What are the ISO 27001 Annex A controls?

Many businesses search for "ISO 27001 Annex 2 controls" when they are trying to understand the security controls required for ISO 27001 certification. The accurate term is ISO 27001 Annex A controls. In ISO/IEC 27001:2022, Annex A contains 93 information security controls that organisations consider when building their Information Security Management System, often called an ISMS.

This matters because the Annex A controls are a major part of ISO 27001 readiness. They help businesses decide how to protect information, manage risk, control access, secure suppliers, respond to incidents, protect systems, and keep improving over time. They also support one of the most important ISO 27001 documents, the Statement of Applicability, which explains which controls apply, why they apply, whether they are in place, and why any controls have been excluded.

UK Cyber Compliance (a part of UK Cyber Security Group) provides ISO 27001 certification support through an automated and AI driven platform designed to make certification easier and cheaper. This gives UK businesses a clearer way to manage risk, policies, controls, evidence, audit readiness, and ongoing compliance without relying on scattered spreadsheets and disconnected documents.

Why Annex A controls matter

The Annex A controls give organisations a structured catalogue of security measures to consider. They are not there to be copied blindly. ISO 27001 is risk-based, which means each organisation must understand its own risks and then select controls that are suitable for its business.

A small consultancy, a software provider, a managed service provider, a healthcare supplier, and a public sector contractor may all use ISO 27001, but their risks will not be identical. The Annex A controls help each organisation make sensible decisions based on its own services, systems, data, suppliers, staff, clients, and legal requirements.

The controls also help auditors understand how the business protects information. If a control is selected, the organisation should be able to explain why it is needed and show evidence that it works. If a control is excluded, the organisation should be able to justify that decision clearly.

What is ISO 27001 Certification?

ISO 27001 certification is formal recognition that an organisation has implemented an Information Security Management System that meets the requirements of the ISO 27001 standard. It is awarded after an independent audit confirms that the organisation has built, operated, reviewed, and improved its ISMS.

An ISMS is the structured system used to manage information security. It includes policies, risk assessments, control decisions, responsibilities, records, internal audit, management review, corrective action, and continual improvement.

Certification does not mean a business can never suffer a cyber incident. No standard can promise that. What it does show is that the organisation has a recognised, audited approach to managing information security risk.

For customers, suppliers, partners, and senior leaders, this can be valuable. It provides assurance that security is not being managed casually. It shows that the business has considered its risks, selected controls, and created a system to manage information properly.

What is ISO 27001?

ISO 27001 is an international standard for information security management. It sets out the requirements for establishing, implementing, maintaining, and continually improving an ISMS.

The standard focuses on three core security outcomes: confidentiality, integrity, and availability. Confidentiality means information is only available to authorised people. Integrity means information remains accurate and trustworthy. Availability means information and systems can be accessed when needed.

ISO 27001 does not simply focus on technology. It also covers governance, people, physical security, suppliers, incidents, business continuity, risk management, policies, monitoring, and leadership.

That is why Annex A controls are so useful. They help organisations translate security principles into practical controls that can be selected, owned, evidenced, reviewed, and improved.

Annex A: clearing up the confusion

The phrase "Annex 2 controls" is often used by people who are new to ISO 27001, but the recognised wording is Annex A controls. In ISO/IEC 27001:2022, Annex A contains 93 controls grouped into four broad areas: organisational, people, physical, and technological.

The older 2013 version of the standard had 114 controls arranged across 14 groups. The 2022 version was simplified and reorganised into 93 controls. The update made the control structure easier to align with modern business risks, including cloud services, threat intelligence, data leakage, secure configuration, monitoring, web filtering, and supplier relationships.

For a business preparing for certification, the key message is simple: do not worry too much about the wording “Annex 2”. Focus on the Annex A controls and how they apply to your organisation.

The four control areas in ISO 27001:2022

ISO 27001:2022 Annex A controls are grouped into four main areas.

Organisational controls focus on governance, responsibilities, policies, risk, suppliers, incidents, information classification, business continuity, and compliance.

People controls focus on staff, contractors, screening, terms of employment, awareness, disciplinary processes, remote working, and confidentiality responsibilities.

Physical controls focus on secure areas, physical entry, offices, equipment, cabling, storage media, maintenance, and protection against physical threats.

Technological controls focus on user access, authentication, malware protection, backups, logging, monitoring, vulnerability management, secure configuration, network security, encryption, data masking, development security, and cloud-related controls.

This structure helps businesses see that ISO 27001 is not just an IT standard. It is a management system standard that touches the whole organisation.

Who needs ISO 27001 certification?

ISO 27001 certification is useful for any organisation that needs to protect information and prove that security is managed properly. It is especially relevant for businesses that handle client data, personal information, confidential records, financial data, intellectual property, supplier information, cloud systems, or sensitive operational information.

Many organisations seek certification because customers ask for it during supplier checks. Others need it for tenders, public sector work, board assurance, investor confidence, insurance conversations, or contract requirements.

It is particularly useful for software companies, managed service providers, cyber security firms, consultants, professional services businesses, healthcare suppliers, finance related organisations, recruitment agencies, cloud service providers, and companies that process information on behalf of clients.

Smaller businesses can benefit too. Certification can help them compete with larger suppliers by showing that their approach to information security is structured, independently assessed, and based on a recognised international standard.

Organisational controls: the governance foundation

Organisational controls are the largest group in Annex A. They help the business set direction, assign responsibility, manage risk, control suppliers, classify information, respond to incidents, and meet legal or contractual duties.

These controls cover areas such as information security policies, information security roles and responsibilities, segregation of duties, management responsibilities, contact with authorities, contact with special interest groups, threat intelligence, information security in project management, asset inventory, acceptable use of information and assets, information classification, labelling of information, information transfer, access control, identity management, authentication information, access rights, supplier relationships, cloud service security, incident management, business continuity, legal requirements, intellectual property, records protection, privacy, independent review, and documented operating procedures.

This group matters because security needs leadership and structure. Without organisational controls, security can become reactive and inconsistent. A business may have technical tools but still lack ownership, review, policy direction, supplier oversight, or incident learning.

A strong ISO 27001 approach starts by making sure people know who is responsible for what, which information matters, which suppliers create risk, and which controls support the business.

People controls: security through behaviour and responsibility

People controls focus on the human side of information security. This includes staff, contractors, temporary workers, managers, and anyone else who may affect business information.

These controls include screening, terms and conditions of employment, information security awareness, education and training, disciplinary process, responsibilities after employment ends or changes, confidentiality or non-disclosure agreements, remote working, and information security event reporting.

These controls are important because people are central to security. Staff may handle customer data, approve payments, manage systems, respond to emails, use cloud platforms, store documents, work remotely, or interact with suppliers. Their decisions can reduce risk or increase it.

The UK Government’s Cyber Security Breaches Survey has repeatedly shown that phishing remains a major issue for businesses. This is why awareness, reporting, and clear responsibilities matter. A well-trained employee is more likely to spot a suspicious message, report an issue early, and follow the right process.

People controls should be practical. Staff do not need confusing documents. They need clear guidance that matches their work.

Physical controls: protecting places, equipment, and information

Physical controls focus on the protection of physical locations, devices, equipment, storage media, and working areas. Even in a cloud-first business, physical security still matters because laptops, phones, papers, backups, offices, meeting rooms, and network equipment can all carry risk.

These controls cover physical security perimeters, physical entry, securing offices and facilities, monitoring physical security, protecting against environmental and physical threats, working in secure areas, clear desk and clear screen practices, equipment placement and protection, security of assets off premises, storage media, supporting utilities, cabling security, equipment maintenance, and secure disposal or reuse of equipment.

Physical controls are often overlooked by businesses that think ISO 27001 is only about cyber security. That is a mistake. A stolen laptop, an unlocked filing cabinet, exposed cabling, poor visitor control, or insecure disposal of old equipment can all create security incidents.

The physical controls should be proportionate. A small office does not need the same arrangements as a data centre, but it still needs sensible protection for people, devices, records, and business information.

Technological controls: securing systems and data

Technological controls are the most familiar part of ISO 27001 for many people. They focus on systems, applications, networks, authentication, monitoring, backups, malware protection, cryptography, secure development, configuration, and vulnerability management.

These controls include user endpoint devices, privileged access rights, information access restriction, access to source code, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, logging, clock synchronisation, use of privileged utility programs, software installation on operational systems, network security, security of network services, segregation of networks, web filtering, cryptography, secure development life cycle, application security requirements, secure system architecture, secure coding, security testing, outsourced development, separation of development and production environments, change management, test information, and information systems audit testing.

These controls are vital because modern businesses depend heavily on technology. Email, cloud storage, customer portals, finance platforms, HR systems, document management, CRM tools, and collaboration platforms all need protection.

However, technological controls should not be selected in isolation. They should connect to risks, business requirements, supplier arrangements, and legal duties. This is where the Statement of Applicability becomes important.

The role of the Statement of Applicability

The Statement of Applicability, often called the SoA, records how the organisation has considered Annex A controls. It is one of the most important ISO 27001 documents.

For each control, the SoA should record whether the control is applicable, why it is applicable or not applicable, whether it is implemented, and where evidence can be found.

The SoA should link back to risk assessment and risk treatment. If the organisation identifies a risk around unauthorised access to client information, the SoA may show that access control, identity management, authentication, logging, monitoring, and user awareness controls are applicable.

A weak SoA can cause audit problems. If controls are excluded without good reason, auditors may challenge the decision. If controls are marked as implemented but evidence is missing, the organisation may need corrective action.

A strong SoA shows that the business understands its security controls and can justify its decisions.

ISO 27001 Certification Levels

People often search for ISO 27001 Certification Levels, but the term needs careful explanation. ISO 27001 certification is not usually awarded as basic, advanced, bronze, silver, or gold. An organisation is either certified to ISO 27001 or it is not.

However, there are practical stages on the route to certification. A business may begin with a readiness review, then build its ISMS, complete risk assessment and risk treatment, prepare the Statement of Applicability, collect evidence, carry out internal audit, complete management review, and then move to external audit.

External certification normally includes two audit stages. Stage one checks readiness, scope, documentation, and whether the ISMS appears prepared for a full assessment. Stage two checks implementation and effectiveness in more depth.

After certification, the organisation must keep the ISMS active. Ongoing surveillance audits usually check whether the system is still operating, being reviewed, and improving.

How Annex A controls are selected

Annex A controls should be selected based on risk, legal requirements, contractual duties, customer expectations, and business needs. The organisation should not simply select every control without thought or exclude controls to reduce effort.

The right approach is to start with business context and scope. What services are included? What data is handled? Which systems support the service? Which suppliers are involved? Which legal duties apply? Which risks could harm confidentiality, integrity, or availability?

The organisation then carries out a risk assessment. This helps identify where controls are needed. The Annex A control set is then reviewed against those risks.

This creates a clear route from business reality to control selection. It also helps the auditor understand why each control has been included or excluded.

How certification works

ISO 27001 certification starts with understanding the organisation and defining the ISMS scope. The business identifies its context, interested parties, legal duties, contractual requirements, systems, suppliers, information assets, and responsibilities.

The organisation then carries out a risk assessment. Risks are identified, assessed, and treated. The business decides which controls are needed to reduce or manage those risks.

The Annex A controls are then reviewed. Applicable controls are recorded in the Statement of Applicability, along with justifications and implementation status.

The business then operates the ISMS. This includes approving policies, training staff, managing suppliers, monitoring controls, recording incidents, completing access reviews, reviewing risks, and tracking improvement actions.

Before the external audit, the organisation completes internal audit and management review. Any gaps are addressed through corrective action.

The external certification audit then checks whether the ISMS meets ISO 27001 requirements. If the auditor is satisfied, certification can be awarded. The business must then maintain and improve the ISMS over time.

How UK Cyber Compliance supports Annex A control management

Managing Annex A controls manually can become difficult. A business may need to track risks, controls, owners, evidence, actions, implementation status, documents, audit findings, and management review outputs.

UK Cyber Compliance helps make this easier through an automated and AI driven platform. The platform is designed to help businesses manage ISO 27001 activity in one place, including risk tracking, gap identification, documentation, controls, and audit readiness.

This is particularly useful for Annex A because every control needs a decision. The business needs to know what applies, why it applies, whether it is implemented, who owns it, and what evidence supports it.

A platform-led approach reduces the chance of losing track. It also helps the organisation maintain the ISMS after certification, rather than only preparing documents shortly before audit.

Common mistakes with Annex A controls

One common mistake is treating Annex A as a checklist. ISO 27001 is not about ticking every control without context. It is about making risk-based decisions.

Another mistake is excluding controls without clear justification. If a control appears relevant to the business, the auditor may ask why it has not been selected.

A third mistake is marking controls as implemented when they are only planned. If a control is not fully operating, the status should be honest.

A fourth mistake is failing to link controls to risks. The SoA should show a clear relationship between risk treatment and control selection.

A fifth mistake is relying on generic policies that do not match real practice. If a policy says something happens, the business should be able to show evidence.

A sixth mistake is failing to update controls after business change. New services, suppliers, systems, staff arrangements, customer requirements, and incidents can all affect control decisions.
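As an added illustration (not tooling from the page or from UK Cyber Compliance), the following Python script represents the Statement of Applicability record described earlier (applicability, justification, implementation status, owner, evidence, linked risks) and runs the checks that correspond to the common mistakes listed above: controls marked implemented with no evidence, exclusions without justification, applicable controls with no owner or no link to a risk, and risk treatments that point at excluded or missing controls. Control numbers and titles follow the ISO/IEC 27001:2022 Annex A numbering; the entries, risk register, field names and status vocabulary are constructed for the example.

```python
"""Statement of Applicability consistency checks (added example, not the page's own tooling).

Control identifiers follow ISO/IEC 27001:2022 Annex A numbering; the SoA entries
and risk register below are constructed sample data, not any real organisation's records.
"""
from dataclasses import dataclass, field


@dataclass
class SoAEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str = ""
    status: str = "planned"          # assumed vocabulary: "implemented", "planned", "excluded"
    owner: str = ""
    evidence: list = field(default_factory=list)   # document names or record locations
    risk_refs: list = field(default_factory=list)  # risk register ids this control treats


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment_controls: list = field(default_factory=list)  # control ids chosen to treat it


def check_soa(entries, risks):
    """Return (control_id, problem) pairs for SoA entries that would draw audit questions."""
    findings = []
    by_id = {e.control_id: e for e in entries}
    known_risks = {r.risk_id for r in risks}

    for e in entries:
        # Every decision, inclusion or exclusion, needs a stated reason.
        if not e.justification.strip():
            findings.append((e.control_id, "no justification for inclusion or exclusion"))
        if e.applicable:
            # "Implemented" must be backed by evidence, have an owner, and trace to a risk.
            if e.status == "implemented" and not e.evidence:
                findings.append((e.control_id, "marked implemented but no evidence recorded"))
            if not e.owner:
                findings.append((e.control_id, "applicable control has no owner"))
            if not e.risk_refs:
                findings.append((e.control_id, "applicable control not linked to any risk"))
            for r in e.risk_refs:
                if r not in known_risks:
                    findings.append((e.control_id, f"references unknown risk {r}"))
        elif e.status != "excluded":
            # An excluded control cannot also be "planned" or "implemented".
            findings.append((e.control_id, f"excluded control has status '{e.status}'"))

    # Risk treatment must point at controls the SoA actually marks applicable.
    for r in risks:
        for cid in r.treatment_controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append((cid, f"risk {r.risk_id} treated by control not in SoA"))
            elif not entry.applicable:
                findings.append((cid, f"risk {r.risk_id} treated by a control the SoA excludes"))
    return findings


def build_sample():
    """Constructed SoA extract and risk register containing several of the common mistakes."""
    risks = [
        Risk("R-01", "Unauthorised access to client data", ["A.5.15", "A.8.15"]),
        Risk("R-02", "Unpatched internet-facing service", ["A.8.8"]),
        Risk("R-03", "Sensitive papers left on desks", ["A.7.7"]),
    ]
    entries = [
        SoAEntry("A.5.15", "Access control", True, "Client data held in shared systems",
                 "implemented", "IT Manager", ["Access policy v2", "Q1 access review"], ["R-01"]),
        SoAEntry("A.8.15", "Logging", True, "Needed to detect misuse",
                 "implemented", "IT Manager", [], ["R-01"]),          # implemented, no evidence
        SoAEntry("A.8.8", "Management of technical vulnerabilities", True,
                 "Public-facing services", "planned", "", [], ["R-02"]),  # no owner
        SoAEntry("A.7.7", "Clear desk and clear screen", False, "", "excluded"),  # no justification
        SoAEntry("A.8.23", "Web filtering", False,
                 "No office network; all staff on managed devices", "planned"),  # contradictory status
    ]
    return entries, risks


def sample_findings():
    entries, risks = build_sample()
    return check_soa(entries, risks)


if __name__ == "__main__":
    for control_id, problem in sample_findings():
        print(f"{control_id}: {problem}")
```

Running the script lists five problems in the sample: A.8.15 claims implementation without evidence, A.8.8 has no owner, A.7.7 is excluded without a reason and yet is named as the treatment for R-03, and A.8.23 is excluded while still marked "planned". Extending the same checks to evidence currency (a review record older than a set age) is the natural next step when the data carries dates.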

Evidence that supports Annex A controls

Evidence is essential during an ISO 27001 audit. If the organisation says a control is implemented, it should be able to show proof.

Evidence may include policies, procedures, risk assessments, access review records, supplier reviews, training records, incident reports, backup records, vulnerability reports, asset records, audit findings, management review notes, configuration records, monitoring records, and corrective action logs.

The evidence should be relevant and current. It should support the control claim being made.

For example, if the organisation says supplier security controls are implemented, evidence may include supplier risk assessments, contract clauses, service review records, or approval decisions.

If the organisation says access control is implemented, evidence may include user access reviews, joiner and leaver records, administrator access records, and authentication settings.

Which UK-based firms offer ISO 27001 consultancy services?

UK-based firms offering ISO 27001 consultancy services include cyber security consultancies, compliance providers, managed service providers, information security specialists, and platform-led compliance companies.

UK Cyber Compliance is a strong option for businesses that want ISO 27001 support through an automated and AI driven platform. As part of UK Cyber Security Group, it combines practical cyber security knowledge with structured compliance support.

A good consultancy partner should help with scope, risk assessment, Annex A control selection, Statement of Applicability preparation, evidence mapping, internal audit readiness, management review preparation, and ongoing improvement.

For many small and medium businesses, the best support is practical, clear, and proportionate. It should help the organisation build a real ISMS, not simply collect documents for an audit.

Annex A and business growth

Annex A controls are not only useful for passing an audit. They can support business growth by improving trust.

Customers increasingly ask suppliers how they protect information. They may want evidence of access control, incident response, supplier management, security awareness, vulnerability management, and business continuity. ISO 27001 gives the business a structured way to answer those questions.

For companies bidding for contracts, handling sensitive data, or working with larger clients, this can make a real difference. Certification can help reduce repeated security questionnaires and support supplier onboarding.

The Annex A controls provide the substance behind that trust. They show that the business has considered a wide range of security issues and selected controls based on risk.

Keeping Annex A controls current

Annex A controls should not be reviewed once and forgotten. The organisation should update its control decisions when the business changes.

A review may be needed when new systems are launched, suppliers change, remote working changes, incidents occur, legal duties change, customer requirements increase, or new risks are identified.

The Statement of Applicability should also be updated when control status changes. If a control moves from planned to implemented, the SoA should reflect that. If a control is no longer relevant, the justification should be updated.

Keeping controls current helps the business remain audit-ready and reduces pressure before surveillance audits.

A practical Annex A readiness checklist

Before an ISO 27001 audit, a business should be able to answer these questions:

Is the ISMS scope clear?

Have business risks been assessed?

Has a risk treatment plan been created?

Have all Annex A controls been considered?

Has the Statement of Applicability been prepared?

Is every control decision justified?

Are applicable controls linked to risk or business need?

Are exclusions credible and clearly explained?

Is implementation status accurate?

Are control owners assigned where needed?

Is evidence available for implemented controls?

Have policies and procedures been approved?

Have staff received relevant awareness guidance?

Are suppliers reviewed where relevant?

Have internal audit and management review taken place?

Are corrective actions tracked?

Is the SoA current?

If the answer to several of these questions is unclear, the business may need more preparation before external audit.

Why the controls should feel practical

ISO 27001 can sound complex, but the controls are there for practical reasons. They help the business answer simple but important questions.

Who is responsible for security?

What information needs protection?

Who can access systems?

Are suppliers managed?

Can incidents be reported?

Are staff trained?

Are systems monitored?

Are vulnerabilities managed?

Are backups protected?

Are physical locations secure?

Are risks reviewed?

When Annex A controls are understood in this way, they become less intimidating. They become a practical framework for managing information security sensibly.

A clear route for UK businesses

The "ISO 27001 Annex 2 controls" people often refer to are more accurately known as Annex A controls. In ISO/IEC 27001:2022, there are 93 controls grouped into organisational, people, physical, and technological areas.

These controls help businesses manage information security risk, build a stronger ISMS, prepare a clear Statement of Applicability, and show auditors that security decisions are justified.

UK Cyber Compliance provides an automated and AI driven platform that helps businesses manage ISO 27001 certification activity more easily. By bringing risks, controls, evidence, policies, actions, and audit readiness into one place, the platform can reduce confusion and help organisations stay on track.

For UK businesses seeking ISO 27001 certification, Annex A controls should not be treated as a burden. They are a practical way to protect information, improve trust, and show customers that security is being managed properly.

UK Cyber Compliance is here to help

For more information, please do get in touch.
