ISO 27001 Annex A Controls: Complete List and Implementation Guide
Bottom Line Up Front
ISO 27001 Annex A contains 93 security controls organized into four domains that form the foundation of your information security management system (ISMS). You’re reading this because a customer, partner, or regulation requires ISO 27001 certification, or your leadership wants internationally recognized security standards to protect the business and demonstrate maturity to stakeholders.
What ISO 27001 Annex A Actually Requires
ISO 27001 Annex A controls serve as the security control library for your ISMS implementation. Unlike the main body of ISO 27001, which defines your management system requirements, Annex A provides the actual technical and organizational controls you’ll implement to protect information assets.
The current version organizes controls into four domains:
- Organizational Controls (37 controls): Policies, procedures, human resources, supplier relationships
- People Controls (8 controls): Background checks, terms of employment, awareness training, disciplinary processes
- Physical Controls (14 controls): Secure areas, equipment protection, clear desk policy, secure disposal
- Technological Controls (34 controls): Access management, cryptography, system security, network controls
Who Must Comply
Organizations pursuing ISO 27001 certification must implement a subset of Annex A controls based on their Statement of Applicability (SoA). You don’t implement all 93 controls — you perform a risk assessment, select applicable controls, and justify exclusions. This risk-based approach means a SaaS startup might implement 60 controls while a defense contractor implements 85.
Certification vs. Actual Security
Your ISO 27001 certificate demonstrates you have a mature, audited ISMS. However, certification doesn’t guarantee perfect security — it proves you have systematic processes for identifying risks, implementing controls, and continuously improving your security posture. Think of it as security program maturity, not security perfection.
Key Requirements by Domain
Organizational Controls cover your security foundation: information security policies, risk management procedures, supplier security, incident response plans, and business continuity. Your auditor will verify these policies exist, are approved by leadership, communicated to staff, and regularly reviewed.
People Controls address the human element: background verification for sensitive roles, confidentiality agreements, security awareness training, and disciplinary procedures for security violations. Documentation and training records are critical evidence here.
Physical Controls protect your physical environments: secure areas, access controls, equipment protection, and secure disposal of media. Even cloud-first organizations need physical controls for offices and data centers.
Technological Controls encompass access management, cryptography, system hardening, network security, and application security. These require both policy documentation and technical evidence of implementation.
What’s Out of Scope
Annex A controls don’t prescribe specific technologies or vendors — they’re technology-agnostic requirements. You won’t find requirements for specific firewall brands, SIEM platforms, or cloud providers. The controls also don’t address operational safety, financial controls, or business process requirements outside information security.
Scoping Your Compliance Effort
Defining Your ISMS Scope
Your ISMS scope defines which business processes, locations, and information systems fall under ISO 27001. A narrow scope reduces audit complexity and ongoing compliance burden, but must still cover the business functions and information assets that matter to your stakeholders.
Start with your core business processes: customer data processing, product development, financial systems, and core infrastructure. Include any systems that, if compromised, would significantly impact business operations or customer trust.
Scope Reduction Strategies
Exclude non-critical systems: Development environments, marketing websites, and internal tools that don’t process sensitive data can often remain outside scope. Document these exclusions clearly in your scope statement.
Leverage cloud provider certifications: If your AWS, Azure, or GCP environment already has ISO 27001 certification, you can inherit many infrastructure controls rather than implementing them independently. Map your cloud provider’s controls to Annex A requirements.
Separate business units: If you operate multiple distinct business lines, scope your ISMS around the unit requiring certification rather than the entire organization. A fintech company might scope only their payment processing platform, excluding their marketing operations.
Common Scoping Mistakes
Scope creep during implementation: Organizations often expand scope mid-project when they discover interconnected systems. Define clear system boundaries upfront and resist scope expansion unless absolutely necessary.
Excluding shared services: HR systems, IT infrastructure, and facilities that support your in-scope systems must be included. You can’t exclude Active Directory if it authenticates users to your in-scope applications.
