A Breakdown of ISO 27001:2022 Annex A Controls for Evolving Security Challenges

In 2022, ISO updated the ISO 27001 standard to reflect solutions for current security challenges. One of the most significant changes in the ISO 27001:2022 update was within Annex A, a detailed list of security controls organizations can use to improve their information security management system (ISMS). When working toward certification to ISO 27001, your organization will choose relevant Annex A controls in order to identify, assess, treat, and manage information security risks.

Let’s take a look at our breakdown of the ISO 27001:2022 Annex A controls so your organization can easily understand what to expect when going into your audit.  

Annex A Controls and Domains

Through the ISO 27001:2022 updates, ISO reduced and restructured the Annex A controls. The number of controls decreased from 114 to 93 and are now categorized from 14 individual domains into four overarching groups—organizational, people, physical, and technological. 

The good news is, these changes make the standard easier to digest and more straightforward to implement. Here’s more information about each of the four domain groups. 

Organizational (37 controls): Sets the most critical security processes and documentation, including control types such as:

• Organizational information policies
• Cloud service use
• Asset use

People (8 controls): Focuses on the secure management of human resources, including control types such as:

• Remote work
• Confidentiality
• Non-disclosures
• Screening

Physical (14 controls): Relates to secure areas and equipment protection, including control types such as:  

• Security monitoring
• Storage media
• Maintenance
• Facilities security

Technological (34 controls): Focuses on IT and communication, including control types such as: 

• Authentication
• Encryption
• Data leak prevention 

Annex A Controls Added from ISO 27001:2022

While several of the Annex A controls have been renamed and merged to reduce the total number, the requirements within those controls are nearly all the same. The most significant change in ISO 27001:2022 is the addition of 11 new controls which reflect new and evolving security challenges. 

The 11 new ISO 27001:2022 control categories and their requirements are as follows: 

1. Threat intelligence requires you to gather information about threats and analyze them with appropriate mitigation.
2. Information security for the use of cloud services requires you to set security requirements for cloud services for better protection of your information in the cloud. 
3. Information and communications technology for business continuity requires your information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. 
4. Physical security monitoring requires you to monitor sensitive areas in order to enable authorized people for access. 
5. Configuration management requires you to manage the cycle of security configuration for your technology to ensure a proper level of security. 
6. Information deletion requires you to delete data when no longer needed in order to avoid leakage of sensitive information and enable compliance with privacy and other requirements. 
7. Data masking requires you to use data masking and access controls to limit the exposure of sensitive information. 
8. Data leakage prevention requires you to apply various data leakage measures to avoid unauthorized disclosure of sensitive information and, if such incidents happen, detect them in a timely manner. 
9. Monitoring activities requires monitoring your systems to recognize unusual activities and, if needed, activate the appropriate incident response.
10. Web filtering requires you to manage which websites your users are accessing to protect your IT systems. 
11. Secure coding requires you to establish and apply secure coding principles to your software development to reduce security vulnerabilities in the software. 

What to Expect with Annex A Controls During Your Audit

ISO 27001 audits include two stages. Stage 1 involves an assessment of the documentation process for your ISMS. If your organization is successful during stage 1, your engagement team will lead you through a more thorough assessment in stage 2.

During stage 2, often defined as the certification audit, walkthroughs cover Annex A controls and any areas of concern from stage 1. Organizations are not required to implement all 93 Annex A controls, but you’ll be expected to identify and apply the most applicable controls for your environment. 

Stage 2 also includes evaluating the implementation and effectiveness of your management system and confirming if your organization adheres to its policies, objectives, and procedures. Additionally, your audit team should ensure any areas of concern have been remediated. At the end of your successful engagement, BARR Certifications will issue an internal report and public-facing certification suitable for three years with surveillance audits. 

Transitioning to ISO 27001:2022

No matter what phase your organization may be in regarding ISO 27001 certification, don’t worry—there’s time to make the necessary changes to ISO 27001:2022. 

All organizations have a three-year transition period when conforming to the newly updated ISO 27001:2022 standard. ISO 27001:2013 certificates will expire or be withdrawn no later than Oct. 31, 2025. 

A few tips for transitioning your certification to the updated ISO standard include:

• Start by reviewing the standards and updating your ISMS and statement of applicability to align with the revised requirements;
• Incorporate these changes into your risk assessment and management review so that key parties at your organization are on board with the changes; and,
• Reach out to BARR for guidance on the logistics of the transition. We’re happy to help!

Interested in learning more about BARR’s ISO 27001 certification services? Contact us today.