Explore the ISO 27001 controls list for 2026, with Annex A domains and practical audit tips.

Achieving ISO 27001 certification often feels like trying to solve a complex puzzle, with Annex A standing as its centerpiece. This annex provides a detailed catalog of information security controls that serve as the practical foundation for any effective Information Security Management System (ISMS). However, treating it as a simple compliance checklist is a common mistake. Instead, it should be viewed as a strategic framework for building genuine, long-term security resilience within an organization.
Many compliance managers and GRC teams find themselves overwhelmed by the sheer volume of requirements in the ISO 27001 controls list. They struggle to accurately interpret each control’s purpose, gather the right evidence, and map these security measures to their existing business operations. This often leads to inefficient implementation and potential gaps in their security posture.
This guide is designed to provide clarity and direction. We will systematically break down the complete ISO 27001 controls list, transforming it from a daunting obstacle into a clear roadmap for robust security. You'll get more than just definitions; we will provide actionable insights for each control domain.
Inside this comprehensive roundup, you will find:
- A detailed explanation of each control group.
- Key differences between the 2013 and 2022 revisions of Annex A.
- Practical implementation tips and real-world examples.
- Guidance on how to streamline gap assessments and evidence collection.
By the end, you will understand not only what each control requires but also how to implement it effectively to build a truly secure and compliant ISMS.
The Information Security Policies domain (A.5 in ISO 27001:2013, consolidated into a single control 5.1 in the 2022 revision) establishes the governance bedrock for an organization's Information Security Management System (ISMS). This foundational control requires management to define, approve, publish, and communicate a clear set of policies. These documents provide direction and formal support for information security, ensuring that all security activities align with broader business requirements and relevant laws.

Without a formal, management-endorsed policy framework, security efforts become disjointed, inconsistent, and difficult to enforce. This control ensures that the entire organization, from top-level executives to new hires, understands their security responsibilities. A well-defined policy set is the first piece of evidence an auditor will request, as it demonstrates management's commitment and sets the tone for the entire ISMS.
Success Stories:
- Healthcare: A hospital integrates HIPAA's patient data protection rules directly into its core information security policy, making compliance a mandatory part of its security posture.
- Finance: A fintech firm aligns its information security policies with both ISO 27001 and PCI-DSS, creating a unified framework that addresses multiple regulatory demands efficiently.
Actionable Advice:
- Start with a Gap Analysis: Before writing new policies, map your existing documentation against the standard. An automated platform can quickly highlight where your current documents fall short of the comprehensive ISO 27001 requirements.
- Make Policies Accessible: Avoid a single, monolithic policy document. Create a main policy and support it with topic-specific policies (e.g., Access Control, Cryptography). Develop concise, role-based summaries for employees.
- Maintain Rigorous Control: Implement a document management system with version control. Each policy must have an owner, a review date, and a change log.
- Schedule Regular Reviews: Policies are not static. Tie their review cycle to your internal audit schedule, ensuring they are formally reviewed and updated at least annually or when significant organizational changes occur.
The Organization of Information Security domain establishes the internal framework for managing and governing information security. In the 2013 version, A.6 covers the internal organization and mobile devices, while the 2022 revision integrates these concepts into controls 5.2 (Information security roles and responsibilities) and 5.3 (Segregation of duties). This area ensures that security is not an isolated IT function but a structured, organization-wide responsibility with clear lines of authority and communication. It mandates defining roles, assigning responsibilities, and establishing a governance structure to oversee the ISMS.
Without a defined organizational structure for security, accountability becomes ambiguous, and critical tasks can be overlooked. This control provides the "who" and "how" of security management, ensuring that specific individuals or groups are responsible for protecting information assets. An auditor will look for evidence of this structure, such as a formal security committee charter or documented roles, to confirm that security governance is actively managed and not just a paper exercise. This part of the ISO 27001 controls list is vital for operationalizing security.
Success Stories:
- Manufacturing: A large manufacturing firm integrates cybersecurity responsibilities into its supplier management program, creating clear security evaluation criteria for all third-party vendors who access its network.
- Healthcare: A hospital network forms a cross-departmental security committee that includes IT, compliance, legal, and clinical staff to ensure security decisions account for patient care and regulatory needs.
- Finance: A major bank establishes a Chief Information Security Officer (CISO) role that reports directly to executive leadership, giving security a strategic voice in all business decisions.
Actionable Advice:
- Document with RACI: Use a RACI (Responsible, Accountable, Consulted, Informed) matrix to clearly define and document information security roles and responsibilities. This eliminates confusion over who owns specific security tasks.
- Establish a Security Forum: Create a formal information security committee or forum with a defined charter, members from various business units, and a regular meeting schedule with set agendas and minutes.
- Map Your Current Structure: Before creating new roles, map your existing organizational chart against the control requirements to identify where responsibilities are undefined or need to be formalized.
- Automate Evidence Collection: An automated tool can analyze existing documents like HR job descriptions, committee charters, and project plans to extract and map evidence of defined roles, fulfilling audit requirements faster.
Human Resource Security (A.7 in ISO 27001:2013, now addressed in controls 5.2, 5.3, 6.3, 6.4, 6.5, and 6.8 in the 2022 revision) focuses on the "human element" of information security. This domain establishes controls for managing security responsibilities for individuals throughout their entire employment lifecycle, from pre-employment screening to their departure from the organization. It recognizes that people are a primary asset but also a significant vulnerability, making controls around them crucial for preventing both accidental and intentional security incidents.
A well-implemented HR security program ensures that employees, contractors, and third-party users understand and fulfill their security responsibilities. Without these controls, an organization is highly susceptible to insider threats, social engineering, and simple human error. Auditors scrutinize HR security to verify that appropriate background checks are conducted, security awareness training is effective, and a formal disciplinary process exists, demonstrating that security is embedded in the organizational culture.
Success Stories:
- Defense: A contractor requires extensive background clearances and nationality verification for all personnel with access to sensitive project data, directly meeting contractual and regulatory security requirements.
- Healthcare: A hospital system conducts mandatory criminal background checks for all staff handling patient health information (PHI) to comply with HIPAA, alongside annual security and privacy training.
- Finance: A major bank establishes clear disciplinary procedures, including clawback clauses for bonuses, in cases where employee negligence or misconduct leads to a significant data breach.
Actionable Advice:
- Tier Your Training: Develop role-specific security awareness training. General staff might receive baseline training, while developers get specialized secure coding instruction and finance teams learn about specific financial fraud schemes.
- Embed Security in Job Descriptions: Clearly state security responsibilities and behavioral expectations in job descriptions. This sets the tone from the very beginning of the recruitment process.
- Document Everything: Maintain meticulous records of background verification checks, signed confidentiality agreements, and training completion. These documents are critical audit evidence.
- Formalize the Exit Process: Implement a comprehensive termination checklist to ensure all physical and logical access is immediately revoked upon an employee's departure, including disabling system accounts, collecting assets, and revoking building access.
The Asset Management domain (A.8 in ISO 27001:2013, consolidated into control 5.9 and related controls in the 2022 revision) establishes the processes needed to identify, classify, and protect information assets throughout their lifecycle. This control requires an organization to maintain an inventory of all valuable assets, from hardware and software to sensitive data. Asset management is foundational to the entire ISO 27001 controls list; an organization cannot protect what it does not know it has.

Without a comprehensive asset inventory and clear classification scheme, applying other controls like access control or encryption becomes an exercise in guesswork. This domain ensures that security measures are applied proportionately to an asset's value and sensitivity. For an auditor, a well-maintained asset register is direct evidence that the organization has visibility and control over its information environment, which is a prerequisite for a mature ISMS.
Success Stories:
- Manufacturing: A firm tracks its intellectual property, including proprietary designs and trade secrets, as high-value assets. This allows it to apply stringent access controls and monitoring to the specific systems where this data resides.
- University: A research university manages vast datasets with differential protection levels. By classifying research data based on funding requirements and privacy concerns, it ensures compliance while fostering academic collaboration.
Actionable Advice:
- Automate Discovery: Manually tracking assets is inefficient and prone to error. Use automated discovery tools to scan your network and cloud environments to build and maintain a current inventory of hardware and software assets.
- Simplify Classification: Create a simple, clear data classification scheme with documented criteria. A four-tier model like Public, Internal, Confidential, and Restricted is a common and effective starting point.
- Assign Ownership: Every asset must have an assigned owner who is responsible for its protection and proper handling throughout its lifecycle. This creates clear accountability for asset security.
- Document Disposal Securely: Establish formal procedures for the secure disposal of media and hardware. Maintain records, such as certificates of destruction, to provide auditors with verifiable evidence of compliance.
Access Control is a critical domain governing how users and systems access information and resources. In the 2013 version of the standard, this was covered in Annex A.9; the 2022 revision refines and distributes these controls across sections 5.15, 5.16, 5.17, 5.18, and 8.1-8.5. This area is fundamental to preventing unauthorized access, protecting against data breaches, and maintaining the principle of least privilege by ensuring users only have access to the information necessary for their roles.
Properly implemented access controls are the primary technical defense against many common attack vectors. This domain encompasses everything from user registration and authentication to privilege management and access reviews. For an auditor, weak access controls are a significant red flag, as they indicate a high risk of data compromise. A robust access control framework demonstrates that an organization is serious about protecting its sensitive assets from both external and internal threats.
Success Stories:
- Banking: A major bank implements mandatory multi-factor authentication (MFA) for all employee and administrative access, drastically reducing the risk of credential-based attacks.
- Healthcare: A hospital system enforces strict role-based access control (RBAC), limiting access to patient electronic health records (EHR) based on a clinician's specific job function and department.
- Technology: A SaaS company adopts a zero-trust architecture, where every access request is continuously verified, regardless of whether it originates from inside or outside the network.
Actionable Advice:
- Prioritize MFA: Immediately implement multi-factor authentication for all remote access, privileged accounts, and access to critical systems. This is often considered a baseline security measure.
- Document Segregation of Duties: Clearly define and document segregation of duties requirements for key roles and systems to prevent conflicts of interest and reduce opportunities for fraud.
- Conduct Regular Access Reviews: Schedule and perform quarterly access reviews for all critical systems. Maintain documented evidence of these reviews, including approvals and any access modifications.
- Centralize Identity Management: Whenever possible, use a centralized Identity and Access Management (IAM) solution. This simplifies user provisioning, de-provisioning, and overall access administration. You can learn more by understanding the role of different tests of controls that auditors will perform.
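The quarterly access review and the exit-process checklist above, as an added example that is not part of the original article: a script that reconciles an IAM account export against the HR roster and flags orphaned, unowned, dormant and unreviewed privileged accounts, producing the per-issue counts an auditor asks for. The export fields, the 90-day windows and the sample rows are assumptions constructed for the example.

```python
"""Quarterly access review: reconcile IAM accounts against the HR roster.

Added example, not the article's own tooling. The HR and IAM export
fields, the 90-day review and dormancy windows, and the sample rows are
assumptions constructed so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_WINDOW = timedelta(days=90)   # assumed: privileged access re-approved quarterly
DORMANT_AFTER = timedelta(days=90)   # assumed: no login for a quarter => dormant


@dataclass(frozen=True)
class Person:
    emp_id: str
    name: str
    status: str                      # "active" or "terminated"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]            # accountable owner; None if nobody is recorded
    system: str
    privileged: bool
    mfa: bool
    last_login: Optional[date]
    last_reviewed: Optional[date]    # last documented approval of this access


@dataclass(frozen=True)
class Finding:
    username: str
    system: str
    issue: str
    detail: str


def review_access(people: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means clean."""
    roster = {p.emp_id: p for p in people}
    findings: List[Finding] = []
    for a in accounts:
        # Ownership: every account needs an accountable, still-employed owner.
        if a.emp_id is None:
            findings.append(Finding(a.username, a.system, "unowned",
                                    "no accountable owner recorded"))
        elif a.emp_id not in roster:
            findings.append(Finding(a.username, a.system, "orphaned",
                                    f"owner {a.emp_id} is not in the HR roster"))
        elif roster[a.emp_id].status == "terminated":
            findings.append(Finding(a.username, a.system, "orphaned",
                                    f"owner left on {roster[a.emp_id].left_on}; "
                                    "exit checklist did not revoke this access"))
        # Privileged access: MFA required, and re-approved every quarter.
        if a.privileged:
            if not a.mfa:
                findings.append(Finding(a.username, a.system, "privileged_no_mfa",
                                        "privileged account without MFA"))
            if a.last_reviewed is None or today - a.last_reviewed > REVIEW_WINDOW:
                findings.append(Finding(a.username, a.system, "review_overdue",
                                        f"last reviewed {a.last_reviewed}"))
        # Dormancy: unused accounts are a standing credential risk.
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append(Finding(a.username, a.system, "dormant",
                                    f"last login {a.last_login}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type, the figure an auditor asks for first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample data (not real people or systems).
TODAY = date(2026, 1, 15)
PEOPLE = [
    Person("E100", "Ana Ruiz", "active"),
    Person("E101", "Ben Okafor", "terminated", date(2025, 11, 30)),
    Person("E102", "Chen Wei", "active"),
]
ACCOUNTS = [
    Account("aruiz", "E100", "erp", False, True, date(2026, 1, 10), date(2025, 12, 1)),
    Account("bokafor", "E101", "erp", False, True, date(2025, 11, 28), date(2025, 12, 1)),
    Account("cwei-admin", "E102", "erp", True, False, date(2026, 1, 14), date(2025, 9, 1)),
    Account("svc-backup", None, "backup", True, True, date(2026, 1, 15), date(2025, 12, 20)),
    Account("ghost", "E999", "vpn", False, True, date(2025, 8, 1), None),
]

if __name__ == "__main__":
    for f in review_access(PEOPLE, ACCOUNTS, TODAY):
        print(f"{f.system:8} {f.username:12} {f.issue:18} {f.detail}")
    print(summarize(review_access(PEOPLE, ACCOUNTS, TODAY)))
```

Keeping the Finding records (or the printed table) from each run is the documented evidence of the review the auditor will ask for.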
The Cryptography domain (A.10 in ISO 27001:2013, refined as control 8.24 in the 2022 revision) mandates the use of cryptographic controls to protect the confidentiality, integrity, and authenticity of information. It addresses the entire lifecycle of cryptographic measures, from policy and standards development to key management. Effective cryptography renders data unusable to unauthorized parties, acting as a critical technical safeguard for sensitive information both at rest and in transit.

Without a formal cryptographic strategy, an organization’s most valuable data assets remain exposed, even if other security layers like firewalls are breached. This set of controls is fundamental for meeting regulatory requirements (like GDPR and PCI-DSS) and protecting intellectual property. An auditor will scrutinize not just the use of encryption but also the robustness of the key management processes that support it, making it a high-priority area in any ISO 27001 controls list.
Success Stories:
- E-commerce: A payment processor adheres to PCI-DSS by using AES-256 to encrypt all stored cardholder data, preventing data theft even if database servers are compromised.
- Healthcare: A hospital system encrypts all electronic protected health information (ePHI) during transmission between facilities using TLS 1.2+, meeting HIPAA’s technical safeguard requirements.
- Cloud Services: A SaaS provider uses transparent data encryption offered by its cloud vendor (e.g., AWS KMS) to secure all customer data at rest, providing a baseline of protection without impacting application performance.
Actionable Advice:
- Establish a Cryptographic Policy: Your policy must define approved algorithms (e.g., AES-256 for data at rest), key lengths, and protocols (e.g., TLS 1.2+ for data in transit). Prohibit the use of weak or deprecated standards.
- Master Key Management: Implement a secure key management lifecycle, including generation, storage, distribution, rotation, and destruction. Use Hardware Security Modules (HSMs) for high-assurance applications.
- Automate Key Rotation: Manual key rotation is prone to error and neglect. Automate the process wherever possible to reduce the window of opportunity for attackers to compromise a key.
- Maintain a Crypto Inventory: Document where cryptography is used, what data it protects, the algorithms in use, and the location of corresponding keys. An automated platform can accelerate this by scanning documentation and configurations to identify systems and data flows that require encryption.
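The cryptographic policy, key rotation and crypto inventory advice above, as an added example that is not part of the original article: a check that runs an inventory of crypto assets against the policy's approved algorithms, minimum key sizes, TLS floor, rotation interval and key storage requirement, reporting each deviation. The policy values and the inventory rows are assumptions constructed for the example; substitute your organisation's approved list.

```python
"""Check a cryptographic inventory against a written crypto policy.

Added example, not the article's own tooling. The policy values (approved
algorithms, minimum key sizes, TLS floor, rotation interval, trusted key
stores) and the inventory rows are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed policy: approved algorithm -> minimum key length in bits.
APPROVED = {"AES": 256, "ChaCha20": 256, "RSA": 2048, "ECDSA-P256": 256}
# Primitives the policy prohibits outright (deprecated or broken).
DEPRECATED = {"DES", "3DES", "RC4", "Blowfish", "MD5", "SHA1"}
MIN_TLS = (1, 2)                      # "TLS 1.2+ for data in transit"
MAX_KEY_AGE = timedelta(days=365)     # assumed annual rotation
TRUSTED_KEY_STORES = {"HSM", "KMS"}   # assumed: keys live in an HSM or cloud KMS


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    protects: str                     # what data the key/protocol protects
    algorithm: str
    key_bits: int
    key_created: date
    key_store: str                    # "HSM", "KMS", "file", ...
    tls_versions: Tuple[str, ...] = ()  # TLS versions enabled, if used in transit


def tls_tuple(version: str) -> Tuple[int, int]:
    """'1.2' -> (1, 2) so versions compare numerically."""
    major, minor = version.split(".")
    return int(major), int(minor)


def check_asset(a: CryptoAsset, today: date) -> List[str]:
    """Return every policy deviation for one inventory entry."""
    issues: List[str] = []
    if a.algorithm in DEPRECATED:
        issues.append(f"deprecated algorithm {a.algorithm}")
    elif a.algorithm not in APPROVED:
        issues.append(f"algorithm {a.algorithm} is not on the approved list")
    elif a.key_bits < APPROVED[a.algorithm]:
        issues.append(f"{a.algorithm} key of {a.key_bits} bits is below minimum "
                      f"{APPROVED[a.algorithm]}")
    weak = [v for v in a.tls_versions if tls_tuple(v) < MIN_TLS]
    if weak:
        issues.append("TLS versions below policy floor enabled: " + ", ".join(weak))
    if today - a.key_created > MAX_KEY_AGE:
        issues.append(f"key rotation overdue (created {a.key_created})")
    if a.key_store not in TRUSTED_KEY_STORES:
        issues.append(f"key held in '{a.key_store}' rather than an HSM/KMS")
    return issues


def audit_inventory(assets: List[CryptoAsset], today: date) -> Dict[str, List[str]]:
    """Map each system to its list of deviations (empty list = compliant)."""
    return {a.system: check_asset(a, today) for a in assets}


# Constructed inventory rows (not real systems).
TODAY = date(2026, 1, 15)
ASSETS = [
    CryptoAsset("payments-db", "stored cardholder data", "AES", 256,
                date(2025, 6, 1), "KMS"),
    CryptoAsset("legacy-vpn", "site-to-site tunnel", "3DES", 168,
                date(2023, 1, 10), "file", ("1.0", "1.2")),
    CryptoAsset("api-gateway", "customer API traffic", "RSA", 1024,
                date(2025, 11, 1), "HSM", ("1.2", "1.3")),
    CryptoAsset("backup-archive", "offsite backups", "AES", 256,
                date(2024, 10, 1), "KMS"),
]

if __name__ == "__main__":
    for system, issues in audit_inventory(ASSETS, TODAY).items():
        print(system, "OK" if not issues else "; ".join(issues))
```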
The Physical and Environmental Security domain (A.11 in ISO 27001:2013, restructured into controls 7.1 to 7.4 in the 2022 revision) addresses the protection of an organization’s premises, equipment, and information from physical threats. This includes unauthorized access, theft, damage from fire or flood, and environmental failures. These controls ensure that information assets are housed in secure locations with appropriate environmental conditions and physical access restrictions.
Effective physical security is a foundational layer of any ISMS. Without it, even the most advanced logical and technical controls can be easily bypassed. If an unauthorized individual can simply walk into a server room and remove a hard drive, sophisticated firewalls and encryption become irrelevant. This control demonstrates that an organization has considered and mitigated risks to the tangible infrastructure that supports its information assets, a critical component of any comprehensive ISO 27001 controls list.
Success Stories:
- Data Centers: A colocation provider implements mantrap doors, biometric scanners, and 24/7 video surveillance, providing clients with auditable proof of physical security that meets stringent compliance requirements.
- Financial Services: A trading firm enforces a strict clear desk and clear screen policy, with secure shredding bins and locking cabinets, preventing sensitive market data from being exposed in a high-traffic environment.
- Healthcare: A hospital restricts server room access to authorized IT staff using keycard readers that log every entry and exit, ensuring a clear audit trail for HIPAA compliance.
Actionable Advice:
- Conduct a Physical Security Risk Assessment: Regularly walk through your facilities to identify vulnerabilities like unsecured entry points, propped-open doors, or poorly placed servers. Document and prioritize these findings.
- Implement Layered Access Controls: Use multiple layers of security, such as perimeter fencing, reception desks, locked doors, and finally, cabinet-level locks for critical assets.
- Establish and Enforce Visitor Procedures: Maintain a formal process for visitor registration, require them to be escorted in secure areas, and ensure badges are returned upon departure.
- Monitor Environmental Conditions: Use sensors to monitor temperature and humidity in server rooms and data closets. Set up alerts to notify personnel of conditions that could damage equipment.
- Secure Cabling and Power: Protect power and network cables from unauthorized interception or damage. Ensure uninterruptible power supplies (UPS) and backup generators are tested regularly.
The Operations Security domain, A.12 in the 2013 standard, establishes the procedural backbone for protecting information systems during daily use. Its controls, which are now distributed across clauses 5, 7, and 8 in the 2022 revision, ensure that IT infrastructure is managed securely throughout its operational lifecycle. This includes critical processes like change management, capacity planning, malware protection, logging and monitoring, system hardening, and data backup.
Effective operations security prevents unauthorized changes, detects malicious activity, and ensures system availability and resilience. Without these controls, an organization is vulnerable to service disruptions, data breaches from misconfigurations, and prolonged downtime after an incident. This domain provides auditors with clear evidence that security is integrated into day-to-day IT management, not just treated as a theoretical policy.
Success Stories:
- Financial Services: A major bank implements a strict change management process requiring Change Advisory Board (CAB) approval for all production system modifications, preventing outages during peak trading hours.
- Healthcare: A hospital system maintains fully segregated development, testing, and production environments to ensure that untested code never compromises live patient data systems.
- Technology: A SaaS provider uses Endpoint Detection and Response (EDR) agents across all servers and endpoints, feeding data into a central SIEM for real-time anomaly detection and threat hunting.
Actionable Advice:
- Segregate Environments: Establish and enforce strict separation between your development, testing, and production environments. Use different credentials and network segments to prevent data contamination and unauthorized changes.
- Formalize Change Management: Implement an automated change management workflow with formal approval gates. Create change freezes around critical business periods to maintain stability when it matters most.
- Centralize Logging: Deploy a centralized logging solution like a Security Information and Event Management (SIEM) platform. This allows you to correlate events across systems and effectively monitor for failed access attempts and suspicious activities.
- Automate Backups and Testing: Your backup strategy is only as good as your last successful restoration. Implement automated backup procedures and, crucially, schedule regular, automated restoration tests to verify data integrity.
- Conduct a Procedural Review: Use a structured approach to identify weaknesses in your operational processes. An expertly guided ISO 27001 gap assessment can quickly pinpoint gaps in your change management, logging, and backup procedures.
The Communications Security domain (A.13 in ISO 27001:2013, now primarily covered in controls 5.30 and 8.20-8.24 in the 2022 revision) focuses on protecting information as it travels across networks. It establishes the technical controls needed to secure data in transit, preventing unauthorized interception, modification, or disruption. This domain covers network security management, including network segmentation, access controls, boundary defense, and secure data transfer protocols.
Without robust communications security, sensitive data is vulnerable every time it moves between systems, users, or external partners. This control area ensures that the pathways for data exchange are fortified against threats. An auditor will meticulously review network architecture diagrams, firewall rule sets, and encryption configurations to verify that data is protected throughout its journey, making this a critical part of any complete ISO 27001 controls list.
Success Stories:
- Banking: A financial institution implements a zero-trust network architecture with micro-segmentation, isolating critical payment processing systems from general corporate traffic to contain potential breaches.
- Healthcare: A hospital system segregates its patient data network from the administrative and guest Wi-Fi networks, ensuring that protected health information (PHI) cannot be accessed from less secure zones.
- Tech: A SaaS company deploys Web Application Firewalls (WAF) and enforces Transport Layer Security (TLS) 1.2 or higher for all API endpoints, protecting customer data transmitted to and from its platform.
Actionable Advice:
- Segment Your Network: Divide your network into zones based on data sensitivity and system function (e.g., development, production, DMZ). This limits the lateral movement of an attacker.
- Implement Default-Deny Firewall Rules: Configure firewalls to block all traffic by default and create explicit "allow" rules only for necessary services and ports. This minimizes the attack surface.
- Secure Data Transfer: Mandate the use of strong, encrypted protocols like HTTPS, TLS, and SSH for all data communications, both internal and external.
- Strengthen Email Security: Implement robust email security controls, including DMARC, SPF, and DKIM, to prevent spoofing and phishing attacks that often serve as an initial entry point.
- Review Network Architecture: Use a platform like AI Gap Analysis to automatically cross-reference your network architecture diagrams and firewall policies against ISO 27001 requirements, identifying gaps in your defenses.
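The email security advice above (DMARC, SPF, DKIM), as an added example that is not part of the original article: a checker that flags weak settings in published SPF and DMARC records, such as a permissive `all` qualifier, `p=none`, a partial `pct`, missing aggregate reporting and too many DNS-lookup mechanisms. The record strings and domain names are constructed; DKIM is left out because validating it needs the live selector record and a signed message.

```python
"""Check published SPF and DMARC records for weak settings.

Added example, not the article's own tooling. The records are constructed
strings (in production they are the TXT records of <domain> and
_dmarc.<domain>); DKIM is not checked here because validating it needs
the live selector record and a signed message.
"""
import re
from typing import Dict, List, Optional

# Mechanisms that count toward SPF's 10-DNS-lookup limit (RFC 7208).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _needs_dns_lookup(term: str) -> bool:
    name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
    return name in SPF_LOOKUP_MECHANISMS


def check_spf(record: Optional[str]) -> List[str]:
    """Return weaknesses in an SPF record (empty list = acceptable)."""
    if record is None:
        return ["no SPF record published"]
    if not record.lower().startswith("v=spf1"):
        return ["record is not an SPF v1 record"]
    issues: List[str] = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all"):
        issues.append("'+all' authorises every host: SPF gives no protection")
    elif all_term.startswith("?"):
        issues.append("'?all' (neutral) gives receivers no grounds to reject spoofed mail")
    elif all_term.startswith("~"):
        issues.append("'~all' (softfail) only; move to '-all' once all senders are listed")
    lookups = sum(1 for t in terms if _needs_dns_lookup(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return issues


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: Optional[str]) -> List[str]:
    """Return weaknesses in a DMARC record (empty list = acceptable)."""
    if record is None:
        return ["no DMARC record published"]
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record is not a DMARC1 record"]
    issues: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' policy tag")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy is applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not being collected")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues


# Constructed records for a fictional domain.
SPF_WEAK = "v=spf1 include:_spf.mailer.example a mx ?all"
SPF_GOOD = "v=spf1 include:_spf.mailer.example -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test"

if __name__ == "__main__":
    for name, rec, fn in (("SPF weak", SPF_WEAK, check_spf),
                          ("SPF good", SPF_GOOD, check_spf),
                          ("DMARC weak", DMARC_WEAK, check_dmarc),
                          ("DMARC good", DMARC_GOOD, check_dmarc)):
        print(name, fn(rec) or "OK")
```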
The System Acquisition, Development, and Maintenance domain (A.14 in ISO 27001:2013, refined into controls like 8.25-8.34 in the 2022 revision) embeds security into the entire lifecycle of information systems. It promotes the principle of 'secure by design' and 'security by default', ensuring that security is not an afterthought but a core component from initial requirements gathering through to deployment and ongoing maintenance. This domain is critical for preventing vulnerabilities from being built into software and systems in the first place.
Without these controls, organizations expose themselves to significant risks, as security flaws introduced during development are often more complex and costly to fix later. This section of the ISO 27001 controls list mandates a structured approach, requiring secure coding standards, rigorous testing, and controlled change management. For an auditor, a well-documented secure development lifecycle is proof that an organization is proactive, rather than reactive, in managing application and system security.
Success Stories:
- Technology: A software-as-a-service (SaaS) provider adopts Microsoft's Secure Development Lifecycle (SDL), embedding security gates at each stage of development and drastically reducing critical vulnerabilities found in production.
- Finance: A financial services firm integrates static and dynamic application security testing (SAST/DAST) tools directly into its CI/CD pipeline, automating vulnerability detection and preventing insecure code from being deployed.
Actionable Advice:
- Integrate Security from Day One: Define clear security requirements in the initial project charter and design phases. Conduct threat modeling exercises to identify potential attack vectors before a single line of code is written.
- Train Your Developers: Implement a mandatory secure coding training program for all development staff. Focus on common pitfalls like the OWASP Top 10 to build a security-first mindset.
- Automate Security Testing: Embed SAST and DAST tools into your development pipeline. This provides immediate feedback to developers, making it easier and faster to fix security issues.
- Establish Remediation SLAs: Create formal Service Level Agreements (SLAs) for fixing identified vulnerabilities based on their severity. Critical flaws should be addressed immediately, while low-risk items can be scheduled for a later release.
- Document Secure Practices: Use an automated platform to track development standards and evidence of secure practices. A tool can help review your development lifecycle policies against the ISO 27001 requirements to identify gaps and ensure continuous compliance.
| Control (Clause) | Implementation Complexity 🔄 | Resource Requirements ⚡ | Expected Outcomes 📊 | Ideal Use Cases 💡 | Key Advantages ⭐ |
|---|---|---|---|---|---|
| Information Security Policies (A.5) | 🔄🔄 Medium | ⚡⚡ Medium (documentation effort) | Governance baseline; audit readiness | All organizations starting ISO 27001 | Clarifies expectations; management commitment |
| Organization of Information Security (A.6) | 🔄🔄 Medium | ⚡⚡⚡ High (structure & roles) | Coordinated governance; fewer responsibility gaps | Orgs needing cross-functional security oversight | Clear roles; faster security decisions |
| Human Resource Security (A.7) | 🔄🔄 Medium | ⚡⚡⚡ High (vetting & training) | Reduced insider risk; consistent security behavior | Regulated sectors & high-insider-risk environments | Vetting, training, and termination controls |
| Asset Management (A.8) | 🔄🔄🔄 High | ⚡⚡⚡ High (discovery & maintenance) | Visibility of assets; informed protection & response | Large orgs, data-intensive operations | Asset visibility; data classification |
| Access Control (A.9) | 🔄🔄🔄 High | ⚡⚡⚡ High (IAM tools & governance) | Prevents unauthorized access; audit trails | Sensitive systems; financial & healthcare sectors | Least privilege; strong auditability |
| Cryptography (A.10) | 🔄🔄🔄 High | ⚡⚡⚡ High (keys & HSMs) | Data confidentiality & integrity in transit/at rest | Protecting sensitive data; compliance needs | Data remains protected even if breached |
| Physical & Environmental Security (A.11) | 🔄🔄🔄 High | ⚡⚡⚡ High (facility upgrades) | Prevents physical compromise; supports continuity | Data centers, critical infrastructure sites | Controls physical access; environmental resilience |
| Operations Security (A.12) | 🔄🔄🔄 High | ⚡⚡⚡ High (monitoring & tooling) | Stable, monitored systems; faster detection | Production systems, high-availability services | Change control, logging, backups |
| Communications Security (A.13) | 🔄🔄🔄 High | ⚡⚡⚡ High (network tooling) | Protected data in transit; limited lateral movement | Distributed networks; remote work environments | Segmentation, boundary defense |
| System Acquisition, Development & Maintenance (A.14) | 🔄🔄🔄 High | ⚡⚡⚡ High (secure SDLC investment) | Secure-by-design systems; fewer vulnerabilities | Software vendors, dev teams with CI/CD | Reduces vulnerabilities; consistent secure coding practices |
Navigating the extensive ISO 27001 controls list can feel like an overwhelming task. We have moved through the core Annex A domains, from establishing foundational Information Security Policies (A.5) to managing the full lifecycle of system acquisition and maintenance (A.14). The key takeaway is clear: ISO 27001 is not a one-time project to be completed, but a continuous cycle of risk assessment, implementation, and improvement that must be embedded into your organization’s DNA.
The transition from the 2013 to the 2022 version of Annex A, with its reorganized structure and new controls, underscores the dynamic nature of information security. This is not about simply updating a document; it's about re-evaluating your approach to modern threats like cloud security and data privacy. Effective implementation means seeing these controls not as isolated requirements, but as interconnected components of a robust Information Security Management System (ISMS).
Viewing this framework as a mere checklist is a common pitfall. The real value emerges when you shift your perspective. Instead of asking, "How do we pass the audit?" you should be asking, "How do these controls make our organization more resilient, trustworthy, and competitive?"
A well-implemented ISMS, built upon the Annex A controls, becomes a powerful business enabler. It builds customer trust, opens doors to new markets, and provides a structured way to manage the ever-present risk of a security breach. It transforms security from a cost center into a strategic asset.
Your next steps should focus on operationalizing this mindset. This involves moving beyond paper policies and making security an active, conscious part of daily operations for every employee.
To truly master the ISO 27001 controls list, you must translate knowledge into action. Here is a practical roadmap to guide your efforts:
- Conduct a Formal Gap Assessment: Before you can build, you must understand your current state. Systematically review your existing practices against each applicable Annex A control. This is the foundation of your implementation plan.
- Develop a Statement of Applicability (SoA): This is a critical document. For each of the 93 controls in the 2022 revision, you must document whether it applies to your organization, justify your decision, and describe how it is implemented (or why it is excluded).
- Prioritize Based on Risk: Not all controls carry the same weight for your specific organization. Use your risk assessment results to prioritize implementation, focusing first on controls that mitigate your most significant information security risks.
- Automate Evidence Collection: The single greatest challenge in an ISO 27001 audit is often providing sufficient, well-organized evidence. Manually searching through documents, emails, and system logs is inefficient and prone to error. An automated platform can connect your documentation directly to control requirements, saving hundreds of hours.
Embracing the ISO 27001 framework is a significant commitment, but the rewards are equally substantial. It provides a proven structure for protecting your most valuable asset: your information. By moving from a passive checklist approach to an active, integrated security culture, you are not just preparing for an audit; you are building a more secure and resilient future for your organization.
Ready to stop chasing documents and start building a stronger ISMS? AI Gap Analysis uses an evidence-ready AI agent to perform your ISO 27001 gap assessment in hours, not weeks, by automatically mapping your existing documentation to the controls list. Discover your compliance gaps and find the exact evidence you need with unparalleled speed at AI Gap Analysis.
© 2026 AI Gap Analysis - Built by Tooling Studio with expert partners for human validation when needed.