
ISO 27001 Annex A Control Finder (2022)

Browse, search and filter all 93 ISO/IEC 27001:2022 Annex A controls by number, theme and our plain-English summary — built to orient practitioners, with downloadable JSON/CSV.

This page does not reproduce ISO/IEC 27001:2022 control titles or normative requirements. For the official titles and the normative text of each control, refer to ISO/IEC 27001:2022 from your national standards body. This tool provides original plain-English summaries to help orient practitioners; it is not a substitute for the standard.


  • A.5.1 · Organizational (A.5) · Foundational

    Maintain a management-approved set of information security policies, communicate them to staff, and review them on a schedule and after major change.

    Typical evidence

    • Approved policy set with version history
    • Review and sign-off records
  • A.5.2 · Organizational (A.5) · Foundational

    Allocate and document who is responsible and accountable for each information security activity across the organization.

    Typical evidence

    • Roles and responsibilities matrix
    • Job descriptions referencing security duties
  • A.5.3 · Organizational (A.5) · Intermediate

    Separate conflicting duties so no single person can both perform and conceal misuse of a process.

    Typical evidence

    • Segregation-of-duties analysis
    • Approval workflows requiring a second party
  • A.5.4 · Organizational (A.5) · Foundational

    Have leadership actively require and support all staff to apply information security in line with policy.

    Typical evidence

    • Management directives on security
    • Leadership communications to staff
  • A.5.5 · Organizational (A.5) · Intermediate

    Keep working channels to reach regulators, law enforcement and supervisory bodies before they are urgently needed.

    Typical evidence

    • Authority contact list with owners
    • Records of notifications made
  • A.5.6 · Organizational (A.5) · Advanced

    Take part in security forums and professional groups to stay current on threats and good practice.

    Typical evidence

    • Membership records
    • Notes shared internally from group participation
  • A.5.7 · Organizational (A.5) · Advanced

    Use selected threat sources to turn relevant warning signs into practical security actions.

    Typical evidence

    • Threat intelligence sources and feeds
    • Analysis briefings informing controls
  • A.5.8 · Organizational (A.5) · Intermediate

    Build security requirements and risk assessment into projects from initiation onward.

    Typical evidence

    • Project security checklists
    • Risk assessments at project gates
  • A.5.9 · Organizational (A.5) · Foundational

    Maintain a current list of important information resources, supporting systems and responsible owners.

    Typical evidence

    • Asset inventory with owners
    • Periodic inventory reconciliation
  • A.5.10 · Organizational (A.5) · Foundational

    Set practical do-and-don't rules for how people use, handle and retire information resources.

    Typical evidence

    • Acceptable use policy
    • User acknowledgements
  • A.5.11 · Organizational (A.5) · Foundational

    Recover organizational assets when people leave or change role.

    Typical evidence

    • Offboarding asset-return checklist
    • Signed return records
  • A.5.12 · Organizational (A.5) · Foundational

    Grade information by sensitivity so the level of protection matches its value and legal needs.

    Typical evidence

    • Classification scheme
    • Sample classified documents
  • A.5.13 · Organizational (A.5) · Intermediate

    Mark information consistently with its classification so handling rules are unambiguous.

    Typical evidence

    • Labelling standard
    • Examples of applied labels
  • A.5.14 · Organizational (A.5) · Foundational

    Protect information moved between people, systems or organizations under agreed transfer rules.

    Typical evidence

    • Transfer agreements
    • Secure transfer mechanisms in use
  • A.5.15 · Organizational (A.5) · Foundational

    Base access decisions on documented need, risk and approved business purpose.

    Typical evidence

    • Access control policy
    • Access request and approval records
  • A.5.16 · Organizational (A.5) · Foundational

    Manage the full lifecycle of digital identities for people and services.

    Typical evidence

    • Identity lifecycle process
    • Joiner/mover/leaver records
  • A.5.17 · Organizational (A.5) · Foundational

    Issue, protect and manage passwords, tokens and other secrets used to authenticate.