Forgetting third-party integrations: APIs, data feeds, and SaaS tools that integrate with your core systems often fall within scope. Map these dependencies early to avoid surprises during audit.
The System Boundary Question
Your system boundary separates your ISMS scope from external systems and services. For cloud-hosted applications, the boundary typically sits between your application layer and the underlying infrastructure. Document this boundary clearly — your auditor will verify controls on your side of the boundary and review evidence that your cloud provider handles their responsibilities.
Implementation Roadmap
Phase 1: Gap Assessment and Risk Analysis (6-8 weeks)
Start with a comprehensive gap assessment comparing your current security posture against Annex A controls. Document existing controls, identify gaps, and prioritize remediation based on risk.
Conduct a formal risk assessment following ISO 31000 principles. Identify information assets, threats, vulnerabilities, and potential impacts. This risk assessment drives your control selection and justifies exclusions in your Statement of Applicability.
Involve key stakeholders: security team, IT operations, legal, HR, and business unit leaders. Their input ensures your risk assessment reflects actual business operations and priorities.
Phase 2: Policy and Procedure Development (8-12 weeks)
Develop your policy framework starting with an overarching Information Security Policy approved by senior management. Create supporting policies for access control, incident response, business continuity, and other domains relevant to your selected controls.
Write procedures that translate high-level policies into specific implementation steps. Your “Access Control Policy” needs corresponding procedures for user provisioning, access reviews, and deprovisioning. These procedures become your implementation roadmap and audit evidence.
Align policies with your organizational culture and existing processes. A 50-person startup needs different policy language than a multinational corporation. Make policies practical and achievable for your team.
Phase 3: Technical Control Implementation (12-16 weeks)
Implement technical controls based on your risk assessment and control selection. Priority areas typically include:
Access Management: Deploy MFA, implement RBAC, establish privileged access management (PAM), and create access review processes.
Network Security: Configure firewalls, implement network segmentation, deploy monitoring tools, and establish secure remote access.
System Hardening: Apply security baselines, implement patch management, configure logging, and deploy endpoint protection.
Cryptography: Implement encryption at rest and in transit, establish key management procedures, and configure certificate management.
Track implementation progress and document configuration decisions. Your auditor will verify that technical controls align with your documented procedures and risk treatment plans.
Phase 4: Evidence Collection and Audit Readiness (4-6 weeks)
Establish evidence collection processes for ongoing compliance demonstration. Most controls require evidence of consistent implementation over time — screenshots from last week won’t demonstrate a mature control environment.
Key evidence types include:
- Policy acknowledgments and training records
- Access review logs and provisioning tickets
- Vulnerability scan reports and remediation tracking
- Incident response records and lessons learned
- Change management approvals and implementation records
Deploy a GRC platform or document management system to centralize evidence collection. Manual evidence gathering becomes unmanageable as your control environment matures.
Realistic Timeline by Organization Size
Startup (50-200 employees): 6-9 months from gap assessment to certification audit. Smaller scope and fewer legacy systems accelerate implementation, but limited resources can slow progress.
Mid-market (200-1000 employees): 9-12 months with more complex integration requirements and change management challenges. Multiple business units and legacy systems increase implementation complexity.
Enterprise (1000+ employees): 12-18+ months due to scope complexity, change management overhead, and integration with existing compliance programs. Consider phased implementation by business unit or geography.
Who to Involve
Executive Sponsor: Provides budget, removes roadblocks, and demonstrates leadership commitment. ISO 27001 requires top management involvement — this isn’t a security team side project.
ISMS Manager: Leads day-to-day implementation, coordinates across teams, and serves as primary auditor contact. Often the CISO, security manager, or compliance officer.
Security and IT Teams: Implement technical controls, document configurations, and establish monitoring processes.
HR and Legal: Develop people controls, review contracts, and ensure policy alignment with employment law and regulations.
