Conquer 2025 with ISO 27001:2022 Annex A Controls

Vikas Sharma

Last updated 21/02/2025


ISO 27001 is one of the foremost international standards focused on information security. It was developed for organizations of any size and helps them protect business data systematically and cost-effectively through the adoption of an information security management system (ISMS).

ISO 27001 belongs to the ISO/IEC 27000 series, a family of standards for managing information security. It is the best-known member of that family because it provides the basic tool for managing information security risks: a list of ISO 27001 security controls used to improve the security of information assets. To learn about the different aspects of this, see our ISO 27001:2022 Lead Auditor Certification Training Course.

Additionally, security objectives ensure that these controls align with risk management goals and compliance requirements. Companies aiming to strengthen their ISO 27001 compliance and cybersecurity posture should focus on ISO 27001 risk assessment and careful control rollout. This guide will help you find your way through the ins and outs of ISO 27001 certification, making sure you have a strong security management system. To gain professional know-how in applying these controls well, consider training courses from Novelvista, a leading provider of security certification programs.


What is ISO 27001 Annex A?

Annex A of ISO/IEC 27001:2022 is a reference list of 93 security controls designed to help organizations manage information security risks effectively. These controls are categorized into four areas:

  • Organizational (37) – Policies, risk management, and governance
  • People (8) – Personnel security and awareness
  • Physical (14) – Asset and facility protection
  • Technological (34) – IT security and data protection

What are the ISO 27001 Annex A controls?

ISO 27001 Annex A controls are a set of security best practices designed to protect an organization's information. They are grouped into different categories to cover various aspects of information security. Here’s a simple explanation of these controls:

  • 1. Organization Security – Defining policies, roles, and risk management.
  • 2. People Security – Ensuring employees follow security practices.
  • 3. Physical Security – Protecting buildings, servers, and access points.
  • 4. Technology Security – Safeguarding data, networks, and systems.
  • 5. Operations Security – Managing IT processes, updates, and threats.
  • 6. Supplier Security – Ensuring vendors follow security standards.
  • 7. Incident Management – Preparing for and responding to security issues.
  • 8. Business Continuity – Keeping operations running during disruptions.
  • 9. Compliance – Following laws, regulations, and security policies.

How many domains does Annex A ISO 27001 have?

Annex A of ISO/IEC 27001:2022 has 4 domains (also called themes or sections). These domains contain a total of 93 security controls. The 4 domains are:

  • 1. Organizational Controls (37 controls)
  • 2. People Controls (8 controls)
  • 3. Physical Controls (14 controls)
  • 4. Technological Controls (34 controls)

This is a change from the 2013 version, which had 14 domains and 114 controls. The 2022 revision has streamlined and consolidated some controls while introducing new ones to address modern security challenges.


Focus on Annex A.12: Operations Security

Annex A.12: Operations Security is one of the most important parts of ISO 27001. It ensures that companies set up robust security measures to protect their information systems. This area contains 14 controls covering the main aspects of IT operations, system handling, security monitoring, and protection against online threats. Keeping tabs on operations security is vital for preventing problems such as data leaks, unauthorized access to systems, malware attacks, and system crashes. Companies have to stay vigilant: monitoring what goes on, making sure everything is configured securely, and keeping things running smoothly.

Key Areas Covered in A.12 Operations Security:

1. Secure IT Operations

Organizations must develop and implement procedures that ensure secure IT operations. This includes establishing standardized guidelines for system usage, configuration, and maintenance.

Secure operations require:

  • Clearly defined roles and responsibilities for IT staff
  • Implementation of change management procedures to track system modifications
  • Regular vulnerability assessments to detect and mitigate security risks
  • Proactive system hardening measures to reduce attack surfaces

2. Malware Protection

To safeguard against cyber threats, organizations must implement anti-malware solutions and proactive security measures.

These include:

  • Deployment of endpoint detection and response (EDR) tools
  • Regular software updates and patch management
  • Enforcing strict policies on unauthorized software installations
  • Conducting employee cybersecurity awareness training to minimize phishing risks

3. Logging and Monitoring

Comprehensive security monitoring is essential to detect and respond to security incidents effectively.

This involves:

  • Security Information and Event Management (SIEM) solutions for real-time monitoring
  • Maintaining detailed system logs for security audits and forensic analysis
  • Establishing alert mechanisms for unusual activities
  • Implementing log retention policies to ensure compliance with regulatory requirements

4. Data Backup and Recovery

A robust backup strategy ensures business continuity in case of cyber incidents or system failures.

Organizations must:

  • Implement automated, regular data backups to secure storage locations
  • Use encryption techniques for protecting backup data
  • Perform regular backup integrity checks and recovery testing
  • Maintain disaster recovery (DR) plans aligned with business continuity objectives

5. Technical Vulnerability Management

Organizations must proactively identify and address vulnerabilities within their IT infrastructure.

Effective vulnerability management includes:

  • Conducting regular penetration testing and security assessments
  • Maintaining an up-to-date inventory of IT assets and software versions
  • Deploying patch management solutions to address newly discovered vulnerabilities
  • Establishing a risk prioritization framework to remediate critical threats first

6. Secure System Development and Maintenance

Developing and maintaining secure systems is crucial for ensuring long-term security resilience.

Best practices include:

  • Integrating security-by-design principles into software development
  • Conducting code reviews and security testing before deploying applications
  • Implementing least privilege access controls for system administrators
  • Adopting DevSecOps methodologies to enhance security in development lifecycles


Relationship with ISO 27001 Fundamental Conditions

It is up to each organization to determine which ISO 27001:2022 controls are relevant and to implement them based on its assessment of the risks it faces. The remaining controls are declared not applicable; for example, the control covering outsourced development can be marked as not applicable if a business does not outsource its software development. The main criterion for selecting controls is risk management, which is defined in clauses 6 and 8 of the main part of ISO 27001.

In addition, clause 5 of the main part of ISO/IEC 27001 requires you to define responsibilities for managing those controls, and clause 9 requires you to measure whether the controls have fulfilled their purpose. Finally, clause 10 requires you to correct whatever is not right with those controls and to make sure that you achieve your information security objectives through them.
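As an added example (not part of the original post), the following Python script models the control-selection argument above as a Statement of Applicability check: every Annex A control is either applicable, linked to an assessed risk (clauses 6 and 8) and given a responsible owner (clause 5), or excluded with a written justification. The control numbers and titles are real ISO 27001:2022 Annex A entries; the applicability decisions, risk IDs and owners are constructed for illustration.

```python
from dataclasses import dataclass

# The four Annex A themes of ISO 27001:2022 and their control counts (93 in total).
THEME_COUNTS = {"Organizational": 37, "People": 8, "Physical": 14, "Technological": 34}


@dataclass
class Control:
    cid: str                 # Annex A control number, e.g. "8.13"
    title: str
    theme: str
    applicable: bool
    risk_ids: tuple = ()     # risks from the clause 6/8 assessment that this control treats
    justification: str = ""  # required when a control is excluded as not applicable
    owner: str = ""          # clause 5: a responsible owner for every applicable control


# Constructed sample: a handful of the 93 controls as an organization might record
# them in its SoA. Two entries are deliberately defective so the check has something to find.
SOA = [
    Control("5.1", "Policies for information security", "Organizational", True, ("R1",), owner="CISO"),
    Control("8.7", "Protection against malware", "Technological", True, ("R2",), owner="IT Ops"),
    Control("8.13", "Information backup", "Technological", True, ("R3",), owner="IT Ops"),
    Control("8.15", "Logging", "Technological", True, (), owner="SecOps"),  # no linked risk
    Control("8.30", "Outsourced development", "Technological", False,
            justification="All software is developed in-house; nothing is outsourced."),
    Control("8.8", "Management of technical vulnerabilities", "Technological", False),  # no justification
]


def check_soa(soa):
    """Return the findings an internal auditor would raise against the SoA entries."""
    findings = []
    for c in soa:
        if c.theme not in THEME_COUNTS:
            findings.append(f"{c.cid}: unknown theme {c.theme!r}")
        if c.applicable:
            if not c.risk_ids:
                findings.append(f"{c.cid}: applicable but not linked to any assessed risk (clause 6/8)")
            if not c.owner:
                findings.append(f"{c.cid}: applicable but no responsible owner (clause 5)")
        elif not c.justification.strip():
            findings.append(f"{c.cid}: excluded without a justification")
    return findings


def coverage_by_theme(soa):
    """Applicable controls recorded per theme, against that theme's Annex A total."""
    counts = {t: 0 for t in THEME_COUNTS}
    for c in soa:
        if c.applicable and c.theme in counts:
            counts[c.theme] += 1
    return {t: (counts[t], THEME_COUNTS[t]) for t in THEME_COUNTS}


if __name__ == "__main__":
    for finding in check_soa(SOA):
        print("FINDING:", finding)
    print(coverage_by_theme(SOA))
```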

Differences between ISO 27001 and ISO 27002

  • ISO 27001 is the international standard for information security management; ISO 27002 is the supporting standard that describes how the information security controls can be implemented.
  • You can certify to ISO 27001 but not to ISO 27002, because 27001 is the management standard that contains the list of requirements against which compliance is assessed.
  • ISO 27002 follows the same structure as ISO 27001 Annex A. However, it explains the method of implementing each control in significantly more detail.

ISO 27001 is the international standard focused on information security. ISO 27001:2022 controls are recognized international standards published through the ISO and IEC. The standard specifies the requirements for developing and maintaining an effective ISMS to safeguard against information security risks.

ISO 27002 is the supplementary standard concentrating on the information security controls that businesses might choose to implement. The ISO 27001 controls list contains the controls that information security experts mostly refer to when discussing information security controls. Although Annex A of ISO 27001 outlines each control in one or two sentences, ISO 27002 devotes an average of one page per control.

Because Annex A of ISO 27001 does not give much insight into each control, it typically does not provide enough guidance on its own to tell you what you have to accomplish for each control. This is the reason ISO 27002 was published. Make sure to check our ISO Lead Auditor Combo Certification to learn more about this in detail.

Ease of use of Annex A 

Annex A has a practical advantage: it gives you a complete overview of which controls you can apply, so you do not forget any that would be significant. It also gives you the flexibility to pick only the ones you find appropriate to your business, so you do not need to spend resources on controls that are not relevant to you.

What are the benefits of ISO 27001 certification?

Our ISO 27001:2022 Lead Auditor Certification Training Course provides you with various benefits, such as follows:

  • It will protect your reputation from security threats: The most obvious reason to certify to ISO controls is that it will help you avoid security threats. These include cybercriminals breaking into your business and data breaches caused by internal staff making mistakes.
  • Avoiding Regulatory Fines: The ISO 27001 control list serves as a valuable tool for organizations to sidestep the costly penalties tied to non-compliance with data protection mandates like the GDPR (General Data Protection Regulation).
  • Safeguarding Your Reputation: Attaining compliance with the ISO 27001 controls checklist allows you to showcase your commitment to information security to stakeholders. This commitment can translate into gaining new business and strengthening your standing among current clients and customers. In fact, some organizations exclusively partner with entities that can prove their ISO 27001 certification.


Conclusion

Having an in-depth understanding of the ISO 27001 controls list (for example, maintained in Excel) is crucial for businesses that aim to develop a robust information security management system. This blog has walked through Annex A, the detailed set of controls that address different aspects of information security. Every individual control is designed to reduce specific risks and to protect the confidentiality, integrity, and availability of information assets. By focusing on the Annex A controls, businesses can gain insight into the essential measures needed to protect sensitive information. From security policies and asset management to access control, cryptography, and incident response, the controls cover a wide range of areas that together form a robust and secure information security framework.

Furthermore, this blog also elaborated on the need to tailor the controls to the business context by considering factors such as industry, size, and risk appetite. It is important to conduct a comprehensive risk assessment and to implement controls that address the identified risks successfully. Developing the ISO 27001:2022 controls list (in Excel or otherwise) demonstrates a commitment to information security best practices. It also helps to build trust among stakeholders, including customers, partners, and regulatory bodies. In conclusion, businesses attempting to develop a strong information security framework must have a solid grasp of the ISO 27001 Annex A controls. By applying these controls effectively and tailoring them to their particular situation, organizations can reduce risks, safeguard their valuable information assets, and promote a culture of information security excellence.

About Author

Vikas is an Accredited SIAM, ITIL 4 Master, PRINCE2 Agile, DevOps, and ITAM Trainer with more than 20 years of industry experience currently working with NovelVista as Principal Consultant.