    Typical evidence

    • Credential management procedure
    • Secret storage controls
  • A.5.18 · Organizational (A.5) · Foundational

    Keep user permissions current: give only what is needed, check it periodically, and remove it promptly when no longer justified.

    Typical evidence

    • Access review records
    • Timely revocation evidence
  • A.5.19 · Organizational (A.5) · Intermediate

    Address the information security risk that arises from using suppliers' products and services.

    Typical evidence

    • Supplier risk assessments
    • Supplier security policy
  • A.5.20 · Organizational (A.5) · Intermediate

    Put security expectations for suppliers into contracts or equivalent written commitments.

    Typical evidence

    • Contract security clauses
    • Signed supplier agreements
  • A.5.21 · Organizational (A.5) · Advanced

    Extend security requirements through layered ICT product and service supply chains.

    Typical evidence

    • ICT supply-chain requirements
    • Sub-supplier flow-down clauses
  • A.5.22 · Organizational (A.5) · Intermediate

    Periodically check supplier-delivered services and manage security-impacting changes.

    Typical evidence

    • Supplier service reviews
    • Change records for supplier services
  • A.5.23 · Organizational (A.5) · Intermediate

    Decide how cloud services are approved, operated and exited before using them.

    Typical evidence

    • Cloud usage policy
    • Cloud exit/portability plan
  • A.5.24 · Organizational (A.5) · Foundational

    Prepare incident roles, playbooks and tools before a real incident occurs.

    Typical evidence

    • Incident response plan
    • Defined incident roles
  • A.5.25 · Organizational (A.5) · Intermediate

    Triage detected security events to decide which qualify as incidents.

    Typical evidence

    • Event triage criteria
    • Event-to-incident decision log
  • A.5.26 · Organizational (A.5) · Foundational

    Contain, eradicate and recover from confirmed incidents following the response plan.

    Typical evidence

    • Incident response records
    • Post-containment recovery notes
  • A.5.27 · Organizational (A.5) · Intermediate

    Use lessons from incidents to strengthen controls and reduce recurrence.

    Typical evidence

    • Post-incident reviews
    • Tracked improvement actions
  • A.5.28 · Organizational (A.5) · Advanced

    Handle incident evidence in a way that preserves reliability and traceability.

    Typical evidence

    • Evidence handling procedure
    • Chain-of-custody records
  • A.5.29 · Organizational (A.5) · Intermediate

    Keep essential security protections operating during business disruption.

    Typical evidence

    • Continuity-aligned security plans
    • Disruption exercise results
  • A.5.30 · Organizational (A.5) · Intermediate

    Make sure ICT can recover within the timeframes business continuity requires.

    Typical evidence

    • ICT continuity requirements (RTO/RPO)
    • Recovery test results
  • A.5.31 · Organizational (A.5) · Foundational

    Maintain a register of outside obligations that affect security and assign owners for satisfying them.

    Typical evidence

    • Legal/regulatory requirements register
    • Compliance owner assignments
  • A.5.32 · Organizational (A.5) · Intermediate

    Manage software, content and licences so the organization respects others' IP and protects its own.

    Typical evidence

    • Software licence register
    • IP compliance checks
  • A.5.33 · Organizational (A.5) · Intermediate

    Keep required records reliable, available only to appropriate people, and retained for the required period.

    Typical evidence

    • Records retention schedule
    • Protected records storage
  • A.5.34 · Organizational (A.5) · Foundational

    Meet privacy obligations for the personal data the organization handles.

    Typical evidence

    • Privacy/PII handling procedures
    • Records of processing
  • A.5.35 · Organizational (A.5) · Intermediate

    Arrange periodic outside or impartial checks of how the security programme is working.

    Typical evidence

    • Independent review reports
    • Action plans from findings
  • A.5.36 · Organizational (A.5) · Intermediate

    Check that operations actually comply with the organization's own security policies and standards.

    Typical evidence

    • Compliance check results
    • Remediation tracking
  • A.5.37 · Organizational (A.5) · Foundational

    Write down recurring operational tasks where consistency matters for security.

