ISO 27001 Annex A Controls Explained

Summary

Annex A is where ISO 27001 connects your ISMS to a practical set of control topics. It is not a checklist you blindly implement. It is a structured menu that you select from, justify, and then operate with evidence.

  • Annex A is a control reference: It points you to control objectives and themes that help you treat risk.
  • Selection matters: You must justify which controls apply and why, based on risk and scope.
  • Evidence wins audits: Auditors look for consistent operation, not perfect wording.

What is ISO 27001 Annex A

ISO/IEC 27001 is the standard for building and operating an Information Security Management System (ISMS). Annex A is the section that lists a set of information security controls you can use to address risks.

Annex A supports a key requirement: you must define your control set and document it in the Statement of Applicability (SoA). The SoA shows which controls you selected, which you excluded, and the justification for each decision.

Annex A and ISO 27002

Annex A aligns closely with ISO/IEC 27002, which provides implementation guidance for controls. If ISO 27001 is the management system, ISO 27002 is the how-to playbook for running many of the controls in practice.

You do not need to implement every control in ISO 27002. You need to implement the controls that treat the risks in your scope, and be able to prove they operate as described.

Who needs Annex A controls

If you are pursuing ISO 27001 certification, you will need to address Annex A. It applies to organizations of all sizes, especially:

  • SaaS and cloud companies: where access control, logging, and supplier management are critical.
  • Companies selling to enterprise buyers: where procurement expects ISO 27001 artifacts and evidence.
  • Regulated industries: where security requirements overlap with privacy and compliance obligations.

What Annex A controls cover

Annex A covers a wide range of security topics. Auditors expect to see both governance and technical control operation, depending on your scope and risks.

Common control themes include:

  • Organizational controls: policies, roles, risk management, supplier security, security in projects.
  • People controls: onboarding, training, acceptable use, remote work practices.
  • Physical controls: facilities, access to offices, asset protection, visitor controls.
  • Technological controls: identity and access management, encryption, logging, vulnerability management, secure development.

Evidence auditors expect

Annex A audits rely on evidence that a control is implemented and operating. Auditors typically sample evidence across teams, systems, and time periods.

Common evidence includes:

  • Governance: approved policies, risk assessments, SoA, internal audit results, management review outputs.
  • Operational: access reviews, ticketing records, change approvals, incident response exercises.
  • Technical: configuration exports, screenshots, logs, vulnerability scans, patching evidence.
  • Supplier: vendor risk reviews, contracts, subprocessor lists, due diligence evidence.

Rule of thumb: If you cannot show the evidence trail, the control is not really operating.

Annex A control selection roadmap

1. Define scope and context

Confirm what products, services, locations, and systems are in scope. Define interested parties and obligations.

Deliverable: ISMS scope statement

2. Perform risk assessment

Identify and evaluate risks that apply to your scope. This drives which Annex A controls apply.

Deliverable: Risk register and risk treatment plan

3. Select controls and document the SoA

Choose Annex A controls that treat identified risks. Document inclusions and exclusions with justification.

Deliverable: Statement of Applicability

4. Implement and operationalize

Translate controls into procedures, tooling, and consistent operating rhythms. Assign ownership.

Deliverable: Implemented controls and runbooks

5. Build evidence and validate

Collect evidence as you operate. Run internal audits and management review before the certification audit.

Deliverable: Evidence library and readiness results

Common Annex A gaps

  • SoA mismatch: The Statement of Applicability does not match what teams actually do.
  • Policy without operation: Policies exist but there is no proof of execution.
  • Weak access evidence: Access is managed, but reviews and approvals are not documented.
  • Supplier blind spots: Third parties are in scope but vendor assurance is missing.

How Neutral Partners helps

We help you translate Annex A into a control operating model that fits your business. That means selecting the right controls, documenting the SoA, implementing what matters, and building evidence that auditors trust.

Since 2017, we have maintained a 100% audit success rate across more than 700 successful audits and assessments.

FAQs

Do we need to implement every Annex A control?

No. You need to select controls based on risk and scope, and justify exclusions in your SoA.

Is Annex A the same as ISO 27002?

They are related. Annex A lists control topics. ISO 27002 provides detailed guidance on implementing many controls.

What do auditors check first?

Auditors often start with scope, risk assessment, the SoA, and whether evidence aligns with your documented approach.

How do we make Annex A manageable?

Focus on scope clarity, strong ownership, and evidence routines. Implement controls that reduce risk and support your buyers.

Schedule a Discovery Session

If you want help mapping Annex A to your scope, selecting controls, and building evidence that supports certification, we can walk through it with you.