever, and regulatory requirements continue to evolve. For organizations looking to protect sensitive data, ensure compliance, and build a resilient security posture, ISO 27001 remains the global gold standard. At the heart of this framework lies Annex A, a structured set of security controls that organizations must implement to manage risks effectively.
But what exactly are these ISO 27001 controls, and how have they changed? With the 2022 update, the ISO 27001 controls list has been streamlined from 114 to 93 controls, making it more adaptable and aligned with today’s cybersecurity challenges. Whether you’re aiming for certification, enhancing existing security measures, or ensuring regulatory compliance, understanding ISO 27001 Annex A controls is essential for safeguarding your organization.
This guide breaks down the number of controls in ISO 27001, their control objectives, and how they help businesses tackle modern security threats while maintaining compliance. Let’s dive into how these controls work and what they mean for organizations in 2025.
Understanding ISO 27001 and Annex A
ISO/IEC 27001:2022 is the global standard for an Information Security Management System (ISMS). The ISO 27001 controls list is outlined in Annex A, providing the essential security measures organizations must implement. The 2022 revision reorganized these controls into four categories: Organizational, People, Physical, and Technological. Each category aligns with a set of ISO 27001 control objectives, ensuring security measures address business risks effectively.
Organizational controls: Establishing governance and risk management
Organizational controls in ISO 27001 Annex A form the backbone of an organization’s information security governance. These controls define the policies, roles, responsibilities, and risk management strategies that guide an organization’s security posture. Without strong governance, even the most advanced technical security measures can be ineffective.
The ISO 27001 control objectives for this category focus on ensuring that security policies align with business goals, legal requirements are met, and risks are proactively managed. These controls help organizations:
- Establish clear security policies and procedures.
- Define roles and responsibilities to ensure accountability.
- Ensure compliance with regulations such as the GDPR and the NIS 2 Directive.
- Integrate security considerations into business processes and supplier relationships.
- Improve incident response and business continuity planning.
Organizational controls list
| Control Number | Control Name | Control Objective | Description |
|---|---|---|---|
| A.5.1 | Policies for information security | Establish a framework for managing information security. | Defining, implementing, and maintaining an information security policy that aligns with business objectives. |
| A.5.2 | Information security roles and responsibilities | Ensure accountability for security-related activities. | Assigning and communicating specific security roles and responsibilities within the organization. |
| A.5.3 | Segregation of duties | Reduce the risk of fraud or unauthorized actions. | Separating critical security tasks so that no single individual has full control over sensitive operations. |
| A.5.4 | Management responsibilities | Ensure leadership support for information security initiatives. | Requiring management to actively endorse and promote security measures and policies. |
| A.5.5 | Contact with authorities | Facilitate collaboration with regulators and law enforcement. | Establishing communication channels with authorities to ensure compliance with legal and regulatory requirements. |
| A.5.6 | Contact with special interest groups | Stay informed about emerging threats and industry best practices. | Engaging with security forums, professional associations, and threat intelligence networks. |
| A.5.7 | Threat intelligence | Proactively identify and mitigate security threats. | Collecting and analyzing cybersecurity intelligence to enhance preparedness against evolving threats. |
| A.5.8 | Information security in project management | Integrate security considerations into project planning. | Ensuring security risks are identified and addressed at all stages of a project’s lifecycle. |
| A.5.9 | Inventory of information and assets | Maintain an up-to-date record of critical assets. | Identifying, classifying, and documenting information assets to ensure they are adequately protected. |
| A.5.10 | Acceptable use of information assets | Define rules for the responsible use of company data and systems. | Establishing guidelines on how employees and third parties can use organizational information securely. |
| A.5.11 | Return of assets | Ensure company-owned assets are recovered when employees leave. | Implementing procedures for employees and contractors to return hardware, software, and data upon termination. |
| A.5.12 | Classification of information | Ensure data is categorized and protected according to its sensitivity. | Defining a classification system for information based on confidentiality, integrity, and availability requirements. |
| A.5.13 | Labelling of information | Enhance security by visibly marking sensitive data. | Implementing labeling mechanisms to indicate data classification levels (e.g., confidential, internal, public). |
| A.5.14 | Information transfer | Secure the exchange of data within and outside the organization. | Defining policies for protecting sensitive information during transmission via email, cloud storage, or other channels. |
| A.5.15 | Access control | Prevent unauthorized access to systems and data. | Implementing measures to restrict access to information based on user roles and responsibilities. |
| A.5.16 | Identity management | Ensure that only authorized individuals have system access. | Managing user identities, authentication, and permissions to prevent unauthorized access. |
| A.5.17 | Authentication information | Protect credentials and authentication mechanisms. | Establishing policies for password management, multi-factor authentication (MFA), and secure credential storage. |
| A.5.18 | Access rights | Review and manage user permissions to maintain security. | Conducting regular access reviews to ensure that employees have appropriate system privileges. |
| A.5.19 | Information security in supplier relationships | Extend security controls to third-party vendors and partners. | Requiring suppliers to comply with the organization’s security policies and standards. |
| A.5.20 | Managing information security in the ICT supply chain | Mitigate risks associated with external service providers. | Implementing security requirements for suppliers that handle the organization’s information systems or data. |
| A.5.21 | Monitoring, review, and change management of supplier services | Ensure third-party services remain secure over time. | Regularly auditing and reviewing supplier security measures to ensure compliance with contractual agreements. |
| A.5.22 | Information security for cloud services | Securely manage cloud-based applications and data. | Establishing policies for data storage, access controls, and encryption in cloud environments. |
| A.5.23 | Information security incident management | Establish a structured approach for handling security incidents. | Defining processes for detecting, reporting, investigating, and responding to security incidents. |
| A.5.24 | Learning from security incidents | Improve security measures based on past breaches and threats. | Conducting post-incident reviews to analyze security failures and implement corrective actions. |
| A.5.25 | Business continuity and disaster recovery | Ensure critical business operations can continue during disruptions. | Developing and testing continuity plans that address IT failures, cyberattacks, and natural disasters. |
| A.5.26 | Legal, regulatory, and contractual compliance | Adhere to industry standards and legal obligations. | Monitoring and enforcing compliance with security regulations such as GDPR and NIS 2 Directive. |
By applying these controls, organizations ensure that security policies, risk management frameworks, and compliance efforts are continuously updated to address emerging threats and regulatory changes.
