Table of all Annex A controls

ISO 27001:2022 Organisational Controls


Annex A Control Type    | ISO/IEC 27001:2022 | ISO/IEC 27001:2013                     | Annex A Name
                        | Annex A Identifier | Annex A Identifier                     |
Organisational Controls | Annex A 5.1        | Annex A 5.1.1, 5.1.2                   | Policies for Information Security
Organisational Controls | Annex A 5.2        | Annex A 6.1.1                          | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3        | Annex A 6.1.2                          | Segregation of Duties
Organisational Controls | Annex A 5.4        | Annex A 7.2.1                          | Management Responsibilities
Organisational Controls | Annex A 5.5        | Annex A 6.1.3                          | Contact With Authorities
Organisational Controls | Annex A 5.6        | Annex A 6.1.4                          | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7        | NEW                                    | Threat Intelligence
Organisational Controls | Annex A 5.8        | Annex A 6.1.5, 14.1.1                  | Information Security in Project Management
Organisational Controls | Annex A 5.9        | Annex A 8.1.1, 8.1.2                   | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10       | Annex A 8.1.3, 8.2.3                   | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11       | Annex A 8.1.4                          | Return of Assets
Organisational Controls | Annex A 5.12       | Annex A 8.2.1                          | Classification of Information
Organisational Controls | Annex A 5.13       | Annex A 8.2.2                          | Labelling of Information
Organisational Controls | Annex A 5.14       | Annex A 13.2.1, 13.2.2, 13.2.3         | Information Transfer
Organisational Controls | Annex A 5.15       | Annex A 9.1.1, 9.1.2                   | Access Control
Organisational Controls | Annex A 5.16       | Annex A 9.2.1                          | Identity Management
Organisational Controls | Annex A 5.17       | Annex A 9.2.4, 9.3.1, 9.4.3            | Authentication Information
Organisational Controls | Annex A 5.18       | Annex A 9.2.2, 9.2.5, 9.2.6            | Access Rights
Organisational Controls | Annex A 5.19       | Annex A 15.1.1                         | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20       | Annex A 15.1.2                         | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21       | Annex A 15.1.3                         | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22       | Annex A 15.2.1, 15.2.2                 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23       | NEW                                    | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24       | Annex A 16.1.1                         | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25       | Annex A 16.1.4                         | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26       | Annex A 16.1.5                         | Response to Information Security Incidents
Organisational Controls | Annex A 5.27       | Annex A 16.1.6                         | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28       | Annex A 16.1.7                         | Collection of Evidence
Organisational Controls | Annex A 5.29       | Annex A 17.1.1, 17.1.2, 17.1.3         | Information Security During Disruption
Organisational Controls | Annex A 5.30       | NEW                                    | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31       | Annex A 18.1.1, 18.1.5                 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32       | Annex A 18.1.2                         | Intellectual Property Rights
Organisational Controls | Annex A 5.33       | Annex A 18.1.3                         | Protection of Records
Organisational Controls | Annex A 5.34       | Annex A 18.1.4                         | Privacy and Protection of PII
Organisational Controls | Annex A 5.35       | Annex A 18.2.1                         | Independent Review of Information Security
Organisational Controls | Annex A 5.36       | Annex A 18.2.2, 18.2.3                 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37       | Annex A 12.1.1                         | Documented Operating Procedures

ISO 27001:2022 People Controls


Annex A Control Type    | ISO/IEC 27001:2022 | ISO/IEC 27001:2013                     | Annex A Name
                        | Annex A Identifier | Annex A Identifier                     |
People Controls         | Annex A 6.1        | Annex A 7.1.1                          | Screening
People Controls         | Annex A 6.2        | Annex A 7.1.2                          | Terms and Conditions of Employment
People Controls         | Annex A 6.3        | Annex A 7.2.2                          | Information Security Awareness, Education and Training
People Controls         | Annex A 6.4        | Annex A 7.2.3                          | Disciplinary Process
People Controls         | Annex A 6.5        | Annex A 7.3.1                          | Responsibilities After Termination or Change of Employment
People Controls         | Annex A 6.6        | Annex A 13.2.4                         | Confidentiality or Non-Disclosure Agreements
People Controls         | Annex A 6.7        | Annex A 6.2.2                          | Remote Working
People Controls         | Annex A 6.8        | Annex A 16.1.2, 16.1.3                 | Information Security Event Reporting

