
ISO 27001 Annex A Controls Guide | Neutral Partners

Written by Ray Watts | Feb 9, 2026 5:00:31 PM

Annex A is where ISO/IEC 27001 becomes real for most teams. It is the list of controls you select to treat your information security risks. It is also where auditors will look for alignment between what you said you do and what you can prove.

If your Statement of Applicability (SoA) is clean and your evidence matches it, your audit moves faster.

 

What Annex A is and how auditors use it

Annex A is the control catalog that accompanies ISO/IEC 27001. In the 2022 edition it lists 93 controls, and ISO/IEC 27002 provides the implementation guidance auditors commonly read alongside each one.

Auditors use Annex A in two practical ways:

  • They confirm you selected controls based on risk and scope.
  • They test whether the selected controls are effectively implemented and maintained.

Annex A is not a checklist you must complete end to end. It is a structured set of security measures you tailor to your organization. The standard does, however, require you to compare the controls you chose against Annex A so that nothing necessary has been omitted, and to justify every exclusion in the SoA (clause 6.1.3).

 

How Annex A connects to your risk management process

A good ISO 27001 implementation flows like this:

  1. Define ISMS scope: products, systems, and locations in scope.
  2. Identify risks: confidentiality, integrity, and availability risks across information systems.
  3. Choose treatments: accept, avoid, transfer, or reduce risk.
  4. Select controls: choose Annex A controls that reduce risk.
  5. Document the SoA: list controls, applicability, implementation status, and justification.

If your SoA and your risk treatment plan disagree, the auditor will notice.

 

The four Annex A control themes

Since the 2022 revision, Annex A groups its controls into four themes. The grouping is a useful way to structure an implementation plan and to assign owners.

  • Organizational controls: governance, asset management, supplier management, incident response, information security roles.
  • People controls: security awareness, training, screening, acceptable use.
  • Physical controls: physical access, equipment protection, secure areas.
  • Technological controls: access controls, encryption, logging, secure development, vulnerability management.

Most SaaS teams spend the majority of their effort on organizational and technological controls, then confirm that the people and physical controls are right-sized for their footprint.

 

A practical way to select Annex A controls for SaaS

If you are a software company, avoid two extremes:

  • Selecting every control and claiming it is implemented
  • Selecting too few controls and leaving obvious risks untreated

Instead, use a decision process:

  • Start with data: what data do you store, process, or transmit? Where does it flow? Who can access it?
  • Map shared responsibility: what is inherited from your cloud provider and what is yours?
  • Prioritize high impact areas: identity, logging, vulnerability management, change control, incident response, supplier security.
  • Write evidence expectations early: for every selected control, define what evidence you will show.

This keeps Annex A selection tied to reality, not to templates.

 

Evidence examples for common Annex A controls

Annex A audits run on evidence. Here are examples that usually satisfy auditors because they are repeatable and tied to operations.

  • Access control: joiner/mover/leaver records, role definitions, multi-factor authentication configuration, quarterly access reviews.
  • Logging and monitoring: log coverage list, alerting rules, evidence of log review or triage, incident tickets linked to alerts.
  • Vulnerability management: scan reports, patch tickets, exception approvals, remediation verification.
  • Supplier management: vendor inventory, due diligence records, contract clauses, periodic reviews of critical suppliers.
  • Secure development: change tickets, pull request reviews, CI/CD controls, production deployment approvals.
  • Incident response: incident runbook, tabletop results, incident tickets, lessons learned and corrective actions.

If your evidence is a one-off screenshot, expect extra questions. Evidence should be repeatable.

 

Common Annex A gaps that slow certification

  • SoA overclaims: the SoA says "implemented" but evidence is missing or inconsistent.
  • Unclear applicability: controls marked not applicable without justification tied to scope and risk.
  • No traceability: evidence exists, but no one can find it quickly during the audit.
  • Weak supplier controls: third-party services are in scope, but there is no supplier review cadence.
  • Physical controls ignored: even small offices need basic physical access evidence if they are in scope.
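The five-step flow earlier on this page and the gaps listed above reduce to one question an auditor will ask in several forms: do the SoA, the risk treatment plan and the evidence map agree with each other? The script below is an added example, not part of the original post and not Neutral Partners' tooling. It cross-checks the three artifacts and reports the mismatches named above (treatment plan citing a control the SoA lacks or excludes, exclusions without justification, "implemented" with no evidence, evidence that is all one-off). Control numbers follow ISO/IEC 27001:2022 Annex A with names abbreviated; the SoA entries, risk IDs, evidence items, cadence labels and finding wording are constructed for illustration.

```python
"""Consistency check between a Statement of Applicability (SoA),
a risk treatment plan and an evidence map.

Added example, not the page author's or Neutral Partners' code. Control IDs
follow ISO/IEC 27001:2022 Annex A numbering (names abbreviated); the SoA
entries, risk IDs and evidence items are constructed sample data.
"""
from dataclasses import dataclass

VALID_STATUS = {"implemented", "partially implemented", "planned"}


@dataclass
class SoAEntry:
    control_id: str
    name: str
    applicable: bool
    status: str = "planned"    # only meaningful when applicable is True
    justification: str = ""    # required for every exclusion (clause 6.1.3 d)


@dataclass
class Evidence:
    description: str
    cadence: str               # assumed labels: continuous, monthly, quarterly, one-off


def check_soa(soa: list[SoAEntry],
              treatment_plan: dict[str, list[str]],
              evidence: dict[str, list[Evidence]]) -> list[str]:
    """Return human-readable findings; an empty list means the artifacts agree."""
    findings: list[str] = []
    by_id = {e.control_id: e for e in soa}

    # 1. Every control a risk treatment relies on must appear in the SoA
    #    and be marked applicable; otherwise the plan and the SoA disagree.
    for risk_id, controls in treatment_plan.items():
        for cid in controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(f"{risk_id}: treatment cites {cid}, which is missing from the SoA")
            elif not entry.applicable:
                findings.append(f"{risk_id}: treatment cites {cid}, but the SoA marks it not applicable")

    referenced = {cid for controls in treatment_plan.values() for cid in controls}

    # 2. Per-control checks that mirror the common audit gaps.
    for entry in soa:
        cid = entry.control_id
        if not entry.applicable:
            if not entry.justification.strip():
                findings.append(f"{cid}: marked not applicable without a justification")
            continue
        if entry.status not in VALID_STATUS:
            findings.append(f"{cid}: unknown implementation status {entry.status!r}")
        if cid not in referenced:
            findings.append(f"{cid}: applicable but not traced to any risk treatment")
        items = evidence.get(cid, [])
        if entry.status == "implemented":
            if not items:
                findings.append(f"{cid}: SoA says implemented but no evidence is mapped")
            elif all(i.cadence == "one-off" for i in items):
                findings.append(f"{cid}: only one-off evidence mapped; expect extra questions")
    return findings


def demo() -> list[str]:
    """Run the check over constructed sample data and return the findings."""
    soa = [
        SoAEntry("A.5.15", "Access control", True, "implemented"),
        SoAEntry("A.5.19", "Supplier relationships", True, "planned"),
        SoAEntry("A.7.1", "Physical security perimeters", False),            # no justification
        SoAEntry("A.8.8", "Technical vulnerability management", True, "implemented"),
        SoAEntry("A.8.15", "Logging", True, "implemented"),                   # no evidence mapped
    ]
    treatment_plan = {                                                        # constructed risk IDs
        "R-01 stolen credentials": ["A.5.15"],
        "R-02 unpatched internet-facing service": ["A.8.8"],
        "R-03 undetected compromise": ["A.8.15"],
        "R-04 vendor breach": ["A.5.19", "A.5.20"],                           # A.5.20 absent from SoA
    }
    evidence = {
        "A.5.15": [Evidence("quarterly access review ticket", "quarterly"),
                   Evidence("IdP MFA policy export", "monthly")],
        "A.8.8": [Evidence("screenshot of one scan result", "one-off")],
    }
    return check_soa(soa, treatment_plan, evidence)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is to see the four findings; in practice the three inputs would be loaded from the SoA spreadsheet, the risk register and the evidence tracker, and the check would run whenever any of them changes so that a disagreement is caught before the auditor sees it.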

 

How Neutral Partners helps

We help you treat Annex A like an operating model, not a document exercise. We define scope, run risk treatment, build the SoA, and map each selected control to evidence.


Since 2017, we have maintained a 100% audit success rate across more than 700 successful audits and assessments.

 


Schedule a working session

If you want a defensible SoA and an evidence map that makes Stage 2 predictable, start with a short working session.

Schedule a Discovery Session