The control set

Annex A: all 93 ISO 27001:2022 controls

Annex A is the standard's menu of 93 security controls in four themes. You do not implement all of them; you consider all of them, and your Statement of Applicability records what you decided and why. Here is the complete list, with the UK SME reality attached.

3D illustration of organisational controls

37 controls

Organisational controls (5.1 to 5.37)

Governance, suppliers, cloud, incidents, legal and records: the controls that live in policies and process rather than technology.

  • 5.1 Policies for information security
  • 5.2 Information security roles and responsibilities
  • 5.3 Segregation of duties
  • 5.4 Management responsibilities
  • 5.5 Contact with authorities
  • 5.6 Contact with special interest groups
  • 5.7 Threat intelligence
  • 5.8 Information security in project management
  • 5.9 Inventory of information and other associated assets
  • 5.10 Acceptable use of information and other associated assets
  • 5.11 Return of assets
  • 5.12 Classification of information
  • 5.13 Labelling of information
  • 5.14 Information transfer
  • 5.15 Access control
  • 5.16 Identity management
  • 5.17 Authentication information
  • 5.18 Access rights
  • 5.19 Information security in supplier relationships
  • 5.20 Addressing information security within supplier agreements
  • 5.21 Managing information security in the ICT supply chain
  • 5.22 Monitoring, review and change management of supplier services
  • 5.23 Information security for use of cloud services
  • 5.24 Information security incident management planning and preparation
  • 5.25 Assessment and decision on information security events
  • 5.26 Response to information security incidents
  • 5.27 Learning from information security incidents
  • 5.28 Collection of evidence
  • 5.29 Information security during disruption
  • 5.30 ICT readiness for business continuity
  • 5.31 Legal, statutory, regulatory and contractual requirements
  • 5.32 Intellectual property rights
  • 5.33 Protection of records
  • 5.34 Privacy and protection of PII
  • 5.35 Independent review of information security
  • 5.36 Compliance with policies, rules and standards for information security
  • 5.37 Documented operating procedures
3D illustration of people controls

8 controls

People controls (6.1 to 6.8)

The human lifecycle: hiring, training, discipline, leaving, NDAs and remote work.

  • 6.1 Screening
  • 6.2 Terms and conditions of employment
  • 6.3 Information security awareness, education and training
  • 6.4 Disciplinary process
  • 6.5 Responsibilities after termination or change of employment
  • 6.6 Confidentiality or non-disclosure agreements
  • 6.7 Remote working
  • 6.8 Information security event reporting
3D illustration of physical controls

14 controls

Physical controls (7.1 to 7.14)

Premises, equipment, media and disposal. The theme remote-first companies exclude most from, with justification.

  • 7.1 Physical security perimeters
  • 7.2 Physical entry
  • 7.3 Securing offices, rooms and facilities
  • 7.4 Physical security monitoring
  • 7.5 Protecting against physical and environmental threats
  • 7.6 Working in secure areas
  • 7.7 Clear desk and clear screen
  • 7.8 Equipment siting and protection
  • 7.9 Security of assets off-premises
  • 7.10 Storage media
  • 7.11 Supporting utilities
  • 7.12 Cabling security
  • 7.13 Equipment maintenance
  • 7.14 Secure disposal or re-use of equipment
3D illustration of technological controls

34 controls

Technological controls (8.1 to 8.34)

Endpoints, access, malware, vulnerabilities, logging, networks, cryptography and secure development.

  • 8.1 User endpoint devices
  • 8.2 Privileged access rights
  • 8.3 Information access restriction
  • 8.4 Access to source code
  • 8.5 Secure authentication
  • 8.6 Capacity management
  • 8.7 Protection against malware
  • 8.8 Management of technical vulnerabilities
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.13 Information backup
  • 8.14 Redundancy of information processing facilities
  • 8.15 Logging
  • 8.16 Monitoring activities
  • 8.17 Clock synchronisation
  • 8.18 Use of privileged utility programs
  • 8.19 Installation of software on operational systems
  • 8.20 Networks security
  • 8.21 Security of network services
  • 8.22 Segregation of networks
  • 8.23 Web filtering
  • 8.24 Use of cryptography
  • 8.25 Secure development life cycle
  • 8.26 Application security requirements
  • 8.27 Secure system architecture and engineering principles
  • 8.28 Secure coding
  • 8.29 Security testing in development and acceptance
  • 8.30 Outsourced development
  • 8.31 Separation of development, test and production environments
  • 8.32 Change management
  • 8.33 Test information
  • 8.34 Protection of information systems during audit testing

Control titles as listed in ISO/IEC 27001:2022 Annex A. The implementation guidance for each control lives in ISO/IEC 27002.

The UK SME reality

Which controls will actually apply to you

A fully remote 40-person SaaS business typically excludes a tranche of the physical theme and much of the secure development set if it does not build software, while carrying real weight in cloud, supplier and access controls. A manufacturer inverts that. The control list is fixed; the shape of your ISMS is not.

What decides it is your risk assessment, and what records it is the Statement of Applicability. Both are built in the first weeks of a readiness engagement.

Rule of thumb

If a control maps to a risk on your register, a clause in a customer contract or a legal obligation, it is in. If you find yourself inventing a reason, it is probably a justified exclusion. And if a consultant tells you all 93 always apply, they are selling implementation hours, not an ISMS.

Quick answers

Annex A questions, answered

How many controls are in ISO 27001?

The 2022 edition of Annex A contains 93 controls, organised into four themes: 37 organisational, 8 people, 14 physical and 34 technological. The 2013 edition's 114 controls were merged, renamed and supplemented with 11 new ones to produce the current set.

Do we have to implement all 93 controls?

No. You must consider all 93 and record a decision on each in your Statement of Applicability. Controls are implemented where your risks, contracts or legal obligations demand them, and excluded with justification where they genuinely do not apply, such as physical controls for a fully remote company.

How the SoA works

What is the difference between Annex A and ISO 27002?

Annex A lists the 93 controls; ISO 27002 is a separate guidance standard describing how to implement each one in detail. You certify against ISO 27001; you consult 27002 when you want implementation depth for a control.

Which Annex A controls matter most for a UK SME?

The ones your risk assessment says do, which is the answer the standard forces. In practice the controls that carry the most audit attention for UK SMEs are access control and privileged access, supplier and cloud security, logging and monitoring, vulnerability management and the incident management set. A gap analysis tells you which of the 93 will do real work for you.

Run the gap analysis

3D rocket illustration for booking a free ISO 27001 scoping call

93 controls, one decision each

Find out which controls your business actually needs

The gap analysis scores you against every control and clause in a week. A free 45 minute scoping call starts it.