ISO 27001 Annex A Controls Explained | Neutral Partners

Written by Ray Watts | Feb 9, 2026 5:00:26 PM

What is ISO 27001 Annex A

ISO/IEC 27001 is the standard for building and operating an Information Security Management System (ISMS). Annex A is the section that lists a set of information security controls you can use to address risks.

Annex A supports a key requirement: you must define your control set and document it in the Statement of Applicability (SoA). The SoA shows which controls you selected, which you excluded, and the justification for each decision.

Annex A and ISO 27002

Annex A aligns closely with ISO/IEC 27002, which provides implementation guidance for controls. If ISO 27001 is the management system, ISO 27002 is the how-to playbook for running many of the controls in practice.

You do not need to implement every control in ISO 27002. You need to implement the controls that treat the risks in your scope, and be able to prove they operate as described.

Who needs Annex A controls

If you are pursuing ISO 27001 certification, you will need to address Annex A. It applies to organizations of all sizes, especially:

SaaS and cloud companies: where access control, logging, and supplier management are critical.
Companies selling to enterprise buyers: where procurement expects ISO 27001 artifacts and evidence.
Regulated industries: where security requirements overlap with privacy and compliance obligations.

What Annex A controls cover

Annex A covers a wide range of security topics. Auditors expect to see both governance and technical control operation, depending on your scope and risks.

Common control themes include:

Organizational controls: policies, roles, risk management, supplier security, security in projects.
People controls: onboarding, training, acceptable use, remote work practices.
Physical controls: facilities, access to offices, asset protection, visitor controls.
Technological controls: identity and access management, encryption, logging, vulnerability management, secure development.

Evidence auditors expect

Annex A audits rely on evidence that a control is implemented and operating. Auditors typically sample evidence across teams, systems, and time periods.

Common evidence includes:

Governance: approved policies, risk assessments, SoA, internal audit results, management review outputs.
Operational: access reviews, ticketing records, change approvals, incident response exercises.
Technical: configuration exports, screenshots, logs, vulnerability scans, patching evidence.
Supplier: vendor risk reviews, contracts, subprocessor lists, due diligence evidence.

Rule of thumb: If you cannot show the evidence trail, the control is not really operating.

Annex A control selection roadmap

1. Define scope and context

Confirm what products, services, locations, and systems are in scope. Define interested parties and obligations.

Deliverable: ISMS scope statement

2. Perform risk assessment

Identify and evaluate risks that apply to your scope. This drives which Annex A controls apply.

Deliverable: Risk register and risk treatment plan

3. Select controls and document the SoA

Choose Annex A controls that treat identified risks. Document inclusions and exclusions with justification.

Deliverable: Statement of Applicability

4. Implement and operationalize

Translate controls into procedures, tooling, and consistent operating rhythms. Assign ownership.

Deliverable: Implemented controls and runbooks

5. Build evidence and validate

Collect evidence as you operate. Run internal audits and management review before the certification audit.

Deliverable: Evidence library and readiness results

Common Annex A gaps

SoA mismatch: The Statement of Applicability does not match what teams actually do.
Policy without operation: Policies exist but there is no proof of execution.
Weak access evidence: Access is managed, but reviews and approvals are not documented.
Supplier blind spots: Third parties are in scope but vendor assurance is missing.

How Neutral Partners helps

We help you translate Annex A into a control operating model that fits your business. That means selecting the right controls, documenting the SoA, implementing what matters, and building evidence that auditors trust.

Since 2017, we have maintained a 100% audit success rate across more than 700 successful audits and assessments.

FAQs

Do we need to implement every Annex A control?

No. You need to select controls based on risk and scope, and justify exclusions in your SoA.

Is Annex A the same as ISO 27002?

They are related. Annex A lists control topics. ISO 27002 provides detailed guidance on implementing many controls.

What do auditors check first?

Auditors often start with scope, risk assessment, the SoA, and whether evidence aligns with your documented approach.

How do we make Annex A manageable?

Focus on scope clarity, strong ownership, and evidence routines. Implement controls that reduce risk and support your buyers.

Key resources

ISO/IEC 27001 overview: https://www.iso.org/isoiec-27001-information-security.html
ISO/IEC 27002 (control guidance): https://www.iso.org/standard/75652.html
ISO 27001 requirements overview: https://www.schellman.com/blog/iso-certifications/iso-27001-requirements

Schedule a Discovery Session

If you want help mapping Annex A to your scope, selecting controls, and building evidence that supports certification, we can walk through it with you.

Schedule a Discovery Session

View full post