- 4 themes in Annex A: Organizational, People, Physical, Technological (ISO/IEC 27001:2022)
- 93 total controls across the four themes (ISO/IEC 27001:2022, Annex A)
- 5 optional control attributes for filtering and analysis (ISO/IEC 27002:2022; not a certification requirement)
When ISO/IEC 27001 was revised in October 2022, the most significant structural change was to Annex A, the normative list of information security controls. The 14 domains and 114 controls of the 2013 edition gave way to four themes and 93 controls. The reorganization was not merely cosmetic: it reflects how information security work is actually organized in practice, separating governance-level controls from operational and technical ones in a way the 14-domain structure never quite achieved.
This article explains what each theme covers, how to read the optional five-attribute system in ISO/IEC 27002:2022, and how to navigate Annex A whether you are a practitioner building a Statement of Applicability or a candidate preparing for an ISTO Test of Understanding.
The four themes
The four themes divide Annex A along one logical dimension, namely who or what the control primarily operates on: organizational structures, people, physical environments, or technology.
Organizational controls — 37 controls (A.5.x)
The largest theme covers the governance layer of information security: policies, roles, responsibilities, supplier management, asset management, and how the organization responds to and learns from incidents. A.5.x controls are mostly written, decided, or reviewed at a management level. They shape the environment in which the People, Physical, and Technological controls operate.
Key controls in this theme include:
- A.5.1 — Information security policy (the foundation document)
- A.5.7 — Threat intelligence (new in 2022), gathering and acting on threat information
- A.5.19–A.5.22 — Supplier and supply chain security, defining, monitoring, and managing third-party information security obligations
- A.5.23 — Information security for cloud services (new in 2022), governing acquisition, use, and exit from cloud providers
- A.5.30 — ICT readiness for business continuity (new in 2022), ensuring technology can sustain operations through disruption
The cluster of new controls in A.5 reflects how governance obligations have grown since 2013. Cloud procurement, threat intelligence programmes, and supply-chain risk are now standard management concerns rather than specialist edge cases.
People controls — 8 controls (A.6.x)
The smallest theme addresses the human dimension: what happens at the employment lifecycle (before hiring, during employment, and on exit), what awareness and training employees need, and how confidentiality and disciplinary obligations are handled. Eight controls is a concise set because most people-related security obligations flow from organizational controls (policy, roles, responsibilities) rather than requiring separate operational procedures. The People theme focuses on where those obligations directly bind individual employees.
Physical controls — 14 controls (A.7.x)
Physical security covers secure areas, equipment protection, a clear-desk and clear-screen policy, and, in a 2022 addition, A.7.4 physical security monitoring: the continuous monitoring of premises for unauthorized physical access. The addition reflects that physical intrusion is a persistent and often underrated vector; surveillance and detection capabilities are now explicitly required alongside physical barriers.
Controls in this theme tend to be the most straightforward to implement but are sometimes under-resourced in organizations that focus security investment on technology. Auditors look for evidence that physical controls are not just documented but genuinely in place and maintained.
Technological controls — 34 controls (A.8.x)
The Technological theme is where most of the operational day-to-day security work sits: access control, cryptography, logging, vulnerability management, network security, and secure development. It is also where the majority of the 2022 edition's new controls land, reflecting the technological change since 2013:
- A.8.9 — Configuration management (new), documented, monitored security configurations
- A.8.10 — Information deletion (new), secure disposal when data is no longer needed
- A.8.11 — Data masking (new), protecting sensitive data in non-production environments
- A.8.12 — Data leakage prevention (new), detecting and blocking unauthorized exfiltration
- A.8.16 — Monitoring activities (new), anomaly detection across networks, systems, and apps
- A.8.23 — Web filtering (new), managing external web access to reduce malicious-content risk
- A.8.28 — Secure coding (new), applying security principles throughout software development
The concentration of new controls in A.8 makes sense: the attack surface that has grown most dramatically since 2013 is technological: cloud infrastructure, containerized workloads, software supply chains, and the explosion of data being stored and processed at scale.
Annex A at a glance
| Theme | Prefix | Controls | Includes new controls? |
|---|---|---|---|
| Organizational | A.5 | 37 | Yes — A.5.7, A.5.23, A.5.30 |
| People | A.6 | 8 | — |
| Physical | A.7 | 14 | Yes — A.7.4 |
| Technological | A.8 | 34 | Yes — A.8.9, A.8.10, A.8.11, A.8.12, A.8.16, A.8.23, A.8.28 |
| Total | | 93 | 11 new controls |
The five control attributes — optional, not mandatory
ISO/IEC 27002:2022, the companion guidance document to ISO/IEC 27001, introduces a five-attribute tagging system that can be applied to any control. The attributes are a planning and analysis tool, not a certification requirement. Organizations are free to use them, adapt them, or ignore them without affecting conformance.
The five attributes are:
- Control type — Preventive, detective, or corrective. Useful for checking that the control portfolio is balanced and does not over-index on prevention at the expense of detection and response.
- Information security properties — Which of the CIA triad the control primarily supports: Confidentiality, Integrity, or Availability. Some controls address multiple properties.
- Cybersecurity concepts — Alignment with the five NIST Cybersecurity Framework phases: Identify, Protect, Detect, Respond, Recover. This attribute is particularly useful for organizations that report against NIST CSF or want to cross-reference the two frameworks.
- Operational capabilities — Which operational domain the control serves: for example, asset management, application security, identity and access management, or supplier relationships.
- Security domains — Broad groupings such as governance and ecosystem, protection, defence, and resilience. Useful for executive-level reporting and portfolio views.
Navigating Annex A in practice
The most common practical application of Annex A is building or updating the Statement of Applicability (SoA), the mandatory document that lists every Annex A control, records whether it is applicable, and justifies any exclusion. For ISO/IEC 27001:2022, the SoA must reference the four-theme, 93-control structure.
A common misconception is that the SoA is primarily a document to satisfy auditors. In practice, a well-constructed SoA is a risk-treatment planning tool: it forces the organization to assess each control area against its risk register and to document deliberate decisions rather than default inclusions. Auditors look for that deliberateness: evidence that the applicable controls were selected and implemented because of a real risk-treatment decision, not because they were already listed.
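As an added example (not part of the article), a small Python check of an SoA against the 93-control structure: it derives the expected control IDs from the four theme counts given above and flags Annex A controls missing from the SoA, IDs outside Annex A, duplicate rows, and exclusions with no justification. The SoA rows are constructed sample data.

```python
"""SoA completeness check against ISO/IEC 27001:2022 Annex A (added example).
Control IDs are generated from the four-theme structure described above:
A.5 (37), A.6 (8), A.7 (14), A.8 (34) = 93. Control titles are not needed here."""
from dataclasses import dataclass

# theme prefix -> (theme name, control count), as given in the article
THEMES = {"A.5": ("Organizational", 37), "A.6": ("People", 8),
          "A.7": ("Physical", 14), "A.8": ("Technological", 34)}

def annex_a_ids():
    """All 93 Annex A control IDs in Annex order (A.5.1 ... A.8.34)."""
    return [f"{p}.{n}" for p, (_, count) in THEMES.items()
            for n in range(1, count + 1)]

@dataclass
class SoARecord:
    control_id: str
    applicable: bool
    justification: str = ""  # mandatory when a control is excluded

def check_soa(records):
    """Findings a reviewer would raise: Annex A controls absent from the SoA,
    IDs outside Annex A, duplicate rows, and exclusions with no justification.
    Every list empty means the SoA references the full 93-control structure."""
    expected = annex_a_ids()
    seen = set()
    findings = {"missing": [], "unknown": [], "duplicate": [],
                "unjustified_exclusion": []}
    for rec in records:
        if rec.control_id not in expected:
            findings["unknown"].append(rec.control_id)
            continue
        if rec.control_id in seen:
            findings["duplicate"].append(rec.control_id)
        seen.add(rec.control_id)
        if not rec.applicable and not rec.justification.strip():
            findings["unjustified_exclusion"].append(rec.control_id)
    findings["missing"] = [cid for cid in expected if cid not in seen]
    return findings

def sample_soa():
    """Constructed SoA with deliberate defects: A.7.4 omitted, A.6.3 excluded
    without a reason, a stray A.9.1 row, and A.5.1 listed twice."""
    rows = [SoARecord(cid, True) for cid in annex_a_ids() if cid != "A.7.4"]
    for rec in rows:
        if rec.control_id == "A.8.23":  # a properly justified exclusion
            rec.applicable, rec.justification = False, "No user web browsing from in-scope systems"
        elif rec.control_id == "A.6.3":  # exclusion with no reason given
            rec.applicable = False
    return rows + [SoARecord("A.9.1", True), SoARecord("A.5.1", True)]
```

Running `check_soa(sample_soa())` reports exactly the four planted defects; a clean SoA listing all 93 controls with justified exclusions returns empty lists under every key.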
For candidates sitting an ISTO Test of Understanding, a sound approach is to be fluent in the four themes and their control counts, know the 11 new controls by ID and the risk each addresses, and understand that the five attributes are optional, a point that appears frequently in exam questions because it is commonly misunderstood.
The companion article What's new in ISO/IEC 27001:2022 covers the full 2013-to-2022 comparison, the transition timeline, and what the changes mean for organizations moving from the superseded edition.
