
Annex A Controls and Domains

The Annex A controls have been both reduced and restructured to reflect the
ISO/IEC 27001:2022 update: the number of controls decreased from 114 to 93, and
the previous 14 domains have been reorganized into four overarching groups:
organizational, people, physical, and technological.
The good news is that these changes make the standard easier to digest and simpler
to implement. Here is more information about each group, where to find it in the
standard, and a non-exhaustive list of the types of controls it contains.
Section 5, Organizational (37 controls)
- Organizational information policies
- Cloud service use
- Asset use
Section 6, People (8 controls)
- Remote work
- Confidentiality
- Non-disclosures
- Screening
Section 7, Physical (14 controls)
- Security monitoring
- Storage media
- Maintenance
- Facilities security
Section 8, Technological (34 controls)
- Authentication
- Encryption
- Data leak prevention

Newly Added Annex A Controls

While several of the Annex A controls have been renamed and merged to reduce the
total number of controls, the requirements within those controls are almost all the
same. The biggest change is the addition of 11 new controls, introduced to reflect
new and evolving security areas.
Specifically, the 11 new controls are as follows:
- Threat intelligence
- Information security for the use of cloud services
- Information and communications technology for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
