ISO/IEC 27001:2022 Annex A Controls Explained for SMEs – Practical Overview

Figure: SMEs applying ISO 27001:2022 Annex A controls using a risk-based information security approach.

ISO/IEC 27001:2022 is the global standard for managing information security, and Annex A provides a structured set of controls to protect your business’s critical data. For SMEs and startups, a risk-based approach helps organisations focus on what truly matters.

This practical guide explains how to interpret Annex A, prioritise key controls, and link decisions to your Statement of Applicability, helping lean teams implement an efficient, risk-focused ISMS without unnecessary complexity. Learn which areas often have the highest impact for small, modern organisations.

What is Annex A in ISO/IEC 27001:2022?

Figure: The four themes of ISO 27001:2022 Annex A: Organisational, People, Physical, and Technological controls.

Annex A in ISO/IEC 27001:2022 provides a structured set of information security controls that organisations can apply based on their risk assessment. Rather than requiring every control, ISO 27001 recommends a risk-driven approach, guiding SMEs and startups to focus on controls that protect their critical information assets.

The 2022 update restructured Annex A, reducing it from 114 controls to 93 controls and organising them under four high-level themes for practical implementation:

  1. Organisational Controls (A.5): Governance, policies, supplier management, and incident planning.
  2. People Controls (A.6): Employee awareness, onboarding / offboarding, and responsibilities.
  3. Physical Controls (A.7): Workspace security, device protection, and visitor management.
  4. Technological Controls (A.8): Access management, logging, encryption, backups, and vulnerability monitoring.

Critical Distinction: Annex A vs. the Standard

ISO 27001 certification requires compliance with two elements:

  1. Clauses 4 to 10 – These are mandatory ISMS requirements covering context, leadership, planning, support, operation, performance evaluation, and continual improvement.
  2. Annex A Controls – Selected and justified controls based on your risk assessment and risk treatment plan.

Annex A controls are applied selectively; the requirements of Clauses 4 to 10 are foundational and always required. Understanding this distinction helps SMEs focus their effort on both mandatory ISMS requirements and risk-driven controls.

Figure: The structure of ISO 27001, separating the mandatory Clauses 4 to 10 (the ISMS engine) from the selectively applied Annex A controls.

Key Takeaway: Remember, ISO 27001 does not mandate all controls. Focus your effort on controls relevant to your specific business risks, documenting decisions carefully in the Statement of Applicability (SoA).

How SMEs Can Apply ISO 27001 Annex A Strategically

For small teams, Annex A works best as a practical risk-based guide, not a one-size-fits-all checklist.

  • Focus on Relevant Risks: Select only the controls that address your actual business risks to avoid unnecessary complexity.
  • Document Decisions Clearly: Record your choices in the Statement of Applicability (SoA) to show which controls are applied and why.
  • Maximise Operational Value: Prioritise controls that improve real security outcomes, maintain consistency with your ISMS, and keep workflows lean.

Result: This approach supports an ISMS that is actionable, efficient, and aligned with ISO 27001 principles.

Organisational Controls (A.5) – Governance and Policy

These controls define the framework for decision-making, accountability, and supplier risk management.

Key takeaways:

  • Policies and Governance: Establish a clear, concise information security policy, assigning owners where possible, and ensure employees understand their responsibilities.
  • Supplier Risk Management: Identify critical suppliers and integrate security requirements into contracts.
  • Incident Planning: Document procedures for detecting, responding to, and learning from security incidents.

Lean startups can implement these controls effectively by mapping each to a specific owner, policy, or process, ensuring practical, risk-based adherence to the principles of ISO 27001.

People Controls (A.6) – Awareness and Accountability

Human error is a leading cause of information security incidents. A.6 controls help SMEs manage personnel-related risks efficiently:

  • Security Awareness Training: Conduct targeted training for all employees to reduce risk.
  • Roles and Responsibilities: Define information security roles clearly for accountability.
  • Onboarding and Offboarding: Define consistent procedures for managing access throughout the personnel lifecycle.

A structured yet lightweight approach ensures personnel understand expectations, strengthens your risk-based ISMS, and demonstrates documented adherence to policies and the standard’s requirements.

Physical Controls (A.7) – When and How They Matter

Many SMEs operate remote-first or cloud-based environments, making physical security less critical – but it still requires careful consideration:

Key Actions:

  • Protect On-Site Assets: Security controls should be applied to critical equipment and storage that remains on-site.
  • Visitor Management: Control access to your office or premises.
  • Document Decisions: If your operations are fully remote, clearly note which physical controls are not applicable and why.

A risk-based approach helps ensure physical controls are implemented where they add value, maintaining consistency with your ISMS, and supporting thoughtful decision-making.

Technological Controls (A.8) – Practical Implementation

Technological controls are often the highest-impact area for modern SMEs. Focus on practical measures that protect critical business information without overcomplicating operations:

Key Actions:

  • Access Management: Implement multi-factor authentication (MFA) and role-based permissions, scoped according to the risk each system carries.
  • Device Security and Logging: Ensure endpoint security, centralised logging, and monitoring of critical systems.
  • Backups and Recovery: Maintain encrypted backups and regularly test recovery processes.
  • Vulnerability Management: Apply updates and patches promptly, and continuously monitor systems for vulnerabilities and potential threats.

Prioritising controls based on risk and business impact supports a lean, practical, and effective ISMS that safeguards critical assets while helping keep operations simple.

Practical Prioritisation of ISO 27001 Annex A Controls

To implement Annex A efficiently, focus on the controls that provide the highest impact first:

  1. Organisational Controls (A.5): Establish governance, risk management, and supplier oversight. These set the foundation for all other controls.
  2. People Controls (A.6): Define roles, responsibilities, and run targeted awareness training to reduce human error.
  3. Technological Controls (A.8): Protect access, logging, and endpoint / cloud security to safeguard critical systems.
  4. Physical Controls (A.7): Apply only if your environment has on-site assets; otherwise, document them as not applicable.

Figure: A prioritised implementation order for the ISO 27001 Annex A themes, starting with Organisational controls.

Prioritising in this way supports small teams in addressing the most impactful areas first, helping keep your ISMS efficient, risk-focused, and practical.

Statement of Applicability (SoA) – Linking ISO 27001 Annex A Controls to Risks

The Statement of Applicability (SoA) is the key document demonstrating how your team applies Annex A controls based on actual business risks:

  • Lists Each Control as Applicable or Not Applicable: Capture which Annex A controls are selected or excluded.
  • Risk Treatment Output: The SoA formalises the link between your Risk Register and selected controls, demonstrating how each control addresses a specific risk identified during the risk treatment process (Clause 6.1.3).
  • References Evidence: Link each control to the policy, procedure, or documented process that implements it.
  • Justification Based on Risk: Clearly explain why controls are included or excluded to demonstrate a risk-based approach.

Figure: How the Statement of Applicability (SoA) links an SME's risk register to selected Annex A controls and their evidence.

Lean SMEs can maintain a practical SoA by mapping controls to risks and owners. This ensures controls are implemented where they add value, keeps your ISMS focused, and supports clear, risk-driven decision-making.
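As an added illustration (not part of the original article), the following Python script applies the SoA requirements described above as a consistency check: every control needs a justification, every applicable control needs a risk link, an owner, and an evidence reference, an excluded control must not be relied on by the risk treatment plan, and every control cited by a risk must appear in the SoA. The risk register and SoA records are constructed sample data; the control IDs are Annex A 2022 identifiers used only for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    risk_id: str
    description: str
    treating_controls: list  # Annex A controls chosen in the risk treatment plan (Clause 6.1.3)

@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str = ""  # why the control is included or excluded
    owner: str = ""          # accountable person for an applicable control
    evidence: str = ""       # policy, procedure or record that implements it

def check_soa(soa, risk_register):
    """Return a list of findings; an empty list means the SoA is fully traceable."""
    relied_on = {}  # control_id -> list of risk_ids whose treatment depends on it
    for r in risk_register:
        for c in r.treating_controls:
            relied_on.setdefault(c, []).append(r.risk_id)
    findings = []
    for e in soa:
        if not e.justification.strip():
            findings.append(f"{e.control_id}: no justification for "
                            f"{'inclusion' if e.applicable else 'exclusion'}")
        if e.applicable:
            if e.control_id not in relied_on:
                findings.append(f"{e.control_id}: applicable but not linked to any risk")
            if not e.owner.strip():
                findings.append(f"{e.control_id}: applicable but no owner assigned")
            if not e.evidence.strip():
                findings.append(f"{e.control_id}: applicable but no evidence referenced")
        elif e.control_id in relied_on:
            findings.append(f"{e.control_id}: excluded but treats {', '.join(relied_on[e.control_id])}")
    listed = {e.control_id for e in soa}
    for c in sorted(relied_on.keys() - listed):
        findings.append(f"{c}: cited by risk treatment but missing from the SoA")
    return findings

# Constructed sample data (a fictional SME); each record deliberately exercises one check.
RISK_REGISTER = [
    Risk("R-01", "Credential phishing leads to SaaS account takeover", ["A.8.5", "A.6.3"]),
    Risk("R-02", "Ransomware destroys production data", ["A.8.13", "A.8.15"]),
    Risk("R-03", "Supplier breach exposes customer data", ["A.5.19"]),
]
SAMPLE_SOA = [
    SoAEntry("A.8.5", True, "Treats R-01; MFA enforced on all SaaS logins", "CTO", "Access Control Policy v1.2"),
    SoAEntry("A.6.3", True, "Treats R-01; annual phishing awareness training", "Ops Lead", ""),
    SoAEntry("A.8.13", True, "Treats R-02; encrypted nightly backups", "", "Backup runbook, restore-test log"),
    SoAEntry("A.7.2", False, "", "", ""),
    SoAEntry("A.8.15", False, "Central logging judged unnecessary", "", ""),
]
```

Running `check_soa(SAMPLE_SOA, RISK_REGISTER)` reports the missing evidence for A.6.3, the missing owner for A.8.13, the unjustified exclusion of A.7.2, the exclusion of A.8.15 that R-02 still depends on, and A.5.19 being absent from the SoA, which is exactly the gap list an auditor would raise.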

Common ISO 27001 Annex A Challenges for SMEs and Practical Solutions

  1. Overcomplicating Technical Controls: Focus on the high-impact areas first: access management, logging, backups, and vulnerability monitoring. Avoid unnecessary complexity that does not reduce real risk.
  2. Assuming All Controls Are Mandatory: ISO 27001 is risk-based. Use a structured decision framework to select controls that address actual risks, and clearly document why some are excluded.
  3. Lack of Ownership: Even in small teams, assign a responsible owner for each control to ensure accountability and consistent implementation.
  4. Minimal Evidence or Records: Maintain simple, practical logs, checklists, and documentation to show that controls are applied and monitored. This approach demonstrates control effectiveness without overloading small teams.

Key Takeaways for SMEs Using ISO 27001 Annex A

  • Risk-Based Implementation: Annex A is a flexible guide. Implement only the controls relevant to your specific business risks.
  • Prioritise High-Impact Areas: Focus first on organisational governance, personnel awareness, and technological safeguards.
  • Maintain Evidence and Ownership: Assign control owners and keep simple records to demonstrate that processes are followed effectively.
  • Link Controls to Risks via SoA: Use your Statement of Applicability to clearly connect each control to identified risks and its implementation.
  • Keep It Lean and Practical: A concise, structured approach strengthens security and operational efficiency without unnecessary complexity.

By applying Annex A strategically, SMEs and startups can protect critical information, manage risk efficiently, and demonstrate alignment with the requirements of ISO/IEC 27001:2022.

Frequently Asked Questions About ISO 27001 Annex A for SMEs

Q: Do SMEs need to implement all Annex A controls?

A: No. ISO/IEC 27001:2022 is risk-based. SMEs should implement only controls relevant to their specific business risks, clearly documenting decisions in the Statement of Applicability (SoA) to show a structured, evidence-backed approach.

Q: What is the Statement of Applicability (SoA)?

A: The Statement of Applicability is a central document that lists which Annex A controls are applied or excluded, and why. It links each control to the supporting policy, procedure, or evidence, helping SMEs maintain clarity and demonstrate a risk-driven approach.

Q: How should remote-first startups approach physical controls?

A: Physical controls (A.7) can be marked “Not Applicable” if all critical assets are secured in certified cloud environments. Justification must be documented in the SoA to show a practical, risk-based approach.

Q: Which controls should SMEs prioritise first?

A: Start with high-leverage areas: organisational governance, key people-related processes (training, roles, onboarding / offboarding), and critical technological measures such as access management, logging, and endpoint security. Prioritisation ensures practical, operationally efficient risk management.

Next Step: Browse our ISO 27001 templates to support a risk-based ISMS approach, helping your SME or startup maintain clear, consistent, and traceable security processes.

Next Article: In How to Write a Well-Structured Statement of Applicability for ISO 27001, we explain how to clearly link your risk assessment to selected controls, provide concise justifications, and maintain practical evidence that supports effective information security decisions for SMEs and startups.


Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.