ISO 27001:2022 contains 93 controls in Annex A, organised into four themes: Organisational (37 controls), People (8), Physical (14), and Technological (34). Not all 93 are mandatory. Each organisation selects the controls relevant to its risks and records the decision, with justification, in its Statement of Applicability (SoA).
This article breaks down the four themes and the controls auditors scrutinise hardest, explains what happened to the old "14 domains," and shows how to decide which controls actually apply to you.
The Four Themes at a Glance
| Theme | Controls | Range | What it covers |
|---|---|---|---|
| Organisational | 37 | 5.1 to 5.37 | Policies, roles, supplier risk, incident management, legal compliance |
| People | 8 | 6.1 to 6.8 | Screening, training, disciplinary process, remote working |
| Physical | 14 | 7.1 to 7.14 | Premises, equipment, media, clear desk |
| Technological | 34 | 8.1 to 8.34 | Access control, cryptography, development, logging, backups |
What Happened to the 14 Domains of ISO 27001?
If you are searching for the "14 domains of ISO 27001," you are looking at the 2013 edition, which had 114 controls organised into 14 control categories. The 2022 revision restructured these into 93 controls across 4 themes. This was not just renumbering: 57 controls were merged or revised, and 11 entirely new controls were added, covering threat intelligence (5.7), cloud services security (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).
Certification against ISO 27001:2013 is no longer possible. The transition deadline for existing certificates was 31 October 2025, so every audit from now on assesses you against the 2022 control set below. If your ISMS documentation still references 14 domains, it is out of date.
Organisational Controls (5.1 to 5.37)
The largest theme: governance and process controls covering how security is directed, who is responsible, and how third parties, incidents, and legal obligations are managed. Notable controls auditors probe hardest:
| Control | Name | Why auditors care |
|---|---|---|
| 5.1 | Policies for information security | The first document every audit opens with |
| 5.9 | Inventory of information and other associated assets | No asset inventory means no credible risk assessment |
| 5.15 | Access control | Joiner/mover/leaver discipline is the most-sampled evidence |
| 5.19 to 5.22 | Supplier relationship controls | Vendor risk is a standing Stage 2 focus area |
| 5.23 | Information security for use of cloud services | New in 2022; SaaS companies cannot credibly exclude it |
| 5.24 to 5.28 | Incident management controls | Auditors ask for one worked incident end to end |
| 5.34 | Privacy and protection of PII | The bridge control to DPDP Act compliance |
People Controls (6.1 to 6.8)
The smallest theme, covering the human layer from hiring to exit. All eight:
| Control | Name | Why auditors care |
|---|---|---|
| 6.1 | Screening | Background check evidence is requested in nearly every audit |
| 6.2 | Terms and conditions of employment | Security responsibilities must appear in contracts |
| 6.3 | Information security awareness, education and training | Training completion records are a standing sample |
| 6.4 | Disciplinary process | A documented process must exist, even if unused |
| 6.5 | Responsibilities after termination or change of employment | Pairs with leaver evidence under access control |
| 6.6 | Confidentiality or non-disclosure agreements | NDAs for staff and relevant third parties |
| 6.7 | Remote working | Post-2020, no auditor accepts "not applicable" |
| 6.8 | Information security event reporting | Staff must know how to report, and auditors ask them directly |
Physical Controls (7.1 to 7.14)
Fourteen controls protecting premises, equipment, and media. Cloud-native companies without an office can justify excluding several, with documented reasoning in the SoA. The ones that survive most exclusion arguments:
| Control | Name | Why auditors care |
|---|---|---|
| 7.4 | Physical security monitoring | New in 2022; applies to any premises you do control |
| 7.7 | Clear desk and clear screen | Applies even fully remote: screens, prints, home offices |
| 7.9 | Security of assets off-premises | Laptops outside the office are in scope for everyone |
| 7.10 | Storage media | Covers USB discipline and media disposal |
| 7.14 | Secure disposal or re-use of equipment | Disposal certificates are an easy evidence ask |
