Your guide to the ISO 27001 Annex A controls (2022): themes, SoA, and evidence
Annex A of ISO/IEC 27001:2022 is the normative control catalog your ISMS uses to treat information security risk. Auditors do not expect you to implement all 93 controls blindly—you select controls based on risk and document your choices in the Statement of Applicability (SoA).
Key takeaways
- Annex A contains 93 controls organized into four themes (2022 edition).
- Your SoA lists each control as applicable or not, with justification.
- ISO 27002 provides implementation guidance; ISO 27001 is what you certify against.
- Evidence should show controls are implemented and operating, not only documented.
What is Annex A?
Annex A is the reference set of security controls tied to your risk assessment. Clauses 4–10 describe how you run the ISMS; Annex A describes what safeguards you apply.
The 2013 edition used 114 controls in 14 domains. The 2022 edition consolidated to 93 controls in four themes to align with ISO/IEC 27002:2022.
The four control themes (2022)
| Theme | Focus | Examples |
|---|---|---|
| Organizational (37) | Governance, suppliers, legal, continuity | Policies, supplier security, incident management |
| People (8) | HR security, awareness | Screening, training, remote work rules |
| Physical (14) | Facilities, equipment | Secure areas, equipment handling |
| Technological (34) | Technical safeguards | Access control, logging, secure development, encryption |
Use your risk assessment to decide which controls apply. Document exclusions with clear rationale in the SoA.
Statement of Applicability (SoA)
The SoA is a mandatory artifact that typically includes:
- Control ID and name
- Applicable (yes/no)
- Justification for inclusion or exclusion
- Implementation status
- Reference to policies or procedures
A strong SoA aligns with your risk treatment plan so auditors see a single story from risk → control → evidence.
Evidence auditors expect
For each applicable control, prepare evidence such as:
- Policy approvals and review dates
- Access review exports and MFA configuration
- Ticket samples for change management and incidents
- Training completion reports
- Backup and monitoring screenshots or API-backed tests
Automating evidence collection reduces last-minute audit scrambles. See benefits of compliance automation for ISO 27001.
Manage Annex A in SecureSlate
SecureSlate maps Annex A controls to tests, owners, and integrations—so you can maintain your SoA and evidence continuously.
FAQ
Must we implement all 93 controls?
No. Implement controls proportionate to risk and scope, and document the rest as excluded in the SoA.
How does Annex A relate to SOC 2?
Many Annex A controls overlap with the SOC 2 Trust Services Criteria. See our mapping of common criteria.
Disclaimer (legal note)
General information only—not audit or legal advice. Control interpretation may vary by certification body and industry.