ISO 27001:2022 Physical Controls


Annex A Control Type    | ISO/IEC 27001:2022 | ISO/IEC 27001:2013                     | Annex A Name
                        | Annex A Identifier | Annex A Identifier                     |
Physical Controls       | Annex A 7.1        | Annex A 11.1.1                         | Physical Security Perimeters
Physical Controls       | Annex A 7.2        | Annex A 11.1.2, 11.1.6                 | Physical Entry
Physical Controls       | Annex A 7.3        | Annex A 11.1.3                         | Securing Offices, Rooms and Facilities
Physical Controls       | Annex A 7.4        | NEW                                    | Physical Security Monitoring
Physical Controls       | Annex A 7.5        | Annex A 11.1.4                         | Protecting Against Physical and Environmental Threats
Physical Controls       | Annex A 7.6        | Annex A 11.1.5                         | Working In Secure Areas
Physical Controls       | Annex A 7.7        | Annex A 11.2.9                         | Clear Desk and Clear Screen
Physical Controls       | Annex A 7.8        | Annex A 11.2.1                         | Equipment Siting and Protection
Physical Controls       | Annex A 7.9        | Annex A 11.2.6                         | Security of Assets Off-Premises
Physical Controls       | Annex A 7.10       | Annex A 8.3.1, 8.3.2, 8.3.3, 11.2.5    | Storage Media
Physical Controls       | Annex A 7.11       | Annex A 11.2.2                         | Supporting Utilities
Physical Controls       | Annex A 7.12       | Annex A 11.2.3                         | Cabling Security
Physical Controls       | Annex A 7.13       | Annex A 11.2.4                         | Equipment Maintenance
Physical Controls       | Annex A 7.14       | Annex A 11.2.7                         | Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls


Annex A Control Type    | ISO/IEC 27001:2022 | ISO/IEC 27001:2013                     | Annex A Name
                        | Annex A Identifier | Annex A Identifier                     |
Technological Controls  | Annex A 8.1        | Annex A 6.2.1, 11.2.8                  | User Endpoint Devices
Technological Controls  | Annex A 8.2        | Annex A 9.2.3                          | Privileged Access Rights
Technological Controls  | Annex A 8.3        | Annex A 9.4.1                          | Information Access Restriction
Technological Controls  | Annex A 8.4        | Annex A 9.4.5                          | Access to Source Code
Technological Controls  | Annex A 8.5        | Annex A 9.4.2                          | Secure Authentication
Technological Controls  | Annex A 8.6        | Annex A 12.1.3                         | Capacity Management
Technological Controls  | Annex A 8.7        | Annex A 12.2.1                         | Protection Against Malware
Technological Controls  | Annex A 8.8        | Annex A 12.6.1, 18.2.3                 | Management of Technical Vulnerabilities
Technological Controls  | Annex A 8.9        | NEW                                    | Configuration Management
Technological Controls  | Annex A 8.10       | NEW                                    | Information Deletion
Technological Controls  | Annex A 8.11       | NEW                                    | Data Masking
Technological Controls  | Annex A 8.12       | NEW                                    | Data Leakage Prevention
Technological Controls  | Annex A 8.13       | Annex A 12.3.1                         | Information Backup
Technological Controls  | Annex A 8.14       | Annex A 17.2.1                         | Redundancy of Information Processing Facilities
Technological Controls  | Annex A 8.15       | Annex A 12.4.1, 12.4.2, 12.4.3         | Logging
Technological Controls  | Annex A 8.16       | NEW                                    | Monitoring Activities
Technological Controls  | Annex A 8.17       | Annex A 12.4.4                         | Clock Synchronization
Technological Controls  | Annex A 8.18       | Annex A 9.4.4                          | Use of Privileged Utility Programs
Technological Controls  | Annex A 8.19       | Annex A 12.5.1, 12.6.2                 | Installation of Software on Operational Systems
Technological Controls  | Annex A 8.20       | Annex A 13.1.1                         | Networks Security
Technological Controls  | Annex A 8.21       | Annex A 13.1.2                         | Security of Network Services
Technological Controls  | Annex A 8.22       | Annex A 13.1.3                         | Segregation of Networks
Technological Controls  | Annex A 8.23       | NEW                                    | Web filtering
Technological Controls  | Annex A 8.24       | Annex A 10.1.1, 10.1.2                 | Use of Cryptography
Technological Controls  | Annex A 8.25       | Annex A 14.2.1                         | Secure Development Life Cycle
Technological Controls  | Annex A 8.26       | Annex A 14.1.2, 14.1.3                 | Application Security Requirements
Technological Controls  | Annex A 8.27       | Annex A 14.2.5                         | Secure System Architecture and Engineering Principles
Technological Controls  | Annex A 8.28       | NEW                                    | Secure Coding
Technological Controls  | Annex A 8.29       | Annex A 14.2.8, 14.2.9                 | Security Testing in Development and Acceptance
Technological Controls  | Annex A 8.30       | Annex A 14.2.7                         | Outsourced Development
Technological Controls  | Annex A 8.31       | Annex A 12.1.4, 14.2.6                 | Separation of Development, Test and Production Environments
Technological Controls  | Annex A 8.32       | Annex A 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change Management
Technological Controls  | Annex A 8.33       | Annex A 14.3.1                         | Test Information
Technological Controls  | Annex A 8.34       | Annex A 12.7.1                         | Protection of Information Systems During Audit Testing