There are 93 controls in ISO/IEC 27001:2022, grouped into four themes — Organisational, People, Physical and Technological.
The 2013 version had 114 controls, so the latest update simplified and merged several to make them easier to apply.
When you hear “ISO 27001 controls,” it might sound technical or overwhelming. But in reality, these controls are simply the security measures your business uses to keep its information safe.
They cover everything from how your people handle data, to how your systems store and protect it, and even how your suppliers access it.
If you’re aiming for ISO 27001 certification, these controls are the engine room of your Information Security Management System (ISMS). They’re how you prove you’re reducing risk and keeping sensitive data safe.
Here’s a quick snapshot:
The controls are what turns ISO 27001 from a piece of paper into real-world protection for your business.
ISO 27001 controls are the practical measures your organisation uses to reduce information security risks.
They can be:
Together, they protect the confidentiality, integrity, and availability of your information.
There are 93 controls in the 2022 version of the Standard. Together, they form the backbone of ISO 27001’s approach to managing information security. Find out how these controls fit into the wider ISO 27001 certification process.
How many controls are in ISO 27001? There are 93 controls in the ISO/IEC 27001:2022 version of the Standard.
These controls aren’t just technical rules — they’re good business practice. When applied properly, they help you protect data, meet legal requirements, win new contracts, and build trust with customers.
The 2022 revision simplified Annex A by grouping controls into four themes, making the framework clearer and easier to apply:
– Organisational (A.5.1–A.5.37, 37 controls): Policies, processes, and governance measures that set the foundation for security. Example: risk management and supplier agreements.
– People (A.6.1–A.6.8, 8 controls): Controls involving human factors like training, awareness, and responsibility — ensuring employees understand and follow good security practice.
– Physical (A.7.1–A.7.14, 14 controls): Measures that protect your premises and equipment — like entry controls and secure areas.
– Technological (A.8.1–A.8.34, 34 controls): IT and cyber-specific safeguards, from access control to malware protection.
Each control is also tagged with attributes such as:
This tagging system helps organisations map controls to their specific risks more effectively during ISO 27001 implementation.
The full Annex A list is often what businesses want to see most, so here it is.
Below are all 93 ISO 27001:2022 controls, in one table per theme.
Organisational controls (A.5)

| Control No. | Control Title |
|---|---|
| A.5.1 | Policies for information security |
| A.5.2 | Information security roles and responsibilities |
| A.5.3 | Segregation of duties |
| A.5.4 | Management responsibilities |
| A.5.5 | Contact with authorities |
| A.5.6 | Contact with special interest groups |
| A.5.7 | Threat intelligence |
| A.5.8 | Information security in project management |
| A.5.9 | Inventory of information and other assets |
| A.5.10 | Acceptable use of information and assets |
| A.5.11 | Return of assets |
| A.5.12 | Classification of information |
| A.5.13 | Labelling of information |
| A.5.14 | Information transfer |
| A.5.15 | Access control |
| A.5.16 | Identity management |
| A.5.17 | Authentication information |
| A.5.18 | Access rights |
| A.5.19 | Information security in supplier relationships |
| A.5.20 | Addressing information security within supplier agreements |
| A.5.21 | Managing information security in the ICT supply chain |
| A.5.22 | Monitoring, review and change management of supplier services |
| A.5.23 | Information security for use of cloud services |
| A.5.24 | Information security incident management planning and preparation |
| A.5.25 | Assessment and decision on information security events |
| A.5.26 | Response to information security incidents |
| A.5.27 | Learning from information security incidents |
| A.5.28 | Collection of evidence |
| A.5.29 | Information security during disruption |
| A.5.30 | ICT readiness for business continuity |
| A.5.31 | Legal, statutory, regulatory and contractual requirements |
| A.5.32 | Intellectual property rights |
| A.5.33 | Protection of records |
| A.5.34 | Privacy and protection of PII (personally identifiable information) |
| A.5.35 | Independent review of information security |
| A.5.36 | Compliance with policies, rules and standards for information security |
| A.5.37 | Documented operating procedures |
People controls (A.6)

| Control No. | Control Title |
|---|---|
| A.6.1 | Screening |
| A.6.2 | Terms and conditions of employment |
| A.6.3 | Information security awareness, education and training |
| A.6.4 | Disciplinary process |
| A.6.5 | Responsibilities after termination or change of employment |
| A.6.6 | Confidentiality or non-disclosure agreements |
| A.6.7 | Remote working |
| A.6.8 | Information security event reporting |
Physical controls (A.7)

| Control No. | Control Title |
|---|---|
| A.7.1 | Physical security perimeters |
| A.7.2 | Physical entry controls |
| A.7.3 | Securing offices, rooms and facilities |
| A.7.4 | Physical security monitoring |
| A.7.5 | Protecting against physical and environmental threats |
| A.7.6 | Working in secure areas |
| A.7.7 | Clear desk and clear screen |
| A.7.8 | Equipment siting and protection |
| A.7.9 | Security of assets off-premises |
| A.7.10 | Storage media |
| A.7.11 | Supporting utilities |
| A.7.12 | Cabling security |
| A.7.13 | Equipment maintenance |
| A.7.14 | Secure disposal or reuse of equipment |
Technological controls (A.8)

| Control No. | Control Title |
|---|---|
| A.8.1 | User endpoint devices |
| A.8.2 | Privileged access rights |
| A.8.3 | Information access restriction |
| A.8.4 | Access to source code |
| A.8.5 | Secure authentication |
| A.8.6 | Capacity management |
| A.8.7 | Protection against malware |
| A.8.8 | Management of technical vulnerabilities |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.13 | Information backup |
| A.8.14 | Redundancy of information processing facilities |
| A.8.15 | Logging |
| A.8.16 | Monitoring activities |
| A.8.17 | Clock synchronisation |
| A.8.18 | Use of privileged utility programs |
| A.8.19 | Installation of software on operational systems |
| A.8.20 | Networks security |
| A.8.21 | Security of network services |
| A.8.22 | Segregation of networks |
| A.8.23 | Web filtering |
| A.8.24 | Use of cryptography |
| A.8.25 | Secure development life cycle |
| A.8.26 | Application security requirements |
| A.8.27 | Secure system architecture and engineering principles |
| A.8.28 | Secure coding |
| A.8.29 | Security testing in development and acceptance |
| A.8.30 | Outsourced development |
| A.8.31 | Separation of development, test and production environments |
| A.8.32 | Change management |
| A.8.33 | Test information |
| A.8.34 | Protection of information systems during audit testing |
The ISO 27001:2022 update made the Standard clearer, leaner, and more aligned to today’s risks. The changes reflect modern business realities — from remote working to cloud computing and supply chain risk.
Here’s what changed compared to the 2013 version:
| 2013 Control / Domain | What changed | 2022 Equivalent / Theme |
|---|---|---|
| A.6.1.5 Information security in project management | Simplified & renumbered | A.5.8 Information security in project management (Organisational). |
| A.6.2.1 Mobile device policy | Reframed for device endpoints | A.8.1 User endpoint devices (Technological). |
| A.6.2.2 Teleworking | Modernised for hybrid work | A.6.7 Remote working (People). |
| A.7.2.2 Awareness, education & training | Streamlined | A.6.3 Information security awareness, education and training (People). |
| A.9.2.3 Privileged access rights | Renumbered | A.8.2 Privileged access rights (Technological). |
| A.9.4.2 Secure log-on procedures | Consolidated under authentication | A.8.5 Secure authentication (Technological). |
| A.12.6.1 Management of technical vulnerabilities | Retained & updated | A.8.8 Management of technical vulnerabilities (Technological). |
| A.12.4.1 Event logging; A.12.4.3 Admin/operator logs | Combined into logging | A.8.15 Logging (Technological). (Note: A.8.16 Monitoring activities is new.) |
| A.14.1.1 InfoSec requirements analysis & specification | Split/redirected | A.5.8 Information security in project management (Organisational). |
| A.14.1.2 Securing app services on public networks | Consolidated | A.8.26 Application security requirements (Technological). |
| A.14.1.3 Protecting application service transactions | Consolidated | A.8.26 Application security requirements (Technological). |
| A.14.2.1 Secure development policy | Becomes SDL | A.8.25 Secure development life cycle (Technological). |
| A.14.2.8 System security testing; A.14.2.9 System acceptance testing | Combined | A.8.29 Security testing in development and acceptance (Technological). |
| A.14.2.7 Outsourced software development | Renamed/renumbered | A.8.30 Outsourced development (Technological). |
| A.14.3.1 Protection of test data | Renamed/renumbered | A.8.33 Test information (Technological). |
| A.15.1.1 / A.15.1.2 / A.15.1.3; A.15.2.1 / A.15.2.2 | Expanded supplier coverage | A.5.19–A.5.22 (Supplier controls) (Organisational). |
| A.16.1.x Incident management set | Restructured | A.5.24–A.5.28 (Org. incident management) and A.6.8 (event reporting). |
| A.17.1.x IS continuity | Merged & simplified | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity (new). |
| A.18.1.3 Protection of records | Retained/renumbered | A.5.33 Protection of records (Organisational). |
The new framework is more practical and risk-driven. It helps SMEs apply controls in a way that fits their real-world context. The latest revision introduces 11 brand-new controls designed to help organisations tackle modern risks such as cyber attacks, remote work, and cloud reliance.
Here’s what they are — and the practical value each brings to your business:
| New control | Benefits to your business |
|---|---|
| A.5.7 Threat intelligence | Proactive risk-based thinking. Gather and analyse threats to take action and reduce risk. |
| A.5.23 Information security for the use of cloud services | Cloud control! As organisations rely more and more on cloud services, it’s essential to have robust controls in place. Safeguard your data, ensure backups, and swiftly recover in the event of loss. |
| A.5.30 ICT readiness for business continuity | How long could your business operate if you lose email access? Get your Information and Communication Technology (ICT) prepared for any disruptive events. |
| A.7.4 Physical security monitoring | Work smarter, not harder. Prevent unauthorised access to your site and make sure physical access is secure. |
| A.8.9 Configuration management | Get better at managing change. Keep your hardware, software, services, and networks running smoothly with the right security settings. Avoid unauthorised changes and maintain the integrity of your systems. |
| A.8.10 Information deletion | Build a structured system and approach to data retention. Minimise sensitive data leaks and improve compliance with regulatory requirements. |
| A.8.11 Data masking | Reduce access to sensitive information where possible, such as in testing, development or analysis. Reduce the potential impact of any data breach and improve compliance with GDPR. |
| A.8.12 Data leakage prevention | Prevent the risk of leaking data from your organisation. |
| A.8.16 Monitoring activities | Detect information security incidents. Manage and monitor systems to identify unusual activities. |
| A.8.23 Web filtering | Protect your IT systems from being compromised and increase staff awareness about their use of online resources. |
| A.8.28 Secure coding | Reduce information security vulnerabilities in your software. Make sure security is considered at every stage of development with secure coding practices. |
If you’re transitioning from the 2013 version, you’ll need to review your Statement of Applicability and update your risk register to reflect the new structure. A short gap analysis or transition audit with a Citation ISO Certification consultant can help ensure a smooth move to the 2022 version.
Are all ISO 27001 controls mandatory? No — not all ISO 27001 controls are mandatory.
ISO 27001 works on a risk-based approach. This means you only apply the controls that are relevant to your organisation’s risks.
You document which controls you’re applying (and which you’re not, and why) in a key document called the Statement of Applicability (SoA).
So don’t worry — certification doesn’t mean ticking off all 93. It means showing you’ve selected and applied the right ones for your business.
For example, a fully remote company might exclude physical entry controls but strengthen remote access and training measures.
Getting controls off the page and into practice is where the value lies. Here’s how to get started:
1. Carry out a risk assessment
   Identify what information needs protecting, what could go wrong, and the potential impact.
2. Map risks to controls
   Choose the Annex A controls that reduce or eliminate each risk. For instance, to reduce phishing risk, you might apply A.6.3 (awareness training) and A.8.7 (malware protection).
3. Document your decisions in the Statement of Applicability (SoA)
   This is your audit anchor. It shows auditors (and your stakeholders) why you’ve chosen certain controls and left others out. Read more about the ISO 27001 audit process.
4. Integrate into everyday practice
   Turn controls into living processes: update policies, train staff, monitor systems, and review performance regularly.
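As an added illustration of steps 2 and 3 (not code from the article or from Citation ISO Certification), the script below maps a risk register to Annex A controls and builds the SoA rows from that mapping, flagging any control that has neither been selected by a risk nor excluded with a justification. The control catalogue is a small constructed subset of the 93 controls, and the risks, control choices and the remote-company exclusion are invented sample data.

```python
ANNEX_A = {  # constructed subset of the 93 Annex A controls, keyed by control id
    "A.5.7": "Threat intelligence",
    "A.6.3": "Information security awareness, education and training",
    "A.7.2": "Physical entry controls",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.13": "Information backup",
}

# Constructed risk register: each risk lists the Annex A controls chosen to treat it.
RISKS = [
    {"id": "R1", "risk": "Staff fall for a phishing e-mail", "controls": ["A.6.3", "A.8.7"]},
    {"id": "R2", "risk": "Credential stuffing against SaaS accounts", "controls": ["A.8.5"]},
    {"id": "R3", "risk": "Ransomware destroys client files", "controls": ["A.8.7", "A.8.13"]},
]

# Constructed exclusions with their justification (here: a fully remote company).
EXCLUSIONS = {"A.7.2": "No company premises; all staff work remotely"}


def build_soa(catalogue, risks, exclusions):
    """Return one SoA row per catalogue control: applicability, justification, linked risks."""
    selected = {}
    for r in risks:
        for cid in r["controls"]:
            if cid not in catalogue:
                raise ValueError(f"{r['id']} references unknown control {cid}")
            if cid in exclusions:
                raise ValueError(f"{cid} is excluded but {r['id']} relies on it")
            selected.setdefault(cid, []).append(r["id"])
    soa = {}
    for cid, title in catalogue.items():
        if cid in selected:
            row = {"applicable": True, "justification": "Treats " + ", ".join(selected[cid])}
        elif cid in exclusions:
            row = {"applicable": False, "justification": exclusions[cid]}
        else:  # no risk selects it and nobody has justified leaving it out
            row = {"applicable": None, "justification": ""}
        soa[cid] = {"title": title, "risks": selected.get(cid, []), **row}
    return soa


def undecided(soa):
    """Controls with no documented decision: an auditor would treat these as SoA gaps."""
    return sorted(cid for cid, row in soa.items() if row["applicable"] is None)


if __name__ == "__main__":
    soa = build_soa(ANNEX_A, RISKS, EXCLUSIONS)
    for cid, row in soa.items():
        print(cid, row["applicable"], row["justification"])
    print("Undecided:", undecided(soa))
```

With the sample data, A.5.7 comes back as undecided: it is in the catalogue but no risk selects it and no exclusion justifies it, which is exactly the kind of gap an auditor will ask about.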
With the right support, this process is straightforward and achievable. Many businesses find they’re already doing some of the controls informally — ISO 27001 simply formalises them.
Example: A marketing agency working with client data used ISO 27001 controls to tighten access rights, add secure password policies, and run quarterly awareness sessions. Result: a clean audit and stronger client trust.