Study Document 05
ISO 27002 Annex A control reference.
A lead auditor reference for ISO/IEC 27001:2022 Annex A and ISO/IEC 27002:2022 control guidance: themes, control selection, audit evidence, Statement of Applicability linkage, and exam traps.
Purpose
Use Annex A as a control catalogue, not a standalone ISMS.
Annex A helps organizations check whether necessary information security controls have been considered during risk treatment. ISO 27002 provides implementation guidance, but ISO 27001 Clauses 4 to 10 remain the certifiable management system requirements.
Four themes
The 2022 control set is easier to audit by theme.
When studying, focus on the control purpose, risk being treated, owner, evidence, and operating effectiveness. Do not try to memorise every sentence of every control.
Organizational controls
Governance, roles, policies, assets, suppliers, cloud, incident handling, legal requirements, continuity, and procedures.
- Good for management-system and supplier scenarios.
- Often links to SoA, legal register, incident records, and documented procedures.
People controls
Screening, employment terms, awareness, discipline, termination, confidentiality, remote working, and event reporting.
- Good for HR, awareness, and insider-risk scenarios.
- Often links to competence, onboarding, HR records, and interviews.
Physical controls
Facilities, physical entry, monitoring, secure areas, environmental threats, equipment, media, utilities, cabling, and disposal.
- Good for site visit and observation evidence.
- Often links to access logs, CCTV, visitor records, and equipment disposal records.
Technological controls
Endpoint, privileged access, authentication, malware, vulnerability, logging, backup, network, cryptography, and secure development.
- Good for technical and operational evidence questions.
- Often links to configurations, tickets, logs, test results, and monitoring records.
2022 control changes
Know the newer controls that appear in modern scenarios.
The controls introduced in the 2022 revision often appear in exam questions because they reflect current security realities such as cloud services, threat intelligence, configuration management, data leakage prevention (DLP), monitoring, and secure coding.
High-value control areas
Prioritise controls that frequently create audit scenarios.
Use this as a revision shortlist. It is not a substitute for the official standard, but it helps you recognise the control family behind a scenario.
- Policies, roles, segregation, assets, classification: look for approved policies, ownership, review, communication, asset register, and classification or labelling evidence.
- Supplier agreements, ICT supply chain, cloud use: look for supplier risk assessment, security clauses, service reviews, cloud controls, exit planning, and shared responsibility.
- Event assessment, response, evidence, disruption readiness: look for incident process, decision records, response evidence, lessons learned, continuity tests, and recovery readiness.
- Identity, authentication, privileged access, access rights: look for joiner/mover/leaver records, approvals, periodic review, MFA, privileged account controls, and removal evidence.
- Screening, awareness, confidentiality, remote work: look for HR records, training, awareness effectiveness, signed agreements, remote work rules, and event reporting channels.
- Perimeters, entry, monitoring, media, equipment: look for visitor logs, badge access, CCTV review, secure areas, clear desk checks, media handling, and disposal certificates.
- Malware, backup, logging, vulnerability, network: look for EDR/AV status, restore tests, SIEM/log reviews, vulnerability remediation, exceptions, and network rules.
- Secure SDLC, secure coding, testing, change: look for security requirements, code review, test evidence, vulnerability fixes, change approvals, and audit-test safeguards.
Evidence examples
Auditors need objective evidence of operation.
A control title in the SoA is not enough. The auditor should verify whether the control is designed, implemented, operating, reviewed, and improved.
Policy
- Approved policy.
- Review records.
- Communication evidence.
- Exception handling.
Assets
- Inventory.
- Ownership.
- Classification.
- Review history.
Access
- Approval records.
- Access reviews.
- Removal evidence.
- Privileged account logs.
Supplier
- Supplier register.
- Risk assessment.
- Security clauses.
- Review meetings.
Technology
- Configuration baseline.
- Patch records.
- Monitoring alerts.
- Backup restore tests.
How to audit Annex A
Start from risk and SoA, then sample control operation.
The best audit trail does not start with a random control. It starts with risk, legal or contractual need, SoA applicability, implementation status, and then objective evidence.
- Trace the driver: identify why the control is needed, whether risk treatment, legal obligation, contractual requirement, business need, or interested party expectation.
- Check the SoA: confirm applicability, justification, implementation status, exclusion rationale, and whether the SoA is current.
- Confirm ownership: ask who owns the control, who operates it, who reviews it, and who accepts residual risk where relevant.
- Sample evidence: use records, interviews, observations, configurations, logs, tickets, reports, and test results to confirm operation.
- Evaluate effectiveness: check whether the control is achieving its intended outcome and whether monitoring, internal audit, or incidents show weakness.
Common nonconformities
Typical Annex A findings.
- Control selected in the SoA but not implemented or not operating.
- Control excluded without evidence-based justification.
- Supplier or cloud controls rely only on certificates, with no oversight by the organization itself.
- Technical control exists but no review, owner, procedure, or effectiveness evidence.
- Access rights are approved but not periodically reviewed or removed after role changes.
- Backup, incident, or continuity controls exist but are not tested.
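The audit trail above (driver, SoA, owner, evidence, effectiveness) and the nonconformity list it produces can be expressed as a small consistency check over SoA records. The following Python is an added example written for this guide; it is not tooling from the standard, the course, or any audit body. The Annex A control references, risk ids, evidence labels and dates in the sample SoA are constructed for illustration, and the one-year test interval is an assumption used here rather than a requirement stated in the standard.

```python
"""Constructed example: trace each SoA entry from its driver through
applicability, ownership and evidence, and flag the common nonconformities
listed in the guide. All records below are invented sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumption for this example: tested controls (backup, incident, continuity)
# are expected to show a test within the last year.
MAX_TEST_AGE_DAYS = 365


@dataclass
class SoaEntry:
    control: str                       # Annex A reference, illustrative
    applicable: bool
    justification: str                 # inclusion/exclusion rationale (risk id, legal, contract)
    status: str                        # "implemented", "partial", "not implemented"
    owner: Optional[str]
    evidence: List[str] = field(default_factory=list)  # record types the auditor saw
    needs_test: bool = False           # backup, incident, continuity controls
    last_tested: Optional[date] = None


def check_soa(entries: List[SoaEntry], risk_treatment_controls: Set[str],
              audit_date: date) -> List[Tuple[str, str]]:
    """Return (control, finding) pairs for entries that break the audit trail."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        # Trace the driver: a control the risk treatment plan relies on cannot be excluded.
        if e.control in risk_treatment_controls and not e.applicable:
            findings.append((e.control, "excluded but required by risk treatment plan"))
        if not e.applicable:
            # Exclusion is allowed, but only with an evidence-based justification.
            if not e.justification.strip():
                findings.append((e.control, "excluded without justification"))
            continue
        # Selected in the SoA but not actually operating.
        if e.status != "implemented":
            findings.append((e.control, f"selected but {e.status}"))
        # Confirm ownership.
        if not e.owner:
            findings.append((e.control, "no owner"))
        # Sample evidence: something must show operation, and not only a supplier certificate.
        if not e.evidence:
            findings.append((e.control, "no operating evidence"))
        elif all(ev.startswith("certificate:") for ev in e.evidence):
            findings.append((e.control, "assurance relies only on certificates"))
        # Evaluate effectiveness: controls that must be tested need a recent test.
        if e.needs_test and (e.last_tested is None or
                             (audit_date - e.last_tested).days > MAX_TEST_AGE_DAYS):
            findings.append((e.control, "not tested within the last year"))
    # Every control the risk treatment plan depends on must appear in the SoA at all.
    listed = {e.control for e in entries}
    for c in sorted(risk_treatment_controls - listed):
        findings.append((c, "in risk treatment plan but missing from SoA"))
    return findings


# Constructed sample: controls the (invented) risk treatment plan depends on.
RISK_TREATMENT = {"A.8.13", "A.5.19", "A.8.8", "A.5.15", "A.5.23", "A.8.15"}
AUDIT_DATE = date(2024, 6, 1)

SAMPLE_SOA = [
    SoaEntry("A.8.13", True, "R-12", "implemented", "IT Ops",
             ["backup job reports"], needs_test=True, last_tested=date(2023, 1, 10)),
    SoaEntry("A.5.19", True, "R-04, contract", "implemented", "Procurement",
             ["certificate:vendor ISO 27001"]),
    SoaEntry("A.8.8", True, "R-07", "partial", None, ["scan report 2024-05"]),
    SoaEntry("A.5.15", True, "R-02", "implemented", "IAM lead",
             ["access review Q1", "JML tickets"]),
    SoaEntry("A.7.4", False, "", "not implemented", None),
    SoaEntry("A.5.23", False, "no cloud services used", "not implemented", None),
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed SoA; used by the usage line below."""
    return check_soa(SAMPLE_SOA, RISK_TREATMENT, AUDIT_DATE)


if __name__ == "__main__":
    for control, finding in run_sample():
        print(f"{control}: {finding}")
```

Only the access control entry passes cleanly: it has a driver, an owner, and evidence of periodic review and removal. Each other entry trips one of the nonconformities in the list above, which is the point of starting from risk and the SoA rather than from a random control.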
Exam traps
Read carefully before choosing a control answer.
- ISO 27002 is guidance; ISO 27001 is the certifiable requirement standard.
- Annex A controls may be excluded with justification; Clauses 4 to 10 cannot be excluded for ISO 27001 conformity.
- A supplier certificate can support assurance, but it does not remove accountability for supplier risk management.
- A technical tool does not prove effectiveness without configuration, monitoring, ownership, and review evidence.
- The SoA links controls to risk treatment; it is not only a list of controls.
Use note
This is a KISCyber learner guide.
This page is an original training summary using user-provided ISO 27002 and Annex A study materials as references. It is intentionally a learning aid, not a reproduction of the official standard. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.