2. Annex A:2022
• Annex A is a list of 93 security controls
• Control: Measure that modifies risk
• Control Objective: Statement of what is to be achieved as a result of implementing a control
• 4 Control categories
3. What is ISO 27001:2022 Annex A?
• Reorganized and refined
• Better represents current risks
• Focus on:
1. Organizational: Governance, risk, policy, structure.
2. People: Training, awareness, reporting, culture.
3. Physical: Access, environment, surveillance, protection.
4. Technological: Encryption, authentication, detection, defense.
4. 5. Organizational Controls
• 37 controls
• Structured approach to managing risks
• Align policies with business objectives
• Address legal and regulatory requirements
• Emphasize human factors in security
• Manage physical and digital assets
• Monitor and review supplier services
5. Organizational Controls (5.1-5.5)
5.1 Policies for Information Security: Define, approve, publish, and communicate policies to all.
5.2 Information Security Roles and Responsibilities: Define and allocate the responsibilities for information security.
5.3 Segregation of Duties: Duties and areas of responsibility should be segregated to avoid conflicts.
5.4 Management Responsibilities: Ensure management knows their role in infosec and promotes awareness.
5.5 Contact with Authorities: Encourage proactive security and facilitate timely sharing of critical information.
6. Organizational Controls (5.6-5.10)
5.6 Contact with Special Interest Groups: Maintain contacts with special interest groups to stay updated regarding information security.
5.7 Threat Intelligence: Gather and analyse information about current and future cyber attacks.
5.8 Information Security in Project Management: Address information security in project management.
5.9 Inventory of Information and Other Associated Assets: Identify information assets and their owners to preserve their security.
5.10 Acceptable Use of Information and Other Associated Assets: Define and document the rules of acceptable use of assets.
7. Organizational Controls (5.11-5.15)
5.11 Return of Assets: Protect assets when changing or terminating employment.
5.12 Classification of Information: Identify the protection needs of information in accordance with its importance.
5.13 Labeling of Information: Facilitate the communication of information classification.
5.14 Information Transfer: Protect information in transfer from interception, copying, modification, mis-routing and destruction.
5.15 Access Control: Secure authorized access and prevent unauthorized access to information and assets.
8. Organizational Controls (5.16-5.20)
5.16 Identity Management: Uniquely identify individuals and systems accessing an organization's information assets and assign appropriate access rights.
5.17 Authentication Information: Ensure proper entity authentication and prevent failures of authentication processes.
5.18 Access Rights: Define and authorise access according to business requirements.
5.19 Information Security in Supplier Relationships: Mitigate the risks to information assets accessible by suppliers.
5.20 Addressing Security Within Supplier Agreements: Establish and agree all relevant information security requirements.
9. Organizational Controls (5.21-5.25)
5.21 Managing Information Security in the ICT Supply Chain: Address the risks of the provided information and communication technology services.
5.22 Monitoring, Review & Change Management of Supplier Services: Regularly monitor, review and audit supplier service delivery.
5.23 Information Security for Use of Cloud Services: Specify and manage information security for the use of cloud services.
5.24 Information Security Incident Management Planning and Preparation: Ensure effective response to security incidents.
5.25 Assessment and Decision on Information Security Events: Assess events and categorize them as security incidents.
10. Organizational Controls (5.26-5.30)
5.26 Response to Information Security Incidents: Ensure efficient and effective response to information security incidents.
5.27 Learning from Information Security Incidents: Reduce the likelihood or consequences of future incidents.
5.28 Collection of Evidence: Ensure effective evidence management for legal purposes.
5.29 Information Security During Disruption: Protect information and other associated assets during disruption.
5.30 ICT Readiness for Business Continuity: Ensure availability of information during disruption.
11. Organizational Controls (5.31-5.35)
5.31 Statutory, Regulatory and Contractual Requirements: Comply with legal, regulatory, and contract requirements.
5.32 Intellectual Property Rights: Comply with legal requirements for intellectual property rights and proprietary products.
5.33 Protection of Records: Ensure compliance with legal, regulatory, and contractual requirements.
5.34 Privacy and Protection of PII: Comply with legal requirements for PII protection.
5.35 Independent Review of Information Security: Ensure ongoing effective information security management.
12. Organizational Controls (5.36-5.37)
5.36 Compliance with Policies, Rules and Standards for Information Security: Ensure information security compliance with policy.
5.37 Documented Operating Procedures: Ensure secure and correct operation of information processing facilities.
13. 6. People Controls
• 8 controls
• Remote work
• Ensure confidentiality
• Non-disclosure agreements
• Screen employees
14. People Controls (6.1-6.4)
6.1 Screening: Ensure personnel eligibility and suitability during employment.
6.2 Terms and Conditions of Employment: Ensure personnel understand their security responsibilities.
6.3 Information Security Awareness, Education and Training: Ensure awareness of information security responsibilities.
6.4 Disciplinary Process: Ensure consequences are understood; deter and deal with violators.
15. People Controls (6.5-6.8)
6.5 Responsibilities After Termination or Change of Employment: Protect the organization during employment or contract changes and terminations.