People controls: Managing human risk and security responsibilities
People are often the weakest link in cybersecurity. Even with the most advanced firewalls and encryption, a single human error—such as falling for a phishing scam or misconfiguring access permissions—can lead to a serious security breach. People controls in ISO 27001 Annex A address this challenge by ensuring that employees, contractors, and third parties understand their security responsibilities and follow best practices.
The ISO 27001 control objectives for people security focus on:
- Screening and hiring: Ensuring that only trusted individuals are given access to sensitive information.
- Training and awareness: Educating employees on threats like phishing, social engineering, and password security.
- Accountability and enforcement: Defining responsibilities and disciplinary measures for security violations.
- Access control and remote work security: Managing privileged accounts and securing work-from-home environments.
People controls list
| Control Number | Control Name | Control Objective | Description |
|---|---|---|---|
| A.6.1 | Screening | Prevent unauthorized individuals from accessing sensitive information. | Conducting background checks on employees before granting access to critical systems or data. |
| A.6.2 | Terms and conditions of employment | Ensure employees understand their security responsibilities. | Including security-related obligations in employment contracts and agreements. |
| A.6.3 | Security awareness, education, and training | Equip employees with the knowledge to recognize and mitigate security threats. | Providing regular training on phishing, social engineering, and secure handling of sensitive data. |
| A.6.4 | Disciplinary process | Deter security violations through formal consequences. | Defining disciplinary actions for employees who violate security policies or fail to follow ISMS procedures. |
| A.6.5 | Responsibilities after termination | Prevent ex-employees from retaining access to critical systems. | Ensuring that all access rights are revoked and organizational assets are returned after employment termination. |
| A.6.6 | Confidentiality agreements | Ensure employees and contractors protect sensitive information. | Requiring signed agreements that prohibit unauthorized disclosure of business and personal data. |
| A.6.7 | Remote working security | Mitigate risks associated with remote access to company systems. | Implementing policies to secure remote work environments, including VPNs, endpoint protection, and access control. |
| A.6.8 | Secure use of privileged accounts | Prevent misuse of privileged access rights. | Enforcing multi-factor authentication (MFA) and monitoring privileged account activities. |
These controls ensure that security is not just a technical concern but an integral part of an organization’s culture, minimizing risks posed by human factors.
Physical controls: Securing facilities, equipment, and physical access
While cybersecurity often focuses on digital threats, physical security remains a critical component of ISO 27001 Annex A controls. Unauthorized physical access to offices, data centers, or IT infrastructure can result in data breaches, system disruptions, or even theft of sensitive assets. Physical controls ensure that security measures protect both the digital and physical aspects of an organization’s environment.
The ISO 27001 control objectives for physical security focus on:
- Preventing unauthorized access to buildings, secure areas, and IT infrastructure.
- Protecting against environmental threats such as fire, flooding, and power failures.
- Ensuring secure disposal of equipment to prevent data leaks from discarded devices.
- Enforcing workspace security policies such as clear desk and clear screen rules.
