What are Annex A Controls?
Annex A controls are the 93 reference information security controls listed in ISO/IEC 27001:2022, grouped into four themes: 37 Organizational, 8 People, 14 Physical, and 34 Technological. You do not implement all 93 by default -- you select applicable controls from your risk assessment and justify each inclusion or exclusion in a Statement of Applicability.
Annex A is the catalog of controls an organization considers when treating information security risks under ISO/IEC 27001. The 2022 revision consolidated the previous 114 controls (across 14 domains) into 93 controls across four themes and added 11 new controls, including threat intelligence, secure coding, data leakage prevention, and information security for cloud services. Detailed implementation guidance for each control lives in the companion standard ISO/IEC 27002.
Critically, Annex A is a reference set, not a mandatory checklist. Your risk assessment and risk treatment plan determine which controls apply; for example, a fully cloud-hosted SaaS company may exclude certain physical controls and document why. Every decision -- include or exclude -- must be recorded and justified in the Statement of Applicability.
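The include-or-exclude-with-justification rule is easy to state and easy to get wrong in a spreadsheet: a control silently dropped, a row duplicated after a copy-paste, an exclusion with no rationale. The script below, an added example that is not part of this page or of any toolkit it lists, checks an SoA exported as CSV against the 93 control identifiers of ISO/IEC 27001:2022 (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34). The three-column CSV layout (`control_id`, `status`, `justification`) and the sample SoA with deliberate defects are constructed here for illustration; a real export will need its column names mapped to these.

```python
"""Statement of Applicability (SoA) completeness check for ISO/IEC 27001:2022.

Added example, not code from the page or any product it describes. The CSV
layout (control_id, status, justification) is an assumed format.
"""
import csv
import io

# Annex A 2022 numbering: clause 5 Organizational (37), 6 People (8),
# 7 Physical (14), 8 Technological (34); 37 + 8 + 14 + 34 = 93.
THEMES = {
    "5": ("Organizational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}
VALID_STATUS = {"included", "excluded"}


def expected_controls():
    """All 93 Annex A control identifiers, '5.1' through '8.34', in order."""
    return [f"{t}.{n}" for t, (_, count) in THEMES.items() for n in range(1, count + 1)]


def check_soa(csv_text):
    """Validate an SoA given as CSV text and return a dict of findings.

    A control is flagged when it is missing, unknown (not an Annex A id),
    listed twice, has a status other than included/excluded, or has an
    empty justification. 'ok' is True only when every list is empty.
    """
    expected = expected_controls()
    expected_set = set(expected)
    keys = ("missing", "unknown", "duplicate", "bad_status", "unjustified")
    findings = {k: [] for k in keys}
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        status = row["status"].strip().lower()
        justification = row["justification"].strip()
        if cid in seen:
            findings["duplicate"].append(cid)
            continue
        seen[cid] = status
        if cid not in expected_set:
            findings["unknown"].append(cid)
            continue
        if status not in VALID_STATUS:
            findings["bad_status"].append(cid)
        if not justification:
            findings["unjustified"].append(cid)
    findings["missing"] = [c for c in expected if c not in seen]
    findings["excluded"] = sorted(c for c, s in seen.items() if s == "excluded" and c in expected_set)
    findings["ok"] = not any(findings[k] for k in keys)
    return findings


def sample_soa(with_defects=True):
    """Constructed SoA for demonstration. With defects: 7.4 is missing, 7.1 is
    excluded with a rationale, 8.28 has no justification, 6.3 has an invalid
    status, '8.35' is not a real control, and 5.1 appears twice."""
    rows = [(c, "included", "Required by risk treatment plan") for c in expected_controls()]
    if with_defects:
        rows = [r for r in rows if r[0] != "7.4"]
        fixes = {
            "7.1": ("7.1", "excluded", "No on-premises facilities; fully cloud hosted"),
            "8.28": ("8.28", "included", ""),
            "6.3": ("6.3", "n/a", "Covered by HR process"),
        }
        rows = [fixes.get(r[0], r) for r in rows]
        rows.append(("8.35", "included", "Typo: no such control"))
        rows.append(("5.1", "included", "Duplicate row from copy-paste"))
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["control_id", "status", "justification"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for key, value in check_soa(sample_soa()).items():
        print(f"{key}: {value}")
```

Run it against the defective sample and every finding list names exactly one control; run it with `sample_soa(with_defects=False)` and `ok` is True. Note that the check is purely structural: it tells you the SoA is complete and every decision carries a stated reason, not that the reasons are sound or that the included controls actually operate.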
Templates accelerate this work by giving you policies and procedures already mapped to the 93 controls, so you tailor existing documents instead of drafting from zero. That removes the longest part of getting audit-ready, but the controls still have to operate in your business and generate real evidence -- buying the documents does not by itself make you compliant or certified.
Related terms: Statement of Applicability (SoA) · ISO/IEC 27002 · Risk Treatment Plan · Security Control
Frequently asked questions
- How many Annex A controls are there in ISO 27001:2022?
- There are 93 controls, organized into four themes: 37 Organizational, 8 People, 14 Physical, and 34 Technological. The prior 2013 edition had 114 controls across 14 domains.
- Do I have to implement all 93 Annex A controls?
- No. Annex A is a reference set. You select the controls that are applicable based on your risk assessment and justify any exclusions, all documented in your Statement of Applicability.
- What are the 11 new controls added in 2022?
- The 2022 edition introduced 11 new controls: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
Toolkits that cover Annex A Controls
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
ISO 27001 Toolkit for SaaS Companies
17 editable ISO/IEC 27001:2022 policies written natively for cloud-native SaaS — including a Customer Data Isolation & Multi-Tenancy Security Policy — plus a SaaS-specific risk register and the 93-control Statement of Applicability.
Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.
