Exploring Annex A: My First Steps with ISO 27001 Controls

As an experienced ISO professional in quality, environment, and OH&S, I find myself stepping into new territory—ISO 27001 Information Security. It’s a whole new world for me, and I’ve been wondering whether my background in other ISO standards can help me add this one to my toolkit. 

Last week’s Lead the Standard took a closer look at the question: Do you really need IT experience to work with ISO 27001? The consensus from experts pointed to one key challenge: while IT experience might not be essential, understanding Annex A and the controls in ISO 27001 is critical.

Armed with this insight, I’ve focused this week’s ISO 27001: Beginner for Beginners article on exploring Annex A and what it means for someone like me just starting out in this space. 

Our very own Information Security Expert, Dr. Georg Thomas, gave a short answer of Anything related to a third party and backed it up with. 

"There are many controls that can be difficult to implement, because every environment is different in risk profile, size, and complexity; the larger and more complex generally being more difficult. Having said that, if there had to be a common winner, it would have to be controls that are related to third parties.

With third parties, the ability to influence and get controls implemented to meet your organisations security requirement outside of your own organisation, comes with it’s own set of challenges and can be very difficult to implement and manage."

Most other ISO standards provide a framework for management systems but don’t go as far as prescribing specific controls in this way. So, what exactly is in Annex A? Think of it as the ultimate security checklist—4 categories with 93 controls covering everything an organization needs to protect its information. If ISO 27001 were a fortress, Annex A would be the blueprint for its defenses.  

Now, before you panic at the thought of implementing all 93 security controls, here’s the good news—you don’t have to! Annex A isn’t a checklist where you tick off every item; it’s more like a menu of security measures. You choose the ones that make sense for your organization based on your risk assessment and business needs. 

This is different from something like a hierarchy of controls, which I’m already familiar with from my experience in ISO 45001 (OH&S) and ISO 14001 (Environment). In those standards, risk is controlled using a structured approach—eliminate the hazard if possible, then substitute, engineer, or put administrative controls in place before relying on personal protective measures. 

While ISO 27001 doesn’t structure Annex A as a strict hierarchy, that same thinking still applies. The idea is to prioritize controls that provide the greatest level of protection with the least dependence on reactive measures. For example: 

• Instead of relying on training alone (people control), I’d look at stronger access controls (technical control) to prevent unauthorized access in the first place—just like how engineering controls are prioritized over administrative ones in safety management. 

• Encryption and multi-factor authentication act as proactive security layers, much like how safety barriers or ventilation systems reduce risk in OH&S. 

So, while Annex A isn’t a step-by-step hierarchy, my background in risk-based decision-making helps me approach it strategically. Instead of applying every control blindly, I can assess which ones provide the best protection with the least effort and impact. 

Rather than viewing it as an overwhelming list, think of it as four key areas that work together to safeguard information:

• Organizational Controls – The bigger picture!
  These controls focus on policies, risk management, and ensuring security is built into how an organization operates.
• People Controls – Because security isn’t just about technology!
  This covers things like training, responsibilities, and making sure everyone understands how to protect information.
• Physical Controls – Security isn’t just digital!
  This covers things like locked doors, secure server rooms, and making sure unauthorized people can’t physically access sensitive information.
• Technological Controls – The techy side of things.
  Encryption, access controls, and making sure systems are secure from cyber threats.

Each of these areas has its own set of controls, but at the end of the day, they all work together to protect information—whether it's online, on paper, or even just spoken in a meeting. 

An Ethical Hacker Can Help You Beat a Malicious One

Our soon to be released ISO 27001 course is authored by our Information Security expert, Dr. Georg Thomas. In his article, "An ethical hacker can help you beat a malicious one," Georg discusses the role of ethical hackers in identifying and addressing system vulnerabilities before malicious actors can exploit them.

He explains the distinctions between black hat, grey hat, and white hat hackers, emphasizing how ethical hackers (white hats) use their skills to strengthen organizational security.

Visualizing Annex A

This model shows how the four Annex A categories influence both strategic and operational levels (up and down) as well as technical and non-technical domains (side to side). It helps to connect the dots and shows how all the pieces work together to build a strong information security framework. As an ISO professional stepping into this new standard, creating this model has been a game-changer for me.

It’s helped me take the complexity of ISO 27001 and break it down into something familiar and relatable by linking the Annex A controls to what I already know from other ISO standards. Not only has it made ISO 27001 clearer for me, but it’s also given me a practical tool I can use and share with others exploring this space.

Policy Development (Physical + Organizational)

• Information security policies: These are the rules and guidelines an organization follows to keep information safe, like a playbook everyone sticks to.
• Risk management frameworks: A plan to identify and deal with potential risks to information, helping to keep surprises under control.
• Supplier relationship management: Ensuring that third parties or suppliers follow security standards to protect your information.
• Business continuity planning: Making sure the organization can keep running smoothly, even if something unexpected happens, like a cyberattack.

Encryption (Organizational + Technological)

• Data encryption at rest and in transit: This means protecting data while it's stored (at rest) and while it's being sent from one place to another (in transit), so no one can access it without permission.
• Key management practices: Just like you’d carefully store and manage a physical key, encryption keys need to be securely handled to keep data safe.
• Cryptographic controls for secure communications: These are tools to ensure that messages, emails, and other communications stay private and can only be read by the right people.

Access Management (People + Technological)

• Multi-factor authentication: A way to confirm your identity by requiring two or more proofs, like a password and a phone verification code.
• Role-based access control systems: Giving access only to people who need it for their job, so not everyone can see everything.
• Monitoring and logging of access attempts: Keeping track of who tries to access systems and when, so you can spot anything unusual.
• Password management protocols: Guidelines for creating strong passwords and keeping them secure, like not reusing old ones or sharing them.

Security Training (Physical + People)

• Employee awareness programs: Teaching staff how to spot risks like phishing emails and what to do to stay secure.
• Phishing simulation exercises: Practice scenarios that show employees what a phishing attempt looks like so they know how to avoid it.
• Incident response role-based training: Helping staff learn their roles in case of a security incident, so everyone knows exactly what to do.
• Secure remote working guidelines: Tips and rules for staying safe when working from home or other remote locations.

Next Steps to Explore ISO 27001 

1. Familiarize Yourself with Annex A Controls

Take some time to review the 93 controls in Annex A and think about how they might apply to your organization or projects. Start by focusing on the controls most relevant to your industry or role. 

2. Assess Your Current Knowledge and Skills

Reflect on your experience with other ISO standards and identify areas where your existing knowledge overlaps with ISO 27001. Consider where you might need to build new skills, like understanding technical controls or conducting a risk assessment. 

3. Take Action with Learning Resources

Whether it's enrolling in an ISO 27001 course, attending a webinar, or exploring online tools, commit to deepening your understanding of this standard. For those ready to dive in, our soon-to-be-released ISO 27001 course is a great place to start!