Glossary

Annex A

Annex A commonly refers to the catalog of information security controls in ISO/IEC 27001, used to build and justify a Statement of Applicability.

Annex A commonly refers to the control catalog included as an annex in the ISO/IEC 27001 information security management standard. It lists a structured set of information security controls that organizations can select from when designing and documenting their Information Security Management System (ISMS).

In regulated industrial and manufacturing environments, Annex A is typically used as a reference list when defining which security controls apply to OT and IT systems, data flows, and business processes. The selected controls, along with justifications for inclusion or exclusion, are documented in the organization’s Statement of Applicability (SoA).

What Annex A includes

Within ISO/IEC 27001, Annex A:

  • Provides a catalog of individual security controls grouped into control domains (for example, access control, operations security, or supplier relationships).
  • Covers both technical and organizational controls, such as policies, procedures, access management, logging, backup, and incident handling.
  • Is intended to be used as a reference, not as a fixed checklist that must be fully implemented without risk-based justification.

Annex A does not itself describe how to implement or operate controls in detail. Those specifics are usually addressed through internal procedures or related guidance standards.

Operational use in manufacturing and regulated environments

In industrial operations, Annex A commonly appears in:

  • Risk assessments, where each relevant Annex A control is evaluated against identified risks to OT systems, MES, ERP, laboratory systems, and quality systems.
  • Statements of Applicability, where the organization documents which Annex A controls apply to its scope, including justification where certain controls are not implemented or are implemented differently for OT vs. IT.
  • Audit preparation, where Annex A serves as a map between ISO/IEC 27001 expectations and concrete procedures, technical safeguards, and records in manufacturing operations.

Common confusion

The term “Annex A” is sometimes used loosely in training or summaries, which can lead to confusion:

  • “Four categories” of Annex A controls: Some introductory materials group Annex A controls into a small number of categories for teaching purposes. This grouping is not the formal structure of ISO/IEC 27001 and does not replace the control domains defined in the current standard.
  • Annex A vs. the ISO/IEC 27001 main clauses: Annex A contains control objectives and controls. The main body (clauses) of ISO/IEC 27001 describes ISMS requirements such as context, leadership, planning, and performance evaluation. Annex A is not itself the full set of ISMS requirements.
  • Annex A vs. implementation guidance: Annex A lists what controls exist in the catalog. More detailed guidance on how to implement them may come from other standards or internal documentation.

Relationship to the source context

When Annex A is discussed in relation to “four categories of ISO 27001,” it typically refers to simplified teaching groupings of the controls in Annex A, not to any official four-part structure in the standard. For work in regulated manufacturing, organizations generally refer directly to the current Annex A control domains and build their Statement of Applicability from that official structure.
