ISO 27001:2022 Twenty-Two Controls That Most Implementations Delegate to HR and Facilities. ISO 27001 Delegates Them to Nobody. They are Information Security Controls.

ISO 27001 Annex A.6 and A.7 controls are often treated as HR and Facilities tasks. This blog explains why they are ISMS controls requiring governance, ownership, and evidence.

ISO 27001:2022 Thirty-Four Technological Controls. Seven New Since 2022. Stage 2 Auditors Test These Operationally. Most ISMS Programmes are Not Prepared for That Test.

ISO 27001 Annex A.8 is where controls are tested technically, not just documented. This blog explains how to demonstrate real implementation with logs, configurations, and operational evidence.

ISO 27001:2022 Thirty-Seven Organisational Controls. Three New Since 2022. Most Implementations Treat Them as Policies. The Standard Treats Them as Operational Obligations.

Most ISO 27001 Annex A.5 controls are implemented as policies—but policies are not controls. This blog explains how to demonstrate operational evidence for organisational controls.