Guide to ISO 27001 Controls for Certification
All 93 ISO/IEC 27001:2022 Annex A controls explained — organised by category, mapped to Australian compliance frameworks, and framed around what auditors actually assess during certification.
What Are ISO 27001 Controls?
ISO/IEC 27001:2022 Annex A contains 93 security controls organised into four themes: Organisational (37), People (8), Physical (14), and Technological (34). These controls represent the security measures an organisation can implement to protect information assets — from access control policies through to secure coding practices.
Controls are not a checklist to be ticked off. ISO 27001 is risk-based: your organisation conducts a risk assessment, identifies threats and vulnerabilities, and then selects the Annex A controls that address those risks. The controls you select (and exclude) are documented in the Statement of Applicability (SoA) — the single most important document in your ISMS.
ISO 27002:2022 is the companion standard that provides detailed implementation guidance for each control. While you certify against ISO 27001, auditors expect your controls to be implemented in line with ISO 27002 guidance. Understanding both standards is essential for anyone building or auditing an ISMS.
ISO 27001:2022 vs ISO 27001:2013 — What Changed?
The 2022 revision was the most significant update to ISO 27001 since the standard was first published. Understanding the changes is important for organisations transitioning from the 2013 version and for professionals studying for PECB certification exams.
Under the 2013 version, Annex A contained 114 controls organised into 14 domains (A.5–A.18) covering areas like access control, cryptography, operations security, and supplier relationships. The 2022 version restructured these into 93 controls across just 4 themes:
- Organisational controls (A.5) — 37 controls covering governance, policies, roles, supplier management, incident response, and compliance.
- People controls (A.6) — 8 controls covering screening, employment terms, awareness training, and remote working.
- Physical controls (A.7) — 14 controls covering physical security perimeters, entry controls, equipment protection, and environmental threats.
- Technological controls (A.8) — 34 controls covering endpoint devices, access management, cryptography, network security, and secure development.
The restructure added 11 entirely new controls reflecting modern threats (cloud security, threat intelligence, data leakage prevention, secure coding), merged 24 overlapping controls, and introduced an attribute tagging system for easier cross-referencing. The transition deadline was 31 October 2025 — all certified organisations should now be operating under the 2022 version.
The 4 Control Categories Explained
Organisational Controls (A.5) — 37 Controls
Organisational controls form the governance backbone of your ISMS. They cover the policies, roles, processes, and relationships that define how your organisation manages information security at an institutional level. This is the largest category and the one auditors typically examine first.
Key areas include information security policies (A.5.1), segregation of duties (A.5.3), threat intelligence (A.5.7), asset management (A.5.9–A.5.13), access control (A.5.15–A.5.18), supplier security (A.5.19–A.5.23), incident management (A.5.24–A.5.28), business continuity (A.5.29–A.5.30), and legal compliance (A.5.31–A.5.36).
Auditors pay particular attention to: whether policies are current and communicated (A.5.1), whether risk-based access control decisions are documented (A.5.15), whether supplier agreements include security requirements (A.5.20), and whether incident response plans have been tested (A.5.24).
People Controls (A.6) — 8 Controls
People controls address the human element of information security — from hiring through to termination. Despite being the smallest category, these controls are critical because human error and insider threats remain leading causes of security incidents.
The eight controls cover pre-employment screening (A.6.1), employment terms and conditions (A.6.2), security awareness and training (A.6.3), disciplinary processes (A.6.4), post-employment responsibilities (A.6.5), confidentiality agreements (A.6.6), remote working security (A.6.7), and security event reporting (A.6.8).
Auditors focus on evidence that awareness training is conducted regularly (A.6.3), that remote working arrangements include security measures (A.6.7), and that staff know how to report security events (A.6.8).
Physical Controls (A.7) — 14 Controls
Physical controls protect the tangible assets — premises, equipment, cabling, and storage media — that underpin your information systems. While often overlooked in favour of technical controls, physical security failures can bypass even the strongest digital protections.
Controls cover security perimeters (A.7.1), physical entry controls (A.7.2), office and facility security (A.7.3), physical security monitoring (A.7.4), environmental threats (A.7.5), secure area working rules (A.7.6), clear desk and screen policies (A.7.7), equipment placement and protection (A.7.8–A.7.9), storage media management (A.7.10), supporting utilities (A.7.11), cabling security (A.7.12), equipment maintenance (A.7.13), and secure disposal (A.7.14).
Physical security monitoring (A.7.4) is one of the 11 new controls added in 2022, reflecting the increasing importance of CCTV, environmental sensors, and access logging in modern security operations.
Technological Controls (A.8) — 34 Controls
Technological controls are the technical security measures that protect information systems, networks, and data. This category contains the most new controls introduced in 2022 — seven of the eleven additions are technological, reflecting the evolving threat landscape.
Key areas include endpoint security (A.8.1), privileged access management (A.8.2), secure authentication (A.8.5), malware protection (A.8.7), vulnerability management (A.8.8), configuration management (A.8.9), data protection (A.8.10–A.8.12), backup and redundancy (A.8.13–A.8.14), logging and monitoring (A.8.15–A.8.16), network security (A.8.20–A.8.22), cryptography (A.8.24), and secure development (A.8.25–A.8.28).
Auditors frequently focus on vulnerability management processes (A.8.8), whether logging is adequate and monitored (A.8.15–A.8.16), and whether secure development practices include code review and testing (A.8.25–A.8.28). The new controls — configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28) — address gaps that were implicit but not explicit in the 2013 version.
11 New Controls in ISO 27001:2022
The 2022 revision introduced 11 entirely new controls that were not present in the 2013 version. These reflect modern security challenges including cloud adoption, threat intelligence, data lifecycle management, and secure software development.
These 11 controls reflect the security landscape of the 2020s. For Australian organisations, several map directly to Essential Eight mitigation strategies — for example, A.8.8 (vulnerability management) aligns with patching, A.8.19 (software installation) aligns with application control, and A.8.12 (DLP) supports the Notifiable Data Breaches scheme under the Privacy Act.
What Is a Statement of Applicability?
The Statement of Applicability (SoA) is the document that links your risk assessment to your control selection. It lists all 93 Annex A controls and, for each one, states whether it is applicable or excluded — along with the justification for each decision.
The SoA is the first document auditors request during a certification assessment. It tells them which controls you have implemented, which you have excluded, and why. A weak or incomplete SoA is one of the most common audit findings.
A well-structured SoA includes: the control number and name, applicability status (applicable/excluded), justification for the decision, implementation status (implemented, in progress, planned), the risk or risks the control addresses, and the owner responsible for the control. Building the SoA is a core skill covered in the PECB ISO 27001 Lead Implementer course. For a step-by-step guide to the full process, see our ISO 27001 implementation checklist.
How Auditors Assess ISO 27001 Controls
During a Stage 2 certification audit, auditors assess your controls against four criteria:
- Risk-based selection — Controls are selected based on a documented risk assessment, not simply copied from Annex A. The SoA justifies each inclusion and exclusion.
- Implemented as documented — Controls operate as described in your policies and procedures. What you say you do matches what you actually do.
- Operating effectively — Controls are not just documented but demonstrably working. Auditors look for evidence: logs, records, test results, training attendance, and incident reports.
- Reviewed and improved — Controls are subject to periodic review. Monitoring results, internal audit findings, and management reviews drive continual improvement.
Common non-conformities include: controls documented but not implemented, risk assessments that do not align with control selections, missing evidence of awareness training, and lack of incident response testing. Understanding what auditors look for is a key focus of both the Lead Implementer and Lead Auditor courses.
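As an added example (not part of the original article), the following Python checks a Statement of Applicability for the points the previous two sections describe: every one of the 93 controls present, a justification for each applicable/excluded decision, and applicable controls carrying an implementation status, a linked risk and an owner. The row keys and the sample rows are constructed assumptions, not a real SoA.

```python
from collections import Counter

# Control identifiers follow the counts on the page: A.5.1-A.5.37, A.6.1-A.6.8,
# A.7.1-A.7.14 and A.8.1-A.8.34 (93 in total).
ANNEX_A = [f"A.{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
           for n in range(1, count + 1)]

VALID_STATUS = {"applicable", "excluded"}
VALID_IMPL = {"implemented", "in progress", "planned"}

def check_soa(rows):
    """Return finding strings for an SoA given as dicts with the (assumed) keys
    control, status, justification, implementation, risks (list) and owner."""
    findings = []
    seen = Counter(r["control"] for r in rows)
    for cid in ANNEX_A:                      # all 93 controls must be considered
        if seen[cid] == 0:
            findings.append(f"{cid}: missing from SoA (all 93 controls must be considered)")
    for cid, n in seen.items():
        if cid not in ANNEX_A:
            findings.append(f"{cid}: not an Annex A control identifier")
        elif n > 1:
            findings.append(f"{cid}: listed {n} times")
    for r in rows:
        cid = r["control"]
        status = r.get("status", "").strip().lower()
        if status not in VALID_STATUS:
            findings.append(f"{cid}: status must be applicable or excluded")
            continue
        if not r.get("justification", "").strip():   # every decision needs a reason
            findings.append(f"{cid}: no justification for being {status}")
        if status == "excluded":
            continue
        if r.get("implementation", "").strip().lower() not in VALID_IMPL:
            findings.append(f"{cid}: implementation status must be implemented, in progress or planned")
        if not r.get("risks"):                        # selection must trace to the risk assessment
            findings.append(f"{cid}: applicable but linked to no risk from the risk assessment")
        if not r.get("owner", "").strip():
            findings.append(f"{cid}: no control owner")
    return findings

def sample_soa():
    """Constructed sample: every control applicable and implemented, with three defects injected."""
    rows = [{"control": cid, "status": "applicable", "justification": "Addresses R-1",
             "implementation": "implemented", "risks": ["R-1"], "owner": "CISO"} for cid in ANNEX_A]
    rows[0]["risks"] = []                                                   # A.5.1 traces to no risk
    rows[1] = {"control": "A.5.2", "status": "excluded", "justification": ""}  # excluded, no reason
    del rows[-1]                                                            # A.8.34 left out entirely
    return rows
```

Run `check_soa` over rows exported from your own SoA spreadsheet; an empty list means the structural checks pass, which is necessary but not sufficient for the controls to be operating effectively.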
ISO 27001 Controls and Australian Compliance
Australian organisations often need to comply with multiple frameworks simultaneously. ISO 27001 Annex A controls overlap significantly with Australian regulatory requirements, making the standard a practical foundation for multi-framework compliance.
- Essential Eight — Several Annex A controls map directly to Essential Eight mitigation strategies: A.8.19 (application control), A.8.8 (patching applications and operating systems), A.8.5 (multi-factor authentication), A.8.2 (restricting admin privileges), and A.8.13 (daily backups). Organisations aligned to the Essential Eight are already partially compliant with ISO 27001 technical controls.
- ASD Information Security Manual (ISM) — The ISM provides detailed security controls for Australian government systems. Many ISM controls map to ISO 27001 Annex A, though the ISM is more prescriptive. ControlStack provides full cross-mapping between the two frameworks.
- Privacy Act and NDB Scheme — The new data-focused controls (A.8.10 information deletion, A.8.11 data masking, A.8.12 data leakage prevention) directly support compliance with the Privacy Act 1988 and the Notifiable Data Breaches scheme by ensuring organisations manage the data lifecycle and prevent unauthorised disclosure.
- APRA CPS 234 — APRA-regulated financial institutions must maintain an information security capability commensurate with their information assets. ISO 27001 Annex A controls provide a structured way to demonstrate this capability, and many APRA-regulated entities use ISO 27001 certification to evidence CPS 234 compliance.
For detailed control-level mappings between ISO 27001, the Essential Eight, and the ASD ISM, use ControlStack — our free Australian security controls library.
Complete List of All 93 Controls
The tables below list every ISO/IEC 27001:2022 Annex A control, organised by theme. Use these as a reference when building your Statement of Applicability or preparing for certification.
Organisational Controls (A.5) — 37 Controls
People Controls (A.6) — 8 Controls
Physical Controls (A.7) — 14 Controls
Technological Controls (A.8) — 34 Controls
For interactive browsing of these controls with plain-English guidance and cross-mapping to the Essential Eight and ASD ISM, visit ControlStack.
New to the standard? The PECB ISO 27001 Foundation course ($399 AUD) covers every clause and Annex A theme.
Ready to certify? Learn about ISO 27001 certification in Australia — process, JAS-ANZ certification bodies, costs, and regulatory alignment.
Frequently Asked Questions
Common questions about ISO 27001 controls and Annex A.
How many controls are in ISO 27001?
ISO/IEC 27001:2022 Annex A contains 93 controls organised into four themes: Organisational (37), People (8), Physical (14), and Technological (34). The previous 2013 version had 114 controls across 14 domains. Not all 93 controls are mandatory — organisations select controls based on their risk assessment and justify any exclusions in the Statement of Applicability.
Are all 93 controls mandatory?
No. ISO 27001 is risk-based, which means you select controls that address the risks identified in your risk assessment. You must consider all 93 Annex A controls, but you can exclude those that are not relevant — provided you document the justification in your Statement of Applicability (SoA). Auditors will review these justifications during certification.
What changed from ISO 27001:2013 to 2022?
The 2022 revision restructured controls from 14 domains (114 controls) into 4 themes (93 controls). Eleven completely new controls were added covering areas like threat intelligence, cloud security, data leakage prevention, and secure coding. 24 controls were merged and others were updated. An attribute tagging system was also introduced. Organisations had until 31 October 2025 to transition.
What are the 14 domains of ISO 27001?
The 14 domains (A.5–A.18) belonged to the 2013 version of ISO 27001 and are now superseded. They were: Information Security Policies, Organisation of Information Security, Human Resource Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Communications Security, System Acquisition/Development/Maintenance, Supplier Relationships, Incident Management, Business Continuity, and Compliance. The current 2022 version uses 4 themes instead: Organisational, People, Physical, and Technological.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable management system standard — it defines what controls must be considered and requires a risk-based ISMS. ISO 27002 is the companion guidance document — it explains how to implement each control, with detailed guidance, examples, and the new attribute tagging system. You certify against ISO 27001; you use ISO 27002 as an implementation reference.
Build Your ISO 27001 Expertise
Whether you are implementing controls for certification or auditing them for compliance, our PECB-accredited courses give you the methodology and credentials to do it with confidence.