
ISO 27001 Controls Decoded: Your Expert Guide to Annex A Mapping

ISO 27001 controls went through a significant transformation in 2022 that streamlined security measures for today’s evolving cybersecurity landscape. The standard aligned its Annex A controls with contemporary threats and regulatory requirements after ISO 27002:2022 came out in February 2022. The ISO 27001 controls list shrank from 114 to a more adaptable set of 93 controls.

The update brought 11 new controls and merged 24 controls from the 2013 version. The revised standard organizes these security measures into four distinct domains: 37 organizational controls, 8 people controls, 14 physical controls, and 34 technological controls. This new structure helps organizations deal better with modern security challenges while staying compliant.

We’ll decode the updated ISO 27001 Annex A controls in this piece. You’ll learn about the key changes from the previous version and get practical steps to implement these controls in your organization. Understanding these controls forms the foundation of a resilient information security management system, whether you’re seeking certification or strengthening your existing security framework.

Overview of ISO 27001 Annex A and Its 2022 Update

Annex A is vital to the ISO 27001 standard. It provides a reference list of security controls that organizations can use to handle information security risks. The 2022 update brought big changes to this controls framework to match today’s security challenges.

From 114 to 93: What Changed in the ISO 27001 Controls List

The biggest change in ISO/IEC 27001:2022 is the drop from 114 to 93 controls. This doesn’t mean security is any less strict. The standard has been restructured and consolidated to work better.

The reduction came from combining controls that overlapped. About 57 controls from the 2013 version became 24 controls in the 2022 version. Another 58 controls stayed mostly the same, with small updates to match current cybersecurity practices.

The reshaping included:

  • Combining 57 controls into 24 consolidated controls

  • Adding 11 brand new controls

  • Splitting 1 control into two separate controls

  • Updating 58 existing controls with small changes

These updates reflect how much information security has changed since the last major revision. Even with fewer controls, the protection is now broader to handle new threats and technologies.

New Control Categories: Organizational, People, Physical, Technological

The biggest structural change is the new organization of controls. They went from 14 domains in 2013 to just 4 themes in 2022. This simpler structure makes the standard easier to use.

The four new categories are:

  1. Organizational Controls (A.5) – Has 37 controls that cover company-wide processes like policies, asset management, access control, supplier relationships, and business continuity.

  2. People Controls (A.6) – Has 8 controls that deal with human aspects like screening, training, awareness, and remote work policies.

  3. Physical Controls (A.7) – Has 14 controls that handle physical security for facilities, equipment, and storage media.

  4. Technological Controls (A.8) – Has 34 controls that focus on technical measures like network security, encryption, monitoring, and secure development.

This new structure lets organizations think about security through these four key areas instead of many separate domains.

11 New Controls Introduced in ISO/IEC 27001:2022

The 2022 update added 11 new controls to tackle today’s security challenges. These controls reflect new threats and tech advances since 2013:

  1. Threat Intelligence (A.5.7) – Organizations must gather and analyze threat information to make security decisions.

  2. Information Security for Use of Cloud Services (A.5.23) – Sets rules for safe cloud service management.

  3. ICT Readiness for Business Continuity (A.5.30) – Keeps IT running during disruptions.

  4. Physical Security Monitoring (A.7.4) – Boosts surveillance of physical premises.

  5. Configuration Management (A.8.9) – Handles security settings across the organization.

  6. Information Deletion (A.8.10) – Requires secure deletion of data.

  7. Data Masking (A.8.11) – Protects sensitive data through masking, pseudonymization, and anonymization.

  8. Data Leakage Prevention (A.8.12) – Stops unauthorized information sharing.

  9. Monitoring Activities (A.8.16) – Spots unusual behavior on networks.

  10. Web Filtering (A.8.23) – Controls access to harmful websites.

  11. Secure Coding (A.8.28) – Sets rules for safe software development.

These new additions show how ISO 27001 has grown to handle modern challenges like cloud computing, threat intelligence, and data protection. Each new control helps close security gaps that have appeared as technology and threats have changed since the last standard.

The new ISO 27001 Annex A controls offer a simpler yet detailed framework. Organizations can use it to build reliable information security practices that match current industry needs.

Mapping ISO 27001:2013 to ISO 27001:2022


Organizations need a clear grasp of the control reorganization to move from ISO 27001:2013 to the 2022 version. The mapping shows major structural changes while keeping complete security coverage. Let’s get into how the standard has evolved through consolidating, updating, and adding controls.

Merged Controls: 24 Consolidated from the 2013 Version

The most important changes in ISO 27001:2022 consolidate controls. The standard combined 57 controls from 2013 into just 24 controls in 2022. This restructuring helps organizations implement related security measures more effectively.

The standard combines multiple information transfer controls (A.13.2.1, A.13.2.2, and A.13.2.3 from 2013) into a single complete control (A.5.14) called “Information Transfer”. The three business continuity controls from 2013 (A.17.1.1, A.17.1.2, and A.17.1.3) now form one control (A.5.29) named “Information Security During Disruption”.

This unification brings several benefits:

  1. Reduced documentation requirements

  2. Streamlined implementation processes

  3. More coherent approach to related security measures

  4. Elimination of redundancy across controls

We combined controls that addressed similar security objectives or operated in related domains. The total number of controls decreased, but the protection scope remains equally complete.

Revised Controls: 58 Updated for Modern Threats

The 2022 standard has 58 controls revised from the 2013 version to tackle today’s security challenges. These updates keep the core security principles but refresh the implementation guidance to match current technologies and threats.

Updates affect about 63% of the control set, showing a major modernization effort. These changes ensure familiar controls now address modern security concerns like cloud computing, remote work, and sophisticated cyber threats.

Key examples of revised controls include:

  • Access Control (now consolidated in A.5.15)

  • Authentication Information (combines password management and user responsibilities in A.5.17)

  • Identity Management (updated in A.5.16 to match modern identity practices)

These revisions keep the standard relevant as technology changes faster, giving organizations practical, current security guidance.

New Additions: Threat Intelligence, Data Masking, and More

ISO 27001:2022 introduces 11 new controls to address emerging security challenges. Threat Intelligence and Data Masking stand out as notable additions.

Threat Intelligence (A.5.7) asks organizations to collect and analyze threat information to guide their security decisions. This control emphasizes:

  • Strategic threat intelligence: Sharing high-level information about evolving threats

  • Tactical threat intelligence: Understanding attacker methodologies and tools

  • Operational threat intelligence: Analyzing specific attack indicators

Threat intelligence helps organizations spot potential vulnerabilities before attacks happen, enabling proactive risk management instead of reactive responses.

Data Masking (A.8.11) tackles growing concerns about sensitive data protection. Organizations must mask data based on:

  • Business requirements

  • Access control policies

  • Applicable legislation

  • Data sensitivity classifications

Data masking uses format-preserving encryption, tokenization, and synthetic data generation to maintain utility while protecting sensitive information.
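The three masking techniques named above can be illustrated in code. The following Python block is an added example written for this article, not code from the article’s author or from ISO; it shows keyed pseudonymization (HMAC, so the mapping is stable for joins but not reversible without the key), a reversible token vault, and a format-preserving partial mask that keeps a card number’s layout and last four digits. The records, key and field names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records for the example; not real customer data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "card": "4111 1111 1111 1111"},
    {"email": "bob@example.com",   "card": "5500 0000 0000 0004"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: the same input always yields the same
    output (so masked datasets can still be joined), but reversing it
    requires the secret key, which stays out of the masked environment."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_card(card: str) -> str:
    """Format-preserving partial mask: keep separators and the last four
    digits, replace every other digit with '*'."""
    digits = [c for c in card if c.isdigit()]
    keep = set(range(len(digits) - 4, len(digits)))
    out, i = [], 0
    for ch in card:
        if ch.isdigit():
            out.append(ch if i in keep else "*")
            i += 1
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Reversible tokenization: the real value stays inside the vault and a
    random token (unrelated to the value) is handed to downstream systems.
    Only code with access to the vault can detokenize."""

    def __init__(self):
        self._to_value = {}
        self._to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:          # reuse token for repeated values
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(8)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask_records(records, key: bytes, vault: TokenVault):
    """Produce a masked copy of each record: pseudonymized email, display-safe
    card string, and a vault token for systems that must reference the card."""
    return [
        {
            "email": pseudonymize(r["email"], key),
            "card_display": mask_card(r["card"]),
            "card_token": vault.tokenize(r["card"]),
        }
        for r in records
    ]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # constructed key; in practice keep it in a KMS
    demo_vault = TokenVault()
    for row in mask_records(SAMPLE_RECORDS, demo_key, demo_vault):
        print(row)
```

The choice between the three depends on who needs the data: analysts joining datasets need the deterministic pseudonym, support staff need the partial mask, and payment systems need a token they can later exchange for the real value through the vault.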

Other new controls include Information Security for Cloud Services (A.5.23), Data Leakage Prevention (A.8.12), and Secure Coding (A.8.28). These additions show how ISO 27001 tackles modern cybersecurity challenges that didn’t exist or weren’t as critical in 2013.

The shift from ISO 27001:2013 to ISO 27001:2022 represents progress rather than revolution. Organizations certified under the 2013 standard can transition to the new version by October 31, 2025. This gives them enough time to adapt their information security management systems to the updated control framework.

Organizational Controls (Annex A.5)

The ISO 27001:2022 framework’s organizational controls make up its biggest category. It contains 37 specific measures that help organizations set up governance structures to manage information security. These controls are the foundations of your information security management system. They define your policies, procedures, and organizational structures.

A.5.1 to A.5.37: Governance, Risk, and Policy Controls

Organizational controls cover every aspect of information security governance, from creating policies to managing risks. These controls, numbered A.5.1 through A.5.37, address several significant security areas:

  • Information security policies and roles (A.5.1-A.5.6)

  • Asset management and classification (A.5.9-A.5.13)

  • Access control and identity management (A.5.15-A.5.18)

  • Supplier relationship management (A.5.19-A.5.23)

  • Incident response and business continuity (A.5.24-A.5.30)

  • Compliance with legal and regulatory requirements (A.5.31-A.5.37)

Organizations can use these controls as a framework to handle information assets. The framework helps categorize information assets based on context, assess security risks, assign responsibilities, and create guidelines for project management and supplier relationships.

Examples: Threat Intelligence (A.5.7), Cloud Security (A.5.23)

Threat Intelligence (A.5.7) appears as a new control in the 2022 edition. Organizations must now collect and analyze security threat information to produce actionable intelligence. Threat intelligence works on three levels:

  1. Strategic – High-level information about the threat landscape for senior management and board members

  2. Tactical – Intelligence on attack tools, techniques, and methodologies for IT managers and security teams

  3. Operational – Specific technical details about attacks and indicators of compromise for immediate defensive action

Organizations need technology to gather threat data, processes to use this intelligence, and trained staff to make this control work.

Cloud Security (A.5.23) represents another new control that addresses cloud services’ growing adoption. Organizations must establish processes to:

  • Acquire cloud services based on security requirements

  • Manage cloud resources securely

  • Plan exit strategies when ending cloud services

Cloud service agreements don’t change easily, so organizations should assess risks thoroughly before signing them. The control focuses on confidentiality, data integrity, service availability, and proper information handling in cloud environments.

How These Controls Support Business Continuity and Compliance

These controls improve business continuity through specific measures like:

  • Information security during disruption (A.5.29)

  • ICT readiness for business continuity (A.5.30)

  • Incident management planning (A.5.24-A.5.28)

The controls also strengthen compliance through measures that address legal requirements (A.5.31), intellectual property rights (A.5.32), and privacy protection (A.5.34).

Organizations that implement these controls end up with a resilient framework. This framework helps maintain operations during disruptions while meeting regulatory requirements and standards. The controls function as one system – threat intelligence guides risk assessments while cloud security protects critical digital assets.

ISO 27001 certification shows stakeholders that an organization uses a systematic approach to identify and address information security risks. This builds trust with customers and partners through strong governance structures.

People Controls (Annex A.6)

People are at the heart of information security. That’s why ISO 27001:2022 has a dedicated section for people-centric security measures. The updated standard’s Annex A.6 brings together all people-related controls into one domain. This reflects their vital role in your information security management system.

A.6.1 to A.6.8: Managing Human Risk

The 2022 revision groups people controls into eight specific measures (A.6.1 to A.6.8). These measures cover the entire employee lifecycle – from initial background checks to final system access removal. Here are the controls:

  1. Screening (A.6.1) – Verification of candidates before they access systems and information

  2. Terms and Conditions of Employment (A.6.2) – Security responsibilities in employment contracts

  3. Information Security Awareness, Education, and Training (A.6.3) – Ongoing security education

  4. Disciplinary Process (A.6.4) – Addressing security breaches by personnel

  5. Responsibilities After Termination (A.6.5) – Post-employment security obligations

  6. Confidentiality or Non-Disclosure Agreements (A.6.6) – Legal protection of information

  7. Remote Working (A.6.7) – Security for employees working outside the organization’s premises

  8. Information Security Event Reporting (A.6.8) – Mechanisms for reporting security incidents

This change has elevated human risk from a secondary concern to a top-tier, auditable security domain. Leadership now bears direct responsibility for it.

Key Controls: Screening, Awareness Training, Remote Work

Three controls stand out as most important in today’s work environment:

Screening (A.6.1) needs background verification checks that match business requirements and information classification. Companies must complete these checks before employment starts and comply with privacy laws like GDPR. High-risk roles such as administrators or those handling sensitive data might need additional financial or criminal background checks.

Information Security Awareness (A.6.3) forms the foundation of an effective security strategy. Organizations must tailor awareness training to specific roles and update it regularly. They can’t just track completion rates – they need to show effectiveness through behavioral metrics like reduced phishing click rates.

Remote Work (A.6.7) is new to the 2022 standard. It recognizes remote work as a primary way of operating. Organizations need a formal remote work security policy, appropriate training, and physical security measures for home offices.

Building a Security-Aware Culture

ISO 27001 wants to create a culture where security becomes part of daily operations. Studies show that people play a role in 99% of breaches. Building the right culture is essential for real security.

Organizations can encourage this culture by:

  • Showing clear leadership commitment, as security culture starts at the top

  • Creating role-specific training programs instead of generic security education

  • Opening communication channels to report suspicious activities

  • Giving recognition for security-conscious behaviors

  • Using behavioral metrics to measure cultural maturity

A strong security culture turns employees from potential vulnerabilities into active defenders. This reduces human-related risks and improves overall compliance. The organization’s security becomes stronger when everyone understands their role in protecting information assets.

Physical and Technological Controls (Annex A.7 & A.8)

The ISO 27001 standard protects organizations through physical and technological controls. These controls work together to create a complete security shield that keeps both facilities and digital assets safe.

Physical Controls: A.7.1 to A.7.14 – Securing Facilities and Equipment

ISO 27001:2022’s physical controls consist of 14 different measures that protect tangible assets and facilities. Security perimeters created by these controls keep an organization’s resources and premises safe. They are the foundations of information security.

The physical controls include security perimeters (A.7.1), physical entry controls (A.7.2), and ways to secure offices, rooms, and facilities (A.7.3). The 2022 revision added control A.7.4 (Physical Security Monitoring). This new addition requires constant monitoring of physical premises to stop unauthorized access.

Organizations need strong security barriers, carefully chosen locations, sturdy exterior surfaces, and proper locks and alarms. Safety comes first during implementation: entry doors must fail open so that people are protected before information assets.

Technological Controls: A.8.1 to A.8.34 – Cybersecurity and IT Safeguards

Technological controls are the larger of the two groups. These 34 distinct controls cover nearly every aspect of digital security. They focus on data authentication, encryption and protection through appropriate technology safeguards.

These controls protect user endpoint devices (A.8.1), privileged access rights (A.8.2), secure authentication (A.8.5), malware protection (A.8.7), and network security (A.8.20-A.8.22). They close technical vulnerabilities while keeping software and systems safe from evolving cyber threats.

New Tech Controls: Data Leakage Prevention, Secure Coding, Web Filtering

ISO 27001:2022 brings new technological controls to handle modern security challenges:

Data Leakage Prevention (A.8.12) requires measures to stop unauthorized information disclosure or extraction. This control protects systems, networks, and devices that process sensitive information. It uses specialized tools to track, detect, and protect based on set rules.

Secure Coding (A.8.28) creates organization-wide processes for secure coding governance. This applies to both internal and third-party software. Each programming language needs specific coding principles, structured techniques, and proper documentation to reduce security vulnerabilities.

Web Filtering (A.8.23) controls access to external websites and reduces exposure to harmful content. Organizations must choose which websites to block. They focus on illegal content, command and control servers, malicious websites, and sites that allow information uploads.

These technological safeguards combine with physical controls to build a resilient security framework. Together they protect against both old and new threats in the digital world.

Statement of Applicability and Control Selection

The Statement of Applicability is the lifeblood of any ISO 27001 implementation. Auditors will first inspect this master document during certification assessments. This document connects your risk assessment work with practical security measures.

What is a Statement of Applicability (SoA)?

The SoA works as a detailed inventory of your organization’s position regarding ISO 27001 controls. You need to include:

  • A complete list of all 93 Annex A controls

  • Clear indication of which controls apply to your ISMS

  • Implementation status of each applicable control

  • Reasons for both included and excluded controls

The Risk Assessment Report might contain thousands of individual risks, but the SoA gives you a clear, manageable overview of your security profile. Your auditor uses it as a “cheat sheet” during certification.

How to Justify Included and Excluded Controls

You need more than just risk treatment to justify control inclusion. Controls might be needed because of:

  • Legal or regulatory requirements

  • Contractual obligations with vendors or clients

  • Business operational needs

Risk-based explanations should show why specific controls don’t fit your context. Each reason should point to your risk assessment, business context, and applicable regulations.

Aligning the SoA with Risk Treatment Plans (ISO 27001 6.1.3)

The SoA links directly to clause 6.1.3 of ISO 27001, which covers risk treatment. Here’s how to align your SoA with risk treatment:

  1. Pick suitable controls based on your risk treatment choices (reduce, avoid, transfer, accept)

  2. Check that you haven’t missed any needed controls by comparing with Annex A

  3. Write down each control’s implementation status and reasoning
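The three steps above can be turned into an automated consistency check. The following Python block is an added example written for this article, not a tool from the article’s author or from ISO; it derives the 93 Annex A identifiers from the four theme counts the article gives (A.5: 37, A.6: 8, A.7: 14, A.8: 34), represents each SoA row as an entry with applicability, implementation status and justification, and flags controls that the risk treatment plan selects but the SoA excludes, applicable controls with no recorded status, entries with no justification, and Annex A controls missing from the SoA altogether. The sample SoA, the sample treatment plan and its risk identifiers are constructed for the example.

```python
from dataclasses import dataclass

# Annex A 2022 themes and control counts as stated in the article.
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}


def annex_a_ids():
    """Every Annex A control identifier, 'A.5.1' .. 'A.8.34' (93 in total)."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    status: str = ""          # e.g. "implemented", "planned"; empty if not recorded
    justification: str = ""   # reason for inclusion or exclusion


def check_soa(entries, treatment_plan):
    """Return a dict of findings (each an empty list when the SoA is clean).

    treatment_plan maps a risk id to the list of control ids selected to
    treat that risk, i.e. the output of clause 6.1.3 that the SoA must match.
    """
    catalogue = set(annex_a_ids())
    by_id = {e.control: e for e in entries}
    selected = {c for controls in treatment_plan.values() for c in controls}
    return {
        # step 2: compare against Annex A in both directions
        "unknown_ids": sorted(set(by_id) - catalogue),
        "missing_from_soa": sorted(catalogue - set(by_id)),
        # step 3: status and reasoning must be recorded
        "applicable_without_status": sorted(
            c for c, e in by_id.items() if e.applicable and not e.status),
        "without_justification": sorted(
            c for c, e in by_id.items() if not e.justification),
        # step 1: a control chosen by risk treatment cannot be excluded
        "treatment_not_applicable": sorted(
            c for c in selected if c not in by_id or not by_id[c].applicable),
    }


def soa_is_consistent(findings):
    return not any(findings.values())


def build_sample_soa():
    """Constructed sample SoA: every control applicable and implemented, except
    A.7.4 (excluded with a reason) and A.8.23 (applicable, status not yet recorded)."""
    entries = [SoAEntry(cid, True, "implemented", "required by risk treatment")
               for cid in annex_a_ids()]
    by_id = {e.control: e for e in entries}
    by_id["A.7.4"].applicable = False
    by_id["A.7.4"].status = ""
    by_id["A.7.4"].justification = "sample exclusion reason (constructed)"
    by_id["A.8.23"].status = ""
    return entries


# Constructed sample risk treatment plan (risk ids are placeholders).
SAMPLE_TREATMENT_PLAN = {
    "R-01": ["A.5.7", "A.8.16"],   # example: threat intelligence plus monitoring
    "R-02": ["A.7.4"],             # selects a control the sample SoA excludes
}


if __name__ == "__main__":
    result = check_soa(build_sample_soa(), SAMPLE_TREATMENT_PLAN)
    for name, items in result.items():
        print(f"{name}: {items}")
    print("consistent:", soa_is_consistent(result))
```

Running the sample reports A.8.23 as applicable without a status and A.7.4 as selected by the treatment plan but excluded in the SoA, which is exactly the kind of mismatch an auditor compares the two documents to find.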

Our ISO 27001 experts can help you create an SoA that meets certification requirements. Book a Readiness Call with us today.

Conclusion

ISO 27001:2022 marks a major development in information security management. The new structure reduces controls from 114 to 93 and groups them into four clear domains. This creates a more streamlined yet comprehensive approach to security. The new structure adapts better to modern threats and maintains reliable protection of critical information assets.

The standard now includes 11 new controls that cover threat intelligence, cloud security, data masking, and secure coding. These additions show how it has grown to tackle new technology challenges. Related controls have been combined to remove overlap while keeping the protection needed in today’s complex threat landscape.

Companies with 2013 certification need to transition by October 31, 2025. The time is right to start mapping your existing controls to the new framework. The Statement of Applicability serves as the lifeblood document that connects risk assessment with practical implementation and acts as the main reference during certification audits.

These changes might look daunting at first, but focusing on the four control domains will make your transition easier. Our ISO 27001 experts can help identify gaps and create the quickest transition plan for your organization’s needs. You can Book a Readiness Call to get started.

The standard has grown, but its core purpose stays the same – to provide a systematic framework that identifies, addresses, and manages information security risks. A well-implemented ISO 27001:2022 protects your critical information assets and shows stakeholders your steadfast dedication to security excellence. This builds trust and competitive advantage in today’s security-conscious market.

Key Takeaways

Understanding the updated ISO 27001:2022 controls is essential for organizations seeking robust information security management and certification compliance.

ISO 27001:2022 streamlined controls from 114 to 93, organizing them into four clear domains: Organizational (37), People (8), Physical (14), and Technological (34) controls for easier implementation.

Eleven new controls address modern threats including threat intelligence, cloud security, data masking, and secure coding to protect against contemporary cybersecurity challenges.

The Statement of Applicability (SoA) serves as your certification roadmap, requiring clear justification for both included and excluded controls based on risk assessment and business context.

Organizations have until October 31, 2025 to transition from the 2013 standard, making now the optimal time to begin mapping existing controls to the new framework.

People controls now form a dedicated domain, emphasizing that human risk management through screening, training, and security awareness is critical for comprehensive protection.

The restructured ISO 27001:2022 framework provides a more intuitive approach to information security while maintaining comprehensive protection. Organizations that proactively adapt to these changes will be better positioned to address evolving threats and demonstrate security excellence to stakeholders.

FAQs

Q1. What are the main changes in ISO 27001:2022 compared to the 2013 version? The 2022 version reduced the number of controls from 114 to 93, reorganized them into 4 categories (Organizational, People, Physical, and Technological), and introduced 11 new controls addressing modern security challenges like threat intelligence and cloud security.

Q2. How long do organizations have to transition to ISO 27001:2022? Organizations certified under the 2013 standard have until October 31, 2025 to transition to the new 2022 version of ISO 27001.

Q3. What is the Statement of Applicability (SoA) in ISO 27001? The Statement of Applicability is a critical document that lists all 93 Annex A controls, indicates which are applicable to the organization’s Information Security Management System (ISMS), provides implementation status, and justifies inclusions and exclusions of controls.

Q4. How does ISO 27001:2022 address human-related security risks? ISO 27001:2022 includes a dedicated “People Controls” section (Annex A.6) with 8 specific measures addressing the entire employee lifecycle, from initial screening to post-employment obligations, emphasizing the importance of human risk management in information security.

Q5. What are some of the new controls introduced in ISO 27001:2022? Some notable new controls in the 2022 version include Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), Data Masking (A.8.11), and Secure Coding (A.8.28), addressing emerging security challenges in modern IT environments.