ISO 27001 Requirements: Understanding the 93 Annex A Controls

Robin Joseph
Senior Security Consultant

Ever wondered why some companies stay calm during cyberattacks while others fall apart overnight? The difference often comes down to ISO 27001 requirements—rules that help organizations manage security, identify risks, and protect data. They provide a structured way to stay prepared, reduce threats, and keep business operations running smoothly.
ISO 27001 is a global standard for building an Information Security Management System (ISMS), published by ISO and IEC and used in over 150 countries. It provides a clear framework to manage information security in a consistent and organized way across teams and systems.
At its core, it’s practical. It helps you stay prepared, reduce surprises, strengthen customer trust, and build a security foundation that holds up when it matters most.
What Are ISO 27001 Requirements and Why They Matter?
ISO 27001 requirements are the rules organizations follow to build, implement, and maintain an Information Security Management System (ISMS). They help you identify risks, apply the right controls, and continuously improve how you protect sensitive information.
These requirements are split into two parts. First, clauses 4 to 10 define how your ISMS must run: context and scope (4), leadership (5), planning and risk assessment (6), support (7), operation (8), performance evaluation (9), and improvement (10). Clauses 1 to 3 only set out the standard’s scope, normative references, and terms. Together they ensure your security program is structured, repeatable, and not dependent on guesswork.
Second, Annex A lists 93 controls across organizational, people, physical, and technological themes. You don’t implement all of them automatically: every control has to be considered, then selected or excluded on the basis of your risk assessment, with the decision recorded in your Statement of Applicability.
Why does this matter? Because it turns security into a system—reducing risk, building trust, and supporting long-term business growth.
ISO 27001 Clause 6 Risk Assessment and Planning Framework
This is where ISO 27001 stops being theory and starts working. Clause 6 turns risk into action—forcing you to assess threats, plan responses, and define measurable goals that actually reduce exposure.
Understanding ISO 27001 Clause 6 Risk Assessment
ISO 27001 Clause 6 risk assessment is the process used to identify, analyze, and evaluate information security risks within your ISMS. It ensures risks are handled through a structured, repeatable method rather than guesswork. Clause 6.1.2 requires you to define risk criteria, assess likelihood and impact, and determine what level of risk is acceptable.
Start with an asset register covering hardware, software, data, people, and locations. Assign a single owner to each asset. Then evaluate risks by assigning likelihood and impact values, calculate risk scores, and compare them against your acceptance criteria to decide next steps.
Creating a Risk Treatment Plan
Once risks are identified, you have four options for each: terminate (avoid the activity), treat (apply controls to reduce likelihood or impact), transfer (share the risk, for example through insurance or a supplier contract), or tolerate (accept it within your risk appetite). The choice depends on your risk appetite and business priorities, but every decision must be justified and documented clearly.
Your risk treatment plan connects risks to controls. It outlines what action you’ll take, why you chose it, who’s responsible, timelines, resources, and how success will be measured. This is where strategy turns into execution.
Auditors rely heavily on this document because it shows your methodology isn’t just theoretical—it’s applied consistently across real risks and controls.
Setting Measurable Security Objectives
Clause 6.2 requires organizations to define security objectives that align with their ISMS policy and risk landscape. These objectives must be measurable where possible, monitored regularly, and clearly communicated across teams.
Use the SMART framework to make them effective. Avoid vague goals like “improve security.” Instead, define targets such as “patch critical vulnerabilities within 48 hours” or “maintain 99.9% uptime.”
Each objective should include actions, ownership, timelines, and metrics. Clear objectives keep teams focused and prove your ISMS is delivering measurable results.
ISO 27001 Mandatory Documents and ISMS Policy Requirements
Documentation is where ISO 27001 gets real. Auditors don’t trust claims—they want proof. Every decision, control, and process must be backed by clear, consistent records that show your ISMS actually works.
ISO 27001 ISMS Policy Requirements
Clause 5.2 requires an information security policy tailored to your organization—not a generic template. It must define or reference security objectives, commit to meeting requirements, and ensure continual improvement of the ISMS. Management must approve it, document it, and communicate it internally while making it available to relevant stakeholders.
Beyond this, you need supporting policies for areas like access control, supplier security, acceptable use, and data classification. Each policy requires approval, periodic review, and evidence of communication. Without this, your ISMS lacks structure and accountability.
ISO 27001 Statement of Applicability
The Statement of Applicability (SoA) connects your risk assessment to the controls you implement, and auditors rely on it to understand your decisions. For each of the 93 Annex A controls (and any additional controls you adopt), it must record whether the control is necessary, the justification for including or excluding it, and whether it has been implemented. Linking each included control to its supporting evidence is not mandated by the standard, but it makes audits far easier.
Skipping controls or providing weak justification leads to nonconformities. The SoA should clearly explain how controls address risks and why some are excluded. It acts as your security blueprint and must reflect real business decisions, not assumptions.
Risk Assessment and Treatment Reports
Risk assessment reports capture your methodology, identified risks, likelihood and impact scores, and final risk levels. They provide a structured view of how risks are identified and evaluated across the organization.
Treatment reports go further by showing how controls address those risks. They connect Annex A controls to business processes, explain exclusions, assign ownership, and provide evidence. Together, these documents prove your decisions are consistent and defensible.
Internal Audit and Management Review Records
Clause 9.2 requires internal audits at planned intervals to verify your ISMS is working. You must define scope, criteria, and maintain records showing audits were conducted, findings reported, and actions tracked.
Clause 9.3 requires management reviews covering performance, risks, incidents, and improvement opportunities. These reviews must show real decisions, ownership, and timelines. Without substance, your documentation fails to demonstrate control.
Breaking Down the ISO 27001 Annex A Controls List
ISO 27001 Annex A controls are a structured list of 93 security measures used to manage information risks. These controls are grouped into four domains—organizational, people, physical, and technological—so you can map risks to the right safeguards. You don’t implement all controls blindly. You select what applies to your risks and justify it in your Statement of Applicability.
| Domain | Controls | What It Covers |
|---|---|---|
| Organizational (A.5) | 37 | Policies, governance, supplier security, incident response |
| People (A.6) | 8 | Hiring, training, behavior, offboarding |
| Physical (A.7) | 14 | Facilities, equipment, environmental protection |
| Technological (A.8) | 34 | Systems, networks, encryption, monitoring |

Organizational Controls (37 Controls)
This is your governance layer—where structure, policies, and accountability come together.
- Policies (A.5.1): Define how information security is managed
- Threat Intelligence (A.5.7): Identify emerging risks
- Asset Inventory (A.5.9): Track critical assets
- Access Control Framework (A.5.15): Define access rules
- Supplier Security (A.5.19–A.5.22): Manage third-party risks across agreements, the ICT supply chain, and ongoing monitoring
- Cloud Services Security (A.5.23): Secure cloud usage
- Incident Response (A.5.24–A.5.28): Handle security events
- ICT Readiness (A.5.30): Support business continuity
Without strong governance, controls become inconsistent and ineffective.
People Controls (8 Controls)
These controls address risks caused by human actions and behavior.
- Screening (A.6.1): Verify trust before granting access
- Terms and Conditions of Employment (A.6.2): Put security responsibilities into contracts
- Security Awareness (A.6.3): Train employees regularly
- Disciplinary Process (A.6.4): Handle violations
- Termination Responsibilities (A.6.5): Remove access promptly
- Remote Working (A.6.7): Secure distributed teams
People remain one of the most unpredictable risk factors in security.
Physical Controls (14 Controls)
These controls protect facilities and physical assets from threats.
- Security Perimeter (A.7.1): Define secure boundaries
- Entry Controls (A.7.2): Restrict access
- Physical Monitoring (A.7.4): Detect suspicious activity
- Environmental Protection (A.7.5): Prevent damage
- Clear Desk/Clear Screen (A.7.7): Reduce exposure
- Secure Disposal (A.7.14): Destroy data safely
Physical weaknesses can bypass even the strongest digital defenses.
Technological Controls (34 Controls)
These controls secure systems, networks, and data.
- User Endpoint Devices (A.8.1): Secure laptops, phones, and other endpoints
- Privileged Access Rights (A.8.2): Limit and monitor admin rights
- Malware Protection (A.8.7): Detect and block malicious code
- Configuration Management (A.8.9): Maintain hardened, documented setups
- Data Masking (A.8.11): Limit exposure of sensitive fields
- Data Leakage Prevention (A.8.12): Prevent unauthorized exfiltration
- Logging (A.8.15): Record, protect, and review event logs
- Network Security (A.8.20): Protect communications and segment networks
- Web Filtering (A.8.23): Block access to malicious sites
- Cryptography (A.8.24): Protect sensitive data in transit and at rest
Your security is only as strong as your weakest control.
Critical Annex A Controls: Access Control and Asset Management
Access control and asset management are where most ISO 27001 failures happen. Weaknesses here lead to audit issues, unauthorized access, and security incidents that are difficult and expensive to fix.
ISO 27001 Access Control Requirements
ISO 27001 access control is built on four core principles: Need to Know, Least Privilege, Segregation of Duties, and Role-Based Access Control. These ensure users only access what they need and nothing beyond their role.
Annex A.5.15 defines your access control policy. A.5.16 (identity management), A.5.17 (authentication information) and A.5.18 (access rights) cover the full lifecycle: creating identities, issuing and protecting credentials, and granting, reviewing, and removing access. A.8.2 and A.8.3 then restrict privileged access rights and access to information. Strong access control prevents misuse and reduces exposure to internal and external threats.
User Access Provisioning and Deprovisioning
The Joiner-Mover-Leaver lifecycle ensures access stays aligned with roles as employees join, change positions, or leave. Timely provisioning and immediate removal of access are critical to maintaining security.
Regular access reviews help identify permission creep, where users accumulate unnecessary access over time. Automation tools can streamline updates, but consistent monitoring ensures access remains accurate and controlled.
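The access review described above, as an added example that is not code from the original article: a small Go program compares an exported list of users and their entitlements against a per-role baseline, reports entitlements beyond the baseline as permission creep, and reports any access still held by a terminated user as a leaver exception. The roles, entitlements, user names and dates are constructed sample data, and roleBaseline, User, Finding, ReviewAccess and SampleUsers are names chosen for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// roleBaseline maps each job role to the entitlements it is supposed to carry.
// Roles, systems and users in this file are constructed sample data.
var roleBaseline = map[string]map[string]bool{
	"engineer": {"git:read": true, "git:write": true, "ci:run": true},
	"finance":  {"erp:read": true, "erp:post": true},
}

// User is one identity as an access export from the directory would list it.
type User struct {
	Name         string
	Role         string
	Entitlements []string
	Terminated   *time.Time // nil while still employed
}

// Finding is one access-review exception, phrased so it can go straight into
// the review's evidence record.
type Finding struct {
	User   string
	Kind   string // "excess" (permission creep) or "leaver" (access after termination)
	Detail string
}

// ReviewAccess compares live entitlements with the role baseline. Entitlements a
// current user holds beyond their role's baseline are reported as excess; every
// entitlement still held by a terminated user is reported as a leaver exception.
// A role missing from the baseline yields an empty allow set, so all of that
// user's access is flagged rather than silently accepted.
func ReviewAccess(users []User, now time.Time) []Finding {
	var out []Finding
	for _, u := range users {
		if u.Terminated != nil && !u.Terminated.After(now) {
			days := int(now.Sub(*u.Terminated).Hours() / 24)
			for _, e := range u.Entitlements {
				out = append(out, Finding{u.Name, "leaver", fmt.Sprintf("%s still active %d days after termination", e, days)})
			}
			continue
		}
		allowed := roleBaseline[u.Role] // nil map for unknown roles: every lookup is false
		for _, e := range u.Entitlements {
			if !allowed[e] {
				out = append(out, Finding{u.Name, "excess", fmt.Sprintf("%s is not in the %q baseline", e, u.Role)})
			}
		}
	}
	// Deterministic order so two runs over the same export produce identical evidence.
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Detail < out[j].Detail
	})
	return out
}

// SampleUsers is the constructed access export used by main: bob moved from
// finance to engineering and kept erp:post; carol left on 1 March.
func SampleUsers() []User {
	left := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	return []User{
		{Name: "alice", Role: "engineer", Entitlements: []string{"git:read", "git:write", "ci:run"}},
		{Name: "bob", Role: "engineer", Entitlements: []string{"git:read", "git:write", "erp:post"}},
		{Name: "carol", Role: "finance", Entitlements: []string{"erp:read"}, Terminated: &left},
	}
}

func main() {
	reviewDate := time.Date(2024, 3, 15, 0, 0, 0, 0, time.UTC)
	for _, f := range ReviewAccess(SampleUsers(), reviewDate) {
		fmt.Printf("%-6s %-6s %s\n", f.User, f.Kind, f.Detail)
	}
}
```

Run against the sample export, the review produces two findings: bob's leftover erp:post entitlement (a mover who was never fully re-provisioned) and carol's erp:read access still active two weeks after termination. Feeding a real directory export into the same comparison is what turns "we do access reviews" into evidence an auditor can check.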
ISO 27001 Asset Management Framework
Asset management ensures you know exactly what you own and what needs protection. Control A.5.9 requires maintaining an inventory of assets, including hardware, software, and data.
Each asset must have a single owner responsible for its lifecycle. This accountability ensures assets are tracked, protected, and properly managed from creation to disposal.
Information Classification and Handling
Information classification defines how data is handled based on its sensitivity and business impact. Control A.5.12 requires classification frameworks that guide how information is stored, shared, and protected.
Control A.5.13 requires clear labeling so users understand handling requirements. Proper classification reduces the risk of accidental exposure and ensures consistent data protection practices.
Advanced Security Controls: Cryptography and Supplier Security
Your external security perimeter depends on two things: strong encryption and secure suppliers. Weak controls here expose sensitive data and create backdoors that bypass even the strongest internal defenses.
ISO 27001 Cryptography Controls and Key Management
Cryptography under ISO 27001 ensures sensitive data is protected through defined encryption standards and secure key management practices. Annex A.8.24 requires clear policies on algorithms, key sizes, and how encryption is implemented.
Keys must be generated from a cryptographically secure random source and stored in an HSM or cloud KMS, so that applications call the key service rather than holding raw key material, with access to key operations restricted by least-privilege IAM policies and multi-factor authentication for administrators. Never hardcode keys in applications or commit them to source control. Rotate keys on a defined schedule, and immediately after any suspected compromise; tag each ciphertext with the version of the key that produced it so existing records stay readable while rotation and re-encryption are in progress, and only retire an old key once nothing depends on it.
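Key versioning and rotation, as an added example rather than code from the original article: a Go program using AES-256-GCM from the standard library. Each ciphertext carries the ID of the key that produced it, so rotating to a new key does not break existing records, old keys stay readable until their data has been migrated, and a retired key or a tampered key ID fails cleanly. The in-memory Keyring type, its method names and the sample record are assumptions of this example; a real deployment would keep the key material in an HSM or KMS and only call into it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keyring is a versioned set of AES-256 data-encryption keys. Keys sit in memory
// here for illustration only; in production this type would wrap an HSM or KMS.
type Keyring struct {
	keys    map[uint32][]byte // key ID -> 32-byte key
	current uint32            // key ID used for every new encryption
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32][]byte{}} }

// Rotate adds a fresh key and makes it current; older keys stay for decryption only.
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire deletes an old key. Re-encrypt everything written under it first
// (Decrypt, then Encrypt), or those records become permanently unreadable.
func (k *Keyring) Retire(id uint32) error {
	if id == k.current {
		return errors.New("refusing to retire the current key")
	}
	delete(k.keys, id)
	return nil
}

func (k *Keyring) aead(id uint32) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown or retired key id %d", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces keyID(4 bytes, big-endian) || nonce || ciphertext || tag. The key
// ID is passed as GCM additional data, so it is authenticated although stored in clear.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(k.current) // an empty ring fails here with key id 0
	if err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, k.current)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(header, nonce...) // header has no spare capacity, so this copies
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// Decrypt selects the key named in the header and verifies the GCM tag. A retired
// key, a tampered key ID, or any modified byte yields an error, never plaintext.
func (k *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	gcm, err := k.aead(binary.BigEndian.Uint32(blob[:4]))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < 4+ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[4:4+ns], blob[4+ns:], blob[:4])
}

// KeyID reports which key a stored blob uses, so a migration job can find the
// records that still need re-encryption after a rotation (0 for malformed input).
func KeyID(blob []byte) uint32 {
	if len(blob) < 4 {
		return 0
	}
	return binary.BigEndian.Uint32(blob[:4])
}

func main() {
	kr := NewKeyring()
	kr.Rotate()
	old, _ := kr.Encrypt([]byte("constructed sample record")) // written under key 1
	kr.Rotate()                                                // key 2 is now current
	pt, _ := kr.Decrypt(old)                                   // key 1 still decrypts
	fresh, _ := kr.Encrypt(pt)                                 // same record migrated to key 2
	kr.Retire(1)
	_, err := kr.Decrypt(old)
	fmt.Printf("key %d blob after retire: %v; migrated blob uses key %d\n", KeyID(old), err, KeyID(fresh))
}
```

The order in main is the order a rotation runbook should follow: add the new key, migrate stored records onto it, and only then retire the old one. Retiring first is the common mistake, and the example makes it visible by returning an error for every record left behind. Binding the key ID into the authenticated data means an attacker who rewrites the header to point at a weaker or leaked key gets an authentication failure rather than a decryption under the wrong key.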
Secure Data Transfer and Storage Encryption
Data must be protected both in transit and at rest to prevent interception or unauthorized access. Encryption ensures confidentiality across systems, networks, and storage environments.
Use TLS 1.2 or later with a strong configuration for data in transit: forward-secret AEAD cipher suites, certificate validation left enabled, and the same policy enforced on internal APIs and endpoints, not only at the public edge. For data at rest, apply AES-256 in an authenticated mode such as GCM across databases, backups, and logs. Automating the configuration, and testing it, keeps it consistent and catches drift.
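A weak tls.Config beside its hardened form, with a small audit function, as an added example that is not the article's own code. The check uses Go's own tls.InsecureCipherSuites list as the reference for weak suites and additionally flags static-RSA suites, which lack forward secrecy. WeakConfig, HardenedConfig and AuditTLS are names chosen for this example, and the finding text is not taken from any standard.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// WeakConfig is the sort of tls.Config that survives in legacy code: an old
// minimum version, certificate verification switched off, and a cipher list
// that still carries an RC4 suite with static-RSA key exchange.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedConfig is the corrected version: TLS 1.2 as the floor (TLS 1.3 suites
// are fixed by Go and cannot be configured down), verification left on, and
// only forward-secret AEAD suites for TLS 1.2 connections.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// AuditTLS returns the findings a reviewer would raise against a tls.Config,
// using Go's own list of suites with known weaknesses as the reference.
func AuditTLS(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion not set: the floor depends on the Go toolchain default")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x permits TLS below 1.2", c.MinVersion))
	}
	if c.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate validation")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, name+" has known weaknesses")
		case strings.HasPrefix(name, "TLS_RSA_"):
			findings = append(findings, name+" uses static RSA key exchange (no forward secrecy)")
		}
	}
	return findings
}

func main() {
	for _, cfg := range []struct {
		label string
		c     *tls.Config
	}{{"weak", WeakConfig()}, {"hardened", HardenedConfig()}} {
		findings := AuditTLS(cfg.c)
		fmt.Printf("%s: %d finding(s)\n", cfg.label, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The weak configuration produces three findings and the hardened one none. A check like this belongs in CI next to the code that builds the tls.Config, so that a later "temporary" InsecureSkipVerify or a re-added legacy suite is caught before it ships; the same idea applies to any other server or client library whose TLS settings can be inspected programmatically.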
ISO 27001 Supplier Relationship Security
Supplier security ensures third parties do not become weak links in your security posture. ISO 27001 includes multiple controls to manage risks across the supplier lifecycle.
Controls A.5.19 to A.5.23 cover supplier relationships, agreements, ICT supply chains, monitoring, and cloud services. Organizations must define expectations, document requirements, and ensure suppliers meet security standards consistently.
Third-Party Risk Assessment and Monitoring
Third-party risk management focuses on evaluating, monitoring, and controlling supplier risks over time. Initial assessments ensure suppliers meet security expectations before engagement.
Ongoing monitoring and audits verify continued compliance. Contracts must clearly define access controls, data handling, and security responsibilities. Without continuous oversight, suppliers can quickly become a major security risk.
ISO 27001 2022 Updates to Annex A Controls
October 2022 reshaped ISO 27001, going beyond minor updates to restructure how organizations manage security. If you're on the 2013 version, you must revisit controls, documentation, and risk treatment.
Key Changes in Control Structure
The number of Annex A controls dropped from 114 to 93, but the structure became more streamlined and easier to use. The old 14 domains were consolidated into four: Organizational, People, Physical, and Technological.
Behind the scenes, several controls were merged, updated, or renamed to remove duplication and improve clarity. The result is a more practical framework that aligns better with how modern organizations operate and manage risk.
New and Revised Controls in ISO 27001:2022
The 2022 update introduced new controls focused on areas like cloud security, monitoring, and data protection—reflecting today’s threat landscape.
- A.5.7: Threat intelligence
- A.5.23: Cloud services security
- A.5.30: ICT continuity readiness
- A.7.4: Physical security monitoring
- A.8.9: Configuration management
- A.8.10: Information deletion
- A.8.11: Data masking
- A.8.12: Data leakage prevention
- A.8.16: Monitoring activities
- A.8.23: Web filtering
- A.8.28: Secure coding
These additions target gaps that were not fully addressed in earlier versions.
Mapping Old Controls to Updated Controls
Organizations transitioning from ISO 27001:2013 must remap every control to the 2022 structure, because the old A.5 to A.18 references no longer exist and any documentation that cites them is out of date. ISO/IEC 27002:2022 Annex B publishes correspondence tables between the 2013 and 2022 control sets, which is the starting point for that remap.
This impacts risk registers, policies, procedures, and supporting documentation. Every control must be reviewed, updated, and correctly mapped to maintain consistency, ensure proper risk treatment, and stay fully prepared for certification and transition audits.
Implications for Risk Assessment and Treatment
The risk assessment process remains unchanged, but the updated control set directly impacts how risks are evaluated and treated within your ISMS. Organizations must reassess how controls map to identified risks.
Your Statement of Applicability must be updated to reflect the new 93 controls. Without proper alignment, outdated mappings can lead to gaps in risk treatment and potential audit nonconformities.
Preparing Your ISMS for the Updated Standard
The transition deadline was October 31, 2025; ISO 27001:2013 certificates are no longer valid after that date, so any organization still on the 2013 version must complete the move to ISO 27001:2022 to retain or regain certification.
This includes conducting gap assessments against the new controls, updating the Statement of Applicability, revising risk assessments, and aligning ISMS policies with the 2022 structure. Proper preparation ensures a smooth transition and avoids certification disruptions or audit failures.
Turning ISO 27001 Into Real Security
You don’t need all 93 controls. You need the right controls for your risks. That’s the core of ISO 27001—and where most organizations either overcomplicate things or completely miss what actually matters in practice today.
We’ve covered control categories, mandatory documents, risk frameworks, and the 2022 updates. But compliance isn’t about knowing the standard. It’s about connecting risks to the right controls—and proving it with clear, consistent, auditable evidence that stands up during audits and real-world scenarios.
If you were on the 2013 version, the October 2025 deadline changed everything. Now it’s about aligning your ISMS with the updated structure—running gap assessments, updating your Statement of Applicability, and fixing documentation gaps. This isn’t just about certification. It’s about protecting your data, systems, reputation, and the trust your customers place in you every day.
Strengthen your information security and stay audit-ready with UprootSecurity — making ISO 27001 compliance simple and practical.
→ Book a demo today