    Typical evidence

    • Documented operating procedures
    • Procedure review records
  • A.6.1 · People (A.6) · Foundational

    Verify candidates' backgrounds proportionately to the role's risk, within legal limits.

    Typical evidence

    • Screening policy
    • Completed screening records
  • A.6.2 · People (A.6) · Foundational

    Include security duties in worker contracts, onboarding documents or equivalent terms.

    Typical evidence

    • Employment contract security clauses
    • Signed acknowledgements
  • A.6.3 · People (A.6) · Foundational

    Keep people current through recurring security briefings, training and role-specific learning.

    Typical evidence

    • Training plan and content
    • Completion and quiz records
  • A.6.4 · People (A.6) · Intermediate

    Operate a defined, fair process for handling violations of security policy.

    Typical evidence

    • Disciplinary process documentation
    • Anonymized case handling records
  • A.6.5 · People (A.6) · Foundational

    Define security duties that remain in force after a person leaves or changes role.

    Typical evidence

    • Post-employment obligation clauses
    • Offboarding checklist
  • A.6.6 · People (A.6) · Foundational

    Put enforceable confidentiality commitments in place for handling protected information.

    Typical evidence

    • Signed NDAs/confidentiality agreements
    • NDA register
  • A.6.7 · People (A.6) · Intermediate

    Protect information when people work away from organizational premises.

    Typical evidence

    • Remote working policy
    • Secure remote access controls
  • A.6.8 · People (A.6) · Foundational

    Give people an easy, well-known way to report observed security events promptly.

    Typical evidence

    • Event reporting channel
    • Reported event log
  • A.7.1 · Physical (A.7) · Foundational

    Use walls, doors, barriers or equivalent boundaries to separate sensitive work areas from public or lower-trust space.

    Typical evidence

    • Site security plans
    • Perimeter inspection records
  • A.7.2 · Physical (A.7) · Foundational

    Control who may physically enter secure areas and when.

    Typical evidence

    • Access control system logs
    • Visitor management records
  • A.7.3 · Physical (A.7) · Intermediate

    Make workspaces and facilities harder to misuse, enter or damage.

    Typical evidence

    • Facility security design notes
    • Room hardening measures
  • A.7.4 · Physical (A.7) · Intermediate

    Use alarms, surveillance, patrols or logs to spot and respond to unwanted entry attempts.

    Typical evidence

    • Surveillance/monitoring configuration
    • Alarm response records
  • A.7.5 · Physical (A.7) · Intermediate

    Guard facilities against fire, flood, power loss and similar environmental hazards.

    Typical evidence

    • Environmental risk assessment
    • Protection systems test logs
  • A.7.6 · Physical (A.7) · Intermediate

    Set rules for how people behave and work inside sensitive areas.

    Typical evidence

    • Secure-area working rules
    • Acknowledged briefings
  • A.7.7 · Physical (A.7) · Foundational

    Leave no sensitive information exposed on desks or unattended screens.

    Typical evidence

    • Clear desk/screen policy
    • Walkthrough inspection results
  • A.7.8 · Physical (A.7) · Intermediate

    Place and secure equipment so location, environment and access risks are reduced.

    Typical evidence

    • Equipment placement standards
    • Protection measures records
  • A.7.9 · Physical (A.7) · Intermediate

    Protect devices and assets used or stored away from organizational sites.

    Typical evidence

    • Off-site asset policy
    • Tracking of off-site equipment
  • A.7.10 · Physical (A.7) · Foundational

    Track and protect storage media from first use through retirement.

    Typical evidence

    • Media handling procedure
    • Secure media destruction certificates
  • A.7.11 · Physical (A.7) · Intermediate

    Provide resilience for utilities that critical equipment depends on.

    Typical evidence

    • UPS/generator test logs
    • Utility resilience design
  • A.7.12 · Physical (A.7) · Advanced

    Route and shield important cables so they are harder to tap, tamper with or accidentally break.

    Typical evidence

    • Cabling protection measures
    • Cabling route documentation
  • A.7.13 · Physical (A.7) · Intermediate

    Maintain equipment so it stays available and secure.

