Annex A of ISO/IEC 27001:2022 is a catalogue of 93 information security controls that serves as a reference list. They cover the organizational, people, physical, and technological aspects of information security. The key point: you do not have to implement all 93 controls. You implement exactly the controls that your risk assessment shows to be necessary. Which ones those are is documented and justified in the Statement of Applicability (SoA).
The four themes of Annex A (2022 version)
The 2022 revision reorganized the previous structure of 114 controls across 14 domains into 93 controls grouped under 4 themes:
| Theme | Number of controls | Examples |
| --- | --- | --- |
| Organizational controls | 37 | Policies, supplier management, incident management, access control |
| People controls | 8 | Awareness, training, employee responsibilities |
| Physical controls | 14 | Entry control, secure areas, disposal of storage media |
| Technological controls | 34 | Encryption, logging, protection against malware, backups |
The 2022 version also introduced 11 new controls, including threat intelligence, information security for cloud use, data masking, and secure coding.
How many controls do I need to implement?
There is no prescribed minimum number. What matters is your risk profile, not the list itself. The process is:
- Carry out a risk assessment: identify the risks to your assets and evaluate them.
- Select controls: choose the Annex A controls that treat the identified risks. Additional controls of your own are also permitted.
- Justify exclusions: controls that are not applicable may be excluded, provided you record a clear justification in the SoA.
- Produce the SoA: the Statement of Applicability lists all 93 controls and notes, for each one, whether it is applicable, how it is implemented, or why it was excluded.
In practice, most organizations exclude only a few controls. Annex A is not a simple checklist but a reference that ensures no relevant category of control is overlooked.
How Kertos simplifies control selection and implementation
Kertos turns the abstract control catalogue into a guided, traceable process. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:
- Risk-based control selection: the platform links your risk assessment directly to the relevant Annex A controls.
- Automatically generated SoA: the Statement of Applicability is produced from your decisions and stays current as things change.
- Templates and evidence collection: for each selected control, policies are prepared and evidence is continuously mapped.
- Expert review of exclusions: Kertos experts check your justifications so they hold up in the audit.
This approach is reflected in Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, and customers like AskUI reaching ISO 27001 certification in just 2.5 months. Instead of interpreting 93 controls manually, you implement precisely what your risk profile requires.