What are the controls in ISO 27001 Annex A?

Written By
Patrik Björklund
Published
July 3, 2025
Topic
ISO 27001

When working with ISO 27001 certification, you will quickly encounter “Annex A” and its 93 controls. But what exactly are these controls, and why are they so important for your information security?

What are the controls?

The controls in ISO 27001 Annex A are concrete security measures designed to protect your organization’s information. Think of them as security rules—just as you have fire alarms to protect your building, you have these controls to protect your information.

Each control describes a specific security measure that your organization can implement. For example:

  • Control 5.1 is about having clear information security policies
  • Control 8.2 is about managing privileged user access rights
  • Control 8.16 is about network security

What the controls are NOT

It’s important to understand what the controls are not:

Not all 93 are mandatory. You choose which ones are relevant for your organization (although most organizations need almost all of them).

They are not detailed instructions. The controls state WHAT you should do, not exactly HOW to do it. It’s up to you to decide how to implement them.

They are not just a checklist to tick off. Each control requires reflection on how it fits your specific business.

They are not static. The controls evolve over time—the latest version from 2022 contains updated controls that reflect today’s security threats.

Why do the controls exist?

There are several reasons for having the controls:

Standardization: They provide all organizations with a common language for information security. When you say you follow ISO 27001, everyone knows what that means.

Proven security: The controls are based on decades of security experience from organizations worldwide. You don’t have to reinvent the wheel.

Risk management: Each control addresses specific security risks. Together, they cover most of the security threats organizations face.

Foundation for certification: The controls are the basis for ISO 27001 certification. Without them, there is no standard to certify against.

How are the controls used?

The controls are used in several steps:

1. Relevance analysis

You review all 93 controls and assess which are relevant for your organization. Nearly all controls are relevant to most organizations.

2. Gap analysis

For each relevant control, you assess whether your organization already meets it or not. This shows where you need to improve.

3. Implementation

For controls you do not meet, you create a plan for how to implement them. This may involve new policies, technical solutions, or training.

4. Documentation

You document how you meet each control. This is done at two levels:

  • SoA (Statement of Applicability) document: Overall description for external auditors
  • Internal documentation: Detailed instructions for your staff

5. Follow-up

You regularly follow up to ensure the controls are working as intended and update them as needed.

Who works with the controls?

Several roles are involved in working with the controls:

Management makes decisions on which controls to implement and allocates resources.

Security Officer or CISO leads the work and ensures the controls are implemented correctly.

IT Department implements technical controls such as firewalls, security updates, and access management.

HR Department handles personnel-related controls such as background checks and security training.

All employees are affected by the controls through policies, procedures, and security awareness.

External consultants can assist with implementation and certification preparations.

When are the controls used?

The controls are used at various stages:

Before certification

  • Analysis of which controls are needed
  • Implementation of missing controls
  • Documentation of how controls are fulfilled

During the certification process

  • Auditors review how you meet the controls
  • The SoA document shows your application of the controls
  • Evidence of implementation is presented

After certification

  • Regular follow-up on the effectiveness of the controls
  • Updates when the business changes
  • Preparation for surveillance audits

Ongoing operations

  • The controls become part of daily security work
  • Incident management based on the guidelines of the controls
  • Continuous improvement of the security level

Practical examples

Control 5.1 – Information Security Policies

  • What: You must have documented security policies
  • Who: Management approves, Security Officer writes, everyone follows
  • When: Before certification, updated annually

Control 8.8 – Management of Security Weaknesses

  • What: You must have procedures for handling security issues
  • Who: IT Department implements, everyone reports problems
  • When: Activated during security incidents, tested regularly

Control 6.1 – Screening

  • What: You must check new employees’ backgrounds
  • Who: HR conducts, management approves the process
  • When: For all new hires, updated as needed

Summary

The controls in ISO 27001 Annex A are your tools for building robust information security. They provide you with a proven framework for security work, but it is up to you to adapt them to your organization.

Success with the controls requires:

  • Understanding what each control entails
  • Commitment from management
  • Involvement of the right people
  • Systematic implementation
  • Continuous follow-up

When working with the controls, remember that the goal is not just to meet a standard—it is to protect your organization and build trust with your customers and partners.

Next step: Use our implementation guide to get started with the work in AmpliFlow. There you’ll get concrete help to move from theory to practice.
