The Complete Guide to ISO 27001 Annex A Controls (2026 edition)
All 93 Annex A controls grouped by Organizational, People, Physical, and Technological categories — with practical implementation guidance for each set.
ISO 27001:2022 Annex A lists 93 reference controls grouped into four categories. They are not a checklist — they are a menu of safeguards you apply selectively based on your risk assessment. This guide walks through each group and explains how to make sensible scoping decisions.
Why Annex A exists
Clause 6.1.3 of the main standard requires you to compare your risk treatment plan against Annex A to make sure you haven't missed an obvious control. Your Statement of Applicability then documents which controls are in scope and which are excluded (with justification).
A.5 Organizational controls (37 controls)
This is the largest group. It covers policies, roles, supplier relationships, threat intelligence (new in 2022 — A.5.7), incident management, and continuity. Most of these are documentation and governance controls. If you don't have an information security policy approved by top management, this is where you start.
Practical tip: don't write 37 separate policies. Most organisations consolidate A.5 into 6–10 policy documents (Information Security Policy, Acceptable Use, Supplier Security, Incident Response, Business Continuity, Access Control, etc.).
A.6 People controls (8 controls)
Screening, terms of employment, awareness training, disciplinary process, responsibilities after termination, NDAs, and remote working. The audit evidence here is mostly HR records — make sure your HR colleague is briefed early.
A.7 Physical controls (14 controls)
Physical perimeter, entry controls, workspace security, equipment maintenance, secure disposal, clear desk/clear screen, etc. For cloud-only SaaS companies, most A.7 controls are inherited from the cloud provider — document the inheritance in your SoA.
A.8 Technological controls (34 controls)
The longest technical chapter. Highlights: A.8.1 user endpoint devices, A.8.5 secure authentication, A.8.16 monitoring activities, A.8.23 web filtering, A.8.28 secure coding. If you're a software company, A.8.25–A.8.31 (the development lifecycle controls) deserve careful attention.
Common mistakes
- Marking everything "applicable" without thinking. Auditors will probe — if a control is in scope, you need evidence.
- Forgetting to update the SoA after a change. The SoA is a living document, not a one-off artefact.
- Copying generic policy templates verbatim. Templates are fine as a starting point, but tailor them to your actual processes.