By Girija Togarati, ISO/IEC 27001 Lead Auditor (CISA, CCSK). Reviewed by Murty Nisthala, Director, Audit and Assessment Services (CISA, CISSP, CCSP).

Annex A of ISO/IEC 27001:2022 lists 93 information security controls grouped into four themes. You select the controls that treat your risks and record your choices in the Statement of Applicability.

The four control themes

The 2022 version organises Annex A into organisational controls (37), people controls (8), physical controls (14) and technological controls (34). This replaced the 14 control domains of the 2013 version, although the underlying protection is similar.

How controls are selected

You do not apply every control. Your risk assessment identifies the risks, the risk treatment selects the Annex A controls that reduce them, and the Statement of Applicability documents which controls apply and why. Excluded controls must be justified.

Examples

Organisational controls include policies, supplier security and threat intelligence. People controls cover screening and awareness. Physical controls cover secure areas and equipment. Technological controls cover access control, cryptography, logging and secure development.

Univate Solutions delivers ISO 27001 Certification in India end to end, led by an in-house ISO 27001 Lead Auditor. Book a free consultation and get a fixed quote.