Annex A Controls
Complete Reference
The 2022 edition of ISO/IEC 27001 reorganized Annex A from the 114 controls in 14 domains of the 2013 edition into 93 controls in 4 themes: Organizational, People, Physical, and Technological. The lower count comes mainly from merging overlapping 2013 controls; 11 controls are new (threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding).
Organizational Controls
37 Controls
Policies for information security
Establish and communicate information security policies.
Information security roles and responsibilities
Define and allocate security responsibilities.
Segregation of duties
Separate conflicting duties to reduce risk of fraud or error.
Management responsibilities
Ensure management enforces security policies.
Contact with authorities
Maintain appropriate contact with relevant authorities.
Contact with special interest groups
Maintain contact with security forums and associations.
Threat intelligence
Collect and analyze information about security threats.
Information security in project management
Integrate security into project management.
Inventory of information and other associated assets
Identify and maintain an inventory of assets.
Acceptable use of information and other associated assets
Define rules for acceptable use of assets.
Return of assets
Ensure return of assets upon termination.
Classification of information
Classify information according to its value and sensitivity.
Labelling of information
Develop procedures for labelling information.
Information transfer
Protect information during transfer.
Access control
Establish access control policy based on business requirements.
Identity management
Manage the full lifecycle of identities.
Authentication information
Control allocation of authentication information.
Access rights
Provision and revoke access rights.
Information security in supplier relationships
Define and implement processes to manage the security risks of using supplier products and services.
Addressing information security within supplier agreements
Include security requirements in supplier contracts.
Managing information security in the ICT supply chain
Manage security risks in the supply chain.
Monitoring, review and change management of supplier services
Monitor and review supplier services.
Information security for use of cloud services
Manage security of cloud service usage.
Information security incident management planning and preparation
Plan and prepare for incident management.
Assessment and decision on information security events
Assess security events and decide on classification.
Response to information security incidents
Respond to incidents according to procedures.
Learning from information security incidents
Use incidents to improve security.
Collection of evidence
Collect and preserve evidence.
Information security during disruption
Maintain security during disruptions.
ICT readiness for business continuity
Plan for ICT continuity.
Legal, statutory, regulatory and contractual requirements
Identify applicable requirements.
Intellectual property rights
Protect intellectual property.
Protection of records
Protect records from loss and unauthorized access.
Privacy and protection of PII
Ensure privacy and PII protection.
Independent review of information security
Conduct independent security reviews.
Compliance with policies, rules and standards for information security
Ensure compliance with security policies.
Documented operating procedures
Document operating procedures.
People Controls
8 Controls
Screening
Verify backgrounds of personnel before employment.
Terms and conditions of employment
Include security responsibilities in employment contracts.
Information security awareness, education and training
Provide ongoing security training.
Disciplinary process
Establish formal disciplinary process for security violations.
Responsibilities after termination or change of employment
Define post-employment security responsibilities.
Confidentiality or non-disclosure agreements
Use NDAs to protect confidential information.
Remote working
Implement security measures for remote work.
Information security event reporting
Enable and encourage event reporting.
Physical Controls
14 Controls
Physical security perimeters
Define and secure physical perimeters.
Physical entry
Secure areas with appropriate entry controls.
Securing offices, rooms and facilities
Design and apply physical security.
Physical security monitoring
Continuously monitor premises for unauthorized physical access.
Protecting against physical and environmental threats
Protect against environmental risks.
Working in secure areas
Define procedures for working in secure areas.
Clear desk and clear screen
Implement clear desk and screen policies.
Equipment siting and protection
Position equipment to reduce risks.
Security of assets off-premises
Protect assets used outside premises.
Storage media
Manage storage media throughout lifecycle.
Supporting utilities
Protect equipment from power failures and other disruptions caused by supporting utilities.
Cabling security
Protect power and telecommunications cabling.
Equipment maintenance
Maintain equipment to ensure availability.
Secure disposal or re-use of equipment
Sanitize equipment before disposal or re-use.
Technological Controls
34 Controls
User endpoint devices
Protect information on endpoint devices.
Privileged access rights
Restrict and manage privileged access.
Information access restriction
Restrict access according to access control policy.
Access to source code
Restrict access to source code.
Secure authentication
Implement secure authentication mechanisms.
Capacity management
Monitor and manage resource capacity.
Protection against malware
Implement malware protection.
Management of technical vulnerabilities
Identify and address vulnerabilities.
Configuration management
Establish, document, implement, and monitor secure configurations.
Information deletion
Delete information when no longer required.
Data masking
Mask data according to access control policy.
Data leakage prevention
Apply DLP measures.
Information backup
Maintain and test backups.
Redundancy of information processing facilities
Implement redundancy for availability.
Logging
Produce, store, protect, and analyze logs.
Monitoring activities
Monitor networks, systems, and applications for anomalous behavior.
Clock synchronization
Synchronize clocks to reference time.
Use of privileged utility programs
Restrict and control utility program use.
Installation of software on operational systems
Control software installation.
Networks security
Secure and manage networks.
Security of network services
Identify, implement, and monitor security mechanisms, service levels, and service requirements of network services.
Segregation of networks
Segregate networks by function.
Web filtering
Manage access to external websites.
Use of cryptography
Define rules for the effective use of cryptography, including key management.
Secure development life cycle
Establish secure development rules.
Application security requirements
Identify security requirements.
Secure system architecture and engineering principles
Apply secure architecture principles.
Secure coding
Apply secure coding principles.
Security testing in development and acceptance
Define and implement security testing.
Outsourced development
Direct and monitor outsourced development.
Separation of development, test and production environments
Separate and protect development, test, and production environments.
Change management
Control changes through change management.
Test information
Select and protect test information.
Protection of information systems during audit testing
Plan audit tests to minimize disruption.
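The Logging and Clock synchronization controls above require that logs are protected and that their timestamps come from a trusted reference. An added example of what "protect logs" can mean in code (this is illustrative code written for this page, not part of the standard or of any product it names): a hash-chained, append-only log in Python in which every record commits to the previous record's SHA-256 hash, so an edited, deleted, inserted, or reordered entry breaks the chain on verification. The record layout, field names, and the sample events are constructed for the example.

```python
"""Tamper-evident log: each record hashes the previous record's hash plus
its own body, so any after-the-fact change to a stored record is detectable.
Example code, not from the original page. Field names are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hash value the first record chains to
BODY_FIELDS = ("seq", "ts", "actor", "event")


def _canonical(body: dict) -> bytes:
    # Fixed key order and no whitespace so the hash does not depend on how
    # the dict was built or serialized.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(prev_hash: str, body: dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(body))
    return h.hexdigest()


def append(chain: List[dict], event: str, actor: str,
           ts: Optional[str] = None) -> dict:
    """Append one record and return it. ts should come from an NTP-synced
    clock (control 8.17); UTC ISO-8601 keeps timestamps comparable as text."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "event": event,
    }
    record = {**body, "prev": prev, "hash": _digest(prev, body)}
    chain.append(record)
    return record


def verify(chain: List[dict]) -> Tuple[bool, str]:
    """Walk the chain from GENESIS. Returns (ok, reason). Catches edited
    bodies, deleted or inserted records, reordering, and timestamps that
    run backwards (a sign of an unsynchronized or manipulated clock)."""
    prev = GENESIS
    last_ts = ""
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in BODY_FIELDS}
        if rec["seq"] != i:
            return False, f"sequence mismatch at position {i} (seq={rec['seq']})"
        if rec["prev"] != prev:
            return False, f"prev-hash mismatch at seq {i}"
        if rec["hash"] != _digest(prev, body):
            return False, f"content hash mismatch at seq {i}"
        if rec["ts"] < last_ts:
            return False, f"timestamp regression at seq {i}"
        prev, last_ts = rec["hash"], rec["ts"]
    return True, "chain intact"


def build_sample_chain() -> List[dict]:
    """Constructed sample events with fixed timestamps (deterministic)."""
    chain: List[dict] = []
    append(chain, "login", "alice", ts="2024-01-01T10:00:00+00:00")
    append(chain, "read customer_export.csv", "alice", ts="2024-01-01T10:00:05+00:00")
    append(chain, "logout", "alice", ts="2024-01-01T10:00:09+00:00")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify(chain))                      # (True, 'chain intact')
    chain[1]["event"] = "login"               # attacker rewrites history
    print(verify(chain))                      # content hash mismatch at seq 1
```

The chain only proves that records have not changed since they were written; an attacker who controls the writer can still append false records, so the latest hash should be periodically exported to a system the writer cannot reach (a central log store or a signed checkpoint), which is the separation of duties the Logging control is asking for.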
Kevin A
Principal Security & GRC Engineer
Kevin is a security engineer turned GRC specialist. He focuses on mapping cloud-native infrastructure (AWS/Azure/GCP) to modern compliance frameworks, ensuring that security controls are both robust and auditor-ready without slowing down development cycles.
