
What is ISO 27001 Annex A in plain language?


Written by
Rob Veen

You are working on ISO 27001, the international standard for information security. You know the theory: you need to identify your risks, set out your policies, and keep improving. That is the "what." But then comes the "how": how do you make sure your company is truly secure? For that, you need a guide. That guide is Annex A, or Appendix A. Forget the difficult terms. In simple language, Annex A is nothing more than the ultimate, detailed checklist for information security. This article explains what you really need to do with that list and why it helps you save money.

The shopping list: from door lock to password

The ISO 27001 standard itself consists of the first 10 clauses: they state that you must have a system to protect your information (the ISMS). This structure is also called the High Level Structure of ISO 27001. But that is for another blog.

Annex A is the appendix and, since the 2022 update, contains a list of 93 controls (or measures). Think of this as an inspiration list of security solutions.

You do not need to check off all 93 measures on that list. You use your risk analysis to determine which items you need. The measures you choose must reduce the risks in your company.

The four parts

To keep the 93 measures clear, they are divided into four logical categories. This makes it easier to see where something still needs to be done in your organization:

1. People Controls

This is about your staff and agreements.

  • Example: Training employees (how do you recognize phishing?). Screening new employees. Making agreements about what happens when an employee resigns.

2. Physical Controls

This is about securing your building, office, and equipment.

  • Example: Cameras near the server room. Air conditioning systems in hot server rooms. Access badges. Securing equipment outside the office (laptops in the car).

3. Organizational Controls

This is about policy, procedures, and structure. This is the foundation.

  • Example: Drawing up an official Information Security Policy. Setting up an incident procedure (what to do in the event of a hack?). Making agreements with suppliers.

4. Technological Controls

This is about software, networks, and systems.

  • Example: Encryption of data. Use of Multi-Factor Authentication (MFA). Backup procedure. Management of network access. Secure software development. Lifecycle management.

The flexibility of Annex A

The tricky part of the Annex A 'shopping list' is that it only gives you a topic, but no details on how to implement it. It is flexible, but it does require insight.

The Carbohydrates Analogy: Suppose your shopping list says "Carbohydrates". You still have to decide whether, in your specific case, that will be potatoes, rice, pasta, or perhaps even bread. The best choice depends on your dinner, your preferences, and your budget.

The same applies to Annex A. For example, it includes the term: 'Capacity Management'. This means you need to think about the capacity of your systems. But:

  • In a small SME, this may mean only checking once a year whether the server still has enough disk space. Or perhaps you do not even have servers and only monitor CPU and disk space on laptops. And you may not really care much about the result either.

  • In a large SaaS company, this means there must be an automated monitoring system that checks CPU load and bandwidth 24/7 to prevent the website from freezing up.

Annex A tells you what you must protect, not how. The 'how' is your strategic choice, based on the risks and the size of your organization.

What should you do with Annex A?

Annex A has only one requirement: you must prepare a Statement of Applicability (SoA).

The SoA: Your Shopping Note to the Auditor

The SoA is a list in which you explain to the external auditor:

  1. Which of the 93 measures you have chosen to address your risks (for example: we use MFA because passwords are a risk).

  2. Which you have not chosen (and why). Not chosen means: you do not have that risk, or you address it in another way. (For example: "We do not need a physical control for archives, because everything is digital on a secured server.")
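An added example, not code from the original article or from AuditDirect: a small Python script that assembles the SoA rows described above from a risk register and flags the three things an auditor will probe (a control with no decision, an excluded control that a risk still relies on, and a reference to a control that does not exist). Control ids and names are assumed to follow ISO/IEC 27001:2022 Annex A; the risks, the exclusion and the five-control subset are constructed.

```python
"""Added illustration, not AuditDirect's own tooling: a minimal Statement of
Applicability (SoA) builder with the consistency checks an auditor looks for.
Control ids/names follow ISO/IEC 27001:2022 Annex A (assumed); risks are constructed."""
from dataclasses import dataclass, field

# Subset of the 93 controls (37 organizational, 8 people, 14 physical, 34 technological).
CONTROLS = {
    "5.1": "Policies for information security",
    "6.3": "Information security awareness, education and training",
    "7.4": "Physical security monitoring",
    "8.5": "Secure authentication",
    "8.6": "Capacity management",
}

@dataclass
class SoAEntry:
    control: str
    applicable: bool = False
    justification: str = ""
    risks: list = field(default_factory=list)  # risk ids this control treats

def build_soa(risks, exclusions, controls=CONTROLS):
    """risks: {risk id: [control ids chosen to treat it]}; exclusions: {control id: reason}.
    Returns (rows, findings); an empty findings list means the SoA is consistent."""
    soa = {cid: SoAEntry(cid) for cid in controls}
    referenced = {c for chosen in risks.values() for c in chosen} | set(exclusions)
    findings = [f"unknown control {c}" for c in sorted(referenced - set(controls))]
    for rid, chosen in risks.items():  # included: every row must trace back to a risk
        for cid in chosen:
            if cid in soa:
                soa[cid].applicable = True
                soa[cid].risks.append(rid)
                soa[cid].justification = "Treats " + ", ".join(soa[cid].risks)
    for cid, reason in exclusions.items():  # excluded: needs a reason, and no risk may rely on it
        if cid not in soa:
            continue
        if soa[cid].applicable:
            findings.append(f"{cid}: excluded but selected by {', '.join(soa[cid].risks)}")
        else:
            soa[cid].justification = reason
    findings += [f"{e.control}: no decision recorded" for e in soa.values() if not e.justification]
    return soa, findings

# Constructed SME example: three risks, one exclusion, and policy control 5.1 simply forgotten.
RISKS = {"R1 stolen passwords": ["8.5"], "R2 phishing": ["6.3", "8.5"], "R3 full disks": ["8.6"]}
EXCLUSIONS = {"7.4": "No server room on site; the hosting provider monitors its data centre"}
```

Running `build_soa(RISKS, EXCLUSIONS)` returns one finding, `5.1: no decision recorded`, which is exactly the kind of gap an auditor finds when an SoA is assembled without a risk analysis behind it.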

Our philosophy

Many consultants force you to write down everything. That is inefficient. We use Annex A to show that you handle your resources smartly. You only choose the measures that are really necessary and that address a real risk.

We do this with a smart and efficient approach, using practical methods. This makes the conversation with an auditor easier: you can clearly explain (based on a risk analysis) why certain choices were made.

By making a smart selection and interpreting the measures practically based on the risks and the size of your business, you can show that you are in control, without wasting unnecessary money and time. This is the down-to-earth approach that SMEs need.

Frequently Asked Questions about Annex A


What is the role of Annex A within the ISO 27001 standard?

Annex A, or Appendix A, serves as a comprehensive catalog of 93 controls to address information security risks. Where the first ten chapters of the standard explain that you must have a management system (ISMS), Annex A provides the practical guidance to put that system into practice. In essence, it is the translation from theory to practice, helping you determine how to mitigate specific risks in your organization.

Am I required to apply all 93 controls from ISO 27001 Annex A?

No, it is a misconception that you must blindly implement all 93 measures. Annex A serves as a list of ideas or a checklist from which you choose based on your specific risk assessment. You select only the measures that are necessary to reduce the real risks within your company. The goal is not to tick everything off, but to make smart and efficient choices that fit the nature and size of your organization.

How are the controls in ISO 27001 Annex A grouped?

To keep an overview of the 93 measures, they have been divided into four logical themes since the 2022 update. These are people-focused measures covering staff and training, physical measures for the security of buildings and equipment, organizational measures that focus on policies and procedures, and technological measures relating to IT systems and networks. This division helps organizations quickly identify where action is needed.

What is the Statement of Applicability (SoA), and why is it needed?

The Statement of Applicability is a required document in which you explain to the external auditor which measures from Annex A you have and have not applied. It serves as your justification, explaining why certain measures are necessary to manage risks and why other measures have been left out because they are not relevant. A well-supported Statement of Applicability shows that you are in control and helps prevent unnecessary costs for unnecessary security measures.

How do I determine the level of detail for a measure such as capacity management?

The ISO 27001 standard does specify what you must protect, but not how detailed you need to be about it. This depends entirely on your risk profile and company size. For a small SME, capacity management may simply mean checking periodically whether laptops still have enough disk space, while a large SaaS company may need automated 24/7 monitoring. The key is to design the measure so it is effective for your situation without adding unnecessary complexity.

AuditDirect guides you from start to finish toward your ISO 27001 certification

ISO Reality Check

A brief, honest conversation to determine whether ISO 27001 is truly necessary.

FREE*

In 45 minutes, we will discuss:

  • Why the ISO requirement is there (from your client or internally)

  • Whether a certification is actually necessary, or if an alternative is sufficient

  • What your organization is already doing well

  • And what options you have to handle it smarter and simpler


And we are pragmatic enough that we are also willing to have this conversation with you and your client.

*A limited number of spots available.

Schedule your ISO Reality Check


ISO Baseline Assessment

In one day, we assess together how far your organization has already progressed toward ISO 27001.

€1,250

Within 24 hours you will receive:

  • A complete baseline assessment of your current situation

  • An action plan with concrete next steps

  • Insight into your strongest points and areas for improvement

  • Support within the organization, as our consultants will conduct interviews with the involved employees


Guidance only starts after the baseline assessment. This way, we know exactly what is and what is not needed, without wasting your company's time.

Schedule your ISO Baseline Assessment


ISO Internal Audit

A practical Internal Audit that tells you exactly whether you are ready for the external audit.

$1,600*

Within 72 hours you will receive:

  • A complete independent internal audit that meets clause 9.2 of the ISO 27001 standard.

  • Clear and applicable findings and recommendations

  • Concrete overview of areas for improvement before the external audit

  • Clear explanation for management and teams involved

*Price is based on a small organization.


Schedule your ISO internal audit