    Typical evidence

    • Maintenance schedule
    • Maintenance records with security checks
  • A.7.14 · Physical (A.7) · Foundational

    Before redeploying or discarding equipment, wipe sensitive content and clear licensed software where required.

    Typical evidence

    • Sanitization procedure
    • Disposal/reuse certificates
  • A.8.1 · Technological (A.8) · Foundational

    Apply baseline protections to laptops, phones and other user devices that handle organizational information.

    Typical evidence

    • Endpoint hardening baseline
    • MDM/endpoint protection reports
  • A.8.2 · Technological (A.8) · Foundational

    Tightly restrict and monitor elevated administrative access.

    Typical evidence

    • Privileged access register
    • Privileged session logs/reviews
  • A.8.3 · Technological (A.8) · Foundational

    Limit access to information and functions to what each user needs.

    Typical evidence

    • Access restriction rules
    • Role-permission mappings
  • A.8.4 · Technological (A.8) · Intermediate

    Limit repository and build-system access to people and services with a justified need.

    Typical evidence

    • Repository access controls
    • Branch protection settings
  • A.8.5 · Technological (A.8) · Foundational

    Use authentication strength and techniques matched to the access risk.

    Typical evidence

    • MFA enforcement evidence
    • Authentication policy
  • A.8.6 · Technological (A.8) · Intermediate

    Monitor and tune resource use so systems stay available under load.

    Typical evidence

    • Capacity monitoring dashboards
    • Capacity planning records
  • A.8.7 · Technological (A.8) · Foundational

    Apply layered defences and user awareness against malicious code.

    Typical evidence

    • Anti-malware coverage reports
    • Awareness on malware risks
  • A.8.8 · Technological (A.8) · Foundational

    Find, assess and remediate technical vulnerabilities in good time.

    Typical evidence

    • Vulnerability scan reports
    • Patch/remediation SLAs and records
  • A.8.9 · Technological (A.8) · Foundational

    Keep system and software settings aligned to approved secure baselines.

    Typical evidence

    • Hardening baselines
    • Configuration drift reports
  • A.8.10 · Technological (A.8) · Intermediate

    Delete information that is no longer needed to limit exposure and meet obligations.

    Typical evidence

    • Deletion/retention rules
    • Deletion execution evidence
  • A.8.11 · Technological (A.8) · Advanced

    Mask or limit exposure of sensitive data such as personal data.

    Typical evidence

    • Data masking rules
    • Masked non-production datasets
  • A.8.12 · Technological (A.8) · Advanced

    Detect and prevent unauthorized disclosure of sensitive data.

    Typical evidence

    • DLP policy and rules
    • DLP alert handling records
  • A.8.13 · Technological (A.8) · Foundational

    Create protected backups and prove that restoration works.

    Typical evidence

    • Backup schedule and scope
    • Successful restore test records
  • A.8.14 · Technological (A.8) · Advanced

    Add failover capacity where outages would exceed the organization's tolerance.

    Typical evidence

    • Redundancy architecture
    • Failover test results
  • A.8.15 · Technological (A.8) · Foundational

    Record activities and events so they can be reviewed and investigated.

    Typical evidence

    • Logging standard
    • Sample protected log stores
  • A.8.16 · Technological (A.8) · Intermediate

    Use technical monitoring to spot unusual activity and route alerts for investigation.

    Typical evidence

    • Monitoring use cases/alerts
    • Alert triage records
  • A.8.17 · Technological (A.8) · Intermediate

    Keep system time aligned so event timelines can be trusted.

    Typical evidence

    • Time source configuration
    • Clock drift monitoring
  • A.8.18 · Technological (A.8) · Intermediate

    Limit tools that can bypass ordinary controls to approved users and logged use.

    Typical evidence

    • Restricted utility inventory
    • Use authorization records
  • A.8.19 · Technological (A.8) · Intermediate

    Allow only approved software to be installed onto live operational systems.

    Typical evidence

    • Software installation policy
    • Approved software baseline
  • A.8.20 · Technological (A.8) · Foundational

    Secure networks and the devices that operate them.

