
Annex A in ISO/IEC 27001:2022: from 114 controls to 93

The Annex A refresh is the most visible change in ISO/IEC 27001:2022. The control set was reduced from 114 to 93 and regrouped into four themes that are easier to read but not necessarily lighter to implement.

6 min read
Audience: ISO/IEC 27001 practitioners, internal owners, consultants, and teams reviewing a Statement of Applicability
2026-04-24

Why Annex A gets most of the attention

When teams talk about ISO/IEC 27001:2022, they often mean Annex A first. That is understandable. Annex A is where the old mental map changes most visibly, and it is where many working documents, gap assessments, and auditor discussions tend to focus.

In the 2013 edition, Annex A listed 114 controls across 14 groups. In the 2022 edition, that becomes 93 controls in four themes. The shift is big enough that anyone familiar with the old numbering feels the change immediately.

The four themes matter because they change how people read the control set

BSI’s summaries of the 2022 structure break the 93 controls into four areas. This makes the set easier to navigate and more obviously aligned to the way modern organizations think about security operations.

  • Organizational controls: 37
  • People controls: 8
  • Physical controls: 14
  • Technological controls: 34

Fewer controls does not mean less work

A common first reaction is to assume that 93 controls must mean a lighter standard than 114 controls. That is too simplistic. The change is better understood as restructuring and modernization rather than reduction for its own sake.

BSI’s published change summaries describe a mix of merged, revised, and new controls. In other words, the control set is not just shorter. It has been reorganized to reflect how information security is actually implemented now, especially in cloud-heavy and more continuously monitored environments.

That is why the updated Annex A can still create real work even for mature teams. The question is not just how many controls exist. It is how well your current evidence, ownership, and treatment decisions map to the 2022 view of the world.

What a useful Annex A review looks like

The unhelpful approach is to treat the whole exercise as a line-by-line renumbering task. That might produce a document that looks updated while leaving the actual control thinking unchanged.

A more useful review starts by asking whether your SoA still shows a clear decision on applicability, whether the reasoning still makes sense, and whether the linked evidence still reflects the real operating environment.

  • Review the SoA against the four new themes rather than trying to preserve the old 14-group layout
  • Check whether merged controls have changed how you describe scope, ownership, or evidence
  • Revisit risk treatment decisions, especially where controls now sit in a different context
  • Look for blind spots around cloud, deletion, monitoring, and secure development practices
  • Make sure the SoA still reads like a current management document rather than a historical artifact

Annex A is still a reference set, not a default checklist

One of the easiest mistakes is to speak about the 93 controls as though every organization must adopt every control in the same way. That is not how Annex A works. It is a reference set that supports control selection and justification through risk assessment and risk treatment.

That is why the Statement of Applicability remains so important. In a good 2022 implementation, the SoA explains not just what the control number is, but why the control is applicable, how it is implemented, and where the evidence or supporting policy sits.
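As an added example that is not from the article, BSI, or the standard itself, here is a small Python check that encodes the review questions listed above and the SoA expectations in the previous paragraph: every row must carry a clear applicability decision and a justification, an applicable control must also name an owner and linked evidence or policy, and rows are counted against the four 2022 themes and their control totals. The field names, sample rows and control ids are constructed placeholders, not real Annex A numbers.

```python
from collections import Counter

# Control counts per 2022 theme, as listed in the article (37 + 8 + 14 + 34 = 93).
THEME_TOTALS = {"Organizational": 37, "People": 8, "Physical": 14, "Technological": 34}
ALLOWED_DECISIONS = {"applicable", "not applicable"}

def check_entry(entry):
    """Return the list of gaps found in one SoA row; an empty list means the row is complete."""
    findings = []
    if entry.get("theme") not in THEME_TOTALS:
        findings.append("theme is not one of the four 2022 themes")
    if entry.get("decision") not in ALLOWED_DECISIONS:
        findings.append("no clear applicability decision")
    if not entry.get("justification", "").strip():
        findings.append("no justification for the decision")
    if entry.get("decision") == "applicable":
        # An applicable control needs someone accountable and something to point at.
        if not entry.get("owner"):
            findings.append("applicable control has no owner")
        if not entry.get("evidence"):
            findings.append("applicable control has no linked evidence or policy")
    return findings

def review_soa(entries):
    """Check every row and report per-theme coverage as (rows seen, controls in theme)."""
    findings = {}
    seen = Counter()
    for entry in entries:
        gaps = check_entry(entry)
        if gaps:
            findings[entry["id"]] = gaps
        if entry.get("theme") in THEME_TOTALS:
            seen[entry["theme"]] += 1
    coverage = {theme: (seen[theme], total) for theme, total in THEME_TOTALS.items()}
    return {"findings": findings, "coverage": coverage}

# Constructed sample rows; the ids are placeholders, not real Annex A control numbers.
SAMPLE_SOA = [
    {"id": "ORG-01", "theme": "Organizational", "decision": "applicable",
     "justification": "Required by customer contracts", "owner": "CISO", "evidence": "POL-001"},
    {"id": "PHY-01", "theme": "Physical", "decision": "not applicable",
     "justification": "No on-premises server rooms; workloads are fully cloud hosted"},
    {"id": "TEC-01", "theme": "Technological", "decision": "applicable",
     "justification": "", "owner": "", "evidence": ""},
    {"id": "OLD-01", "theme": "A.5 Information security policies", "decision": "",
     "justification": "Carried over unchanged from the 2013 SoA"},
]
```

Running `review_soa(SAMPLE_SOA)` flags the row with an empty justification and no owner or evidence, and the row still filed under a 2013 group name with no decision; the coverage figures show how far each theme is from being fully represented in the SoA.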
