ISO/IEC 27001:2022

The international standard, operated not stored.

93 Annex A controls, 7 management clauses, one Statement of Applicability — kept current as your business changes, not redrafted before each surveillance audit.

93 Annex A controls · 4 control themes · 7 mandatory clauses · 3 yr cert + 2 surveillance

Annex A · 4 themes · 93 controls

The 2022 reorganization, mapped

The latest revision collapsed 14 sections into 4 themes. We ship the entire control set ready for applicability decisions on day one.

A.5 Organizational · A.5.1 → A.5.37 · 37 controls
A.6 People · A.6.1 → A.6.8 · 8 controls
A.7 Physical · A.7.1 → A.7.14 · 14 controls
A.8 Technological · A.8.1 → A.8.34 · 34 controls

Clauses 4–10

The mandatory ISMS spine

Annex A is the menu. Clauses 4 through 10 are how you actually run an Information Security Management System.

§ 4 Context · Stakeholders, scope, ISMS boundary
§ 5 Leadership · Top management, policy, roles
§ 6 Planning · Risk and opportunity, treatment
§ 7 Support · Resources, competence, awareness, communication
§ 8 Operation · Risk treatment execution, processes
§ 9 Performance · Monitoring, internal audit, management review
§ 10 Improvement · Nonconformity, corrective action

Statement of Applicability

One source of truth for what's in scope

The SoA is generated from your applicability decisions. Versioned, signed, exportable — never reverse-engineered the night before fieldwork.

Annex A code | Control name                 | Applicable | Source   | Justification
A.5.7        | Threat intelligence          | Yes        | Adopted  | Required for ISMS effectiveness
A.5.23       | Cloud service use            | Yes        | Adopted  | Multi-tenant SaaS context
A.5.30       | ICT readiness for BCM        | Yes        | Excluded | Covered by group BCP framework
A.7.4        | Physical security monitoring | No         | Excluded | No on-prem perimeter — co-lo only
A.8.16       | Monitoring activities        | Yes        | Adopted  | Backbone of detection program
A.8.28       | Secure coding                | Yes        | Adopted  | SDLC requirement

Path to certification

14 weeks to Stage 2

W 1–2 Discover · Scope ISMS, stakeholders, asset inventory baseline
W 3–6 Design · Risk assessment, treatment plan, SoA draft
W 7–12 Deploy · Annex A controls deployed, evidence wired
W 13–14 Audit · Stage 1 document review, Stage 2 implementation audit

See ISO 27001 in your tenant

Annex A coverage, SoA discipline, and surveillance-audit packaging — all wired in.