ISO 27001 Annex A Information Security Controls Reference

Annex A Explained

  • All 93 controls across the four ISO 27001 Annex A themes
  • Plain-language explanations for the Statement of Applicability

ISO 27001 Annex A Controls Explained

Annex A of ISO 27001:2022 contains a reference set of 93 information security controls organised into four themes. The controls are not mandatory - the standard requires you to determine which ones apply through the risk assessment and risk treatment process under Clause 6.1, and to record that decision in the Statement of Applicability (SoA) under Clause 6.1.3.

This section of the Knowledge Base explains every Annex A control in plain language - what it means, when it applies, and what good practice looks like.


The Four Themes

The 2022 edition restructured the controls from 14 categories into four themes. Each control belongs to one theme.

A.5 Organisational controls covers the 37 controls that establish the management framework - policies, roles, supplier relationships, threat intelligence, classification of information, access control rules, identity management, and similar organisational arrangements.

A.6 People controls covers the 8 controls that address the human element - screening, terms and conditions, awareness, disciplinary process, responsibilities after employment ends, confidentiality, remote working, and reporting events.

A.7 Physical controls covers the 14 controls that protect the physical environment - secure perimeters, entry controls, equipment siting, cabling, maintenance, asset disposal, working in secure areas, clear desk and clear screen.

A.8 Technological controls covers the 34 controls that address the technical layer - user endpoints, privileged access, authentication, capacity, malware protection, vulnerability management, configuration, logging, monitoring, network controls, secure development, and similar.

How Annex A Relates to the Statement of Applicability

The Statement of Applicability is a mandatory document for ISO 27001 compliance. For each of the 93 controls, the SoA records whether the control is applicable to the organisation, the justification for its inclusion or exclusion, and whether it is implemented. The SoA is mandatory documented information under Clause 6.1.3, and it is one of the first documents an external auditor will ask to see.

Listing a control as not applicable is fine - many organisations exclude controls that genuinely do not apply to them - but the justification has to make sense in context. The auditor will challenge any exclusion that conflicts with the risk assessment, the scope, or the kind of information the organisation actually handles.

How to Use This Section

Each control article gives you what the control actually requires, who in the organisation is typically responsible, where it overlaps with other controls, and what evidence an auditor will look for. The articles are written for organisations using the alphaZ ISO 27001 Toolkit, but the guidance applies regardless of which document set you use.

If you are new to ISO 27001, start with the main clauses 4 to 10 first - the management system requirements come before the controls. You can then decide which Annex A controls are applicable.
