When working with ISO 27001 certification, you will quickly encounter “Annex A” and its 93 controls. But what exactly are these controls, and why are they so important for your information security?
The controls in ISO 27001 Annex A are concrete security measures designed to protect your organization’s information. Think of them as security rules—just as you have fire alarms to protect your building, you have these controls to protect your information.
Each control describes a specific security measure that your organization can implement. For example:
It’s important to understand what the controls are not:
Not all 93 are mandatory. You choose which ones are relevant for your organization (although most organizations need almost all of them).
They are not detailed instructions. The controls state WHAT you should do, not exactly HOW to do it. It’s up to you to decide how to implement them.
They are not just a checklist to tick off. Each control requires reflection on how it fits your specific business.
They are not static. The controls evolve over time—the latest version from 2022 contains updated controls that reflect today’s security threats.
There are several reasons for having the controls:
Standardization: They provide all organizations with a common language for information security. When you say you follow ISO 27001, everyone knows what that means.
Proven security: The controls are based on decades of security experience from organizations worldwide. You don’t have to reinvent the wheel.
Risk management: Each control addresses specific security risks. Together, they cover most of the security threats organizations face.
Foundation for certification: The controls are the basis for ISO 27001 certification. Without them, there is no standard to certify against.
The controls are used in several steps:
You review all 93 controls and assess which are relevant for your organization. Nearly all controls are relevant to most organizations.
For each relevant control, you assess whether your organization already meets it or not. This shows where you need to improve.
For controls you do not meet, you create a plan for how to implement them. This may involve new policies, technical solutions, or training.
You document how you meet each control. This is done at two levels:
You regularly follow up to ensure the controls are working as intended and update them as needed.
Several roles are involved in working with the controls:
Management makes decisions on which controls to implement and allocates resources.
Security Officer or CISO leads the work and ensures the controls are implemented correctly.
IT Department implements technical controls such as firewalls, security updates, and access management.
HR Department handles personnel-related controls such as background checks and security training.
All employees are affected by the controls through policies, procedures, and security awareness.
External consultants can assist with implementation and certification preparations.
The controls are used at various stages:
Control 5.1 – Information Security Policies
Control 8.8 – Management of Security Weaknesses
Control 6.1 – Screening
The controls in ISO 27001 Annex A are your tools for building robust information security. They provide you with a proven framework for security work, but it is up to you to adapt them to your organization.
Success with the controls requires:
When working with the controls, remember that the goal is not just to meet a standard—it is to protect your organization and build trust with your customers and partners.
Next step: Use our implementation guide to get started with the work in AmpliFlow. There you’ll get concrete help to move from theory to practice.