Annex A of ISO 27001:2022 contains 93 reference security controls organised into four themes: organisational, people, physical and technological. These controls provide a comprehensive catalogue from which organisations select applicable measures based on their risk assessment and Statement of Applicability (SoA).
The 2022 revision restructured controls from 14 domains into four themes and introduced 11 new controls addressing topics such as threat intelligence, cloud security and data masking. Organisations use Annex A as a checklist to ensure no critical security area is overlooked and to demonstrate due diligence to auditors and certification bodies.