We may not have the course you’re looking for. If you enquire or give us a call on 0800 446148 and speak to our training experts, we may still be able to help with your training requirements.
We ensure quality, budget-alignment, and timely delivery by our expert instructors.

Your organisation's data is one of its most valuable assets. Protecting it from cyber threats, data breaches, and unauthorised access is essential for maintaining trust, ensuring compliance, and supporting business continuity. That's where ISO 27001 Controls come in. They provide a structured framework of smart, adaptable security measures designed to protect sensitive information and strengthen your organisation's overall information security posture.
Think of ISO 27001 Controls as a practical toolkit for safeguarding critical information while demonstrating your commitment to security. By implementing the right controls, organisations can reduce risks, strengthen customer confidence, and improve operational resilience. In this blog, you'll explore the ISO 27001 Annex A themes, their importance, how to implement these controls, and more.
Table of Contents
1) What are ISO 27001 Controls?
2) Why ISO 27001 Controls Matter?
3) The 4 Themes of ISO 27001 Controls
4) What New Controls Does ISO 27001:2022 Introduce?
5) Implementing ISO 27001 Controls
6) Is it Necessary to Adopt ISO 27001 in an Organisation?
7) What is the Statement of Applicability in ISO 27001?
8) Conclusion
What are ISO 27001 Controls?
ISO 27001 Controls are a set of security measures within Annex A of the ISO/IEC 27001 standard. They support the implementation of an Information Security Management System (ISMS) by providing safeguards to prevent, detect, and reduce threats. These controls include organisational, people, physical, and technological measures.
These controls are risk-based and flexible, allowing organisations of any size or industry to implement those relevant to their business needs. They support continual improvement by helping organisations prevent incidents, respond effectively to threats, recover from security events, and maintain the confidentiality, integrity, and availability of information.
Why ISO 27001 Controls Matter?
ISO 27001 Controls help organisations strengthen information security by providing a clear, consistent, and measurable approach to managing risks. They improve transparency and accountability, enabling leadership to monitor security performance, track progress, and demonstrate compliance with regulatory requirements.
These controls can reveal operational inefficiencies like duplicated processes, unclear responsibilities, or underused resources. Additionally, they provide a common framework for auditors, regulators, customers, and business partners, making assessments straightforward while building confidence that sensitive information is managed securely.
The 4 Themes of ISO 27001 Controls
ISO 27001 groups its controls into four clear categories or themes, each addressing a different aspect of the Information Security Management System. Let’s explore them in detail:

1) Annex A.5: Organisational Controls (37 Controls)
Organisational controls include 37 measures that guide how information security is managed across the business. They cover policies, roles, access control, supplier relationships and information security, incident management, legal requirements, business continuity, and documented procedures. These controls help build clear governance and accountability.
Key Focus Areas:
a) Information security policies and governance
b) Asset management and data classification
c) Supplier and third-party security
d) Incident management and business continuity
e) Legal, regulatory, and contractual compliance
2) Annex A.6: People Controls (8 Controls)
People controls include 8 measures focused on employees, contractors, and other users. They cover screening, terms of employment, security awareness training, confidentiality agreements, remote working, and incident reporting. These controls reduce human-related security risks.
Key Focus Areas:
a) Employee screening and onboarding
b) Security awareness and training
c) Roles and responsibilities
d) Confidentiality agreements
e) Remote working and incident reporting
3) Annex A.7: Physical Controls (14 Controls)
Physical controls include 14 measures that protect offices, equipment, facilities, and physical assets. They cover secure entry, security perimeters, clear desk rules, storage media, equipment maintenance, cabling security, and safe disposal or reuse of equipment.
Key Focus Areas:
a) Secure offices and facilities
b) Physical entry controls
c) Equipment and asset protection
d) Clear desk and clear screen policy
e) Secure disposal and reuse of devices
4) Annex A.8: Technological Controls (34 Controls)
Technological controls include 34 measures that protect systems, networks, applications, and digital information. They cover endpoint security, privileged access, malware protection, backups, logging, monitoring, cryptography, secure coding, network security, and vulnerability management.
Key Focus Areas:
a) Identity and access management
b) Cryptography and encryption
c) Malware protection and vulnerability management
d) Logging, monitoring, and backups
e) Network security and secure Software Development
Gain insights into effective auditing techniques and practices with the ISO 27001 Internal Auditor Training – Register now!
What New Controls Does ISO 27001:2022 Introduce?
The ISO 27001:2022 update introduces 11 new controls, distributed across organisational, physical, and technological domains, to strengthen information security:
a) A.5.7 Threat Intelligence: It focuses on gathering and analysing threat-related information to proactively protect information assets.
b) A.5.23 Information Security for the Use of Cloud Services: It requires organisations to define, implement and monitor security controls for cloud-based environments.
c) A.5.30 ICT Readiness for Business Continuity: It ensures that ICT continuity planning supports organisational resilience during disruptions.
d) A.7.4 Physical Security Monitoring: It emphasises the use of monitoring mechanisms to detect and deter unauthorised physical access.
e) A.8.9 Configuration Management: It introduces structured control over documenting, implementing and auditing system configurations.
f) A.8.10 Information Deletion: It addresses secure data deletion in line with legal, regulatory, and business requirements.
g) A.8.11 Data Masking: It promotes masking techniques to protect personally identifiable information and support compliance.
h) A.8.12 Data Leakage Prevention: It focuses on technical controls to identify and prevent unauthorised data disclosure or extraction.
i) A.8.16 Monitoring Activities: It strengthens continuous monitoring to detect abnormal behaviour and respond to incidents.
j) A.8.23 Web Filtering: It requires controls to restrict access to potentially harmful external websites.
k) A.8.28 Secure Coding: It promotes secure development practices to reduce vulnerabilities arising from poor coding methods.
Understand the process for conducting internal audits and managing corrective actions. Join the ISO 27001 Lead Implementer Training now!
Implementing ISO 27001 Controls
Implementing ISO 27001 Controls requires a structured, risk-based approach that aligns security with business objectives. By following a clear implementation process, organisations can strengthen their Information Security Management System (ISMS). The following steps outline an effective implementation process:

