Annex A of ISO 27001:2022 — What Changed
The 2022 update restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes, adding 11 new controls.
The 4 Themes
Theme 1: Organizational Controls (37)
Governance, policies, roles, asset management, access control, business continuity, compliance. Key controls: A.5.1 (policies), A.5.15 (access control), A.5.23 (cloud security — new).
Theme 2: People Controls (8)
HR security from hiring to departure. A.6.7 (remote working) is new and highly relevant.
Theme 3: Physical Controls (14)
Premises, equipment, storage media security. For a fully remote SaaS company, document your cloud provider's certifications.
Theme 4: Technological Controls (34)
Encryption, networking, secure development, monitoring. New controls include configuration management (A.8.9), DLP (A.8.12), and secure coding (A.8.28).
The 11 New Controls in 2022
Threat intelligence, cloud security, ICT readiness, remote working, physical monitoring, configuration management, data deletion, data masking, DLP, monitoring activities, web filtering.
Statement of Applicability
You don't need to implement all 93 controls. The SoA records, for each control, whether it applies to your organization and justifies that decision.
Compli.st auto-maps your existing controls to Annex A and identifies gaps.