What are the controls in ISO 27001 Annex A?

When working with ISO 27001 certification, you will quickly encounter “Annex A” and its 93 controls. But what exactly are these controls, and why are they so important for your information security?

What are the controls?

The controls in ISO 27001 Annex A are concrete security measures designed to protect your organization’s information. Think of them as security rules—just as you have fire alarms to protect your building, you have these controls to protect your information.

Each control describes a specific security measure that your organization can implement. For example:

• Control 5.1 is about having clear information security policies
• Control 8.2 is about managing privileged user access rights
• Control 8.16 is about network security

What the controls are NOT

It’s important to understand what the controls are not:

Not all 93 are mandatory. You choose which ones are relevant for your organization (although most organizations need almost all of them).

They are not detailed instructions. The controls state WHAT you should do, not exactly HOW to do it. It’s up to you to decide how to implement them.

They are not just a checklist to tick off. Each control requires reflection on how it fits your specific business.

They are not static. The controls evolve over time—the latest version from 2022 contains updated controls that reflect today’s security threats.

Why do the controls exist?

There are several reasons for having the controls:

Standardization: They provide all organizations with a common language for information security. When you say you follow ISO 27001, everyone knows what that means.

Proven security: The controls are based on decades of security experience from organizations worldwide. You don’t have to reinvent the wheel.

Risk management: Each control addresses specific security risks. Together, they cover most of the security threats organizations face.

Foundation for certification: The controls are the basis for ISO 27001 certification. Without them, there is no standard to certify against.

How are the controls used?

The controls are used in several steps:

1. Relevance analysis

You review all 93 controls and assess which are relevant for your organization. Nearly all controls are relevant to most organizations.

2. Gap analysis

For each relevant control, you assess whether your organization already meets it or not. This shows where you need to improve.

3. Implementation

For controls you do not meet, you create a plan for how to implement them. This may involve new policies, technical solutions, or training.

4. Documentation

You document how you meet each control. This is done at two levels:

• SoA document: Overall description for external auditors
• Internal documentation: Detailed instructions for your staff

5. Follow-up

You regularly follow up to ensure the controls are working as intended and update them as needed.

Who works with the controls?

Several roles are involved in working with the controls:

Management makes decisions on which controls to implement and allocates resources.

Security Officer or CISO leads the work and ensures the controls are implemented correctly.

IT Department implements technical controls such as firewalls, security updates, and access management.

HR Department handles personnel-related controls such as background checks and security training.

All employees are affected by the controls through policies, procedures, and security awareness.

External consultants can assist with implementation and certification preparations.

When are the controls used?

The controls are used at various stages:

Before certification

• Analysis of which controls are needed
• Implementation of missing controls
• Documentation of how controls are fulfilled

During the certification process

• Auditors review how you meet the controls
• The SoA document shows your application of the controls
• Evidence of implementation is presented

After certification

• Regular follow-up on the effectiveness of the controls
• Updates when the business changes
• Preparation for surveillance audits

Ongoing operations

• The controls become part of daily security work
• Incident management based on the guidelines of the controls
• Continuous improvement of the security level

Practical examples

Control 5.1 – Information Security Policies

• What: You must have documented security policies
• Who: Management approves, Security Officer writes, everyone follows
• When: Before certification, updated annually

Control 8.8 – Management of Security Weaknesses

• What: You must have procedures for handling security issues
• Who: IT Department implements, everyone reports problems
• When: Activated during security incidents, tested regularly

Control 6.1 – Screening

• What: You must check new employees’ backgrounds
• Who: HR conducts, management approves the process
• When: For all new hires, updated as needed

Summary

The controls in ISO 27001 Annex A are your tools for building robust information security. They provide you with a proven framework for security work, but it is up to you to adapt them to your organization.

Success with the controls requires:

• Understanding what each control entails
• Commitment from management
• Involvement of the right people
• Systematic implementation
• Continuous follow-up

When working with the controls, remember that the goal is not just to meet a standard—it is to protect your organization and build trust with your customers and partners.

Next step: Use our implementation guide to get started with the work in AmpliFlow. There you’ll get concrete help to move from theory to practice.