ISO 27001:2022 Annex A contains 93 controls – down from 114 in the 2013 version. These controls are the specific security measures your organisation implements to treat identified risks. They are organised into four categories and documented in your Statement of Applicability (SoA). Here is what each category covers and which controls matter most for startups.
The 93 Controls – At a Glance
| Category | Controls | What It Covers |
|---|---|---|
| A.5 Organisational | 37 controls | Policies, roles, asset management, access control, supplier relationships, incident management, business continuity, compliance |
| A.6 People | 8 controls | Screening, employment terms, security awareness, disciplinary process, termination responsibilities |
| A.7 Physical | 14 controls | Physical security perimeters, entry controls, office security, equipment protection, clear desk, media disposal |
| A.8 Technological | 34 controls | User authentication, access rights, cryptography, malware protection, backup, logging, network security, secure development, vulnerability management |
Organisational Controls (37) – A.5
The largest category. These controls govern how your organisation manages security at a policy and governance level:
- A.5.1 Information Security Policies: Top-level security policy approved by management, reviewed regularly
- A.5.2-5.4 Roles and Responsibilities: Defined security roles, segregation of duties, management responsibilities
- A.5.9-5.13 Asset Management: Inventory of information assets, acceptable use, classification, labelling, return of assets
- A.5.15-5.18 Access Control: Access control policy, identity management, authentication, access rights provisioning
- A.5.19-5.23 Supplier Management: Information security in supplier relationships, supply chain security, monitoring and review
- A.5.24-5.28 Incident Management: Incident response planning, assessment, response procedures, learning from incidents, evidence collection
- A.5.29-5.30 Business Continuity: ICT readiness for business continuity, business continuity planning
- A.5.31-5.37 Compliance: Legal and regulatory requirements, intellectual property, records protection, privacy, independent review
People Controls (8) – A.6
The smallest category but critically important. Security is ultimately a people problem:
- A.6.1 Screening: Background verification checks before employment, proportional to the role and data access
- A.6.2 Terms and Conditions: Employment contracts include information security responsibilities
- A.6.3 Security Awareness Training: Regular training programme covering phishing, data handling, incident reporting, acceptable use
- A.6.4 Disciplinary Process: Documented process for security policy violations
- A.6.5 Termination Responsibilities: Security responsibilities that remain valid after employment ends
- A.6.6 Confidentiality Agreements: NDAs and confidentiality terms for employees and contractors
- A.6.7 Remote Working: Security controls for remote and mobile working
- A.6.8 Information Security Event Reporting: Process for reporting observed or suspected security events
Physical Controls (14) – A.7
Physical security is often deprioritised by cloud-native startups, but auditors still check:
- A.7.1-7.4 Perimeter and Entry: Physical security perimeters, entry controls, securing offices and facilities
- A.7.5-7.8 Equipment: Equipment siting and protection, off-premises assets, secure disposal, unattended equipment, clear desk/screen
- A.7.9-7.14 Media and Utilities: Storage media management, utility security, cabling security, equipment maintenance
If you have no physical office (fully remote), many physical controls can be marked as not applicable in your SoA – but you must justify why. Remote working controls (A.6.7) and endpoint security become more important in this scenario. Your cloud provider's physical security (AWS, Azure, GCP) covers the data centre controls.
Technological Controls (34) – A.8
The most technically detailed category. Key areas include:
- A.8.1-8.6 Access and Authentication: User endpoint devices, privileged access, information access restriction, authentication, capacity management
- A.8.7-8.12 Malware and Data Protection: Malware protection, vulnerability management, configuration management, data deletion, data masking, data leakage prevention
- A.8.13-8.16 Backup and Monitoring: Backup, redundancy, logging, monitoring activities
- A.8.17-8.22 Network: Clock synchronisation, privileged utilities, software installation, network security
- A.8.23-8.28 Web Filtering, Cryptography and Development: Web filtering, cryptography use, secure development lifecycle, security requirements, secure architecture, secure coding
- A.8.29-8.34 Testing and Operations: Security testing, outsourced development, separation of environments, change management, test data, information systems audit
11 New Controls in the 2022 Update
The 2022 update introduced 11 controls that did not exist in the 2013 version:
| Control | Category | What It Addresses |
|---|---|---|
| A.5.7 Threat Intelligence | Organisational | Collecting and analysing threat intelligence relevant to your organisation |
| A.5.23 Cloud Services | Organisational | Security requirements for cloud service acquisition, use, and exit |
| A.5.30 ICT Readiness for Business Continuity | Organisational | Ensuring ICT services support business continuity requirements |
| A.7.4 Physical Security Monitoring | Physical | Monitoring physical premises for unauthorised access |
| A.8.9 Configuration Management | Technological | Managing security configurations across hardware, software, and networks |
| A.8.10 Information Deletion | Technological | Ensuring timely and secure deletion of information no longer needed |
| A.8.11 Data Masking | Technological | Masking data to limit exposure in non-production environments |
| A.8.12 Data Leakage Prevention | Technological | Controls to prevent unauthorised data exfiltration |
| A.8.16 Monitoring Activities | Technological | Monitoring networks, systems, and applications for anomalous behaviour |
| A.8.23 Web Filtering | Technological | Controlling access to external websites to reduce malware exposure |
| A.8.28 Secure Coding | Technological | Applying secure coding principles during software development |
The Statement of Applicability – How It Works
The Statement of Applicability (SoA) is one of the most important documents in your ISMS. For each of the 93 Annex A controls, the SoA states whether the control applies to your organisation and why. If a control does not apply, the SoA must document the justification for exclusion. A typical SaaS startup applies 70-80 of the 93 controls, excluding some physical controls (if fully remote) and certain controls not relevant to their processing activities.
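As an added example (not from this article or any ISO document), the following Python checker encodes the category layout from the table above and applies the two SoA rules this section states: all 93 Annex A controls must be addressed, and every control marked not applicable needs a written justification. The sample SoA it builds is constructed for a fully remote SaaS startup; only control IDs are generated, not titles.

```python
from dataclasses import dataclass

# Category -> control count, as in the article's table (37 + 8 + 14 + 34 = 93).
ANNEX_A_LAYOUT = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}

def annex_a_control_ids():
    """All 93 Annex A control IDs in order: 'A.5.1' ... 'A.8.34'."""
    return [f"{cat}.{n}" for cat, count in ANNEX_A_LAYOUT.items()
            for n in range(1, count + 1)]

@dataclass
class SoAEntry:
    control: str             # e.g. "A.7.1"
    applicable: bool         # True = the control applies and is implemented
    justification: str = ""  # required when applicable is False

def check_soa(entries):
    """Return applicable/excluded counts plus the findings an auditor would raise."""
    expected = set(annex_a_control_ids())
    seen, findings = {}, []
    for e in entries:
        if e.control not in expected:
            findings.append(f"{e.control}: not an Annex A control ID")
            continue
        if e.control in seen:
            findings.append(f"{e.control}: listed more than once")
        seen[e.control] = e
        if not e.applicable and not e.justification.strip():
            findings.append(f"{e.control}: excluded without justification")
    # Sort missing IDs numerically (A.5.10 after A.5.9, not after A.5.1).
    for cid in sorted(expected - set(seen),
                      key=lambda c: tuple(int(p) for p in c.split(".")[1:])):
        findings.append(f"{cid}: not addressed in the SoA")
    applicable = sum(e.applicable for e in seen.values())
    return {"applicable": applicable, "excluded": len(seen) - applicable,
            "findings": findings}

def sample_soa():
    """Constructed SoA for a fully remote SaaS startup (not real data)."""
    why = "No physical office; data centre security rests with the cloud provider"
    entries = []
    for cid in annex_a_control_ids():
        if cid == "A.8.34":
            continue                                    # deliberately missing
        elif cid == "A.7.5":
            entries.append(SoAEntry(cid, False))        # excluded, no reason given
        elif cid.startswith("A.7."):
            entries.append(SoAEntry(cid, False, why))   # justified exclusion
        else:
            entries.append(SoAEntry(cid, True))
    return entries
```

Running `check_soa(sample_soa())` reports 78 applicable controls and two findings: A.7.5 excluded without justification and A.8.34 not addressed.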
Startup Priority Controls – Where to Focus First
For a SaaS startup beginning the ISO 27001 journey, these controls typically require the most work and deliver the most value:
- A.5.1 Information Security Policies – the foundation document everything else references
- A.5.15-5.18 Access Control – MFA, role-based access, access reviews
- A.5.24-5.28 Incident Management – response procedures, breach notification, evidence collection
- A.6.3 Security Awareness Training – phishing simulation, data handling, incident reporting
- A.8.7 Malware Protection – endpoint security across all devices
- A.8.8 Vulnerability Management – regular scanning, patching, remediation tracking
- A.8.24-8.28 Secure Development – SDLC, code review, testing, secure coding
- A.8.13 Backup – automated backups, tested restoration, offsite storage
For the full self-assessment on whether ISO 27001 is right for your organisation, see our ISO 27001 Self-Assessment Guide.
Frequently Asked Questions
ISO 27001:2022 Annex A contains 93 controls, organised into four categories: Organisational (37), People (8), Physical (14), and Technological (34). This is a reduction from 114 controls in 14 categories in the 2013 version.
No. Your Statement of Applicability (SoA) documents which controls apply and which do not, with justification. A typical SaaS startup applies 70-80 controls. Controls that do not apply (e.g. physical data centre controls for a fully cloud-native company) are excluded with documented reasoning.
Only the Annex A controls changed – the core management system clauses remain the same. Controls decreased from 114 to 93, reorganised from 14 categories into four. Eleven new controls were added covering threat intelligence, cloud services, data deletion, data masking, DLP, secure coding, and web filtering.
The SoA is a document listing all 93 Annex A controls with a determination of whether each applies to your organisation and why. It is one of the most important audit artefacts – the certification body auditor will review it before and during the audit. Controls excluded without proper justification will be flagged as findings.
Focus on: access control (MFA, role-based access), incident management (response procedures, breach notification), security awareness training, vulnerability management, secure development practices, backup, and the foundational information security policy. These deliver the most security value and are the most scrutinised during audits.