Business Unit Leaders: Provide risk assessment input, approve operational procedures, and ensure business process alignment.
The Audit Process
What to Expect from the Assessment
ISO 27001 certification involves a two-stage audit process. Stage 1 reviews your ISMS documentation, policies, and procedures. The auditor verifies your management system design and identifies any documentation gaps before the formal audit.
Stage 2 conducts detailed testing of control implementation and effectiveness. Auditors interview staff, review evidence, observe processes, and test technical controls. Expect 2-5 days of on-site or virtual assessment depending on scope complexity.
How to Select an Auditor
Choose a certification body (CB) accredited by your national accreditation authority (ANAB in the US, UKAS in the UK). Verify their scope covers information security management systems and your industry sector if applicable.
Consider auditor experience with organizations similar to yours. A CB specializing in manufacturing might lack depth in cloud-native SaaS environments. Request auditor CVs and recent client references.
Evaluate audit approach and communication style. You’ll work with this auditor for annual surveillance audits and triennial recertification. Choose a partner who provides constructive feedback rather than just compliance checking.
Evidence the Auditor Will Request
Policy Documentation: Complete policy framework, procedures, and work instructions. Ensure version control and approval documentation.
Risk Management Records: Risk register, risk assessment methodology, treatment plans, and regular review records.
Training and Awareness: Training materials, completion records, competency assessments, and awareness campaign documentation.
Access Management: User listings, privilege reviews, provisioning/deprovisioning records, and access control system configurations.
Incident Management: Incident logs, investigation reports, root cause analyses, and improvement implementations.
Business Continuity: BCP/DR plans, testing records, recovery procedures, and stakeholder communication plans.
How to Handle Findings and Remediation
Auditors classify findings as nonconformities (major or minor) or observations. Major nonconformities prevent certification and require remediation before certificate issuance. Minor nonconformities allow conditional certification with required remediation within 90 days.
Develop corrective action plans that address root causes, not just symptoms. If your access review process failed, don’t just complete the missing review — analyze why the process failed and implement preventive measures.
Document remediation efforts thoroughly. Your certification body will verify corrective actions before finalizing certification. Poor remediation documentation can delay certificate issuance.
Maintaining Compliance Year-Round
Continuous Monitoring vs. Point-in-Time Assessment
ISO 27001 requires continuous ISMS operation, not annual audit preparation. Establish monitoring processes that provide ongoing visibility into control effectiveness throughout the year.
Deploy automated monitoring where possible: access review workflows, vulnerability scanning, patch management dashboards, and security awareness completion tracking. Manual processes become compliance bottlenecks as your organization grows.
Evidence Collection Automation
GRC platforms like ServiceNow, Archer, or specialized tools like Vanta and Drata can automate evidence collection for many Annex A controls. These platforms integrate with your existing tools to continuously gather evidence and maintain audit readiness.
Key automation opportunities:
- Access review workflows and approval tracking
- Policy acknowledgment and training completion
- Vulnerability management and patch tracking
- Configuration monitoring and change detection
- Incident tracking and response metrics
Policy Review Cadence and Change Management
Establish annual policy review cycles with designated owners for each policy domain. Document review dates, changes made, and approval processes. Policies without regular review quickly become outdated and ineffective.
Implement change management processes for ISMS updates. Significant scope changes, new business processes, or major technology implementations may require risk reassessment and control updates.
Annual Activities Calendar
Q1: Annual risk assessment review and management review meeting. Plan any scope changes or significant control updates.
Q2: Policy review cycle and training program updates. Refresh security awareness content and update role-specific training.
Q3: Business continuity testing and incident response tabletop exercises. Document results and implement improvements.
Q4: Surveillance audit preparation and internal audit program. Review evidence collection and address any gaps.
How to Handle Framework Updates
ISO standards undergo periodic revision, but transitional periods typically allow 1-3 years for implementation. Monitor ISO 27001 updates through professional associations and certification body communications.