1) Planning and Deployment
Start by identifying your organisation's information assets, assessing potential threats and vulnerabilities, and evaluating existing safeguards. The results help determine which Annex A controls are applicable and should be documented in the Statement of Applicability (SoA).
2) Integration and Execution
Implement security controls in a way that supports day-to-day operations rather than disrupting them. Align controls with business objectives, automate repetitive security tasks where possible, and embed security into existing workflows to improve efficiency and reduce manual effort.
3) Documentation and Ownership
Each control should have a clearly defined owner responsible for implementation, ongoing maintenance, and evidence collection. Keep policies, procedures, and records up to date, as well-maintained documentation supports audits, demonstrates compliance, and enables continual improvement of the ISMS.
4) Building Cross-functional Collaboration
Successful implementation requires collaboration across departments such as IT, HR, legal, and operations. Strong leadership, regular communication, employee awareness, and shared responsibility help ensure controls are consistently applied and supported throughout the organisation.
Build a strong foundation in Information Security by signing up for the ISO 27001 Foundation Course today!
Is it Necessary to Adopt ISO 27001 in an Organisation?
While not mandatory, ISO 27001 significantly strengthens information security. It helps protect information in physical, digital, and cloud environments, improves resilience against cyber threats, and supports regulatory compliance.

What is the Statement of Applicability in ISO 27001?
The Statement of Applicability (SoA) is a crucial ISO 27001 document that lists all Annex A controls, showing which are implemented or excluded based on risk assessment and business needs. It also details each control’s status, providing a clear overview of the organisation’s security measures. The SoA is vital for compliance audits and managing the ISMS effectively.
Conclusion
Protecting information is essential for every organisation. By understanding and implementing ISO 27001 Controls, businesses can reduce security risks, strengthen compliance, and build lasting trust with customers and partners. A well-managed Information Security Management System (ISMS) not only safeguards valuable data but also supports long-term resilience and business success.
Become an expert in ISO 27001 audits with the ISO 27001 Lead Auditor Course - Register today!
Frequently Asked Questions
How Many ISO 27001 Controls are There?
There are a total of 93 controls. Previously, ISO 27001:2013 had 114 controls, but after ISO 27001:2022, it has been reduced to 93 controls, grouped into four categories: Organisational, People, Physical and Technological.
What is the ISO 27001 Framework?
The ISO 27001 Framework is an internationally recognised standard that helps organisations manage information security through an Information Security Management System (ISMS). It covers risk assessment, security policies, roles, and processes to reduce information security risks.
Hailey Davis is an ISO compliance expert with over 10 years of experience in audit, quality management systems (QMS), and regulatory compliance. She has worked with various industries, including manufacturing, healthcare, and technology, ensuring organisations achieve and maintain ISO certifications. Hailey’s content provides practical, actionable insights on navigating compliance challenges and improving business processes.
View Detail
Top Rated Course