A Breakdown of ISO 27001:2022 Annex A Controls

December 15, 2022 | ISO 27001

When working toward certification to ISO/IEC 27001, your organization will select relevant controls to implement from a checklist called Annex A. Think of Annex A as a catalog of information. Like a portfolio or archive, Annex A consists of a detailed list of security controls that organizations can use to improve their Information Security Management System (ISMS). 

This year, the ISO/IEC 27001 standard was updated to reflect current security challenges, and one of the biggest changes was within the Annex A controls. 

Let’s take a look at our breakdown of the ISO/IEC 27001:2022 Annex A controls so your organization can easily understand what to expect and feel confident going into your audit.  

Annex A Controls and Domains

Annex A controls have been both reduced and restructured to reflect the updated ISO/IEC 27001:2022 changes; the number of controls decreased from 114 to 93 and are now categorized from 14 domains into four overarching groups—organizational, people, physical, and technological. 

The good news is, these changes make the standard easier to digest and simpler to implement. Here’s more information of each domain, where to find them, and a non-exhaustive list of the type of controls they contain. 

Section 5, Organizational (37 controls)

  • Organizational information policies
  • Cloud service use
  • Asset use

Section 6, People (8 controls)

  • Remote work
  • Confidentiality
  • Non-disclosures
  • Screening

Section 7, Physical (14 controls)

  • Security monitoring
  • Storage media
  • Maintenance
  • Facilities security

Section 8, Technological (34 controls)

  • Authentication
  • Encryption
  • Data leak prevention 

Newly Added Annex A Controls

While several of the Annex A controls have been renamed and merged to reduce the total number of controls, the requirements within those controls are almost all the same. The biggest change has been the addition of 11 new controls, added to reflect new and evolving security areas. 

Specifically, the control categories are as follows: 

  • Threat intelligence
  • Information security for the use of cloud services
  • Information and communications technology for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering 
  • Secure coding

For further details and descriptions of these controls, we recommend purchasing the ISO 27001 and 27002 standard and reviewing those documents with your team.

Transitioning to ISO 27001:2022

No matter what stage your organization is in when it comes to ISO/IEC 27001:2022 certification, don’t worry—there’s plenty of time to make the necessary changes. 

When conforming to the newly updated ISO 27001:2022 standard, all organizations have a three year transition period. ISO 27001:2013 certificates will expire or be withdrawn no later than October 31, 2025, and organizations are eligible to certify against the 2013 version up until October 31, 2023.

For organizations working toward a certification or those with an active certification, you can start incorporating the new standards into your preparations today. Certification bodies, such as BARR, will be required to be ready to certify against the new standard by April 30 of 2023, though most will be ready to certify prior.

A few tips for transitioning your certification to the updated ISO standard include:

  • Start by reviewing the standards and updating your ISMS and statement of applicability to align with the revised requirements;
  • Incorporate these changes into your risk assessment and management review so that key parties at your organization are on board with the changes; and,
  • Reach out to BARR for guidance on the logistics of the transition. We’re happy to help!

Interested in learning more about BARR’s ISO/IEC 27001 certification services? Contact us today.

Let's Talk