AI-27001guided trial

Annex A

Annex A in ISO/IEC 27001:2022: from 114 controls to 93

The Annex A refresh is the most visible change in ISO/IEC 27001:2022. The control set was reduced from 114 to 93 and regrouped into four themes that are easier to read but not necessarily lighter to implement.

Published 24 April 2026Updated 24 April 20266 min readISO/IEC 27001 practitioners, internal owners, consultants, and teams reviewing a Statement of Applicability

Why Annex A gets most of the attention

When teams talk about ISO/IEC 27001:2022, they often mean Annex A first. That is understandable. Annex A is where the old mental map changes most visibly, and it is where many working documents, gap assessments, and auditor discussions tend to focus.

In the 2013 edition, Annex A listed 114 controls across 14 groups. In the 2022 edition, that becomes 93 controls in four themes. The shift is big enough that anyone familiar with the old numbering feels the change immediately.

The four themes matter because they change how people read the control set

BSI’s summaries of the 2022 structure break the 93 controls into four areas. This makes the set easier to navigate and more obviously aligned to the way modern organizations think about security operations.

  • Organizational controls: 37
  • People controls: 8
  • Physical controls: 14
  • Technological controls: 34

Fewer controls does not mean less work

A common first reaction is to assume that 93 controls must mean a lighter standard than 114 controls. That is too simplistic. The change is better understood as restructuring and modernization rather than reduction for its own sake.

BSI’s published change summaries describe a mix of merged, revised, and new controls. In other words, the control set is not just shorter. It has been reorganized to reflect how information security is actually implemented now, especially in cloud-heavy and more continuously monitored environments.

That is why the updated Annex A can still create real work even for mature teams. The question is not just how many controls exist. It is how well your current evidence, ownership, and treatment decisions map to the 2022 view of the world.

What a useful Annex A review looks like

The unhelpful approach is to treat the whole exercise as a line-by-line renumbering task. That might produce a document that looks updated while leaving the actual control thinking unchanged.

A more useful review starts by asking whether your SoA still shows a clear decision on applicability, whether the reasoning still makes sense, and whether the linked evidence still reflects the real operating environment.

  • Review the SoA against the four new themes rather than trying to preserve the old 14-group layout
  • Check whether merged controls have changed how you describe scope, ownership, or evidence
  • Revisit risk treatment decisions, especially where controls now sit in a different context
  • Look for blind spots around cloud, deletion, monitoring, and secure development practices
  • Make sure the SoA still reads like a current management document rather than a historical artifact

Annex A is still a reference set, not a default checklist

One of the easiest mistakes is to speak about the 93 controls as though every organization must adopt every control in the same way. That is not how Annex A works. It is a reference set that supports control selection and justification through risk assessment and risk treatment.

That is why the Statement of Applicability remains so important. In a good 2022 implementation, the SoA explains not just what the control number is, but why the control is applicable, how it is implemented, and where the evidence or supporting policy sits.

Prefer to talk it through?

If you are reworking an SoA or Annex A mapping, talk to AI-27001.

A lot of Annex A pain comes from trying to preserve old 2013 structure for too long. If you are reviewing your mapping, our team can talk through what usually needs the closest attention.

See the free ISO 27001 evidence review

Related reading

Related articles to read next.

These articles sit closest to the same evidence, assurance, or standards question and give a practical next step after this piece.