When updates occur, conduct gap analysis against new requirements rather than rebuilding your entire ISMS. Most updates involve evolutionary improvements rather than fundamental changes.
Common Failures and How to Avoid Them
Inadequate Risk Assessment Foundation
Why it happens: Organizations rush through risk assessment to start implementing “standard” controls, missing business-specific risks and over-implementing irrelevant controls.
Cost: Major nonconformities, scope expansion, and misaligned control investments. For example, a healthcare company may end up implementing manufacturing-focused controls while missing HIPAA-relevant risks.
Prevention: Invest adequate time in risk assessment with business stakeholder involvement. Your risk assessment drives everything else — shortcuts here cascade through your entire ISMS.
Documentation Without Implementation
Why it happens: Teams focus on creating audit-ready documents without ensuring operational implementation. Policies exist but staff don’t follow documented procedures.
Cost: Major nonconformities when auditors test implementation. Staff confusion about actual vs. documented processes.
Prevention: Implement procedures as you document them. Test procedures with end users and iterate based on feedback before finalizing documentation.
Scope Creep During Implementation
Why it happens: Organizations discover interconnected systems and gradually expand scope without considering compliance implications.
Cost: Implementation timeline delays, budget overruns, and increased ongoing maintenance burden.
Prevention: Define clear scope boundaries upfront and resist expansion unless business-critical. Document excluded systems and interfaces clearly.
Inadequate Change Management
Why it happens: Organizations implement ISMS controls but fail to maintain them as business processes evolve. New systems, staff changes, and process updates bypass established controls.
Cost: Surveillance audit findings, control degradation, and increased security risk over time.
Prevention: Establish change management processes that trigger ISMS impact assessment. Include security reviews in project planning and system deployment procedures.
Evidence Collection Gaps
Why it happens: Teams implement controls but fail to collect systematic evidence of ongoing operation. Manual evidence gathering becomes overwhelming during audit preparation.
Cost: Audit delays, intensive pre-audit preparation, and difficulty demonstrating control effectiveness.
Prevention: Implement evidence collection processes alongside control implementation. Automate where possible and establish regular evidence review cycles.
FAQ
How many Annex A controls do I need to implement?
You don’t implement all 93 controls — your risk assessment and Statement of Applicability determine which controls are applicable to your organization. Most organizations implement 50-75 controls depending on scope, risk profile, and business requirements. Document justifications for excluded controls clearly.
Can I use cloud provider controls to meet Annex A requirements?
Yes, you can inherit many infrastructure controls from certified cloud providers through their shared responsibility model. Map your provider’s ISO 27001 controls to Annex A requirements and document the inheritance relationship. You’re still responsible for controls in your domain, like application security and user access management.
How often do I need to review and update my controls?
Conduct formal control reviews annually as part of your management review process, but monitor control effectiveness continuously. Update controls when business processes change, new risks emerge, or surveillance audits identify improvement opportunities. Minor updates happen quarterly; major updates typically occur annually.
What’s the difference between ISO 27001 and ISO 27002?
ISO 27001 defines ISMS requirements for certification, while ISO 27002 provides detailed implementation guidance for security controls. Think of 27001 as the “what” (requirements) and 27002 as the “how” (implementation guidance). You get certified to ISO 27001 but often reference 27002 for control implementation details.
Do I need a consultant for ISO 27001 implementation?
Not required, but most organizations benefit from consulting support, especially for their first certification. Consultants accelerate gap assessment, provide implementation expertise, and help avoid common pitfalls. Consider consulting for complex implementations, tight timelines, or when internal security expertise is limited.
How much does ISO 27001 certification cost?
Total costs vary widely based on scope and organization size. Expect $50K-$200K+ including consulting, tools, auditing, and internal resource costs. Ongoing annual costs for surveillance audits and maintenance typically run 20-30% of initial implementation costs. Factor in tool licensing, training, and staff time for evidence collection and maintenance activities.
Conclusion
Implementing **ISO 27