What if your organisation already has security controls in place… but the ones attackers actually exploit aren’t even on your checklist?
According to IBM’s Cost of a Data Breach Report 2025, the global average cost of a breach has climbed to $4.44 million. Even more telling, organisations that lack structured security frameworks tend to face higher costs and longer recovery times. For organisations holding sensitive data, the question is no longer whether to implement structured security controls, but which framework to use.
ISO/IEC 27001 is the answer for organisations worldwide. It is the only internationally recognised standard for an Information Security Management System (ISMS). At its core is Annex A: a structured control library of 93 security controls.
This guide walks you through the ISO 27001 controls checklist in a way that’s clear and usable. You’ll see how Annex A is structured, what changed in the 2022 update, and how to apply these controls without overcomplicating your compliance efforts.
Mitigata – Your Complete ISO 27001 Compliance Partner
Mitigata, India’s top cyber resilience company with solutions across insurance, security and compliance, can be your best partner in the compliance journey. Our platform serves as a central hub, helping businesses to manage the entire ISO 27001 process with ease.
More than 800 businesses across 25+ industries trust us to simplify compliance, reduce risks, and prepare them for audits.
Here’s what our platform, Gordon, offers:
- Automate Compliance – It automates repetitive tasks such as evidence gathering, monitoring, and reminders for pending actions.
- Risk Management – It provides a real-time overview of organisational risks. It uses automated risk registers to track threats and maintain libraries of known vulnerabilities, enabling early identification of potential problems.
- Documentation – It helps organise all documentation, policies, and evidence in one place.
- Expert Support – It provides round-the-clock access to expert support, helping with gap assessments, ISMS setup, policy creation, and more.
- Training – Mitigata offers free training that educates employees about their role in maintaining information security.
- VAPT Services – Run vulnerability scans and penetration tests to detect and fix real security gaps fast.
One Tool to Manage Your End-to-End ISO 27001 Process
Use Gordon to handle everything, from scope analysis and risk to audits and even staff training.
What Are ISO 27001 Annex A Controls?
ISO 27001 Annex A Controls are designed to ensure that an organisation’s information assets retain the confidentiality, integrity and availability (CIA) they require, and so protect sensitive information and privacy.
Annex A is a menu of controls rather than a list of prescriptive requirements: organisations select from it the controls that apply to them.
The risk-based methodology of ISO 27001 enables organisations of all sizes and industry sectors to use the standard. The organisation must determine which controls to use based on its own threat model, rather than necessarily implementing all 93 controls.
From 14 Domains to 4 Categories: What Changed in ISO 27001:2022?
The previous version, ISO 27001:2013, organised 114 controls across 14 domains, including Asset Management and Cryptography. The 2022 revision replaced these with four streamlined categories, improving the framework’s usability by aligning it with current business operations.
| ISO 27001:2013 (14 Domains) | ISO 27001:2022 (4 Categories) |
|---|---|
| A.5 – A.18 (14 clause domains) | Organisational Controls (37) |
| 114 total controls | People Controls (8) |
| Redundant overlaps across domains | Physical Controls (14) |
| Less aligned with cloud/remote work | Technological Controls (34) |
Think your systems are secure? A proper VAPT assessment reveals hidden vulnerabilities most teams completely overlook.
ISO 27001 Controls Checklist: The 4-Category Breakdown
Use this high-level ISO 27001 controls checklist to understand what each category covers and how many controls fall under each:
| Category | # of Controls | Primary Focus |
|---|---|---|
| Organisational Controls (A.5) | 37 | Governance, policies, risk management, supplier security |
| People Controls (A.6) | 8 | Employee screening, training, HR security, and remote work |
| Physical Controls (A.7) | 14 | Facility security, equipment protection, and secure disposal |
| Technological Controls (A.8) | 34 | IAM, encryption, monitoring, secure development, logging |
Deep Dive: ISO 27001 Annex A Control Categories Explained
(A.5) Organisational Controls – Governance & Risk Management
With 37 controls, this is the largest category and serves as the governance backbone of your ISMS. It covers information security policies, access control frameworks, supplier security management, legal and regulatory compliance, and incident management procedures.
Key controls include:
| Control | Title | What It Requires |
|---|---|---|
| A.5.1 | Policies for information security | Documented, approved, and communicated security policies |
| A.5.2 | Information security roles and responsibilities | Named ownership for security functions |
| A.5.5 | Contact with authorities | Defined contacts with law enforcement and regulators |
| A.5.7 | Threat intelligence | New in 2022 – proactive collection and analysis of threat data |
| A.5.15 | Access control | Policy governing access to information and systems |
| A.5.19 | Information security in supplier relationships | Security requirements built into vendor contracts |
| A.5.23 | Information security for use of cloud services | New in 2022 – security requirements specific to cloud providers |
| A.5.24 | Information security incident management planning | Documented incident response procedures |
| A.5.30 | ICT readiness for business continuity | New in 2022 – IT systems designed to support recovery |
Get ISO 27001 Certified Without Breaking Your Budget
Test the platform for free, explore all features, and see why our pricing beats the rest.
(A.6) People Controls – The Human Firewall
Verizon’s 2023 DBIR report states that human error causes approximately 74% of all data breaches. People Controls address this risk through employee screening, security training programmes, disciplinary action for policy breaches, and remote-work security protocols.
| Control | Title | What It Requires |
|---|---|---|
| A.6.1 | Screening | Pre-employment background verification |
| A.6.2 | Terms and conditions of employment | Security responsibilities documented in contracts |
| A.6.3 | Information security awareness, education and training | Ongoing security training for all staff |
| A.6.4 | Disciplinary process | Defined consequences for security policy violations |
| A.6.5 | Responsibilities after termination or change of employment | Access revocation and data return on departure |
| A.6.6 | Confidentiality or non-disclosure agreements | NDAs covering information security obligations |
| A.6.7 | Remote working | New in 2022 – controls for distributed and hybrid work |
| A.6.8 | Information security event reporting | Mechanism for staff to report security incidents |
(A.7) Physical Controls – Securing the Physical Layer
Physical security requirements remain mandatory compliance obligations, even for organisations that operate cloud-first.
The 14 controls establish requirements for securing office spaces and building perimeters, protecting equipment from theft or damage, ensuring secure disposal of media and devices, and protecting against environmental and natural-disaster threats.
| Control | Title | What It Requires |
|---|---|---|
| A.7.1 | Physical security perimeters | Defined and secured boundaries for sensitive areas |
| A.7.2 | Physical entry | Controlled access to secure zones |
| A.7.4 | Physical security monitoring | New in 2022 – surveillance of sensitive areas |
| A.7.6 | Working in secure areas | Procedures for operating within sensitive spaces |
| A.7.8 | Equipment siting and protection | Protection from environmental and physical threats |
| A.7.10 | Storage media | Secure management of portable storage devices |
| A.7.14 | Secure disposal or re-use of equipment | Verified data destruction before disposal or reuse |
VPNs aren’t as secure as you think. Here’s a VPN alternative modern teams are quietly switching to.
(A.8) Technological Controls – Your Digital Defence Layer
With 34 controls, this is the most expansive technical category, and it aligns directly with modern security models such as Zero Trust.
Key controls include:
| Control | Title | What It Requires |
|---|---|---|
| A.8.2 | Privileged access rights | Controlled allocation and use of admin privileges |
| A.8.5 | Secure authentication | MFA and strong authentication for all systems |
| A.8.8 | Management of technical vulnerabilities | Vulnerability scanning and patch management |
| A.8.10 | Information deletion | New in 2022 – secure and compliant data disposal |
| A.8.11 | Data masking | New in 2022 – protection of sensitive data in non-production environments |
| A.8.12 | Data leakage prevention | New in 2022 – controls preventing unauthorised data exfiltration |
| A.8.16 | Monitoring activities | New in 2022 – ongoing oversight of systems and user behaviour |
| A.8.23 | Web filtering | New in 2022 – controls on access to malicious web content |
| A.8.25 | Secure development life cycle | Security requirements across the full SDLC |
| A.8.28 | Secure coding | New in 2022 – embedding security into software development |
| A.8.34 | Protection of information systems during audit testing | Safeguards during audit activities |
Simplify ISO 27001 Compliance Today
Achieve ISO 27001 compliance faster with Mitigata’s expert-led compliance readiness services.
ISO 27001 2022 New Controls: 11 Additions You Need to Know
The ISO 27001:2022 update streamlined Annex A from 114 controls (in the 2013 version) to 93 controls, which were divided into four intuitive categories. The following are the new controls:
| New ISO 27001 Control | Why It Matters |
|---|---|
| Threat Intelligence | Proactive identification of emerging threat actors and TTPs |
| Data Masking | Protects sensitive data in non-production environments |
| Data Leakage Prevention (DLP) | Stops unauthorised exfiltration of sensitive information |
| Web Filtering | Controls access to malicious or non-compliant web content |
| Secure Coding | Embeds security into the software development process |
| ICT Readiness for Business Continuity | Ensures IT systems support recovery and resilience plans |
| Remote Working Security | Addresses risks of distributed and hybrid work models |
| Physical Security Monitoring | Surveillance of sensitive areas for unauthorised access |
| Configuration Management | Secure baseline configurations for hardware and software |
| Information Deletion | Ensures secure and compliant data disposal |
| Monitoring Activities | Ongoing oversight of systems and user behaviour |
The Statement of Applicability: The Most Critical Document in ISO 27001
During your information security risk treatment process, you go through Annex A to determine which controls your specific organisation needs and to verify that no necessary control has been omitted.
The output of that process is the Statement of Applicability (SoA), the single most important document in your ISO 27001 certification.
Your SoA must document every one of the 93 Annex A controls with:
- Applicability decision — included or excluded from your ISMS
- Justification — why each decision was made, tied to your risk assessment
- Implementation status — planned, in progress, or operational
- Control owner — the named individual responsible
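A quick way to catch an incomplete SoA before an auditor does, as an added example (not the article’s or Mitigata’s own code): it assumes the SoA has been exported as CSV with one row per control and the four fields listed above, and it derives the 93 Annex A control IDs from the category counts given in this article.

```python
# Added example (not the article's or Mitigata's code): completeness check for
# an ISO 27001:2022 Statement of Applicability exported as CSV, one row per
# control, with the four fields the article lists.
import csv
import io

# Category counts from the article; IDs run A.<cat>.1 .. A.<cat>.<count>.
ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A_IDS = {f"A.{cat}.{n}" for cat, count in ANNEX_A_COUNTS.items()
               for n in range(1, count + 1)}
VALID_STATUS = {"planned", "in progress", "operational"}

# Constructed sample export (not real data): A.5.7 lacks justification and
# owner, and A.9.1 is a 2013-style ID that does not exist in the 2022 Annex A.
SAMPLE_SOA = """\
control,applicable,justification,status,owner
A.5.1,yes,Required by risk R-01,operational,CISO
A.5.7,yes,,planned,
A.8.11,no,No non-production copies of personal data exist,,
A.9.1,yes,Legacy 2013 control,operational,IT Lead
"""


def audit_soa(csv_text):
    """Return audit findings as strings; an empty list means the SoA passes."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control"].strip()
        seen.add(cid)
        if cid not in ANNEX_A_IDS:
            findings.append(f"{cid}: not an Annex A control ID")
            continue
        applicable = row["applicable"].strip().lower()
        if applicable not in {"yes", "no"}:
            findings.append(f"{cid}: applicability must be yes or no")
        # Every decision, included or excluded, needs a risk-based justification.
        if not row["justification"].strip():
            findings.append(f"{cid}: missing justification")
        # Status and owner only apply to included controls.
        if applicable == "yes":
            if row["status"].strip().lower() not in VALID_STATUS:
                findings.append(f"{cid}: status must be planned, in progress or operational")
            if not row["owner"].strip():
                findings.append(f"{cid}: included control has no named owner")
    # Controls the SoA never mentions at all: an incomplete SoA fails audits.
    by_number = lambda c: tuple(int(p) for p in c[2:].split("."))
    for cid in sorted(ANNEX_A_IDS - seen, key=by_number):
        findings.append(f"{cid}: not addressed in the SoA")
    return findings
```

Run `audit_soa` over your own export; the sample above yields two findings for A.5.7, one for the stray A.9.1, and one line for each of the 90 controls the sample never addresses.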
Struggling with compliance delays? The right ISO 27001 tools can simplify and speed up everything.
How to Build an Effective ISO 27001 Controls Checklist
Building an ISO 27001 controls checklist involves five steps: conducting a formal risk assessment, mapping identified risks to Annex A controls, documenting applicability decisions in your Statement of Applicability, implementing selected controls with measurable KPIs and named ownership, and establishing continuous monitoring and internal audit cycles.
Follow these five steps:
- Conduct a formal risk assessment to identify threats and vulnerabilities
- Map identified risks to relevant Annex A controls
- Document applicability decisions in the Statement of Applicability (SoA)
- Implement selected controls with measurable KPIs and ownership
- Establish continuous monitoring, internal audit, and management review cycles
Fast-Track Your ISO 27001 Readiness
Get audit-ready frameworks, expert guidance, and faster ISO 27001 certification outcomes.
Common ISO 27001 Implementation Mistakes to Avoid
The following are common ISO 27001 implementation mistakes to avoid:
- Treating Annex A as a checkbox exercise rather than a risk-driven process
- Implementing all 93 controls without a risk assessment to justify inclusion
- Ignoring documentation requirements; an incomplete SoA is one of the most common reasons for audit failure
- Neglecting continuous monitoring and assuming a one-time implementation is sufficient
- Overlooking the 11 new ISO 27001 2022 controls when migrating from the 2013 standard
Conclusion
The 2022 update modernised the standard for today’s threat environment: cloud security, remote work, AI-driven threats, and data leakage are now explicitly addressed. The 11 new controls reflect gaps in the 2013 standard that real-world attacks have exploited.
If your organisation is still operating under a 2013 certification, the transition deadline has passed. Act now.
Talk with our experts today and accelerate your ISO 27001 compliance.
Frequently Asked Questions (FAQs)
1. How many controls are in ISO 27001:2022?
ISO 27001:2022 Annex A contains 93 controls organised into 4 categories: Organisational (37), People (8), Physical (14), and Technological (34). This is a reduction from 114 controls in the 2013 version.
2. What were the 14 controls of ISO 27001?
The ’14 controls’ reference the 14 domain-based clauses in ISO 27001:2013, ranging from Information Security Policies (A.5) to Compliance (A.18). These have been consolidated into 4 streamlined categories in the 2022 update.
3. What are the new ISO 27001 controls in 2022?
ISO 27001:2022 introduced 11 new controls, including Threat Intelligence, Data Masking, Data Leakage Prevention, Web Filtering, Secure Coding, ICT Readiness for Business Continuity, Remote Working, and Physical Security Monitoring.
4. Is it mandatory to implement all 93 Annex A controls?
No. ISO 27001 is a risk-based framework. Organisations must select applicable controls based on their risk assessment and justify the inclusion or exclusion of each control in their Statement of Applicability (SoA).
5. What is an ISO 27001 controls checklist?
An ISO 27001 controls checklist is a structured document mapping all Annex A controls to your organisation’s risk profile, implementation status, responsible owner, and audit evidence. It is a core component of certification readiness.
6. When must organisations transition to ISO 27001:2022?
Organisations certified under ISO 27001:2013 had until October 31, 2025, to transition to the 2022 version. New certifications are issued only under the 2022 standard.