All insights
ISO 27001
· 10 min read

ISO 27001:2022 — The Four Themes of Annex A

Organizational, people, physical and technological controls: how the 93-control 2022 revision reshapes ISMS implementation.

Published 18 September 2025 · Updated 22 March 2026

From 114 to 93 controls

The 2022 revision consolidated the Annex A control set from 114 into 93 controls, grouped into four themes: Organizational (37), People (8), Physical (14) and Technological (34).

Eleven controls are entirely new, including threat intelligence, cloud services, ICT readiness for business continuity, and secure coding.

The Statement of Applicability today

The SoA remains the anchor artefact — every included and excluded control must be justified. Auditors now expect explicit references to the new controls even where they are excluded.

Engage CHNYD Trace

Talk to a partner about ISO 27001 — scoping calls are complimentary.

Request consultation →