Annex A: Major Restructuring, Controls Reorganization, and Logical Groupings

Lesson 7/23 | Study Time: 25 Min

Annex A of ISO/IEC 27001 serves as the catalog of security controls that organizations adopt to manage information security risks within their ISMS. In the 2022 revision, Annex A underwent a major restructuring to reflect contemporary security challenges and to align controls logically and practically for easier implementation.

This restructuring reduces complexity, eliminates redundancies, and groups controls to improve clarity and applicability across diverse organizations.

Major Restructuring and Controls Reorganization

By consolidating domains and redefining controls, ISO/IEC 27001:2022 ensures greater flexibility and focus on emerging risks. The list below summarizes the key restructuring highlights.


1. Reduction in Number of Controls: The total number of controls in Annex A decreased from 114 in ISO/IEC 27001:2013 to 93 in the 2022 version. This was achieved by merging 57 controls into fewer, more comprehensive controls and introducing 11 new ones specific to emerging security needs.


2. Consolidation of Control Domains: The previous 14 control domains were reorganized into four broader, more logical categories:


Organizational Controls (37 controls)

People Controls (8 controls)

Physical Controls (14 controls)

Technological Controls (34 controls)


This shift from numerous narrow domains to four meaningful groups aids organizations in aligning controls with overall risk management and operational structures.


3. Control Attributes for Improved Clarity: Each control is now accompanied by attributes classifying its control type, the security objectives it serves (confidentiality, integrity, availability), the cybersecurity functions it supports (identify, protect, detect, respond, recover), and other characteristics.

These attributes support better control prioritization, risk assessment, and auditing processes.

Logical Groupings

To simplify understanding and application, ISO/IEC 27001:2022 organizes its controls into four practical themes. Below are the logical groupings that define how controls are structured.

1. Organizational Controls: These focus on policies, processes, management responsibilities, and organizational measures that drive information security culture and governance.

2. People Controls: Controls under this group address human factors such as roles, training, and security awareness to mitigate insider threats and promote secure behavior.

3. Physical Controls: This category includes measures related to securing physical access, protecting facilities, and ensuring the safety of equipment and sensitive assets.

4. Technological Controls: Encompassing technical security measures, this group covers access management, system monitoring, cryptography, vulnerability management, and controls for newer areas such as cloud security and secure coding.

Benefits of the Restructuring


| Benefit | Description |
| --- | --- |
| Simplifies understanding and implementation of controls | The new structure makes it easier for organizations to interpret, apply, and manage security controls effectively. |
| Enhances integration with other standards and frameworks (e.g., NIST, CIS) | Promotes compatibility and alignment with widely used cybersecurity and risk management frameworks. |
| Facilitates a more risk-based and context-driven approach to selecting controls | Encourages tailoring controls to the organization's specific risk profile and operational context. |
| Helps organizations stay current with evolving cyber threats and technologies | Reflects modern security challenges, ensuring relevance to current digital environments. |
| Streamlines audits and compliance verification through logical categorization | The simplified structure supports clearer documentation, easier mapping, and more efficient audit processes. |
Samuel Wilson
Product Designer