ISO27001:2022 Annex A controls
You always wanted a comprehensive list of ISO27001 Annex A controls, right?
Your wish is our command!
Whether you’re a cybersecurity wizard or a curious newbie, this document gives you access to everything you ever wanted to know about the ISO27001:2022 Annex A controls.
We created this list, and the resources it links to, because the most common question we get is, "What do I need for X Annex A control?"

There are 93 Annex A controls in ISO27001:2022, and every one of them has at some point caused confusion for people implementing the standard.
Our list links each control to detailed information: what is expected, why it's needed, what the auditor expects to see and what you need to do to comply. We've also included a few typical questions we get asked about each control.
Note that some ISO27001 controls should not be read in isolation, as they relate to other controls; where this happens, we've provided links to the related controls.
How you get started is up to you. Jump into the control or controls that you are most confused about, or start from A5.1 and finish at A8.34. The choice is yours.
We have linked each control to easy-to-use policies and procedures that you can purchase from our online store, so that you can get started right away.

Organisational Controls

A5.1 - Policies for information security
Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

A5.2 - Information security roles and responsibilities
Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.

A5.3 - Segregation of duties
Conflicting duties and conflicting areas of responsibility shall be segregated.

A5.4 - Management responsibilities
Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organisation.

A5.5 - Contact with authorities
The organisation shall establish and maintain contact with relevant authorities.

A5.6 - Contact with special interest groups
The organisation shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

A5.7 - Threat intelligence
Information relating to information security threats shall be collected and analysed to produce threat intelligence.

A5.8 - Information security in project management
Information security shall be integrated into project management.

A5.9 - Inventory of information and other associated assets
An inventory of information and other associated assets, including owners, shall be developed and maintained.

A5.10 - Acceptable use of information and other associated assets
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

A5.11 - Return of assets
Personnel and other interested parties, as appropriate, shall return all the organisation's assets in their possession upon change or termination of their employment, contract or agreement.

A5.12 - Classification of information
Information shall be classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

A5.13 - Labelling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organisation.

A5.14 - Information transfer
Information transfer rules, procedures or agreements shall be in place for all types of transfer facilities within the organisation and between the organisation and other parties.

A5.15 - Access control
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

A5.16 - Identity management
The full life cycle of identities shall be managed.

A5.17 - Authentication information
Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

A5.18 - Access rights
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organisation's topic-specific policy on, and rules for, access control.

A5.19 - Information security in supplier relationships
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers' products or services.

A5.20 - Addressing information security within supplier agreements
Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

A5.21 - Managing information security in the ICT supply chain
Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

A5.22 - Monitoring, review and change management of supplier services
The organisation shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

A5.23 - Information security for use of cloud services
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements.

A5.24 - Information security incident management planning and preparation
The organisation shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

A5.25 - Assessment and decision on information security events
The organisation shall assess information security events and decide if they are to be categorised as information security incidents.

A5.26 - Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.

A5.27 - Learning from information security incidents
Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

A5.28 - Collection of evidence
The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

A5.29 - Information security during disruption
The organisation shall plan how to maintain information security at an appropriate level during disruption.

A5.30 - ICT readiness for business continuity
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

A5.31 - Identification of legal, statutory, regulatory and contractual requirements
Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation's approach to meet these requirements shall be identified, documented and kept up to date.

A5.32 - Intellectual property rights
The organisation shall implement appropriate procedures to protect intellectual property rights.

A5.33 - Protection of records
Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release.

A5.34 - Privacy and protection of PII
The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. PII is information that can be used to distinguish or trace an individual's identity (such as their name, social security number or biometric records), alone or when combined with other information that is linked or linkable to a specific individual (such as date and place of birth or mother's maiden name).

A5.35 - Independent review of information security
The organisation's approach to managing information security and its implementation, including people, processes and technologies, shall be reviewed independently at planned intervals, or when significant changes occur.

A5.36 - Compliance with policies, rules and standards for information security
Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

A5.37 - Documented operating procedures
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

People Controls

A6.1 - Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organisation and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A6.2 - Terms and conditions of employment
The employment contractual agreements shall state the personnel's and the organisation's responsibilities for information security.

A6.3 - Information security awareness, education and training
Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function.

A6.4 - Disciplinary process
A disciplinary process shall be formalised and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

A6.5 - Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

A6.6 - Confidentiality or non-disclosure agreements
Confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

A6.7 - Remote working
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation's premises.

A6.8 - Information security event reporting
The organisation shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Physical Controls

A7.1 - Physical security perimeter
Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

A7.2 - Physical entry
Secure areas shall be protected by appropriate entry controls and access points.

A7.3 - Securing offices, rooms and facilities
Physical security for offices, rooms and facilities shall be designed and implemented.

A7.4 - Physical security monitoring
Premises shall be continuously monitored for unauthorised physical access.

A7.5 - Protecting against physical and environmental threats
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented.

A7.6 - Working in secure areas
Security measures for working in secure areas shall be designed and implemented.

A7.7 - Clear desk and clear screen
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

A7.8 - Equipment siting and protection
Equipment shall be sited securely and protected.

A7.9 - Security of assets off-premises
Off-site assets shall be protected.

A7.10 - Storage media
Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation's classification scheme and handling requirements.

A7.11 - Supporting utilities
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A7.12 - Cabling security
Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.

A7.13 - Equipment maintenance
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

A7.14 - Secure disposal or re-use of equipment
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Technical Controls

A8.1 - User endpoint devices
Information stored on, processed by or accessible via user endpoint devices shall be protected.

A8.2 - Privileged access rights
The allocation and use of privileged access rights shall be restricted and managed.

A8.3 - Information access restriction
Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

A8.4 - Access to source code
Read and write access to source code, development tools and software libraries shall be appropriately managed.

A8.5 - Secure authentication
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

A8.6 - Capacity management
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

A8.7 - Protection against malware
Protection against malware shall be implemented and supported by appropriate user awareness.

A8.8 - Management of technical vulnerabilities
Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

A8.9 - Configuration management
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

A8.10 - Information deletion
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

A8.11 - Data masking
Data masking shall be used in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

A8.12 - Data leakage prevention
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

A8.13 - Information backup
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

A8.14 - Redundancy of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A8.15 - Logging
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

A8.16 - Monitoring activities
Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

A8.17 - Clock synchronisation
The clocks of information processing systems used by the organisation shall be synchronised to approved time sources.

A8.18 - Use of privileged utility programs
The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.

A8.19 - Installation of software on operational systems
Procedures and measures shall be implemented to securely manage software installation on operational systems.

A8.20 - Networks security
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
​
Need some help implementing these controls?
​
We'd love to help you get your ISO27001 controls under control - drop us a line and we'll be in touch.