When people refer to the “ISO 27001 controls” they mean the Annex A catalogue of technical and organisational measures that organisations map into an Information Security Management System (ISMS) for cyber security certification or audit readiness.
In the UK, the British Standards Institution (BSI) references Annex A as the baseline and the Information Commissioner’s Office (ICO) highlights recurring failures in access control and data handling in its 2024-25 annual report (ICO, 2024-25). Under ISO/IEC 27001:2022, Annex A contains 93 controls grouped into four themes: Organisational, People, Physical and Technological, which organisations map into their Statement of Applicability when preparing for audits.
- What: The 2026 list of ISO 27001 controls, mapped to Annex A themes with audit-focused notes and implementation guidance.
- Why it matters: The Information Commissioner’s Office (ICO) 2024-25 report flags access control and data-handling weaknesses in UK audits (ICO, 2024-25).
- Who it is for: CISOs, CTOs and compliance leads in the UK preparing an ISMS, ISO/IEC 27001 certification or regulator response.
- Quick wins: Prioritise asset inventory, access control, patching and supplier clauses; these ISO 27001 controls commonly feature in guidance from the National Cyber Security Centre (ENISA, 2024) and incident trends reported in the Verizon Data Breach Investigations Report, 2025.
- Use this to: Build a Statement of Applicability, cross-reference UK GDPR obligations and prepare ISO/IEC 27001:2022 audit evidence.
🧭 Who this is for and how we mapped the ISO 27001 controls
The list targets CISOs, CTOs and compliance leads in the UK who must map ISO 27001 Annex A into an Information Security Management System (ISMS) for certification or audit readiness. We selected ISO 27001 controls by mapping Annex A to common audit findings, NCSC guidance and ISO/IEC requirements, prioritising controls that repeatedly fail in real audits.
We used three sources to pick items: ISO/IEC 27001 Annex A itself, National Cyber Security Centre (NCSC) guidance on management systems and recent audit trend reporting from the Information Commissioner’s Office (ICO). The ISO/IEC 27001 standard defines the Annex A controls and the British Standards Institution (BSI) recognises Annex A as the baseline catalogue of ISO 27001 control objectives for certification. The NCSC’s guidance helps translate those ISO 27001 controls into practical technical and organisational measures, while the ICO’s annual reporting highlights recurring control failures around data handling and access management. For ISO/IEC authoritative reference see ISO.
Selection method
We mapped each Annex A control to three practical criteria: its likelihood of being tested in an audit, its frequency of failure in UK incidents and the ease of measurable implementation. The mapping used the NCSC’s published advice and cross-references from NIST where useful. The National Institute of Standards and Technology (NIST) crosswalks were consulted to ensure technical ISO 27001 controls had measurable mappings to NIST Cybersecurity Framework outcomes; see NIST.
What we excluded
We excluded sector-specific controls that sit outside Annex A, such as PCI DSS payment card requirements and operational technology rules for essential national infrastructure. We also excluded detailed implementation patterns for every ISO 27001 control; instead we point to where Annex A expects risk assessment and risk treatment decisions. For UK regulatory context on recurring failures and data protection risk, see the ICO’s 2024-25 annual report ICO.
The remainder of this guide lists Annex A ISO 27001 controls grouped in 14 domains, with practical notes on common gaps, audit evidence and estimated effort to implement within an ISMS. We focus on what auditors test and what UK regulators notice in investigations.
🔢 Summary table: Annex A control groups and best fit

The Annex A controls in ISO/IEC 27001 map to 14 ISO 27001 control clauses that organisations use to structure an Information Security Management System (ISMS). Record which ISO 27001 controls you apply, partially apply or exclude in the Statement of Applicability (SoA), and link each control to a risk, an owner and evidence so that auditors, the Information Commissioner’s Office (ICO) and certification bodies can follow the trace from risk to control to test result.
ENISA advises treating Annex A as a set of risk-led references rather than a simple checklist, and aligning ISO 27001 controls with operational processes and identified risks (ENISA, 2024). The Information Commissioner’s Office Annual Report 2024-25 highlights persistent regulator focus on personal data handling, supplier oversight and incident readiness, so mark controls that directly support UK GDPR obligations in your SoA for rapid evidence packaging (ICO, 2024-25).
Annex A groups mapped to ISMS functions
| Annex A control group | Core ISMS function | Best fit, UK use case |
|---|---|---|
| A.5 Information security policies | Governance and policy | Board-level policy setting, annual review to show governance evidence to auditors and the ICO |
| A.8 Asset management | Data classification and inventory | Data mapping to support UK GDPR records of processing and DPIA scoping |
| A.12 Operations security | Operational controls and monitoring | Logging, patch management and handoffs to SOC for incident detection and response |
| A.15 Supplier relationships | Third-party risk and contracts | Due diligence, contract clauses and audit rights for high-risk suppliers |
| A.17 Business continuity | Resilience and recovery | Recovery time objectives, disaster recovery testing for customer-facing systems |
When you populate the SoA, include the risk register reference, the ISO 27001 control owner, the implementation status and links to evidence such as test outputs, runbooks or vendor attestations. For ISO 27001 controls that support UK GDPR obligations, flag them so you can produce regulator-focused evidence quickly during ICO queries or certification audits (ICO, 2024-25).
Practical tip: Map Annex A controls to a small number of operational processes, not to teams. That makes evidence collection repeatable when you run vulnerability scans, patch windows or disaster recovery tests that feed the same SoA links. For help mapping Annex A into your ISMS and drafting a defensible SoA, see our ISO 27001 service page (ISO 27001) and our IT Disaster Recovery Plan service for resilience controls (IT Disaster Recovery Plan).
Key action: Map each Annex A control to a specific risk, name an owner and attach test evidence in the SoA so auditors, the ICO and your board can see the link from risk to ISO 27001 control to results without extra requests.

🔐 1. Information Security Policies
Information Security Policies require a documented set of rules, responsibilities and procedures governing how an organisation protects information assets.
Annex A maps multiple ISO 27001 controls to policy-level requirements, including leadership commitment, roles and responsibilities, and acceptable use. ISO (International Organization for Standardization) 27001 Annex A expects a policy framework that is clear, approved by senior management and reviewed regularly. The policy set forms the basis of your Statement of Applicability (SoA) and is the first thing auditors check when testing controls linked to UK GDPR and supply‑chain obligations.
What the ISO 27001 control requires under Annex A
The Annex A requirements include an information security policy, a review schedule, documented responsibilities for information security, and related supporting policies (access control, acceptable use, asset management). ISO (International Organization for Standardization) 27001 includes these as organisational-level controls that justify ISO 27001 control selections in the SoA. ENISA and the National Cyber Security Centre (NCSC) emphasise that documented leadership support and review evidence reduce regulatory friction during investigations; see the NCSC Annual Review 2025 and the GOV.UK Cyber Security Longitudinal Survey.
Why formal policies matter for audits and UK GDPR mapping
Formal policies show how you meet UK GDPR obligations for accountability, data minimisation and security by design. Auditors from UK certification bodies will request the policy, the review log, evidence of senior approval and records of communication to staff. Organisations without an auditable policy trail face repeated nonconformities, longer certification timelines and higher consultancy cost to remediate.
When to use this ISO 27001 control, ownership and effort
Assign the Information Security Policy to the CISO or an Associate Director of IT with documented senior management approval. For SMBs, a single policy plus three supporting policies (access control, asset management, incident reporting) is often sufficient. Typical effort: 2 to 6 weeks of drafting and evidence collection for organisations under 500 staff; larger organisations will require stakeholder workshops and policy harmonisation across business units.

📦 2. Asset Management

Annex A requires an accurate, owned inventory of information assets, hardware, software and services, with classification and ownership recorded.
What Annex A requires for inventory, ownership and classification is a set of ISO 27001 controls mapped to the asset lifecycle: identification, labelling, acceptable use and disposal, plus assignment of owners and custodians.
What the ISO 27001 controls look like
The Annex A ISO 27001 controls most relevant here are in the asset management domain, specifically identification of assets, inventory maintenance and acceptable use. ISO/IEC 27001 Annex A references these ISO 27001 controls to ensure organisations know what they must protect and who is responsible.
In practice, an asset record should name the asset, the owner, classification (for example, public, internal, restricted), location, and supporting evidence such as configuration baselines or licences. Good inventories link to an organisation’s data flows and third party dependencies so auditors can trace how personal data moves under UK GDPR (UK General Data Protection Regulation).
Why accurate inventories reduce exposure
Accurate asset inventories let teams remove unmanaged devices, close admin accounts and apply configuration baselines that reduce exploitability. ENISA’s 2024 report shows member states with stronger asset hygiene report fewer widespread configuration incidents, and Verizon’s 2025 Data Breach Investigations Report shows system intrusions often exploit unmanaged or unpatched assets (Verizon, 2025). For UK-specific regulatory expectations, the Information Commissioner’s Office emphasises inventory and data-mapping when investigating breaches (ICO guidance).
When to prioritise asset work and typical tooling
Prioritise asset work when you process personal data, use cloud services, or outsource core functions; those are the areas UK auditors inspect most. Typical tooling includes IT asset management (ITAM) systems, endpoint detection and response (EDR) feeds, and data discovery tools. Evidence auditors expect includes an authoritative inventory export, change logs, owner contact details and a recent reconciliation between discovery tools and the inventory.
At CyPro, we map Annex A asset requirements to pragmatic evidence templates and help teams run reconciliations that pass UK auditors without excessive overhead.
A UK legal firm, ~200 staff, lacked an authoritative inventory. We ran a two‑week discovery, reconciled 1,200 discovered items to a 450‑line inventory, and reduced unmanaged endpoints by 78% so the firm could evidence Annex A compliance to its auditor.
🔐 3. Access Control and Identity Management
Access control and identity management require restricting who can access which systems, verifying identities and managing privileged accounts, typically through RBAC, SSO and strong multi-factor authentication. This section explains what Annex A requires, how ISO 27001 controls map to UK GDPR and NCSC guidance, and common misconfigurations.
What Annex A requires
Annex A of ISO 27001 lists controls for user access management, user responsibilities, privileged access and authentication.
The ISO 27001 controls include formal user registration, unique IDs, password rules, review of access rights and secure management of privileged accounts, mapped across Annex A clauses A.9 and A.11 for physical and logical access where relevant.
How this maps to UK law and guidance
Under UK GDPR, controllers must implement appropriate technical measures to protect personal data; well-configured access controls are a central part of that defence. The National Cyber Security Centre (NCSC) publishes practical guidance on authentication and privileged access, recommending multi-factor authentication and single sign-on where feasible (GOV.UK, 2024). ENISA’s EU Cybersecurity Index also highlights identity controls as core to reducing successful account takeover attempts (ENISA, 2025).
Practical choices: RBAC, SSO and PAM
Role-based access control (RBAC) is the usual first step for medium and large organisations, because it groups permissions by job function and simplifies reviews. Single sign-on (SSO) reduces password fatigue and centralises authentication logs. Privileged access management (PAM) adds session control and just-in-time elevation for administrators.
Together these measures support several ISO 27001 Annex A requirements and simplify evidence collection for audits.
When to adopt each ISO 27001 control and likely costs
Small organisations should start with unique accounts, enforced multi-factor authentication and periodic access reviews; the effort is typically a few days to a few weeks. Mid-market firms usually add SSO and RBAC, with projects taking 4 to 8 weeks and licensing from a few thousand pounds.
Large enterprises generally need enterprise SSO, PAM and workflow integrations, projects often measured in months and higher licence and integration costs. For certification against ISO 27001, evidence of policy, change control and periodic review is more important than specific vendor choices.
Common misconfigurations that cause audit findings
Poor practices that trigger auditor comments include shared service accounts without ownership, missing or infrequent access reviews, weak or absent multi factor authentication for high privilege users, and over‑permissive default roles. Regular attestation, logging of privileged sessions and demonstrable removal of leavers are key evidence points for Annex A compliance. At CyPro, we often see misaligned role definitions; correcting these typically reduces admin privilege counts by a clear margin and eases auditor queries.
A UK legal firm, ~200 staff, lacked centralised admin controls. We implemented RBAC, SSO and a lightweight PAM pilot over six weeks. The firm reduced privileged accounts by 62%, produced audit-ready evidence for Annex A and passed certification without major findings.
🔒 4. Operations Security and Vulnerability Management

Operations security must formalise change control, patching, logging, backups and secure procurement so that Annex A evidence is verifiable and repeatable. ISO 27001 Annex A expects documented processes, measurable activity and retained logs as auditor evidence.
Annex A ISO 27001 control families that matter here include A.12 (operations security), A.9 (access control) and A.14 (system acquisition, development and maintenance). ISO 27001 Annex A maps to practical controls such as change windows, approved patch baselines, signed-off configuration items, immutable backup verification and supplier security clauses.
What Annex A requires on patching, change control and logging
Annex A requires a controlled change process, timely patching and retained logs demonstrating detection and response capability. The ISO 27001 standard expects organisations to show change approvals, rollback plans, and evidence that high‑risk patches are applied within defined Service Level Agreements (SLAs).
In our experience, audit gaps arise where patch exceptions are undocumented or where logging lacks retention or tamper evidence.
The National Cyber Security Centre (NCSC) guidance on logging and monitoring gives practical configuration checklists that auditors accept, and organisations should cross‑reference those checklists to their Annex A evidence pack.
For broader sector trends, the GOV.UK cyber security longitudinal survey provides data on adoption rates of basic operational practices across UK firms, useful for benchmarking.
Why continuous vulnerability management matters
Continuous vulnerability management demonstrates a repeatable risk reduction process that Annex A requires. Regular discovery, prioritisation and remediation of vulnerabilities, combined with proof of risk acceptance for deferred items, is core audit evidence.
- ENISA and Verizon reporting show that persistent vulnerabilities and unpatched systems remain frequent exploitation routes.
- Organisations should run authenticated scanning, prioritise by exposure and exploitability, and map results to configuration baselines held in the change control record.
- Where an organisation cannot remediate quickly, documented compensating controls and a recorded risk acceptance are necessary Annex A artefacts.
Cost and effort indicators: Expect initial inventory and tooling work to take 4 to 12 weeks for mid‑market UK organisations, then monthly cadence for scans, quarterly patch cycles for low‑risk systems and emergency patching for essential CVEs. Evidence commonly requested by auditors includes change tickets, patch reports, vulnerability scan exports and storage snapshots showing successful backups.
A UK legal firm, ~200 staff, had inconsistent patching records. We implemented a scheduled patch cadence, centralised logging and a change approval template. Within three months the firm provided auditors with continuous patch reports and reduced outstanding high‑risk findings by 64%.
🔔 5. Incident Management, Business Continuity and Compliance
Incident management and business continuity controls in Annex A require documented incident response, logging, testing and recovery plans, plus evidence of regular exercises and post-incident review. These ISO 27001 controls map to UK GDPR breach notification duties and ICO expectations for timely reporting.
What Annex A requires
Annex A expects an organisation to maintain an incident response plan, defined roles and responsibilities, logging and monitoring, and backup and recovery procedures that are tested regularly. ISO 27001 Annex A control A.16 covers information security incident management, while A.17 covers business continuity. The ISO 27001 controls demand written procedures, incident logging, root cause analysis and measurable recovery objectives.
How this maps to UK GDPR and the ICO
Under UK GDPR, organisations must report personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours when feasible, and notify affected data subjects when there is likely high risk. The ICO’s annual reporting highlights recurring failings around timely notification and poor incident evidence, so Annex A alignment helps meet those expectations. See the ICO annual report for context and common ISO 27001 control failures at Information Commissioner’s Office, 2024.
Evidence auditors and certifiers look for
Auditors look for an incident register, post-incident reports, test results from tabletop and live recovery exercises, and evidence of corrective actions. Logs, change tickets and retention policies must be demonstrable. ENISA and the UK National Cyber Security Centre emphasise the value of exercising plans; published reviews note organisations that run regular exercises recover faster and show stronger audit trails. See the ENISA state of cybersecurity report for exercise guidance at ENISA, 2024.
A UK legal firm, ~200 staff, lacked a formal incident register and had inconsistent backup verification, leaving client matters at risk during a ransomware event.
We ran a focused Incident Response uplift and tabletop programme and combined that with our IT Disaster Recovery Plan service and Cyber Incident Response playbooks. The work included three tabletop exercises and automated backup verification.
Within eight weeks the firm had an auditable incident register, validated recovery runbooks and a 60% reduction in measured time-to-recover in simulated tests.
Practical steps and effort estimates
Start with an incident register and one tabletop exercise for high-impact scenarios. For a mid-market UK organisation expect 2 to 6 weeks to draft plans and run initial exercises, then quarterly tabletop drills and annual live recovery tests. Target Recovery Time Objective (RTO) and Recovery Point Objective (RPO) values in documentation, and retain exercise evidence for certification audits. For guidance on building a programme, our Cyber Incident Response and IT Disaster Recovery Plan services provide templates and hands-on support.
🔧 How to use this list: Mapping to your ISMS, the Statement of Applicability and next steps

The list maps each ISO 27001 control to your Information Security Management System (ISMS) and shows how to decide whether a control belongs in the Statement of Applicability (SoA): Include an ISO 27001 control if it reduces an identified risk, provide evidence of implementation, or record a justified exclusion with compensating measures.
Map Annex A controls to your risk treatment plan, mark each control as Implemented, Not Implemented or Compensated in the SoA, and keep one piece of auditable evidence per control.
What to map first
Start with assets, business processes and high‑value data. For ISO 27001, each Annex A control should be mapped to the risks you list in your risk register. The National Cyber Security Centre (NCSC) guidance on risk management will help align ISO 27001 control selection to threat scenarios; see the Cyber Security Longitudinal Survey for UK adoption context and to understand common capability gaps.
How to populate the Statement of Applicability
Answer three questions for every ISO 27001 control: Is it applicable? Have we implemented it? What evidence proves it? The Statement of Applicability must record the decision, the owner and the justification for exclusions. The UK Government’s market study on managed services shows organisations often miss documenting ownership when outsourcing ISO 27001 controls, so include supplier responsibilities in the SoA and your supplier contracts: see the Managed Service Providers Market Study.
Practical prioritisation for UK organisations
Prioritise ISO 27001 controls that address high‑likelihood, high‑impact risks in your risk register. For mid‑market firms we recommend a prioritisation banding: Band 1 (must have) for legal, regulatory and contractual obligations; Band 2 (should have) for business continuity and detection; Band 3 (nice to have) for low‑risk technical improvements. Use the SoA to show auditors why an ISO 27001 control is Band 2 or 3 rather than Band 1, with evidence such as change tickets, test reports and supplier SLAs.
Next steps and evidence templates
At CyPro, we provide simple evidence templates that map each of the ISO 27001 controls to the SoA entry, required artefacts and acceptance criteria. For audit preparation, gather one primary artefact per control, a dated implementation note, and a named owner. If you outsource an ISO 27001 control, include the supplier’s proof of performance such as penetration test reports or service logs in the evidence pack.
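The SoA rules set out in this section (every applicable control traced to a risk, a named owner, a status and dated evidence; every exclusion justified; outsourced controls carrying a recorded supplier responsibility; UK GDPR-supporting controls flagged for rapid evidence packaging) can be checked mechanically over a SoA register. The following is an added example, not CyPro's template or ISO text; the field names, the 12-month evidence-age threshold and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Status values used for SoA rows; "Excluded" accompanies a not-applicable decision.
STATUSES = {"Implemented", "Not Implemented", "Compensated", "Excluded"}
# Assumption: evidence older than one annual review cycle is treated as stale.
MAX_EVIDENCE_AGE_DAYS = 365


@dataclass
class SoAEntry:
    control: str                      # Annex A reference, e.g. "A.9.2.1"
    title: str
    applicable: bool                  # "Is it applicable?"
    status: str                       # "Have we implemented it?"
    risk_refs: list = field(default_factory=list)   # risk register ids
    owner: str = ""                   # named control owner
    evidence: list = field(default_factory=list)    # (artefact, date) pairs
    justification: str = ""           # exclusion rationale or risk acceptance
    compensating: str = ""            # measures recorded when Compensated
    outsourced_to: str = ""           # supplier, if the control is outsourced
    supplier_responsibility: str = "" # contract clause or SLA reference
    supports_uk_gdpr: bool = False    # flag for regulator evidence packs


def check_entry(e: SoAEntry, today: date) -> list:
    """Return nonconformity strings for one SoA row; an empty list means clean."""
    findings = []
    if e.status not in STATUSES:
        findings.append(f"unknown status '{e.status}'")
    if not e.applicable:
        # Exclusions are permitted, but only with a written justification.
        if not e.justification:
            findings.append("excluded without documented justification")
        if e.status != "Excluded":
            findings.append("not applicable but status is not 'Excluded'")
        return findings
    if e.status == "Excluded":
        findings.append("applicable control marked Excluded")
    if not e.risk_refs:
        findings.append("no risk register reference")
    if not e.owner:
        findings.append("no named owner")
    if e.status == "Implemented" and not e.evidence:
        findings.append("Implemented with no evidence artefact")
    if e.status == "Compensated" and not e.compensating:
        findings.append("Compensated without recorded compensating measures")
    if e.status == "Not Implemented" and not e.justification:
        findings.append("open gap without recorded risk acceptance")
    stale = [a for a, d in e.evidence if (today - d).days > MAX_EVIDENCE_AGE_DAYS]
    if stale:
        findings.append("stale evidence: " + ", ".join(stale))
    if e.outsourced_to and not e.supplier_responsibility:
        findings.append(f"outsourced to {e.outsourced_to} without supplier responsibility")
    return findings


def review_soa(entries, today):
    """Map control reference -> findings, for rows that have any."""
    report = {}
    for e in entries:
        findings = check_entry(e, today)
        if findings:
            report[e.control] = findings
    return report


def gdpr_evidence_pack(entries):
    """Artefacts for applicable controls flagged as supporting UK GDPR obligations."""
    return {e.control: [a for a, _ in e.evidence]
            for e in entries if e.applicable and e.supports_uk_gdpr}


# Constructed sample register (not a real client's SoA); references follow the guide.
TODAY = date(2026, 1, 15)
SAMPLE = [
    SoAEntry("A.5", "Information security policies", True, "Implemented", ["R-01"], "CISO",
             [("Information Security Policy v3", date(2025, 11, 3)),
              ("Board approval minutes", date(2025, 11, 10))], supports_uk_gdpr=True),
    SoAEntry("A.9.2.1", "User access provisioning", True, "Implemented", ["R-07"], "Head of IT",
             [("Access Control Procedure", date(2024, 6, 1))], supports_uk_gdpr=True),
    SoAEntry("A.12", "Operations security", True, "Compensated", ["R-12"], "IT Ops Lead",
             [("Patch report Q4", date(2025, 12, 20))]),
    SoAEntry("A.15", "Supplier relationships", True, "Implemented", ["R-15"], "Procurement Lead",
             [("MSP contract", date(2025, 3, 1))], outsourced_to="Example MSP Ltd"),
    SoAEntry("A.17", "Business continuity", True, "Not Implemented"),
    SoAEntry("A.14", "System acquisition, development and maintenance", False, "Excluded",
             justification="No in-house development; all software is procured"),
]

if __name__ == "__main__":
    for control, findings in review_soa(SAMPLE, TODAY).items():
        print(f"{control}: " + "; ".join(findings))
    print("UK GDPR evidence pack:", gdpr_evidence_pack(SAMPLE))
```

Running it against the sample flags A.9.2.1 (stale evidence), A.12 (no compensating measures recorded), A.15 (outsourced without supplier responsibility) and A.17 (no risk, owner or risk acceptance), while A.5 and the justified exclusion A.14 pass.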
❓ Frequently asked questions
How many Annex A ISO 27001 controls are in ISO/IEC 27001 (2022)?
There are 114 Annex A controls in ISO/IEC 27001. These controls are organised into thematic groups and organisations pick which controls apply through the Statement of Applicability (SoA). In the UK, the Information Security Management System (ISMS) should reference British Standards Institution (BSI) guidance when mapping Annex A into local practice and certification evidence.
Which Annex A controls are mandatory for ISO 27001 (2022) certification?
No Annex A controls are mandatory for ISO/IEC 27001 certification. The key requirement is a documented risk assessment that justifies chosen controls in the Statement of Applicability (SoA). Auditors expect clear reasons for any exclusions and evidence that risk treatment decisions follow the ISMS. In the UK, auditors look for concise documented justification tied to business risk and law.
How do ISO 27001 controls (Annex A) map to UK GDPR requirements?
Annex A maps to UK GDPR via controls such as access control, encryption, logging and incident response that support data protection principles. Annex A helps demonstrate accountability and readiness for data breaches under UK GDPR. Auditors typically expect evidence like access registers, encryption policies, incident response runs and records of data protection impact assessments when linking Annex A controls to UK GDPR obligations.
What is the Statement of Applicability (SoA) in ISO/IEC 27001?
The Statement of Applicability (SoA) is the ISMS document that lists Annex A controls, states whether each control is applied or excluded, and records justification and implementation status.
A typical SoA entry shows the control reference, selection decision, risk treatment rationale and where evidence lives. For example: A.9.2.1, User access provisioning: Applied, mitigates unauthorised access, evidence in Access Control Procedure.
How should a UK SME prioritise Annex A ISO 27001 controls first?
Start with a risk-based prioritisation: Inventory high-value assets, assess likely threats and map to regulator obligations and major customers.
Quick wins include an asset inventory, basic access controls (MFA, least privilege) and reliable backups with tested restores. Bring in external help when resources or certification timelines are tight to speed risk assessment and SoA drafting for ISO/IEC 27001.