ISO27001 Annex A controls
You always wanted a comprehensive list of ISO27001 Annex A controls, right?
Your wish is our command!
Whether you’re a cybersecurity wizard or a curious newbie, this document gives you access to everything you ever wanted to know about the ISO27001:2022 Annex A controls.
We created this list and the resources it links to because the most common question we get is, “What do I need for X Annex A control?”
There are 93 Annex A controls in ISO27001:2022, and every one of them has at some point caused some confusion for people implementing the standard.
Our list provides a link to detailed information about the control, what is expected, why it’s needed, what the auditor expects to see and what you need to do to comply with the control. We’ve also included a few typical questions we get asked about the control.
Note that some ISO27001 controls should not be read in isolation, as they are related to other controls; where this happens, we’ve provided links to the other controls.
How you get started is up to you. Jump into the control or controls that you are most confused about or start from A5.1 and finish at A8.37. The choice is yours.
We have linked each control to easy-to-use policies and procedures that you can purchase from our online store, so that you can get started right away.
Organisational Controls
A5.1 - Policies for information security
A5.2 - Information security roles and responsibilities
A5.3 - Segregation of duties
A5.4 - Management responsibilities
A5.5 - Contact with authorities
A5.6 - Contact with special interest groups
A5.7 - Threat intelligence
A5.8 - Information security in project management
A5.9 - Inventory of information and other associated assets
A5.10 - Acceptable use of information and other associated assets
A5.11 - Return of assets
A5.12 - Classification of information
A5.13 - Labelling of information
A5.14 - Information transfer
A5.15 - Access control
A5.16 - Identity management
A5.17 - Authentication information
A5.18 - Access rights
A5.19 - Information security in supplier relationships
A5.20 - Addressing information security within supplier agreements
A5.21 - Managing information security in the ICT supply chain
A5.22 - Monitoring, review and change management of supplier services
A5.23 - Information security for use of cloud services
A5.24 - Information security incident management planning and preparation
A5.25 - Assessment and decision on information security events
A5.26 - Response to information security incidents
A5.27 - Learning from information security incidents
A5.28 - Collection of evidence
A5.29 - Information security during disruption
A5.30 - ICT readiness for business continuity
A5.31 - Identification of legal, statutory, regulatory and contractual requirements
A5.32 - Intellectual property rights
A5.33 - Protection of records
A5.34 - Privacy and protection of PII
A5.35 - Independent review of information security
A5.36 - Compliance with policies and standards for information security
A5.37 - Documented operating procedures
People Controls
A6.1 - Screening