Technological Controls (8.1 to 8.34)
The largest evidence surface at Stage 2, especially for SaaS companies. Five of the 11 new 2022 controls live here. The heaviest-sampled:
| Control | Name | Why auditors care |
|---|---|---|
| 8.2 | Privileged access rights | Admin access reviews are a near-certain sample |
| 8.5 | Secure authentication | MFA coverage is checked, not taken on trust |
| 8.8 | Management of technical vulnerabilities | Scan-to-remediation trail, with timestamps |
| 8.9 | Configuration management | New in 2022; baseline and drift evidence |
| 8.12 | Data leakage prevention | New in 2022; expect questions even if tooling is light |
| 8.13 | Information backup | Restore test logs, not just backup schedules |
| 8.15 to 8.16 | Logging and monitoring activities | 8.16 is new in 2022; alerting must be demonstrable |
| 8.23 | Web filtering | New in 2022; often the least-prepared control |
| 8.28 | Secure coding | New in 2022; SDLC evidence for any company shipping software |
| 8.32 | Change management | Production change tickets are a standing sample |
Want the complete control-by-control breakdown? All 93 controls ship pre-seeded in Vratex with descriptions, framework mappings, and evidence tracking, and our ISO 27001 guide explains every theme in depth.
Which Controls Are Mandatory?
Strictly speaking, none of Annex A is automatically mandatory. ISO 27001 is a management system standard: the mandatory part is clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation, improvement). Your risk assessment determines which Annex A controls you need, and the Statement of Applicability documents, for each of the 93 controls, whether it is applicable, implemented, and if excluded, why.
In practice, auditors expect strong justification for excluding common controls. A SaaS company excluding 8.28 (secure coding) or 5.23 (cloud services security) will face hard questions at Stage 2.
How to work through the list:
- Run the risk assessment first. Controls are risk treatments, not a to-do list. Selecting controls before assessing risks is the most common beginner inversion.
- Map each material risk to controls. Most risks map to 2 to 4 controls across themes; a vendor risk might touch 5.19 to 5.22 plus 8.30.
- Justify every exclusion in the SoA. "Not applicable: we have no physical office" is a valid justification for parts of theme 7. Silence is not.
- Collect evidence per control, continuously. The control existing on paper is Stage 1; the control operating with evidence is Stage 2.
The DPDP Act overlap is significant: security safeguards under Rule 6 of the DPDP Rules 2025 (encryption, access control, logging, backups) map directly onto Annex A themes 5 and 8. If you are building for both, implement once and map the evidence to both frameworks. Our guide to ISO 27001 and DPDP overlap covers this in detail.
Where Vratex Fits
Vratex ships with all 93 ISO 27001:2022 Annex A controls pre-seeded into a controls library, linked to a risk register and audit checklists, so your SoA and evidence collection run from live data rather than a spreadsheet.
Not sure where your organisation stands?
Take the free 3-minute DPDP Readiness Assessment and get a personalised compliance score.
How many controls does ISO 27001 have?
ISO 27001:2022 has 93 controls in Annex A, organised into four themes: Organisational (37), People (8), Physical (14), and Technological (34). The previous 2013 edition had 114 controls in 14 categories.
Are all 93 ISO 27001 controls mandatory?
No. The mandatory requirements are clauses 4 to 10 of the standard. Annex A controls are selected based on your risk assessment, and the Statement of Applicability records which controls apply, which are implemented, and the justification for any exclusions.
What are the 4 themes of ISO 27001:2022?
Organisational (controls 5.1 to 5.37), People (6.1 to 6.8), Physical (7.1 to 7.14), and Technological (8.1 to 8.34). They replaced the 14 control categories of the 2013 edition.
What are the 11 new controls in ISO 27001:2022?
Threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).
What is the Statement of Applicability (SoA)?
The SoA is the document that lists all 93 Annex A controls and states, for each one, whether it is applicable to your organisation, whether it is implemented, and the justification for any exclusion. It is one of the first documents a certification auditor asks for.