Annex A controls are the reference set of information security controls listed in Annex A of the ISO 27001 standard and further detailed in ISO 27002. They represent a catalog of commonly used administrative, technical, and physical controls that an organization can select from to treat information security risks identified in its risk assessment.
What Annex A controls include
Annex A controls typically cover areas such as:
- Information security policies and governance
- Organization of information security and roles
- Human resource security (onboarding, termination, awareness)
- Asset management and data classification
- Access control and identity management
- Cryptography and key management
- Physical and environmental security
- Operations security (logging, monitoring, change management, backups)
- Communications and network security
- System acquisition, development, and maintenance
- Supplier and third-party relationships
- Information security incident management
- Business continuity aspects of information security
- Compliance with internal requirements and applicable regulations
In regulated manufacturing and industrial environments, Annex A controls are applied to OT and IT systems, MES/ERP integrations, data flows between plant and enterprise networks, and handling of sensitive technical and quality data.
How Annex A controls are used
Not every Annex A control is mandatory; each is selected according to the risks it treats. Organizations typically:
- Perform a risk assessment to identify information security risks.
- Select relevant Annex A controls (and possibly additional controls) to treat those risks.
- Document which Annex A controls are applied, modified, or considered not applicable and why.
- Implement and operate the selected controls in their management system and technical environment.
For example, to manage the risk of data leakage from a manufacturing site, an organization might apply the Annex A controls on access control, logging and monitoring, secure communication, and information transfer procedures. These controls can be supported by tools such as Data Loss Prevention (DLP), but they do not require any specific product.
Common confusion
- Annex A controls vs. ISO 27001 requirements: ISO 27001 management system requirements are in the main clauses of the standard. Annex A is a reference control set used for risk treatment, not the full set of requirements.
- Annex A controls vs. ISO 27002: Annex A lists control titles and short descriptions. ISO 27002 provides detailed guidance on implementing and managing those controls.
- Annex A controls vs. specific technologies: Annex A controls are technology-agnostic. They describe control objectives and measures, not specific tools or vendors.