
ISO27001 Annex A controls

You always wanted a comprehensive list of ISO27001 Annex A controls, right?


Your wish is our command!


Whether you’re a cybersecurity wizard or a curious newbie, this document gives you access to everything you ever wanted to know about the ISO27001:2022 Annex A controls.


We created this list, and the resources it links to, because the most common question we get is, “What do I need for X Annex A control?”

There are 93 Annex A controls in ISO27001:2022, and every one of them has at some point caused some confusion for people implementing the standard.


Our list provides a link to detailed information about the control, what is expected, why it’s needed, what the auditor expects to see and what you need to do to comply with the control. We’ve also included a few typical questions we get asked about the control.

Note that some ISO27001 controls should not be read in isolation because they are related to other controls. Where this happens, we’ve provided links to the other controls.


How you get started is up to you. Jump into the control or controls that you are most confused about or start from A5.1 and finish at A8.37. The choice is yours.


We have linked each control to easy-to-use policies and procedures that you can purchase from our online store, so that you can get started right away.

Organisational Controls

A5.1 - Policies for information security

A5.2 - Information security roles and responsibilities

A5.3 - Segregation of duties

A5.4 - Management responsibilities

A5.5 - Contact with authorities

A5.6 - Contact with special interest groups

A5.7 - Threat Intelligence

A5.8 - Information security in project management

A5.9 - Inventory of information and other associated assets

A5.10 - Acceptable use of information and other associated assets

A5.11 - Return of assets

A5.12 - Classification of information

A5.13 - Labelling of information

A5.14 - Information transfer

A5.15 - Access control

A5.16 - Identity management

A5.17 - Authentication Information

A5.18 - Access rights

A5.19 - Information security in supplier relationships

A5.20 - Addressing information security within supplier agreements

A5.21 - Managing information security in the ICT supply chain

A5.22 - Monitoring, review and change management of supplier services

A5.23 - Information Security for use of Cloud Services

A5.24 - Information security incident management planning and preparation

A5.25 - Assessment and decision on information security events 

A5.26 - Response to information security incidents

A5.27 - Learning from information security incidents

A5.28 - Collection of evidence

A5.29 - Information security during disruption

A5.30 - ICT Readiness for Business Continuity

A5.31 - Identification of legal, statutory, regulatory and contractual requirements

A5.32 - Intellectual property rights

A5.33 - Protection of records

A5.34 - Privacy and protection of PII

A5.35 - Independent review of information security

A5.36 - Compliance with policies and standards for information security

A5.37 - Documented operating procedures
