Security Program & Risk · Jun 16, 2026 · 11 min read

ISO 27001 Annex A: 93 controls in four themes

Annex A is the catalog of security controls that ISO 27001 relies on. Here is how it is organized into four themes, what the controls cover, and how you choose the ones that apply to you.
Written by Raptoric Security Program & Risk

Annex A is the list of security controls that accompanies ISO 27001. The main body of the standard sets out how to run an information security management system, while Annex A provides a catalog of concrete controls from which a company selects the ones that reduce its risks. The 2022 revision cut the number of controls and reorganized them into four themes. This post explains how Annex A is structured and how the controls are chosen.

This is part of our security program overview. We guide the selection and rollout of controls through governance, risk, and compliance.

What Annex A is

Annex A is a list of reference controls; the detailed description of each one lives in the companion standard ISO/IEC 27002.[2] The split matters in practice: Annex A names each control and states it in a single sentence, while ISO 27002 explains the purpose of the control, how to implement it, and what to watch out for, and tags each control with attributes (control type, operational capability, and so on) that help you filter and group the catalog. When you design controls you work from both, but the certificate is issued against ISO 27001, and it is Annex A that the auditor reconciles your Statement of Applicability against.

The most important thing to understand is that Annex A is not a list of obligations that you must satisfy in full. It is a catalog from which a company selects the controls relevant to its own risks, and the standard also lets you add controls from other sources where Annex A has no fit. The selection and the reasoning behind it are recorded in the Statement of Applicability, which for every Annex A control states whether it applies, why it was included or excluded, and whether it is implemented. A control may be left out, as long as the company can explain why it does not apply. That is what keeps an ISMS proportionate instead of forcing every organization to implement every control regardless of context.

The four themes

The 2022 revision reorganized the controls into four clear themes.[1] The control numbering follows the theme: organizational controls are A.5.x, people controls A.6.x, physical controls A.7.x, and technological controls A.8.x.

Theme           What it covers                                                               Controls
Organizational  Policies, roles, risk management, asset handling, and supplier relationships.    37
People          Employees: screening, awareness, obligations, and conduct.                        8
Physical        Protection of premises, equipment, and physical access.                          14
Technological   Technical controls: access, cryptography, logging, and network security.         34

Annex A 2022: the four control themes and the number of controls in each (93 in total).

The four themes replace the older structure but do not change the goal: to cover the full surface of information security, not only the technical part. Most companies instinctively reach for the technological controls first, yet many real incidents start with a person, a supplier, or an unguarded door. Grouping the controls this way is a reminder that the organizational and people themes carry as much weight as the technology.

How controls are chosen

The choice of controls follows directly from the risk assessment. For each identified risk, the company considers which Annex A controls reduce it and which it will put in place. Once the treatment plan exists, the standard requires you to compare the controls you have chosen against Annex A to check that nothing necessary has been overlooked; that comparison is the catalog's real job. If a control does not apply, that is allowed, but it has to be justified. This is how Annex A connects risks to concrete measures, rather than leaving security at the level of good intentions.

The direction matters. Controls follow risk, not the other way around. A company that starts by copying the full Annex A list and then tries to invent risks to justify each control has the process backwards, and an auditor will see it. Sound risk management gives every control a reason to exist, and gives every exclusion a defensible explanation.

  1. Assess your risks
     Identify what the company is exposed to and how badly.
  2. Map to controls
     For each risk, consider which Annex A controls reduce it.
  3. Decide applicability
     Determine which controls you implement, which you do not, and why.
  4. Document the choice
     Record the decisions in the Statement of Applicability (SoA).

Supplier risk is a common place where this mapping gets thin. Several organizational controls in Annex A deal with the security of the relationships you depend on, so vendor risk management is not a separate exercise bolted on later; it is part of selecting and justifying the right controls from the start.

What the 2022 revision changed

The previous version, ISO/IEC 27001:2013, had 114 controls spread across 14 domains. The 2022 revision merged and modernized them, bringing the total down to 93 across four themes, and added eleven new controls for topics such as threat intelligence, cloud services, configuration management, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The aim was a clearer, more current framework that maps closer to the risks organizations actually face today.

If you certified under the older structure, the change is not a reason to panic. The underlying expectations are largely the same, and the main work is re-mapping your existing controls and Statement of Applicability to the new themes and numbering. We cover the wider path to certification in our ISO 27001 certification guide.

How Raptoric helps

We help connect your risks to the right Annex A controls and prepare the documentation for the audit, through governance, risk, and compliance. Book a scoping call.

Frequently asked questions

How many controls does Annex A have?
In the 2022 revision of ISO 27001, Annex A contains 93 controls organized into four themes: organizational (37), people (8), physical (14), and technological (34). The previous version had 114 controls spread across 14 domains.
Do you have to implement every Annex A control?
No. Annex A is a catalog, not a checklist of obligations. A company selects the controls that apply to its risks based on a risk assessment, and justifies both the selections and the exclusions in the Statement of Applicability.
What are the four themes of Annex A?
Organizational controls, people controls, physical controls, and technological controls. This grouping was introduced in the 2022 revision to give a clearer and more current framework.
How are controls chosen?
The choice follows from the risk assessment: for each risk you consider which Annex A controls reduce it and which you will implement. The decisions are documented in the Statement of Applicability.

Sources

  1. ISO/IEC. ISO/IEC 27001:2022 — Annex A. International Organization for Standardization, 2022.
  2. ISO/IEC. ISO/IEC 27002:2022: Information security controls. International Organization for Standardization, 2022.
Want this tested on your own systems?
Our team will scope it with you on a 30-minute call.
Book a scoping call