
ISO 27001:2022 Annex A—What Changed and How to Implement

ISO 27001 remains the global standard for information security management. However, the 2022 revision changed how Annex A operates in practice. Many organizations that handle used electronics, IT assets, or resale data now face a shorter controls list, new control groupings, and controls that better reflect real-world security risks. Learn what changed in Annex A, why it matters, and how to confidently implement the updated controls.

What Is Annex A in ISO 27001?

Annex A is the reference set of information security controls that support your Information Security Management System (ISMS). It provides a menu of safeguards you can select from based on your risk assessment, business context, and regulatory obligations.

In the 2013 version, Annex A served as a checklist to copy line by line. In the updated 2022 version, Annex A now supports a risk-based approach, in which each control must be justified, implemented, and maintained in line with your organization’s operating practices.

Changes in ISO 27001:2022 Annex A

The ISO 27001:2022 changes simplified the structure of Annex A while modernizing the controls themselves. The most visible change is the reduction in controls. Several older controls were merged, rewritten, or retired, so Annex A now includes 93 controls, down from 114.

Eleven new controls were also added to address modern security risks. These include:

  1. Threat intelligence: Organizations are expected to remain aware of security threats and use that knowledge to protect their systems and data.
  2. Information security for cloud services: Controls now explicitly address shared responsibility models and the use of cloud services.
  3. ICT readiness for business continuity: Technology systems must support continuity planning, not just operational uptime.
  4. Physical security monitoring: Facilities and critical areas must be actively monitored, not just restricted.
  5. Configuration management: Systems must be securely configured and managed throughout their lifecycle.
  6. Information deletion: Data must be securely deleted when no longer needed.
  7. Data masking: Sensitive data should remain hidden when full visibility is not necessary.
  8. Data leakage prevention: Measures must be in place to stop data from being removed or transmitted without authorization.
  9. Monitoring activities: Organizations must monitor systems and network activity for security issues.
  10. Web filtering: Controls are required to limit access to malicious or inappropriate web content.
  11. Secure coding: Software development must follow secure coding practices.

The controls have also been reorganized into four categories rather than 14. These categories focus on how controls function in practice:

  1. Organizational controls (section 5) address governance, internal policies, supplier oversight, and the assignment of risk ownership.
  2. People controls (section 6) focus on training, security awareness, and defined roles and responsibilities.
  3. Physical controls (section 7) cover facilities, equipment, and the secure handling and protection of physical assets.
  4. Technological controls (section 8) apply to systems, networks, monitoring activities, and access management.

Why the “2022 Annex A” Updates Matter to Your Business

The updated ISO 27001 Annex A controls (2022) affect how auditors evaluate your system and how much effort your team must put into maintaining compliance. The revisions emphasize leadership involvement, supplier oversight, and documented decision-making to push organizations like yours beyond an IT-only view of security.

The revised structure also makes it easier to justify your control selection. With a Statement of Applicability (SoA) clearly tied to real risks, audits run more smoothly and unnecessary remediation is less likely.

Another important shift is that the updated structure clearly separates ISO 27001 organizational, technological, people, and physical controls. This helps your business assign responsibility more realistically rather than pushing everything onto IT.

How to Implement ISO 27001 Annex A 2022 Controls

A practical ISO 27001 implementation guide for Annex A starts with understanding that implementation is iterative. For the best results, follow these steps:

  1. Conduct a gap analysis against the 2022 controls. This identifies where existing policies, procedures, and technical safeguards already meet requirements and where updates are necessary.
  2. Update your risk assessment methodology. Risks should clearly link to selected Annex A controls, especially new or revised ones. Auditors now expect to see that linkage documented and reviewed.
  3. Revise policies and procedures to reflect the new control language. Avoid copying control text directly. Procedures should describe how your organization operates, not how the standard is written.
  4. Train staff to understand their role in information security, particularly around asset handling, access control, and incident reporting.
  5. Test and monitor. Internal audits, corrective actions, and management reviews ensure the system works before an external auditor evaluates it.
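As an added example (not part of the original article and not Glacier Consulting's tooling), the following Python check enforces the risk-to-control linkage that step 2 calls for: every selected control must trace to a risk or a written justification, every risk must be addressed by a control, and every new 2022 control must at least be considered. The risk register and SoA excerpt are constructed; the control identifiers are those of the 2022 edition of Annex A.

```python
from dataclasses import dataclass, field

# Subset of the eleven controls new in ISO 27001:2022 (identifiers per the 2022 edition).
NEW_2022_CONTROLS = {"5.7": "Threat intelligence", "5.23": "Information security for use of cloud services",
                     "8.9": "Configuration management", "8.10": "Information deletion",
                     "8.12": "Data leakage prevention", "8.16": "Monitoring activities"}

@dataclass
class SoAEntry:
    control: str             # Annex A control identifier, e.g. "8.10"
    applicable: bool         # True if selected, False if excluded
    justification: str = ""  # required when excluded, or when selected with no linked risk
    risks: list = field(default_factory=list)  # IDs from the risk register

def check_soa(entries, risk_register):
    """Return the findings an internal auditor would raise; an empty list means the linkage is consistent."""
    findings, covered = [], set()
    for e in entries:
        covered.update(e.risks)
        if e.applicable and not e.risks and not e.justification:
            findings.append(f"{e.control}: selected but linked to no risk and no justification")
        if not e.applicable and not e.justification:
            findings.append(f"{e.control}: excluded without a documented justification")
    for r in risk_register:
        if r not in covered:
            findings.append(f"{r}: risk is not addressed by any selected control")
    listed = {e.control for e in entries}
    for c, name in NEW_2022_CONTROLS.items():
        if c not in listed:
            findings.append(f"{c} ({name}): 2022 control not considered in the SoA")
    return findings

# Constructed sample: risk register and SoA excerpt for a used-electronics refurbisher.
RISKS = {"R1": "residual customer data on resold drives",
         "R2": "misconfigured cloud storage exposes asset records",
         "R3": "unmonitored access to the refurbishment floor",
         "R4": "build images drift from the hardened baseline"}
SOA = [
    SoAEntry("8.10", True, risks=["R1"]),
    SoAEntry("5.23", True, risks=["R2"]),
    SoAEntry("8.16", True, risks=["R3"]),
    SoAEntry("8.9", True, justification="hardening baseline required by customer contracts"),
    SoAEntry("8.12", True),   # selected, but nothing links to it: finding
    SoAEntry("5.7", False),   # excluded without justification: finding
]

if __name__ == "__main__":
    for line in check_soa(SOA, RISKS):
        print(line)
```

Run against the sample, the check reports three findings (8.12, 5.7, and the unaddressed risk R4); the justified 8.9 entry passes, which is the distinction auditors look for under the risk-based approach.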

Comparing Before & After

The ISO 27001 controls list, explained in a before-and-after view, shows why the 2022 update is easier to manage when implemented correctly. Previously, organizations had to map controls across 14 categories, often leading to overlap and confusion. The new four-category model is much easier to follow.

In addition, older controls that referenced outdated technologies have been modernized. New controls account for cloud platforms, remote work, and modern data handling practices. The result is an Annex A that is shorter, clearer, and more defensible during audits.

Get Audit-Ready with Our Help

The 2022 Annex A update is a chance for your organization to strengthen security while simplifying compliance. Glacier Consulting helps businesses move through this transition with confidence. We guide clients through every step and build systems that hold up during annual audits and across the full certification cycle. If you’re looking to implement ISO 27001 the right way, please contact us today to ask questions or request a quote.

FAQs

How long does it take to transition to ISO 27001:2022?

Most organizations complete the transition in several months, depending on the maturity of their existing system and available resources.

Do we need to implement every Annex A control?

No. Controls are selected based on risk and documented in the Statement of Applicability.

Can Annex A controls be integrated with R2 requirements?

Yes. Many information security controls align naturally with R2 data security and asset handling requirements.

Will auditors expect full technical upgrades for new controls?

Auditors focus on risk-based justification and controls that work in practice. They’re not looking for costly or unnecessary technology upgrades.

Can you support internal audits after certification?

Yes. Internal audits and system maintenance help keep your system audit-ready year after year. We provide hands-on support to manage both effectively.