ISO 27001 Controls: A Guide to Annex A

drata.com/grc-central/iso-27001/controls



Understanding ISO 27001 Controls: A Guide to Annex A

ISO 27001:2022 controls are broken into four themes (organizational, people, physical, and technological) that aim
to strengthen your organization’s information security defenses.

Security controls are an essential part of the ISO 27001 standard. The Annex A safeguards function as a reference
baseline: an organization selects the controls its risk assessment calls for, adopts them as listed or tailors them to its
own environment, and records that selection (with a justification for any exclusions) in its Statement of Applicability.

ISO 27001 was first published in 2005 and has since been revised in 2013 and, most recently, in 2022. The current
version is referred to as ISO 27001:2022 and comes with significant changes to how the security controls are structured
within Annex A, which lists the reference controls.

Below, we dive into those structural changes as well as new control additions to be aware of.


What Are the ISO 27001 Security Controls?


ISO 27001 is an international standard designed to help organizations protect the confidentiality, integrity, and
availability of their information. The standard includes a list of security controls companies can implement to safeguard
their sensitive data.

The ISO 27001 controls describe the measures, expressed as policies, processes, procedures, and technical safeguards,
that organizations apply to meet the standard’s security requirements. These controls are grouped into four control
themes (organizational, people, physical, and technological) that aim to reduce risks to an acceptable level.

How Many Controls Does ISO 27001 Annex A Have?


The 2022 revision of ISO 27001 reduced the number of controls in Annex A from 114 to 93. There were also noteworthy
changes to existing controls, including renaming and merging of controls. ISO 27001:2022 consolidated old controls and
added new ones; the 93 controls remain a reference set, not an exhaustive list of every safeguard an organization may
need.

The changes in the 2022 version aim to address the changing business landscape, such as the rise of remote work and
the evolving nature of cybersecurity threats. The new version puts an emphasis on streamlining controls under thematic
topics to make the implementation process easier.

Image depicting the changes from ISO 27001:2013 to ISO 27001:2022
There are 11 new controls that have been added to the ISO 27001 document, which include:

Threat intelligence (5.7): requires companies to collect and analyze information relating to information security
threats

Information security for use of cloud services (5.23): requires companies to specify and manage information
security for the use of cloud services

ICT readiness for business continuity (5.30): requires companies to create an ICT continuity plan to maintain
operational resilience

Physical security monitoring (7.4): requires companies to detect and prevent external and internal intruders by
deploying suitable surveillance tools

Configuration management (8.9): requires companies to establish, document, implement, monitor, and review the
configurations (including security configurations) of their hardware, software, services, and networks

Information deletion (8.10): provides guidance on how to manage data deletion to comply with laws and
regulations

Data masking (8.11): requires data masking techniques (for example, pseudonymization, anonymization, or partial
masking) for personally identifiable information (PII) and other sensitive data, in line with access control policy and
applicable laws and regulations

Data leakage prevention (8.12): requires companies to apply technical measures to systems, networks, and devices that
detect and prevent the unauthorized disclosure and/or extraction of information

Monitoring activities (8.16): requires monitoring of networks, systems, and applications for anomalous behavior so that
potential information security events and incidents can be identified and evaluated

Web filtering (8.23): requires companies to enforce access controls and measures to restrict and control access
to external websites

Secure coding (8.28): requires companies to follow secure coding principles to prevent vulnerabilities caused by
poor coding methods

Image depicting a chart of the 11 new ISO 27001 controls

What Are the Control Attributes?


Control attributes are a new addition introduced in ISO 27001:2022. These five attributes are intended to help an
organization classify and group the controls in whatever way makes sense for its structure and security needs.
ISO 27002:2022—(which provides guidance for how to implement controls outlined in ISO 27001)—states in section 4.2
Themes and Attributes:

"The organization can use attributes to create different views which are different categorizations of controls as
seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different
views for different audiences."

The five attributes are:

Control type: preventive, detective, corrective

Operational capabilities: governance, asset management, information protection, human resource security, etc.

Security domains: governance and ecosystem, protection, defense, resilience

Cybersecurity concepts: identify, protect, detect, respond, recover

Information security properties: confidentiality, integrity, availability

What Are the Four Control Themes?


The previous version of ISO 27001 spread out the security controls into 14 categories. The newest version (ISO
27001:2022) has merged the original 14 categories into four themes.

Section 5: Organizational (37 controls)

Section 6: People (eight controls)

Section 7: Physical (14 controls)

Section 8: Technological (34 controls)

This consolidated grouping of controls removes redundancies from previous versions of the standard. It also helps
companies by grouping controls together based on who is typically responsible for carrying them out. For example,
technological controls are usually implemented by IT and engineering teams, whereas organizational controls are
typically owned by management and the information security function.

Image depicting the four ISO 27001 Annex A themes

Organizational (Section 5)

Organizational controls cover information security policies, use of assets, and cloud service use. This category covers
everything that doesn’t fit under the people, technological, or physical themes such as identity management, the
responsibilities of management and information security professionals, and evidence collection.

New organizational controls include:

5.7: Threat Intelligence

5.23: Information security for use of cloud services

5.30: ICT readiness for business continuity

Threat intelligence is a noteworthy control addition under this theme. This control goes beyond recognizing a malicious
domain name: it asks organizations to collect and analyze information about how they may be targeted and to use that
intelligence to inform their information security approach.

People (Section 6)

With only eight total controls, this theme deals with remote work, confidentiality, nondisclosures, and screening to help
manage the way employees interact with sensitive information in their day-to-day roles. Controls include onboarding
and offboarding processes and responsibilities for incident reporting.

There weren’t any new controls introduced in ISO 27001:2022 to be aware of for this theme.

Physical (Section 7)

Physical controls cover security monitoring, maintenance, facilities security, and storage media. This category focuses
on how you are protecting against physical and environmental threats such as natural disasters, theft, and intentional
destruction.

New physical controls include:

7.4: Physical security monitoring

Technological (Section 8)
Technological controls deal with authentication, encryption, and data leakage prevention. This category focuses on
properly securing technology through various approaches, including access rights, network security, and data masking.

New technological controls include:

8.11: Data masking

8.9: Configuration management

8.10: Information deletion

8.12: Data leakage prevention

8.16: Monitoring activities

8.23: Web filtering

8.28: Secure coding

Data leakage prevention is one of the key new additions under this theme and will likely require a large time and
financial investment to put in place for the first time. Web filtering is another notable net new control that outlines how
organizations should filter web traffic to prevent users from visiting malicious sites.
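As an added illustration of the data masking control (8.11) named in this section, not code from Drata or from the standard itself, the following Python shows two of the masking techniques the control refers to: partial masking, which keeps only the characters a downstream user legitimately needs, and keyed pseudonymization, which replaces an identifier with a deterministic HMAC so records can still be joined without exposing the original value. The field names, the sample record, and the key are constructed for the example; in practice the key is a protected, rotated secret, and masking is not a substitute for deletion under control 8.10.

```python
import hashlib
import hmac
import re

# Hypothetical per-environment secret; constructed for this example only.
# A real key lives in a secrets store and is rotated.
PSEUDONYM_KEY = b"example-masking-key-rotate-me"


def mask_email(addr: str) -> str:
    """Partial masking: keep the first character of the local part and the domain."""
    local, _, domain = addr.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_card(pan: str) -> str:
    """Partial masking: keep only the last four digits of a payment card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 12:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonymization: stable token for joins, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


# Field-to-technique mapping; which fields are masked follows the access control policy.
MASK_RULES = {
    "email": mask_email,
    "card_number": mask_card,
    "customer_id": pseudonymize,
}


def mask_record(record: dict, rules: dict = MASK_RULES) -> dict:
    """Return a masked copy of the record, leaving the original untouched."""
    masked = dict(record)
    for field, technique in rules.items():
        if field in masked:
            masked[field] = technique(masked[field])
    return masked


if __name__ == "__main__":
    # Constructed sample record.
    sample = {
        "customer_id": "C-1001",
        "email": "john.doe@example.com",
        "card_number": "4111 1111 1111 1111",
        "plan": "enterprise",
    }
    print(mask_record(sample))
```

Keeping the masking rules in a single mapping makes the applied techniques reviewable as evidence for 8.11, and the deterministic pseudonym means two datasets masked with the same key can still be correlated while the raw identifier stays out of the test or analytics environment.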

How Drata Can Help You Streamline Your ISO 27001 Compliance
Whether you’re on the path to achieving ISO 27001 compliance or you’re looking to maintain your compliance standing,
our compliance automation platform helps you streamline evidence collection and access control workflows and ensures
you have all the audit documentation you need.


© 2024 Drata Inc. All rights reserved.
