Overcoming Annex A Control Selection Challenges: Your First Step to ISO 27001:2022 Certification

In October 2022, the ISO 27001:2013 standard was updated to accommodate the ever-changing landscape of technology and information security. While there were minor changes in clauses related to terminology and structure, major changes appeared in Annex A of ISO 27001:2022 to adapt to the evolving digital environment, including cloud computing, remote work, and IoT.

A Quick Visit To The Updated Annex A

Annex A in ISO 27001:2022 includes a comprehensive set of information security controls categorized into four themes, namely Organizational, People, Physical, and Technological.

While the previous version of Annex A (in ISO 27001:2013) contained 114 controls grouped into 14 categories, the new Annex A was revised to contain 93 controls. Although 11 new controls were added, multiple controls were merged and streamlined, which reduced the total number to 93. These 11 new controls address emerging information security concerns, such as threat intelligence, secure coding, data masking, ICT readiness for business continuity, and physical security monitoring, among others.

Annex A plays an important role during the preparation of the Statement of Applicability (SoA) as it provides a comprehensive list of controls to meet an organization’s unique needs and operational goals.

Let’s now take a closer look at what the Statement of Applicability (SoA) entails.

A Brief Explanation Of The Statement of Applicability (SoA)

The Statement of Applicability (SoA) is a mandatory document for any organization planning ISO 27001:2022 certification. It serves as the crucial link between risk assessment and the implementation of security controls from Annex A, justifying the inclusion or exclusion of controls and demonstrating compliance with ISO 27001. For lead auditors, the SoA is an essential document during internal audits, certification audits, and subsequent surveillance audits. In essence, a well-drafted SoA not only demonstrates an organization’s preparedness for the certification journey but also helps auditors gain a clearer understanding of the client’s environment.

While the SoA serves as a central piece in the ISO 27001 jigsaw, preparing a complete one with all relevant controls can be tedious and challenging. Annex A provides a comprehensive list of controls, but not all controls apply to every organization. Without an appropriate selection, the SoA may become inaccurate, potentially leading to wasted effort, overlooked security controls, and blindness to security risks.

Why Is It A Challenging And Tedious Task To Select Controls From Annex A?

Lack of understanding of an organization’s unique needs: There’s no one-size-fits-all approach to control selection. Each organization faces unique risks, possesses different assets, and operates in distinct environments. Choosing controls from Annex A without carefully considering these factors can lead to an imperfect SoA and critical gaps in protection.

Limited understanding of Annex A: Annex A provides a comprehensive list of controls, but not all controls apply to every organization. For instance, a manufacturing firm may focus more on operational resilience and physical security, along with the protection of confidential designs and access management for them. In contrast, a healthcare provider handling electronic patient records may prioritize data confidentiality and access management. Applying the same set of Annex A controls to both cases without understanding their specific relevance and effectiveness is not advisable.

Confusion in understanding the interdependency between controls: The effectiveness of some controls depends on supporting controls. For example, implementing an incident response plan (Annex A control A.5.25) requires security event monitoring (A.8.16) to detect incidents in the first place. Overlooking these relationships leads to an ineffective SoA.

Inadequate knowledge of control implementation: Sometimes organizations unknowingly apply too many controls from Annex A, which can hinder operational efficiency. In other cases, implementing too few controls increases the risk of vulnerabilities. To avoid these discrepancies, organizations need a thorough understanding of the functionality of each control in Annex A. Additionally, lacking contextual information, such as the risk profile, available resources, and compliance obligations, prevents organizations from choosing the right controls.

Dynamic nature of risks: Risks are not static; as the global attack surface evolves, controls that were once sufficient may become inadequate or outdated. Therefore, organizations must regularly reassess their risk treatment plans and associated controls. This ongoing review adds another layer of complexity to the control selection process.

Bridging The Gap And Simplifying The Annex A Control Selection Process

To effectively address the challenges of selecting and implementing Annex A controls, organizations must adopt a structured and informed approach that ensures alignment with their unique risks, operational needs, and compliance requirements. For this, they need to:

  • Develop a deep familiarity with Annex A controls.
  • Conduct a thorough risk assessment.
  • Recognize and map control interdependence.
  • Align controls with business objectives and resources.
  • Regularly review and update the SoA.

In a situation where an organization lacks the internal capability to effectively select, implement, and maintain Annex A controls, it can always turn to external cybersecurity consultants who bring deep expertise in ISO 27001 and Annex A controls. With the help of external consultants, organizations can reduce the chance of missing any critical controls and receive indispensable support toward achieving ISO certification on their first attempt. Consultants can conduct a risk assessment, guide control selection, and assist in preparing a robust SoA, among other activities. These activities are carried out by the Auditor and the Internal Audit & InfoSec Team.

Responsibilities Of The Lead Auditor:

Validate control selection: They review the Statement of Applicability and assess whether the selected controls align with the organization’s risk assessment and business context.

Verify implementation effectiveness: During audits, they examine evidence to ensure controls are not only selected but also properly implemented and maintained.

Identify gaps and non-conformities: Auditors highlight any weaknesses or missing controls that could jeopardize compliance or security.

Provide recommendations: Based on their findings, Lead Auditors suggest improvements to the control selection and implementation processes, helping the organization strengthen its ISMS.

Responsibilities Of The Internal Audit & InfoSec Team:

Risk assessment and gap analysis: The team identifies and evaluates information security risks across assets, processes, and systems. They conduct gap analysis against ISO 27001 Annex A requirements and map identified risks to the relevant Annex A controls for effective treatment.

Control design and implementation: They design controls tailored to the organization’s unique risk profile and operational environment. The team collaborates with IT, security and business units to ensure proper integration of these controls into day-to-day operations.

Control review and continuous improvement: They review the effectiveness of implemented controls through monitoring, testing, and audits. Additionally, they conduct incident and change reviews to assess whether existing controls are sufficient.

Policy review and compliance maintenance: The team updates policies, procedures, and controls during the annual policy review or in response to evolving risks. Additionally, they maintain the compliance calendar to ensure timely reviews, audits, and updates to controls.

Partnering with specialized compliance providers like Ampcus Cyber can help organizations overcome the challenges of finding certified and skilled consultants.

What Does Ampcus Cyber Offer?

Ampcus Cyber offers expert guidance in the complex process of selecting and implementing Annex A controls tailored to each organization’s unique risk profile and business environment. Our team of experts includes certified professionals, such as the internal InfoSec & audit team, lead auditors, and lead implementers, who play a significant role in simplifying the entire certification journey. From the preparation of the SoA to performing risk assessments and precise control selection tailored to your business needs, our team of in-house consultants ensures robust information security across assets, processes, and technologies. Our team of certified cybersecurity consultants brings deep experience in ISO 27001:2022 compliance, helping organizations navigate the nuances of control applicability, interdependencies, and industry-specific requirements.

Ampcus Cyber’s uniqueness lies in the TSAMA approach, which it follows for a successful ISO 27001 certification journey. By choosing us as your partner, you not only get technical expertise and compliance guidance but also end-to-end support.

This includes:

Ampcus Cyber’s uniqueness in ISO 27001 with the TSAMA approach

Our support extends beyond these steps, with our consultants providing additional guidance during subsequent audits in the second and third years. By embedding compliance, such as ISO 27001, into day-to-day operations and maintaining it throughout, Ampcus Cyber supports clients in sustaining long-term security and regulatory readiness.

Looking to simplify your ISO preparedness journey and eliminate the confusion of SoA creation? Ampcus Cyber is your trusted partner. Connect with us now!
