Control domains
ISO 27002:2022 organises controls into four thematic domains:
Organisational
Policies, roles, responsibilities, and governance controls. Covers information security policies, asset management rules, and supplier relationships.
People
Human resource controls covering screening, terms of employment, awareness, training, and disciplinary processes.
Physical
Physical and environmental security controls including secure areas, equipment protection, and clear desk policies.
Technological
Technical controls covering access management, cryptography, vulnerability management, logging, and network security.
Evaluating a control
Open the Annex A page
Navigate to Annex A in the sidebar. The table shows all 93 controls with their current status.
Filter by domain (optional)
Use the domain tabs or filter at the top of the table to narrow the view to a single theme such as Technological or People.
Set the implementation status
Click the status cell for the control you want to evaluate and select one of the four options:
| Status | Meaning |
|---|---|
| Not evaluated | Default — no assessment has been recorded |
| In progress | Control is partially implemented |
| Implemented | Control is fully in place |
| Not applicable | Control does not apply to your scope |
Assign a responsible party
Enter the name or role of the person accountable for this control in the Responsible column.
Control data reference
Each control in the table carries the following fields:
| Field | Description |
|---|---|
| ID | ISO 27002:2022 control identifier (e.g. A.5.1) |
| Domain | Thematic group (Organisational, People, Physical, Technological) |
| Name | Official control title |
| Description | Summary of the control objective |
| Status | Current implementation status |
| Responsible | Accountable person or role |
| Last review | Date of last assessment |
Exporting the Statement of Applicability
The Statement of Applicability (SoA) is a mandatory ISO 27001 document that lists every Annex A control and records whether it is applicable and implemented. To export the SoA:
- Evaluate all relevant controls (at minimum set every control to a status other than Not evaluated).
- Click Export SoA in the page header.
- ISOwl generates a PDF containing the full control table with statuses, responsible parties, and review dates.
- The file downloads to your browser’s default download folder.
How the Annex A score is calculated
The Annex A maturity percentage displayed on the Executive Dashboard is:
Frequently asked questions
Can I add custom controls beyond the 93 in ISO 27002:2022?
The control library is fixed to the 93 controls defined in ISO 27002:2022. If your organisation uses supplementary controls, document them in the notes field of the closest applicable control.
Does the SoA PDF include my justifications for Not applicable controls?
The exported PDF includes the status of each control. Free-text justifications entered in notes fields are also included if present. Ensure you document exclusion rationale before the export.
How often should I review controls?
ISO 27001 requires periodic review of the ISMS. Most organisations review controls at least annually or after significant changes. The Last review date field helps you track which controls are overdue for reassessment.
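The export steps above and the FAQ answers together describe three things to check before generating an SoA: no control is still Not evaluated, every Not applicable control has a documented justification, and no active control is overdue for its (typically annual) review. The following Python is an added example that is not part of ISOwl or this page; it models a control record with the fields from the Control data reference table and runs those checks over a constructed sample set. The `notes` field, the 365-day review interval and the sample rows are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The four implementation statuses the Annex A table offers (from the page).
STATUSES = {"Not evaluated", "In progress", "Implemented", "Not applicable"}


@dataclass
class Control:
    """One row of the Annex A table, using the page's field names."""
    id: str
    domain: str
    name: str
    status: str
    responsible: str = ""
    last_review: Optional[date] = None
    notes: str = ""  # assumed: free-text justification / notes field


def pre_export_issues(controls: List[Control], today: date,
                      review_interval_days: int = 365) -> List[Tuple[str, str]]:
    """Return (control id, problem) pairs that should be fixed before Export SoA.

    Checks, in order:
      * status must be one of the four allowed values
      * Not evaluated blocks the export (page: set every control to another status)
      * Not applicable needs an exclusion rationale in notes (page FAQ)
      * In progress / Implemented controls need a responsible party and a review
        date within the interval (page FAQ: annual review, Last review tracks it)
    """
    issues: List[Tuple[str, str]] = []
    for c in controls:
        if c.status not in STATUSES:
            issues.append((c.id, f"unknown status {c.status!r}"))
            continue
        if c.status == "Not evaluated":
            issues.append((c.id, "still Not evaluated; assess before export"))
        if c.status == "Not applicable" and not c.notes.strip():
            issues.append((c.id, "Not applicable without a documented justification"))
        if c.status in ("In progress", "Implemented"):
            if not c.responsible.strip():
                issues.append((c.id, "no responsible party assigned"))
            overdue = (c.last_review is None
                       or today - c.last_review > timedelta(days=review_interval_days))
            if overdue:
                issues.append((c.id, "review overdue or never recorded"))
    return issues


def status_counts(controls: List[Control]) -> dict:
    """Number of controls per status; shows how far the evaluation has progressed."""
    counts = {s: 0 for s in STATUSES}
    for c in controls:
        counts[c.status] = counts.get(c.status, 0) + 1
    return counts


# Constructed sample rows (IDs follow the page's A.x.y format; titles are
# illustrative and should be checked against the standard for real use).
TODAY = date(2024, 6, 1)
SAMPLE_CONTROLS = [
    Control("A.5.1", "Organisational", "Policies for information security",
            "Implemented", "CISO", date(2024, 1, 15)),
    Control("A.6.1", "People", "Screening",
            "In progress", "HR Lead", date(2022, 11, 2)),        # review overdue
    Control("A.7.1", "Physical", "Physical security perimeters",
            "Not applicable"),                                   # no justification
    Control("A.8.24", "Technological", "Use of cryptography",
            "Not evaluated"),                                    # blocks export
]

if __name__ == "__main__":
    for control_id, problem in pre_export_issues(SAMPLE_CONTROLS, TODAY):
        print(f"{control_id}: {problem}")
    print(status_counts(SAMPLE_CONTROLS))
```

Running it on the sample flags A.6.1 (last review more than a year before `TODAY`), A.7.1 (Not applicable with empty notes) and A.8.24 (Not evaluated); A.5.1 passes. In practice the input would come from whatever export of the Annex A table is available to you, with the fields mapped onto `Control`.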