6.6 Confidentiality or Non-disclosure Agreements: Maintain information confidentiality by all stakeholders.
6.7 Remote Working: Secure information used in remote work.
6.8 Information Security Event Reporting: Support reporting of security events by personnel.
16. 7. Physical Controls
• 14 controls
• The physical control category aims to prevent unauthorized access
• Covers a range of controls related to physical security
• Includes prevention of unauthorized access to facilities
• Protects equipment and assets from damage or theft
• Includes management of physical security breaches
• Measures can include security guards, access control systems, locks, and security cameras
• Also includes secure storage and transportation of information
• Annex A recognizes the importance of physical security in information security
• Helps ensure the security and integrity of information and assets
17. Physical Controls (7.1-7.5)
7.1 Physical Security Perimeters: Prevent unauthorized physical access and damage to assets.
7.2 Physical Entry: Authorize physical access to protect the organization's information.
7.3 Securing Offices, Rooms and Facilities: Prevent unauthorized access and damage to assets.
7.4 Physical Security Monitoring: Prevent and identify unauthorized physical access.
7.5 Protecting Against Physical and Environmental Threats: Prevent damage from physical and environmental threats.
18. Physical Controls (7.6-7.10)
7.6 Working in Secure Areas: Protect secure areas and assets from internal damage and unauthorized access.
7.7 Clear Desk and Clear Screen: Minimize unauthorized access to information on desks and screens during and outside working hours.
7.8 Equipment Siting and Protection: Minimize the impact of physical and environmental threats and unauthorized access.
7.9 Security of Assets Off-premises: Protect the organization from disruptions and unauthorized access to off-site devices.
7.10 Storage Media: Protect stored information from unauthorized access, modification, or destruction.
19. Physical Controls (7.11-7.14)
7.11 Supporting Utilities: Prevent information loss or disruption due to utility failures.
7.12 Cabling Security: Protect information, assets, and operations from cable-related issues.
7.13 Equipment Maintenance: Prevent damage, theft, or compromise of assets and operational interruptions from maintenance neglect.
7.14 Secure Disposal or Reuse of Equipment: Avoid leakage of information when disposing of or reusing equipment.
20. 8. Technological Controls
• 34 controls
• Technological controls are security measures for IT systems.
• These controls are used to prevent unauthorized access.
• Examples include access controls and encryption.
• Monitoring and logging are also important controls.
• These controls help detect and prevent security incidents.
• Backup and recovery procedures are part of technological controls.
• Physical security measures also fall under technological controls.
• These controls are implemented to protect data confidentiality.
• They are also used to ensure data integrity and availability.
• Technological controls should be regularly reviewed and updated.
21. Technological Controls (8.1-8.5)
8.1 User Endpoint Devices: Protect information from user endpoint device threats.
8.2 Privileged Access Rights: Ensure only authorized privileged access rights are granted.
8.3 Information Access Restriction: Restrict access to authorized users only.
8.4 Access to Source Code: Prevent unauthorized changes and maintain intellectual property confidentiality.
8.5 Secure Authentication: Ensure secure access via authentication for systems, applications, and services.
22. Technological Controls (8.6-8.10)
8.6 Capacity Management: Ensure sufficient resources for information processing and facilities.
8.7 Protection Against Malware: Protect information and assets against malware.
8.8 Management of Technical Vulnerabilities: Prevent exploitation of technical vulnerabilities.
8.9 Configuration Management: Avoid sensitive data exposure and meet legal, regulatory, and contractual obligations.
8.10 Information Deletion: Ensure compliant information deletion and avoid exposure of sensitive data.
23. Technological Controls (8.11-8.15)
8.11 Data Masking: Ensure compliance with regulations and protect sensitive data.
8.12 Data Leakage Prevention: Prevent unauthorized information disclosure or extraction by individuals or systems.
8.13 Information Backup: Enable recovery from loss of data or systems.
8.14 Redundancy of Information Processing Facilities: Ensure the continuous operation of information processing facilities.
8.15 Logging: Capture events, maintain log integrity, detect security events, prevent unauthorized access, and support investigations.
24. Technological Controls (8.16-8.20)
8.16 Monitoring Activities: Detect anomalous behaviour and information security incidents.
8.17 Clock Synchronization: Support analysis of security events and investigations.
8.18 Use of Privileged Utility Programs: Ensure safe use of utility programs for security.
8.19 Installation of Software on Operational Systems: Ensure system integrity and prevent vulnerabilities.
8.20 Networks Security: Protect network information from compromise.
25. Technological Controls (8.21-8.25)
8.21 Security of Network Services: Ensure security in the use of network services.
8.22 Segregation of Networks: Segment the network for controlled traffic based on business needs.
8.23 Web Filtering: Protect systems from malware and unauthorized web access.
8.24 Use of Cryptography: Protect information using cryptography that meets legal requirements.
8.25 Secure Development Life Cycle: Ensure a secure development life cycle for software and systems.
26. Technological Controls (8.26-8.30)
8.26 Application Security Requirements: Address all security requirements when developing or acquiring applications.
8.27 Secure System Architecture and Engineering Principles: Securely design, implement, and operate information systems throughout the development life cycle.
8.28 Secure Coding: Ensure secure software to reduce vulnerabilities.
8.29 Security Testing in Development and Acceptance: Validate security requirements during code deployment.
8.30 Outsourced Development: Ensure infosec measures in outsourced development.
27. Technological Controls (8.31-8.34)
8.31 Separation of Development, Test and Production Environments: Protect production systems and data from dev/test compromise.
8.32 Change Management: Preserve information security when executing changes.
8.33 Test Information: Ensure relevant testing and protect operational information used for testing.
8.34 Protection of Information Systems During Audit Testing: Prevent unauthorized access and damage to assets.