Understanding ISO 27001 Controls: A Guide to Annex A

What's Inside
ISO 27001:2022 controls are broken into four themes (organizational, people,
physical, and technological) that aim to strengthen your organization's
information security defenses.

Contents

What Are the ISO 27001 Security Controls?
How Many Controls Does ISO 27001 Annex A Have?
What Are the Control Attributes?
What Are the Four Control Themes?
How Drata Can Help You Streamline Your ISO 27001 Compliance


Security controls are an essential part of the ISO 27001 standard. These ISO
27001 safeguards function as minimum baseline controls, offering guidance for
how organizations can adopt them as listed or tailor them to their specific
organization.

ISO 27001 was established in 2005 and has since been updated in 2013 and most
recently in 2022. The most recent version is referred to as ISO 27001:2022 and
comes with significant changes to how security controls are structured within
Annex A, which lists out each objective and security control.

Below, we dive into those structural changes as well as new control additions to
be aware of.


What Are the ISO 27001 Security Controls?

ISO 27001 is an international standard designed to help organizations protect the
confidentiality, integrity, and availability of their information. The standard
includes a list of security controls companies can implement to safeguard their
sensitive data.

The ISO 27001 controls outline the measures organizations must take by way of
policies, processes, and procedures to meet the document’s security
requirements. These security controls are grouped into four control themes—
people, organizational, technological, and physical—that aim to reduce risks to an
acceptable level.

How Many Controls Does ISO 27001 Annex A Have?

Changes to the ISO 27001 document in 2022 reduced the number of controls in
Annex A from 114 to 93. There have also been noteworthy changes to existing
controls, including renaming and merging controls. ISO 27001:2022 consolidated
old controls and added new ones, but the resulting list is not all-encompassing.

The changes in the 2022 version aim to address the changing business
landscape, such as the rise of remote work and the evolving nature of
cybersecurity threats. The new version puts an emphasis on streamlining
controls under thematic topics to make the implementation process easier.

[Image: the changes from ISO 27001:2013 to ISO 27001:2022]

There are 11 new controls that have been added to the ISO 27001 document,
which include:

Threat intelligence (5.7): requires companies to collect and analyze
information relating to information security threats
Information security for use of cloud services (5.23): requires companies to
specify and manage information security for the use of cloud services
ICT readiness for business continuity (5.30): requires companies to create
an ICT continuity plan to maintain operational resilience
Physical security monitoring (7.4): requires companies to detect and
prevent external and internal intruders by deploying suitable surveillance
tools
Configuration management (8.9): requires companies to establish policies
to manage how they document, implement, monitor, and review the use of
configurations across their entire network
Information deletion (8.10): provides guidance on how to manage data
deletion to comply with laws and regulations
Data masking (8.11): provides data masking techniques for personally
identifiable information (PII) to comply with laws and regulations
Data leakage prevention (8.12): requires companies to implement technical
measures that detect and prevent the disclosure and/or extraction of
information
Monitoring activities (8.16): provides guidance on improving network
monitoring activities to identify anomalous behavior and address security
events and incidents
Web filtering (8.23): requires companies to enforce access controls and
measures to restrict and control access to external websites
Secure coding (8.28): requires companies to follow secure coding principles
to prevent vulnerabilities caused by poor coding methods

[Image: chart of the 11 new ISO 27001 controls]

What Are the Control Attributes?

Control attributes are a new addition to the standard introduced in ISO
27001:2022. These five attributes are intended to help organizations easily
classify and group the controls in whatever way makes sense for their
structure and security needs.


ISO 27002:2022 (which provides guidance for how to implement the controls
outlined in ISO 27001) states in section 4.2, Themes and Attributes:

"The organization can use attributes to create different
views which are different categorizations of controls as
seen from a different perspective to the themes. Attributes
can be used to filter, sort or present controls in different
views for different audiences."

The five attributes are:

Control type: preventive, detective, corrective
Operational capabilities: governance, asset management, information
protection, human resource security, etc.
Security domains: governance and ecosystem, protection, defense,
resilience
Cybersecurity concepts: identify, protect, detect, respond, recover
Information security properties: confidentiality, integrity, availability

What Are the Four Control Themes?

The previous version of ISO 27001 spread out the security controls into 14
categories. The newest version (ISO 27001:2022) has merged the original 14
categories into four themes.

Section 5: Organizational (37 controls)
Section 6: People (eight controls)
Section 7: Physical (14 controls)
Section 8: Technological (34 controls)

This consolidated grouping of controls removes redundancies from previous
versions of the standard. It also helps companies by grouping controls together
based on who's responsible for carrying them out. For example, technological
controls may be carried out by IT, whereas organizational controls might be
handled by your system operations team.

[Image: the four ISO 27001 Annex A themes]

Organizational (Section 5)

Organizational controls cover information security policies, use of assets, and
cloud service use. This category covers everything that doesn't fit under the
people, technological, or physical themes, such as identity management, the
responsibilities of management and information security professionals, and
evidence collection.

New organizational controls include:

5.7: Threat intelligence
5.23: Information security for use of cloud services
5.30: ICT readiness for business continuity

Threat intelligence is a noteworthy control addition under this theme. This control
goes beyond recognizing a malicious domain name: it helps organizations better
understand how they may be targeted and then use that threat intelligence to
inform their information security approach.

People (Section 6)

With only eight total controls, this theme deals with remote work, confidentiality,
nondisclosures, and screening to help manage the way employees interact with
sensitive information in their day-to-day roles. Controls include onboarding and
offboarding processes and responsibilities for incident reporting.

There weren’t any new controls introduced in ISO 27001:2022 to be aware of for
this theme.

Physical (Section 7)

Physical controls cover security monitoring, maintenance, facilities security, and
storage media. This category focuses on how you are protecting against physical
and environmental threats such as natural disasters, theft, and intentional
destruction.

New physical controls include:

7.4: Physical security monitoring

Technological (Section 8)

Technological controls deal with authentication, encryption, and data leakage
prevention. This category focuses on properly securing technology through
various approaches, including access rights, network security, and data
masking.

New technological controls include:

8.9: Configuration management
8.10: Information deletion
8.11: Data masking
8.12: Data leakage prevention
8.16: Monitoring activities
8.23: Web filtering
8.28: Secure coding

Data leakage prevention is one of the key new additions under this theme and will
likely require a large time and financial investment to put in place for the first
time. Web filtering is another notable net new control that outlines how
organizations should filter web traffic to prevent users from visiting malicious
sites.

How Drata Can Help You Streamline Your ISO 27001 Compliance

Whether you're on the path to achieving ISO 27001 compliance or you're looking
to maintain your compliance standing, our compliance automation platform helps
you streamline evidence collection and access control workflows and ensures you
have all the audit documentation you need.

© 2024 Drata Inc. All rights reserved.