    Typical evidence

    • Network security configuration
    • Device hardening evidence
  • A.8.21 · Technological (A.8) · Intermediate

    Set security expectations for network services and check they are followed.

    Typical evidence

    • Network service security requirements
    • Service monitoring records
  • A.8.22 · Technological (A.8) · Intermediate

    Split networks into zones to contain risk and limit lateral movement.

    Typical evidence

    • Network segmentation design
    • Inter-zone rule reviews
  • A.8.23 · Technological (A.8) · Intermediate

    Use browsing controls to steer users away from known risky or unsuitable web destinations.

    Typical evidence

    • Web filtering policy/categories
    • Filtering enforcement reports
  • A.8.24 · Technological (A.8) · Intermediate

    Apply cryptography and manage keys under a defined policy.

    Typical evidence

    • Cryptography and key management policy
    • Key lifecycle records
  • A.8.25 · Technological (A.8) · Intermediate

    Build security into software across the whole development life cycle.

    Typical evidence

    • Secure SDLC definition
    • Phase-gate security checks
  • A.8.26 · Technological (A.8) · Intermediate

    Identify and apply security requirements specific to applications.

    Typical evidence

    • Application security requirements
    • Requirement traceability
  • A.8.27 · Technological (A.8) · Advanced

    Use secure design principles when planning and reviewing systems.

    Typical evidence

    • Secure architecture principles
    • Design review records
  • A.8.28 · Technological (A.8) · Intermediate

    Use coding practices intended to prevent common security flaws.

    Typical evidence

    • Secure coding standard
    • Code review/SAST findings handling
  • A.8.29 · Technological (A.8) · Intermediate

    Check security before new or changed software is accepted.

    Typical evidence

    • Security test plans
    • Acceptance test results
  • A.8.30 · Technological (A.8) · Advanced

    Direct and verify security where development work is outsourced.

    Typical evidence

    • Outsourced dev security requirements
    • Supplier assurance reviews
  • A.8.31 · Technological (A.8) · Intermediate

    Keep non-production work from affecting live systems through separate access, data and infrastructure boundaries.

    Typical evidence

    • Environment separation design
    • Access boundaries between environments
  • A.8.32 · Technological (A.8) · Foundational

    Control changes to systems so security is preserved through change.

    Typical evidence

    • Change management procedure
    • Change approval and test records
  • A.8.33 · Technological (A.8) · Intermediate

    Select and protect data used for testing.

    Typical evidence

    • Test data selection rules
    • Protection of test datasets
  • A.8.34 · Technological (A.8) · Advanced

    Scope audit testing so live systems are not exposed or disrupted.

    Typical evidence

    • Audit test plans with safeguards
    • Scheduling/scoping agreements

FAQ

Are these the official ISO 27001 control titles?
No. We deliberately do not reproduce the official ISO/IEC 27001:2022 control titles or normative text — those are protected. Each entry uses the control number plus our own original plain-English summary of the control's theme. For the official wording, consult ISO/IEC 27001:2022 via your national standards body.
How many controls are in Annex A:2022?
93, grouped into four themes: Organizational (A.5, 37 controls), People (A.6, 8), Physical (A.7, 14) and Technological (A.8, 34). The 2022 revision restructured the 114 controls of the 2013 edition into these 93.
What is the 'rollout stage' tag?
It is our editorial view of where a control commonly sits in an implementation journey (foundational, intermediate, advanced) — a planning aid only. It is not part of ISO 27001 and does not imply any control is optional; your Statement of Applicability is driven by your risk assessment.
Can I use the summaries in my ISMS documentation?
You can use them to orient your team, but your ISMS should reference the actual control wording from the standard. Treat these summaries as a fast index, not as the controls themselves.
Do you store anything I do here?
No. Search and filtering run entirely in your browser. There is no form gate and we do not capture your inputs. JSON/CSV export is generated locally.

By ISMS Copilot. Structure based on ISO/IEC 27001:2022 Annex A. Summaries are original editorial content; refer to the standard from your national standards body for official titles and normative requirements.
