ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information, encompassing people, processes, and technology. The 2022 revision restructured its Annex A controls significantly, consolidating 114 controls into 93 and organizing them into four thematic categories instead of the previous fourteen. For organizations pursuing certification or maintaining an existing ISMS, understanding these controls and how they relate to other regulatory requirements is essential.
The ISO 27001:2022 Control Structure
The 2022 revision reorganized Annex A into four categories, each addressing a distinct dimension of information security.
Organizational Controls (37 controls)
This is the largest category and covers governance, policy, and process-level requirements. These controls establish the management framework that supports all other security activities. Key areas include:
- Policies and roles (A.5.1 — A.5.6): Information security policies, assignment of responsibilities, segregation of duties, and management accountability. Every ISMS starts here. Without clear policies and ownership, technical controls lack direction.
- Threat intelligence and asset management (A.5.7 — A.5.14): Threat intelligence collection, asset inventories, acceptable use policies, classification schemes, and information transfer procedures. These controls ensure organizations know what they are protecting and stay informed about relevant threats.
- Identity and access management (A.5.15 — A.5.18): Access control policies, identity management, authentication requirements, and privileged access controls. These organizational-level controls define the rules that technical access controls enforce.
- Supplier and cloud management (A.5.19 — A.5.23): Supplier assessment, contractual security requirements, monitoring of supplier services, and specific provisions for cloud service usage. A.5.23 (information security for cloud services) is new in the 2022 revision, reflecting the reality that most organizations now depend on cloud infrastructure.
- Incident management and business continuity (A.5.24 — A.5.30): Incident response planning, reporting, evidence handling, lessons learned, business continuity planning, and ICT readiness.
- Compliance and assurance (A.5.31 — A.5.37): Legal and regulatory requirements, intellectual property, privacy, independent reviews, and compliance monitoring.
People Controls (8 controls)
People controls address the human element of information security across the employment lifecycle:
- Pre-employment (A.6.1 — A.6.2): Background screening and employment terms and conditions that include security responsibilities.
- During employment (A.6.3 — A.6.5): Security awareness training, disciplinary processes, and responsibilities after employment changes or termination.
- Remote working and reporting (A.6.6 — A.6.8): Confidentiality agreements, remote working security requirements, and event reporting procedures. Remote working (A.6.7) was elevated to its own control in 2022, acknowledging the shift toward distributed workforces.
Physical Controls (14 controls)
Physical controls protect facilities, equipment, and physical media:
- Perimeter and facility security (A.7.1 — A.7.6): Physical security perimeters, office security, monitoring, and protection against physical and environmental threats.
- Equipment and media (A.7.7 — A.7.14): Secure desks, equipment siting, off-premises asset security, storage media management, utility protection, and cabling security. These controls prevent data loss through physical theft, environmental damage, or improper disposal.
Technological Controls (34 controls)
Technological controls address the technical implementation of security measures:
- Endpoint and access (A.8.1 — A.8.5): User endpoint devices, privileged access rights, information access restriction, and source code security.
- Malware and vulnerability management (A.8.6 — A.8.8): Capacity management, malware protection, and technical vulnerability management.
- Configuration and change management (A.8.9 — A.8.10): Configuration management and information deletion. Configuration management (A.8.9) is new in 2022 and addresses the need for consistent, secure baseline configurations.
- Data protection (A.8.11 — A.8.12): Data masking and data leakage prevention. Both are new controls in the 2022 revision, reflecting the growing importance of data-centric security strategies.
- Monitoring and logging (A.8.13 — A.8.16): Backup, redundancy, logging, and monitoring activities.
- Network and application security (A.8.20 — A.8.29): Network security controls, web filtering, secure coding practices, and separation of development environments.
- Cryptography and secure development (A.8.24 — A.8.34): Cryptographic use, secure development lifecycle, security testing, and change management in development.
Complete ISO 27001:2022 Annex A Controls Reference
| Category | Control Range | Count | Key Areas |
|---|---|---|---|
| Organizational (A.5) | A.5.1 – A.5.37 | 37 | Policies, asset management, access control, supplier relations, continuity, legal compliance |
| People (A.6) | A.6.1 – A.6.8 | 8 | Screening, terms of employment, awareness training, remote working, reporting |
| Physical (A.7) | A.7.1 – A.7.14 | 14 | Secure areas, equipment, storage media, utilities, cabling, maintenance |
| Technological (A.8) | A.8.1 – A.8.34 | 34 | Endpoint devices, privileged access, authentication, malware, backups, logging, encryption, coding |
Total: 93 controls across four categories, reduced from the 114 controls in the previous 2013 version.
New Controls in ISO 27001:2022
The 2022 revision introduced 11 entirely new controls that reflect current security challenges:
- A.5.7 Threat intelligence — Gathering and analyzing threat information relevant to the organization.
- A.5.23 Information security for cloud services — Managing security across cloud service adoption, use, and exit.
- A.5.30 ICT readiness for business continuity — Ensuring technology infrastructure can support business continuity requirements.
- A.7.4 Physical security monitoring — Continuous surveillance of premises for unauthorized access.
- A.8.9 Configuration management — Establishing and maintaining secure configurations.
- A.8.10 Information deletion — Systematic deletion of information when no longer required.
- A.8.11 Data masking — Protecting sensitive data through obfuscation techniques.
- A.8.12 Data leakage prevention — Technical measures to prevent unauthorized data exfiltration.
- A.8.16 Monitoring activities — Network, system, and application monitoring for anomalous behavior.
- A.8.23 Web filtering — Controlling access to external websites to reduce exposure to malicious content.
- A.8.28 Secure coding — Applying secure coding principles throughout software development.
Organizations transitioning from the 2013 version should pay particular attention to these additions, as they represent areas where existing controls may need to be expanded or newly implemented.
Mapping ISO 27001 to Other Frameworks Through SCF
One of the most significant challenges organizations face is managing ISO 27001 alongside other compliance obligations. A company pursuing ISO 27001 certification may simultaneously need to demonstrate SOC 2 compliance for customers, meet GDPR requirements for European data subjects, and align with NIST CSF for risk management maturity.
The Secure Controls Framework (SCF) addresses this by providing a unified control taxonomy that maps to over 200 frameworks, including ISO 27001:2022. Each SCF control is linked to corresponding requirements across multiple standards, so implementing a single SCF control can satisfy obligations in ISO 27001, SOC 2, NIST 800-53, GDPR, and other frameworks simultaneously.
For example, SCF’s access control domain maps to ISO 27001 controls A.5.15 through A.5.18 and A.8.2 through A.8.5, while also covering equivalent requirements in SOC 2’s CC6 criteria, NIST 800-53’s AC family, and GDPR’s Article 32 technical measures. Instead of implementing and documenting these separately, organizations work with one set of controls and maintain one body of evidence.
This cross-framework mapping is especially valuable during audits. Evidence collected for one framework can be reused for another, reducing the documentation burden and ensuring consistency across compliance programs.
Defense contractors managing both ISO 27001 and CMMC 2.0 requirements benefit from SCF’s unified mapping, which eliminates redundant control implementations across these overlapping standards. Healthcare organizations can also map HIPAA Security Rule requirements through the same SCF foundation.
Practical Implementation Guidance
Start with a Gap Assessment
Before implementing controls, assess your current state against the full Annex A control set. Identify which controls are already in place, partially implemented, or entirely absent. Prioritize based on risk — not every control carries the same weight for every organization. Your Statement of Applicability (SoA) will document which controls apply and the justification for any exclusions.
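The cross-framework mapping described above and the gap assessment this section calls for can be worked through together in a small crosswalk model. The following Python is an added example, not SCF's or SCF Connect's code: the unified control identifiers (UC-*), the assessment statuses and the evidence file names are constructed for illustration, while the framework references are the ones the text names (ISO 27001:2022 A.5.15 through A.5.18 and A.8.2 through A.8.5, SOC 2 CC6, the NIST 800-53 AC family and GDPR Article 32). It projects the status of each unified control onto every framework it maps to, lists the remaining gaps per framework, shows evidence attached once being reused across frameworks, and produces Statement of Applicability rows that refuse an exclusion without a written justification.

```python
"""Cross-framework control crosswalk: coverage, gaps, evidence reuse and an SoA.

Added example; this is not SCF's or SCF Connect's code. The unified control
identifiers (UC-*), the assessment statuses and the evidence file names are
constructed for illustration. The framework references are the ones the text
names: ISO 27001:2022 A.5.15-A.5.18 and A.8.2-A.8.5, SOC 2 CC6, the NIST
800-53 AC family and GDPR Article 32.
"""
from dataclasses import dataclass

# A framework requirement is only as satisfied as the weakest unified control
# that maps to it, so statuses are ranked and combined with min().
STATUS_RANK = {"absent": 0, "partial": 1, "implemented": 2}
RANK_STATUS = {rank: name for name, rank in STATUS_RANK.items()}


@dataclass
class UnifiedControl:
    control_id: str
    title: str
    mappings: dict  # framework name -> tuple of that framework's references


# Constructed crosswalk with hypothetical UC-* identifiers (not SCF's own).
CROSSWALK = (
    UnifiedControl("UC-AC-01", "Access control policy and identity lifecycle",
                   {"ISO27001": ("A.5.15", "A.5.16"), "SOC2": ("CC6.1",),
                    "NIST800-53": ("AC-1", "AC-2"), "GDPR": ("Art.32",)}),
    UnifiedControl("UC-AC-02", "Authentication information and secure authentication",
                   {"ISO27001": ("A.5.17", "A.8.5"), "SOC2": ("CC6.1",),
                    "GDPR": ("Art.32",)}),
    UnifiedControl("UC-AC-03", "Access rights provisioning, restriction and review",
                   {"ISO27001": ("A.5.18", "A.8.3"), "SOC2": ("CC6.2", "CC6.3"),
                    "NIST800-53": ("AC-2", "AC-3"), "GDPR": ("Art.32",)}),
    UnifiedControl("UC-AC-04", "Privileged and source-code access restriction",
                   {"ISO27001": ("A.8.2", "A.8.4"), "SOC2": ("CC6.3",),
                    "NIST800-53": ("AC-6",), "GDPR": ("Art.32",)}),
)

# Constructed assessment: one status per unified control. An unassessed
# control (UC-AC-04 here) is treated as absent, never as implemented.
ASSESSMENT = {"UC-AC-01": "implemented", "UC-AC-02": "partial", "UC-AC-03": "implemented"}

# Constructed evidence, attached once to the unified control it supports.
EVIDENCE = {
    "UC-AC-01": ["access-control-policy-v3.pdf", "joiner-mover-leaver-runbook.md"],
    "UC-AC-03": ["q3-access-review.xlsx"],
}


def derived_status(crosswalk, statuses, framework):
    """Project unified-control statuses onto one framework's references."""
    ranks = {}
    for uc in crosswalk:
        rank = STATUS_RANK[statuses.get(uc.control_id, "absent")]
        for ref in uc.mappings.get(framework, ()):
            ranks[ref] = min(ranks.get(ref, STATUS_RANK["implemented"]), rank)
    return {ref: RANK_STATUS[rank] for ref, rank in sorted(ranks.items())}


def gaps(crosswalk, statuses, framework):
    """References in a framework that are not fully implemented, in reference order."""
    return [ref for ref, status in derived_status(crosswalk, statuses, framework).items()
            if status != "implemented"]


def evidence_for(crosswalk, evidence, framework, ref):
    """Evidence reuse: anything attached to a unified control serves every
    framework reference that control maps to."""
    files = set()
    for uc in crosswalk:
        if ref in uc.mappings.get(framework, ()):
            files.update(evidence.get(uc.control_id, ()))
    return sorted(files)


def soa_rows(crosswalk, statuses, exclusions):
    """Statement of Applicability rows for the ISO 27001 references in the
    crosswalk. `exclusions` maps a reference to its justification; an
    exclusion without a written justification is rejected."""
    rows = []
    for ref, status in derived_status(crosswalk, statuses, "ISO27001").items():
        if ref in exclusions:
            why = exclusions[ref].strip()
            if not why:
                raise ValueError(f"{ref}: exclusion needs a justification")
            rows.append({"control": ref, "applicable": "no", "status": "n/a", "justification": why})
        else:
            rows.append({"control": ref, "applicable": "yes", "status": status, "justification": ""})
    return rows


if __name__ == "__main__":
    for fw in ("ISO27001", "SOC2", "NIST800-53", "GDPR"):
        print(f"{fw:11} gaps: {gaps(CROSSWALK, ASSESSMENT, fw)}")
    print("evidence for SOC2 CC6.1:", evidence_for(CROSSWALK, EVIDENCE, "SOC2", "CC6.1"))
    for row in soa_rows(CROSSWALK, ASSESSMENT, {"A.8.4": "No in-house development; no source code in scope"}):
        print(row)
```

Two design choices matter here. Status is combined with `min()`, so a single requirement served by several unified controls (SOC 2 CC6.3, or GDPR Article 32, which every access control feeds) reports the weakest contributor, which is the conservative answer an auditor expects rather than the most flattering one. And the SoA builder treats a missing justification as an error, because an unexplained exclusion is exactly the documentation gap the assessment is meant to surface.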
Build on What You Have
Most organizations are not starting from zero. Existing policies, technical controls, and processes likely satisfy portions of multiple Annex A requirements. The goal is to identify gaps and formalize what already exists, not to rebuild from scratch.
Align Documentation to the Standard
Auditors evaluate your ISMS based on documented policies, procedures, and evidence of implementation. Structure your documentation to map clearly to Annex A control references. This makes audits faster and reduces the likelihood of findings based on documentation gaps rather than actual security deficiencies.
Use Continuous Monitoring
ISO 27001 requires ongoing monitoring and review of the ISMS. Annual assessments are a minimum, but organizations that monitor control effectiveness continuously are better positioned to identify and address issues before they become audit findings.
How SCF Connect Helps Manage ISO 27001
SCF Connect provides purpose-built tools for managing ISO 27001 compliance within a broader control framework:
- Pre-built ISO 27001:2022 mappings: Every Annex A control is mapped to corresponding SCF controls, so you can manage ISO 27001 alongside SOC 2, NIST CSF, GDPR, and other frameworks from a single platform.
- Statement of Applicability generation: SCF Connect helps you build and maintain your SoA with clear justifications for included and excluded controls.
- Assessment workflows: Guided assessment processes with maturity scoring, evidence attachment, and gap analysis ensure consistent evaluations across assessment periods.
- Cross-framework efficiency: Implement a control once and satisfy requirements across all mapped frameworks, reducing duplicated effort and inconsistent documentation.
Managing ISO 27001 compliance effectively requires visibility into your control environment, clear mapping to requirements, and the ability to demonstrate ongoing improvement. SCF Connect provides the infrastructure to make that manageable at scale.
Start your free trial to see how SCF Connect maps your existing controls to ISO 27001:2022 and every other framework that applies to your organization.
Frequently Asked Questions
How many controls are in ISO 27001:2022?
ISO 27001:2022 contains 93 controls in Annex A, organized into four categories: Organizational (37), People (8), Physical (14), and Technological (34). This is a reduction from 114 controls in the previous 2013 version, achieved by merging and consolidating related controls.
What changed from ISO 27001:2013 to 2022?
The 2022 revision reorganized controls from 14 domains into four thematic categories, added 11 new controls (including threat intelligence, cloud security, and data masking), and introduced control attributes for easier filtering and prioritization.
Do I need to recertify for ISO 27001:2022?
Organizations certified under ISO 27001:2013 had until October 31, 2025 to transition to the 2022 version. New certifications are issued against ISO 27001:2022. The transition primarily affects the Annex A controls and Statement of Applicability, not the core ISMS clauses.
How does ISO 27001 relate to SOC 2?
Both frameworks address information security but serve different purposes. ISO 27001 is a certifiable management system standard, while SOC 2 is an attestation report based on Trust Services Criteria. Many controls overlap — SCF Connect maps both frameworks to a common control set, allowing organizations to satisfy requirements for both simultaneously.
Related resources:
- ISO 27001 Compliance with SCF Connect — Framework-specific mapping and coverage details
- SCF Controls Reference — Browse the full SCF control catalog
- SCF Connect Features — Platform capabilities for compliance management
- SOC 2 Compliance Checklist — Managing SOC 2 alongside ISO 27001
- What Is GRC? — Understanding governance, risk, and compliance fundamentals