
ISO/IEC 27001 Controls Handbook 1

Title Thumbnail & Hero Image: ISO27001 Version 2022 Banner, source: questinc.com, access date: Nov.17, 2025.

First revision: Nov.17, 2025
Last change: Dec.12, 2025
Searched, gathered, rearranged, translated, and compiled by
Apirak Kanchanakongkha.
1. Information security

There are 93 controls: the ninety-three broadly formulated controls.
  • IEC - International Electrotechnical Commission, IEC standards are international guidelines developed by the International Electrotechnical Commission to ensure safety, performance, and interoperability of electrical and electronic systems.

2. ISO/IEC 27001 - Management system

3. ISO/IEC 27001 - Annex A
ANNEX A
Pick up your ISO/IEC 27001 standard and go to Annex A. This annex contains ninety-three controls you can apply to treat information security risks.
       
In principle, Annex A could have been left out of the Standard for the implementation of a management system for information security. The appendix is only included in the Standard so that, after choosing your own measures, you can verify that no necessary controls have been omitted (see ISMS Clauses 6.1.3).
     
The Standard wants to prevent you from overlooking something and has placed ninety-three commonly used controls in an appendix. The ISO/IEC organization describes these Annex A controls as [5]:
             
A generic mixture of organizational, people, physical, and technological information security controls derived from internationally recognized best practices.
       
Now read the text directly under the title Annex A. It starts with the statement that the Annex A controls are "directly derived from and aligned with those listed in ISO/IEC 27002."
       
The reason the numbering of the controls in Annex A of the ISO/IEC 27001 standard starts at 5 rather than 1 is that these controls come from the ISO/IEC 27002 standards and are covered from Chapter 5 onwards. See the adjacent image for an overview of the relationships between the various ISO/IEC documents.
       
There is an important difference between the ninety-three controls listed in the ISO/IEC 27002 standard and the ninety-three controls listed in Annex A of the ISO/IEC 27001 standard. For all controls in the ISO/IEC 27001 standard, the non-binding "should" has been replaced by the mandatory "shall." The following example shows this difference:
Example
ISO/IEC 27002-8.15: Logging
Logs that record activities, exceptions, faults, and other relevant events SHOULD be produced, stored, protected, and analyzed.

ISO/IEC 27001-8.15: Logging
Logs that record activities, exceptions, faults, and other relevant events SHALL be produced, stored, protected, and analyzed.
By making the controls normative, the ISO/IEC 27001 standard forces you to make a statement about which Annex A controls do or do not apply to your organization. You must record this statement in a formal document: the Statement of Applicability. More on that later, first something else.

COHERENCE BETWEEN CONTROLS AND RISKS
Take the ISO/IEC 27001 standard and read the short text under the heading "Annex A" again. The last part of this text says that all Annex A controls "are to be used in context with 6.1.3." What does this mean?

Relationships between ISO/IEC documents, developed on Dec.8, 2025.

In the Standard, go to ISMS Clause 6.1.3. As you can see, this clause is about information security risk treatment. So, the ninety-three Annex A controls are all intended for treating your information security risks. In other words, there must be a logical coherence between your risks and the use of the Annex A controls.
       
The mandatory coherence between controls and risks prompts the following question: Does a list of ninety-three controls mean that you must have identified at least ninety-three information security risks? No, this is not the case. Usually, several controls can be used simultaneously for the treatment of one risk.
Example

An organization wants to reduce the risk of ransomware affecting the availability of information. The risk is addressed with the following controls: awareness, education, and training (6.3), controls against malware (8.7), and backup of information (8.13).

Likewise, several risks can sometimes benefit from the same control. For example, the control "awareness, education, and training" (6.3) can often be used to treat multiple risks. In short, there is no one-to-one relationship between risks and controls.
       
Do you need to apply all controls? No, that is not necessary. If you cannot apply an Annex A control to treat your risks, you may exclude this control in your Statement of Applicability.

STATEMENT OF APPLICABILITY (SoA)
ISMS Clause 6.1.3 requires you to produce a statement of applicability (SoA). This is a document that must contain the following information:
  • The necessary controls. List in your SoA the ninety-three Annex A controls, as well as a description of any other controls you have applied.
  • A justification for their inclusion. For each control applied, provide a brief explanation of why you applied it.
  • Whether the necessary controls are implemented or not. For each control applied, make it clear whether it is currently implemented.
  • The justification for excluding any of the Annex A controls. For each Annex A control that you have not applied, provide a short explanation of why this is the case.
To ensure that the ISO/IEC 27001 standard is applied correctly, the ISO/IEC organization has published the supporting standard ISO/IEC 27003 [6]. This standard says the following about excluding controls:
         
Any control within Annex A that does not contribute to modifying risk should be excluded from the SoA, and justification for the exclusion should be given.
       
So the justification for excluding a control must somehow make it clear why the control cannot contribute to changing your information security risks.
More information about defining and using a Statement of Applicability can be found in the ISO 27001 ISMS Handbook [20].
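One way to make the coherence between risks and controls and the four SoA items concrete, as an added example that is not part of the handbook or of the ISO/IEC standards: the control numbers are the ones quoted on this page (6.3, 8.7, 8.13, 8.15), while the risk register, the implementation status and the justification texts are constructed sample data. The checks flag the three situations the text warns about: a control that is included but treats no registered risk, a control that is neither applied nor excluded with a justification (the "overlooked" case Annex A exists to prevent), and a control that is excluded although a risk treatment still relies on it.

```python
"""Added example (not from the handbook): model the ISMS Clause 6.1.3 link between
risks and Annex A controls and check a Statement of Applicability (SoA) for the
four items the page lists. Control numbers are those quoted on the page; the
risk register, justifications and implementation status are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass

# Annex A controls quoted on the page (the full Annex A lists 93 of them).
ANNEX_A = {
    "6.3": "Information security awareness, education and training",
    "8.7": "Protection against malware",
    "8.13": "Information backup",
    "8.15": "Logging",
}


@dataclass(frozen=True)
class Risk:
    name: str
    controls: tuple[str, ...]   # controls chosen to treat this risk (many-to-many)


@dataclass(frozen=True)
class SoAEntry:
    control: str
    title: str
    applicable: bool
    justification: str          # why included, or why excluded
    implemented: bool | None    # None for excluded controls
    treats_risks: tuple[str, ...]


def build_soa(risks: list[Risk], applied: dict[str, bool], excluded: dict[str, str]) -> list[SoAEntry]:
    """applied maps control -> currently implemented?; excluded maps control -> justification.
    The inclusion justification is derived from the risk register so it stays coherent with 6.1.3."""
    treated_by: dict[str, list[str]] = {}
    for risk in risks:
        for control in risk.controls:
            treated_by.setdefault(control, []).append(risk.name)
    entries = []
    for control, title in ANNEX_A.items():
        treated = tuple(treated_by.get(control, []))
        if control in applied:
            justification = "Treats risk(s): " + "; ".join(treated) if treated else ""
            entries.append(SoAEntry(control, title, True, justification, applied[control], treated))
        else:
            entries.append(SoAEntry(control, title, False, excluded.get(control, ""), None, treated))
    return entries


def check_soa(entries: list[SoAEntry]) -> list[str]:
    """Return findings; an empty list means every Annex A control is accounted for."""
    findings = []
    for e in entries:
        if e.applicable and not e.treats_risks:
            findings.append(f"{e.control}: included but treats no risk in the register")
        if not e.applicable and not e.justification:
            findings.append(f"{e.control}: neither applied nor excluded with justification (overlooked)")
        if not e.applicable and e.treats_risks:
            findings.append(f"{e.control}: excluded, yet risk(s) rely on it: " + "; ".join(e.treats_risks))
    return findings


# Constructed sample: the ransomware example from the page plus one more risk.
SAMPLE_RISKS = [
    Risk("Ransomware affecting availability of information", ("6.3", "8.7", "8.13")),
    Risk("Phishing leading to credential theft", ("6.3",)),
]
SAMPLE_APPLIED = {"6.3": True, "8.7": True, "8.13": False}   # 8.13 planned, not yet in place
SAMPLE_EXCLUDED: dict[str, str] = {}                            # 8.15 left out on purpose


def sample_findings() -> list[str]:
    """Findings for the constructed sample: 8.15 was never decided on."""
    return check_soa(build_soa(SAMPLE_RISKS, SAMPLE_APPLIED, SAMPLE_EXCLUDED))


if __name__ == "__main__":
    for entry in build_soa(SAMPLE_RISKS, SAMPLE_APPLIED, SAMPLE_EXCLUDED):
        status = "applicable" if entry.applicable else "excluded"
        print(f"{entry.control:5} {entry.title:55} {status:10} "
              f"implemented={entry.implemented} {entry.justification}")
    for finding in sample_findings():
        print("FINDING:", finding)
```

Running the block prints one SoA row per control and a single finding for 8.15; adding an exclusion justification for 8.15 (or applying it to a registered risk) clears the list. In practice the risk register and the applied/excluded decisions would come from the organization's own records rather than the literals above.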
PARTIAL APPLICATION OF AN ANNEX A CONTROL
The supporting ISO/IEC 27003
References:
01. From: ISO 27001 Controls Handbooks: Implementing and auditing 98 controls to reduce information security risks: organizational, people, technical. Cees Van Wens, ISBN 9798861393560, Deseo Publishing, 2023.
humanexcellence.thailand@gmail.com