Physical controls list
| Control Number | Control Name | Control Objective | Description |
|---|---|---|---|
| A.7.1 | Physical security perimeter | Prevent unauthorized physical access to company facilities. | Establishing secure perimeters, such as fences, gates, and security checkpoints, to restrict entry. |
| A.7.2 | Physical entry controls | Control and monitor access to buildings, offices, and data centers. | Implementing access control systems (e.g., keycards, biometric scanners, and security guards) to regulate entry. |
| A.7.3 | Securing offices, rooms, and facilities | Ensure that only authorized personnel can enter sensitive areas. | Using locks, restricted zones, and security protocols to prevent unauthorized access. |
| A.7.4 | Protecting against environmental threats | Reduce risks from natural disasters, fire, and power failures. | Implementing climate control, fire suppression systems, and backup power solutions. |
| A.7.5 | Working in secure areas | Maintain security in high-risk operational areas. | Establishing protocols for personnel working in sensitive locations, such as server rooms or executive offices. |
| A.7.6 | Equipment security | Protect IT equipment from unauthorized access or damage. | Securing workstations, servers, and networking devices with locks, cages, and surveillance. |
| A.7.7 | Secure disposal or reuse of equipment | Prevent unauthorized retrieval of sensitive data from disposed assets. | Ensuring data is completely wiped from storage devices before disposal or repurposing hardware securely. |
| A.7.8 | Unattended user equipment | Prevent unauthorized access to devices left unattended. | Enforcing policies such as automatic screen locking and requiring users to secure laptops when not in use. |
| A.7.9 | Clear desk and clear screen policy | Reduce the risk of information exposure in shared spaces. | Implementing policies requiring employees to clear their desks of sensitive documents and lock their screens. |
By applying these controls, organizations reduce the risk of unauthorized physical access, ensuring that critical assets and infrastructure remain protected.
Technological controls: Strengthening cyber defenses and data protection
In today’s digital landscape, cyber threats are more sophisticated than ever. Technological controls in ISO 27001 Annex A provide the foundation for protecting IT systems, networks, applications, and data from attacks, breaches, and unauthorized access. These controls focus on implementing, monitoring, and maintaining cybersecurity technologies that safeguard an organization’s digital assets.
The ISO 27001 control objectives for technological security focus on:
- Protecting IT infrastructure from cyber threats like malware, hacking, and unauthorized access.
- Securing sensitive data through encryption, access control, and secure authentication.
- Ensuring system availability with backup and disaster recovery strategies.
- Monitoring and detecting threats using logging, SIEM (Security Information and Event Management) solutions, and intrusion detection.
- Ensuring compliance with security best practices, such as secure system configurations and vulnerability management.
Technological controls list
| Control Number | Control Name | Control Objective | Description |
|---|---|---|---|
| A.8.1 | User endpoint protection | Secure employee devices against malware and unauthorized access. | Implementing antivirus software, endpoint protection solutions, and encryption on workstations and mobile devices. |
| A.8.2 | Network security | Prevent unauthorized access and mitigate network-based threats. | Using firewalls, intrusion detection/prevention systems (IDS/IPS), and virtual private networks (VPNs). |
| A.8.3 | Application security | Protect software applications from vulnerabilities and attacks. | Enforcing secure coding practices, conducting penetration testing, and applying regular security patches. |
| A.8.4 | Secure system configuration | Reduce system vulnerabilities through standardized security settings. | Defining secure configurations for operating systems, databases, and applications. |
| A.8.5 | Malware protection | Detect and prevent malware infections in IT environments. | Deploying anti-malware solutions, implementing email filtering, and restricting the execution of unauthorized software. |
| A.8.6 | Data encryption | Ensure sensitive data remains protected against unauthorized access. | Applying encryption to data in transit and at rest using strong cryptographic algorithms. |
| A.8.7 | Logging and monitoring | Detect security incidents through real-time monitoring. | Using security information and event management (SIEM) systems to track and analyze security events. |
| A.8.8 | Backup and recovery | Ensure data availability in case of cyberattacks or system failures. | Implementing automated backups, offsite data storage, and regular recovery testing. |
| A.8.9 | Identity and access management | Control user access to systems and sensitive information. | Implementing role-based access control (RBAC), multi-factor authentication (MFA), and privileged access management. |
| A.8.10 | Secure authentication | Prevent unauthorized logins and credential theft. | Enforcing strong password policies, biometric authentication, and single sign-on (SSO) mechanisms. |
| A.8.11 | Cloud security | Protect data stored and processed in cloud environments. | Implementing cloud access security brokers (CASB), encryption, and cloud security posture management (CSPM). |
| A.8.12 | Security testing and vulnerability management | Identify and remediate security weaknesses in IT systems. | Conducting regular vulnerability assessments, patch management, and security audits. |
By enforcing these technological controls, organizations ensure that IT infrastructure, applications, and digital assets are well-protected against cyber threats. These measures are essential in defending against modern attacks such as ransomware, phishing, and insider threats while maintaining a resilient cybersecurity posture.
How many controls in ISO 27001?
One of the most frequently asked questions is: how many controls are in ISO 27001? The 2022 update streamlined the framework, reducing the total number of controls from 114 to 93. This revision wasn’t just about cutting numbers—it was about enhancing efficiency and relevance. The updated structure aligns security controls with emerging cyber threats, evolving regulatory requirements, and modern risk management practices, ensuring organizations can implement a more effective and adaptable security strategy.
Final thoughts: Is your security framework future-ready?
Cyber threats and regulatory requirements are constantly evolving. Organizations that align with ISO 27001 Annex A controls gain a strategic advantage by ensuring their security framework remains robust, compliant, and adaptable to emerging challenges.
By embedding ISO 27001 controls into daily operations, businesses can safeguard sensitive information, build customer trust, and reduce the likelihood of costly security incidents. Whether you’re seeking certification or enhancing your security posture, a strong ISMS built on ISO 27001 control objectives ensures long-term resilience and success in an increasingly digital world.