Understanding ISO 27001’s 93 Security Controls: Your Essential Guide

If you’ve ever wondered what lies behind ISO 27001’s reputation as the gold standard for information security management, the answer is largely found in Annex A. This annex lists 93 specific security controls that form the backbone of any robust information security framework.

Think of these controls as your organisation’s security toolkit. They’re organised into four main themes that cover every aspect of information security:

  • organisational security policies,
  • people security,
  • physical and environmental security, and
  • technology security.

Rather than being a rigid checklist, they provide a comprehensive framework that you can adapt to your organisation’s specific needs and risk profile.

The Four Pillars of Security

Organisational Controls make up the largest group, covering everything from how you manage information security policies to supplier relationships and incident response procedures. These aren’t just about having the right paperwork in place—they ensure your entire organisation understands and implements security consistently across all departments and processes.

People Controls recognise that your staff are both your greatest asset and potentially your biggest vulnerability. These controls cover screening procedures, security awareness training, disciplinary processes, and ensuring people understand their responsibilities when they join, during their employment, and crucially, when they leave your organisation.

Physical and Environmental Controls might seem old-fashioned in our digital world, but they remain absolutely critical. From securing your server rooms and protecting against environmental threats to managing equipment disposal and ensuring clean desk policies, these controls protect the physical infrastructure that supports your digital operations.

Technological Controls address the digital heart of modern business operations. They cover access management, cryptography, system security, network security, application development security, and supplier relationship management from a technical perspective.

Why This Matters to You

The beauty of ISO 27001’s approach is that it doesn’t prescribe exactly how you must implement each control. Instead, it gives you the flexibility to choose measures that make sense for your organisation’s size, sector, and risk appetite. A small consultancy will implement access controls very differently from a large financial services firm, and that’s perfectly acceptable under the standard.

What’s particularly valuable about these 93 controls is how they work together as an integrated system. Your incident response procedures support your business continuity planning, which connects to your supplier management processes, which link back to your risk assessment methodology. It’s this interconnected approach that makes ISO 27001 so effective at protecting organisations comprehensively.

Getting Started

If you’re beginning your ISO 27001 journey, don’t feel overwhelmed by the number of controls. Start by conducting a thorough risk assessment to understand which controls are most relevant to your organisation’s specific circumstances. Many organisations find they’re already doing much of what’s required—the standard often provides a framework for formalising and improving existing good practices rather than starting from scratch.

Remember that achieving certification isn’t about implementing every single control perfectly from day one. It’s about demonstrating that you have a systematic approach to managing information security risks and that you’re continuously improving your security posture based on regular monitoring and review.

The 93 controls in Annex A represent decades of collective wisdom from information security professionals worldwide. They provide a roadmap that can help protect your organisation’s most valuable asset—its information—whilst supporting business objectives rather than hindering them.