Independent cost guide. Not affiliated with any certification body or compliance platform. Estimates based on published rates and practitioner experience. Always obtain a formal quote.

ISO 27001 Annex A Controls - All 93 Controls Explained

ISO 27001:2022 includes 93 controls across 4 themes. Here is every control with implementation effort ratings and cost context to help you plan your budget.

Updated April 2026

At a glance:

93 controls in total (Annex A)
37 Organisational controls (A.5)
8 People controls (A.6) + 14 Physical controls (A.7)
34 Technological controls (A.8)

Not all controls are mandatory

You must assess which controls are applicable based on your risk assessment and document justification in the Statement of Applicability. Controls not applicable must still be listed with an exclusion reason. In practice, most organisations implement 70-85 of the 93 controls.

A.5 Organisational Controls
37 controls | Cost: Low-Medium

Policies, procedures, roles, and governance. Documentation-heavy but low external cost. Most controls are policy-based and require internal time rather than tool investment.

Control | Implementation effort
5.1 Policies for information security | Low
5.2 Information security roles and responsibilities | Low
5.3 Segregation of duties | Medium
5.4 Management responsibilities | Low
5.5 Contact with authorities | Low
5.6 Contact with special interest groups | Low
5.7 Threat intelligence | Medium
5.8 Information security in project management | Medium
5.9 Inventory of information and associated assets | Medium
5.10 Acceptable use of information and assets | Low
5.11 Return of assets | Low
5.12 Classification of information | Medium
5.13 Labelling of information | Medium
5.14 Information transfer | Medium
5.15 Access control | High
5.16 Identity management | High
5.17 Authentication information | Medium
5.18 Access rights | High
5.19 Information security in supplier relationships | High
5.20 Addressing security in supplier agreements | Medium
5.21 Managing security in the ICT supply chain | High
5.22 Monitoring and review of supplier services | Medium
5.23 Information security for cloud services | High
5.24 Incident management planning and preparation | Medium
5.25 Assessment and decision on security events | Medium
5.26 Response to information security incidents | Medium
5.27 Learning from information security incidents | Low
5.28 Collection of evidence | Medium
5.29 Information security during disruption | High
5.30 ICT readiness for business continuity | High
5.31 Legal, statutory, regulatory requirements | Medium
5.32 Intellectual property rights | Low
5.33 Protection of records | Medium
5.34 Privacy and protection of PII | High
5.35 Independent review of information security | Medium
5.36 Compliance with policies and standards | Medium
5.37 Documented operating procedures | Medium
A.6 People Controls
8 controls | Cost: Low

HR-related controls from screening to off-boarding. These primarily require policy changes and training investment: low external cost, but they need HR department engagement.

Control | Implementation effort
6.1 Screening | Medium
6.2 Terms and conditions of employment | Low
6.3 Security awareness, education and training | Medium
6.4 Disciplinary process | Low
6.5 Responsibilities after termination | Low
6.6 Confidentiality or non-disclosure agreements | Low
6.7 Remote working | Medium
6.8 Information security event reporting | Medium
A.7 Physical Controls
14 controls | Cost: Variable

Physical security for premises, equipment, and media. Cost is highly variable: cloud-native remote companies may exclude most of these, while organisations with offices and data centres need significant investment.

Control | Implementation effort
7.1 Physical security perimeters | High
7.2 Physical entry | High
7.3 Securing offices, rooms and facilities | Medium
7.4 Physical security monitoring | High
7.5 Protecting against physical and environmental threats | Medium
7.6 Working in secure areas | Low
7.7 Clear desk and clear screen | Low
7.8 Equipment siting and protection | Medium
7.9 Security of assets off-premises | Medium
7.10 Storage media | Medium
7.11 Supporting utilities | Medium
7.12 Cabling security | Low
7.13 Equipment maintenance | Low
7.14 Secure disposal or re-use of equipment | Medium
A.8 Technological Controls
34 controls | Cost: High

Technical controls covering endpoints, access management, encryption, vulnerability management, logging, and secure development. The most expensive theme, because of potential tool purchases (SIEM, MDM, DLP, endpoint protection).

Control | Implementation effort
8.1 User endpoint devices | High
8.2 Privileged access rights | High
8.3 Information access restriction | High
8.4 Access to source code | Medium
8.5 Secure authentication | High
8.6 Capacity management | Low
8.7 Protection against malware | High
8.8 Management of technical vulnerabilities | High
8.9 Configuration management | High
8.10 Information deletion | Medium
8.11 Data masking | Medium
8.12 Data leakage prevention | High
8.13 Information backup | Medium
8.14 Redundancy of information processing facilities | High
8.15 Logging | High
8.16 Monitoring activities | High
8.17 Clock synchronisation | Low
8.18 Use of privileged utility programs | Medium
8.19 Installation of software on operational systems | Medium
8.20 Networks security | High
8.21 Security of network services | Medium
8.22 Segregation of networks | High
8.23 Web filtering | Medium
8.24 Use of cryptography | High
8.25 Secure development lifecycle | High
8.26 Application security requirements | Medium
8.27 Secure system architecture and engineering | High
8.28 Secure coding | High
8.29 Security testing in development | High
8.30 Outsourced development | Medium
8.31 Separation of dev, test and production | Medium
8.32 Change management | Medium
8.33 Test information | Low
8.34 Protection during audit testing | Low

Cross-Framework Control Mapping

ISO 27001 Annex A controls overlap significantly with other frameworks:

SOC 2 Trust Services Criteria

80-90% overlap. See ISO 27001 vs SOC 2.

PCI DSS

60-70% overlap. Technical controls align closely. See pcicompliancecost.com.

GDPR Article 32

Strong alignment on data protection controls. See gdprfine.com.

Zero Trust Architecture

Controls 8.1-8.5 align with zero trust principles. See zerotrustcost.com.

Frequently Asked Questions

Are all 93 Annex A controls mandatory?
No. ISO 27001 does not require every control to be implemented. You must assess which controls are applicable based on your risk assessment and document your justification in the Statement of Applicability (SoA). Controls that are not applicable must still be listed in the SoA with a justification for exclusion. In practice, most organisations implement 70-85 of the 93 controls.
What changed in ISO 27001:2022?
ISO 27001:2022 reduced Annex A from 114 controls (in 14 clauses) to 93 controls in 4 themes. Eleven new controls were added, including threat intelligence, cloud security, data masking, data leakage prevention, and secure coding. The deadline for transitioning from the 2013 version to the 2022 version was October 2025; all new certifications must use the 2022 version.
Which controls are most expensive to implement?
Technological controls (A.8) are typically the most expensive because they may require purchasing new tools: SIEM, endpoint protection, MDM, DLP, and backup solutions. Organisational controls (A.5) are documentation-heavy but low cost. People controls (A.6) require training investment. Physical controls (A.7) vary significantly based on whether you have physical premises in scope.
Which controls can I exclude from scope?
Common exclusions include: physical controls (A.7) for fully remote companies, secure coding (A.8.28) for companies that do no software development, data masking (A.8.11) where no sensitive data is processed, and certain supplier controls (A.5.21-A.5.22) for companies with minimal third-party dependencies. Every exclusion must be justified in the Statement of Applicability.

Updated 2026-04-27