Glossary · Compliance concepts
What is Annex A Controls?
Also known as: ISO 27001 Annex A, Annex A control catalog
Annex A controls are the catalog of security or AI controls listed in the annex of an ISO management-system standard. ISO 27001:2022 defines 93 controls across 4 themes, while ISO 42001 defines 38 controls across 9 objectives. Organizations select from this catalog based on their risk assessment and record their choices in the Statement of Applicability.
Key takeaways
- Annex A is the menu of controls a standard offers, not a mandatory checklist to implement in full.
- ISO 27001:2022 lists 93 controls grouped into 4 themes: organizational, people, physical, and technological.
- ISO 42001 lists 38 AI-specific controls across 9 objectives.
- Which controls apply is driven by the risk assessment and recorded in the Statement of Applicability.
- Controls are reference points; the organization implements and evidences the ones it selects.
What Annex A controls are
Annex A is the appendix in an ISO management-system standard that lists the reference controls an organization can apply to treat its risks. In ISO 27001, these are information security controls; in ISO 42001, they are AI governance controls.
Crucially, Annex A is a catalog, not a mandate. An organization is not required to implement every control. Instead it selects the controls relevant to the risks it identified, and documents which it included and which it excluded, with justification.
This risk-driven selection is what keeps a management system proportionate: a low-risk environment applies fewer controls than a high-risk one, and both can be compliant.
How the controls are organized
The 2022 revision of ISO 27001 restructured its controls into 93 controls grouped under four themes:
- Organizational controls
- People controls
- Physical controls
- Technological controls
ISO 42001 takes a different shape, with 38 AI-specific controls organized across 9 objectives covering areas like AI policy, lifecycle management, and data for AI systems. In both standards, the selected controls are recorded in the Statement of Applicability.
How controls are selected and evidenced
Control selection flows from the risk assessment: each identified risk is treated, and the controls that treat it are marked applicable. The risk treatment process decides which controls to apply, and where a control cannot be implemented directly, a compensating control may be used instead.
Once selected, a control must be implemented and evidenced. During audit, the certification body samples applicable controls and asks for proof they operate. A control listed as applicable with no supporting evidence is a finding.
Gathering that evidence continuously rather than at audit time is the purpose of continuous control monitoring.
Frequently asked questions
- Do I have to implement all 93 ISO 27001 controls?
- No. Annex A is a catalog you select from based on your risk assessment. You implement the controls relevant to your risks and justify any you exclude in the Statement of Applicability.
- Why did ISO 27001 change from 114 to 93 controls?
- The 2022 revision consolidated and modernized the catalog, merging overlapping controls and adding new ones, and reorganized them from the older domain structure into four themes.
- How many controls does ISO 42001 have?
- ISO 42001 defines 38 AI-specific Annex A controls organized across 9 objectives, a smaller and more focused set than ISO 27001's because it targets AI governance specifically.
- What if a control does not fully apply to my environment?
- You can exclude it with justification, or apply a compensating control that achieves the same objective by different means, recording the rationale in your Statement of Applicability.