ISO 27001:2022 defines how organisations manage information security through a structured Information Security Management System (ISMS). While the standard sets out what organisations must achieve, Annex A controls define how information security risks can be managed in practice.
ISO 27002 supports this by providing additional guidance on how controls can be implemented, helping organisations move from high-level requirements to practical, auditable processes.
Annex A provides a structured catalogue of information security controls that organisations can use to address risks identified during their risk assessment. These controls form a practical framework for protecting confidentiality, integrity and availability of information.
They are designed to:
Annex A is not a checklist. Controls are selected, justified and implemented based on the organisation’s specific risks and requirements.
The 2022 revision of ISO 27001 simplified the control structure into four key areas: Organisational, People, Physical and Technological controls.
This structure ensures information security is managed across the organisation, not just within IT or technical teams.
Organisations are required to review all Annex A controls and determine which are appropriate based on their scope, risks and obligations.
This process is documented in the Statement of Applicability (SoA), which:
The SoA is a key document during certification audits, forming the foundation of how auditors assess the system.
A common challenge is translating control requirements into day-to-day processes.
Organisations often face:
Controls are most effective when they are aligned to real risks, clearly owned and supported by consistent, auditable evidence.
This is where structured approaches to implementation and ongoing compliance become critical.
Information security does not operate in isolation. Annex A controls can be integrated with other standards such as ISO 9001, ISO 14001 and ISO 42001 to form a single, coherent management system.
A structured approach to integration allows organisations to:
This is typically supported through integrated delivery and centralised systems such as management system platforms.
Certification bodies assess whether controls are:
They also expect to see ongoing review and improvement.
Controls that are embedded into operations are easier to maintain and more reliable during audits, reducing last-minute preparation and audit disruption.
ISO 27001 controls are most effective when they are embedded into how the organisation operates.
By aligning controls to governance, risk and operational processes, organisations can:
Understanding ISO 27001 controls is the first step. Implementing and maintaining them effectively requires structure, clarity and ongoing oversight.
ISO 27002:2022 is a guideline for information security controls, supporting ISO 27001:2022 Annex A by providing further detail and clarification. There are now four domains (Organisational, People, Physical and Technological) instead of the previous 14. At AvISO, we have put together a page on all 93 controls, explaining the purpose of each control and giving implementation guidance.
As part of ISO 27001:2022, Annex A lays out a set of security controls that organisations can use to demonstrate compliance with internationally recognised best practice. In ISO 27001:2022, a Statement of Applicability (SoA) is a document that lists the Annex A controls an organisation will implement to meet the requirements of the standard. This includes a list of the controls that are necessary for your organisation, a statement outlining why the chosen controls have been included or excluded, and confirmation of their implementation.