ISO 27001: 2022 Annex A Explained (Pt.1): Organizational Controls

Phuong Linh
July 21, 2025 • 6 min read
So, you've dived into the world of ISO 27001, and you keep hearing about "Annex A" and its long, long list of controls. It feels a bit like being handed a 1000-page assembly manual for a single bookshelf, right?
We get that it's easy to feel overwhelmed. But we've got good news for you and everyone else trying to navigate ISO 27001:
You don't need to tackle 93 controls overnight.
Annex A is not a mandatory to-do list designed to crush your soul. It's actually a super helpful resource, once you understand how to use it.
If you're struggling with what Annex A controls in ISO 27001 actually are, you're in the right place. Let's break it down together.
What's the Difference Between the Clauses and Annex A?
- Clauses 4–10 of ISO 27001 explain how to set up and manage your Information Security Management System (ISMS). These clauses guide you on how to plan your security work, get the right resources, check if you're making progress, and improve over time. They provide a step-by-step process for running a security program, and they are mandatory: any organization seeking ISO 27001 compliance must address each of these clauses.
- Annex A is a list of security controls (best practices) that you can apply to manage security risks. It gives you options to choose from, but you don't have to use all of them. You pick the ones that make sense for your business and the risks you face.
The 93 Controls: A Quick Tour
So, what's in this catalog of security parts?
If you've been googling around, you might have seen older articles mentioning 114 controls. That is because the previous version, ISO 27001:2013, had 114 controls spread across 14 categories. The new version, ISO 27001:2022, streamlined this down to the current 93 controls. This wasn't just about deleting things; many controls were merged and updated, and 11 brand new controls were added to tackle modern security challenges. These new additions cover crucial topics for startups like threat intelligence, security for cloud services, and secure coding.
Back to the catalog itself: it contains 93 security controls, grouped into 4 categories. Think of them as four different sections of the garage.
- Organizational (37 controls): This is the brains of the operation. It's about setting the rules of the road for your company's security. It's the high-level strategy and paperwork that guides everything else.
- People (8 controls): Your team! This is all about making sure your employees are a core part of your security defense, covering everything from background checks and training to what happens when someone leaves the company.
- Physical (14 controls): This is about locking the doors. It covers the security of your physical spaces, like offices and server rooms, to prevent unauthorized access, theft, or damage.
- Technological (34 controls): This is the "cybersecurity" stuff most people think of. It's about using technology to protect your information, covering things like encryption, network security, backups, and secure coding.
A Look at Organizational Controls
To make this feel more real, let's peek inside the first category. Organizational controls (numbered 5.1 to 5.37) focus on the policies, procedures, and responsibilities that form the foundation of your security program. This includes things like:
- Information security policies: Creating your main "rulebook" for security.
- Defined responsibilities: Making it crystal clear who is in charge of what (e.g., who owns the ISMS).
- Contact with authorities: Knowing who to call (like data protection authorities) if something goes wrong.
- Threat intelligence: Actively looking for and learning about new security threats.
- Classifying and labelling information: Figuring out what data is super sensitive ("Confidential") versus what's not ("Public").
- Identity and access control: The master plan for who gets access to what information and why.
- Asset management: Simply knowing what hardware, software, and data you have!
As you can see, these aren't just technical tasks; they are business-level decisions about how you want to run your company securely.
Your Magic Document: The Statement of Applicability (SoA)
Now for the most important part. How do you tell an auditor which of the 93 controls you've chosen? You use a document called the Statement of Applicability (SoA).
This document is your best friend during an audit. It's basically a big checklist where you go through every single one of the 93 controls and state one of three things:
- "Yes, we're doing this." You then briefly explain how you've implemented the control.
- "No, this doesn't apply to us." Here, you must provide a clear reason why. This is your justification for excluding a control.
- "Not yet, but we plan to." Here, you state your intention to implement the control in the future.
For example, if you are a fully remote startup with no physical office, you can absolutely exclude controls related to "securing physical offices." Your justification in the SoA would be: "This control is not applicable as the organization operates on a fully remote basis with no physical office premises."
Boom. Simple, logical, and perfectly acceptable to an auditor.
Why Do Annex A Controls Matter So Much?
Going through this process isn't just about ticking boxes for a certificate. It has real, tangible benefits for your startup.
- Build trust with clients and investors: When you can show a potential enterprise client your SoA, you're speaking their language. You're demonstrating that you take security seriously and have a professional, well-thought-out approach.
- Ensure you've covered all your risks: Annex A is like a checklist built by thousands of security experts. By reviewing it, you make sure you haven't forgotten about a major area of risk. It's a fantastic safety net.
- Pass vendor & regulatory checks: More and more, getting through vendor security questionnaires or complying with regulations requires having these kinds of documented controls in place. ISO 27001 gives you a golden ticket.
- Scale without reinventing the wheel: As you grow, you'll have a solid security foundation to build on. You won't have to make up security rules as you go; you'll already have a blueprint for success.
Conclusion
Annex A looks intimidating from a distance, but up close, it's just a helpful catalog of best practices. The key is to use your risk assessment to make smart, informed decisions about which controls make sense for your company.
Start with the basics, document your decisions in your SoA, and build from there.
Ready to build a smart ISO 27001 roadmap that's perfect for your startup's size and stage? Smartly is here to help you navigate the journey and save time for building your product.