ISO_CONTROLS is an array exported from src/store/isoControls.js that contains all 93 controls defined in ISO 27002:2022. It is the authoritative source of Annex A control data throughout ISOwl.
import { ISO_CONTROLS } from './store/isoControls';

Control data shape

Each element in the array has the following base shape as defined in the source file:

| Field | Type | Description |
| --- | --- | --- |
| id | string | Control identifier in A.X.Y format (e.g. A.5.1) |
| domain | string | Control domain (one of four values — see Domains below) |
| name | string | Control name |
| description | string | Short description of what the control requires |

When controls are loaded into the Zustand store, three additional runtime fields are merged in with default values:

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| status | string | 'No Evaluado' | Evaluation status — updated via updateControlStatus() |
| responsible | string | '' | Responsible person or team |
| lastReview | string | '' | ISO date of last review |

// Shape of a control as stored in the Zustand state
{
  id: 'A.5.1',
  domain: 'Organizacionales',
  name: 'Políticas de seguridad de la información',
  description: 'Se deben definir, aprobar por la dirección...',
  status: 'No Evaluado',
  responsible: '',
  lastReview: ''
}

Domains

ISO 27002:2022 organizes its 93 controls into four thematic domains (called “themes” in the standard). ISOwl uses the Spanish domain names as defined in isoControls.js.

| Domain (Spanish) | Theme (English) | ID range | Control count |
| --- | --- | --- | --- |
| Organizacionales | Organizational | A.5.x | 37 |
| Personas | People | A.6.x | 8 |
| Físicos | Physical | A.7.x | 14 |
| Tecnológicos | Technological | A.8.x | 34 |
| Total | | | 93 |

The control count per domain matches the ISO 27002:2022 edition. Earlier editions of ISO 27002 used 14 domains and 114 controls. ISOwl implements the 2022 restructured version exclusively.
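A consistency check built from the table above, as an added example that is not part of ISOwl's code: it flags unknown domains, ids outside their domain's range, duplicate ids, and per-domain counts that differ from the table. The names validateControls() and buildSampleControls() are hypothetical, and the sample array is a constructed stand-in for ISO_CONTROLS with placeholder names and descriptions.

```javascript
// Added example (not ISOwl code). Expected prefixes and counts come from the Domains table.
const EXPECTED = {
  Organizacionales: { prefix: 'A.5.', count: 37 },
  Personas: { prefix: 'A.6.', count: 8 },
  'Físicos': { prefix: 'A.7.', count: 14 },
  'Tecnológicos': { prefix: 'A.8.', count: 34 },
};

// Hypothetical helper: returns a list of problems; an empty list means the dataset is consistent.
function validateControls(controls) {
  const problems = [];
  const seen = new Set();
  const perDomain = {};
  for (const c of controls) {
    const spec = EXPECTED[c.domain];
    if (!spec) {
      problems.push(`${c.id}: unknown domain "${c.domain}"`);
      continue;
    }
    // The id must be A.X.Y and X must belong to the control's own domain.
    if (!/^A\.[5-8]\.\d+$/.test(c.id) || !c.id.startsWith(spec.prefix)) {
      problems.push(`${c.id}: id does not match domain ${c.domain}`);
    }
    if (seen.has(c.id)) problems.push(`${c.id}: duplicate id`);
    seen.add(c.id);
    if (!c.name || !c.description) problems.push(`${c.id}: missing name or description`);
    perDomain[c.domain] = (perDomain[c.domain] || 0) + 1;
  }
  for (const [domain, spec] of Object.entries(EXPECTED)) {
    const n = perDomain[domain] || 0;
    if (n !== spec.count) problems.push(`${domain}: expected ${spec.count} controls, found ${n}`);
  }
  return problems;
}

// Constructed stand-in for ISO_CONTROLS (placeholder names and descriptions, not the real data).
function buildSampleControls() {
  return Object.entries(EXPECTED).flatMap(([domain, { prefix, count }]) =>
    Array.from({ length: count }, (_, i) => ({
      id: `${prefix}${i + 1}`, domain, name: `Control ${prefix}${i + 1}`, description: 'placeholder',
    })));
}

const sample = buildSampleControls();
console.log(validateControls(sample));          // consistent dataset
console.log(validateControls(sample.slice(1))); // one control dropped from the array
```

Running a check like this against the real array before an SoA export catches a control that was dropped or filed under the wrong domain, either of which would silently skew the export and the per-domain progress figures.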

Usage across the app

Store initialization

ISO_CONTROLS is used to seed the controls array in the Zustand store for each new tenant. Controls are copied with default status, responsible, and lastReview values.

Annex A module

The Annex A page reads controls from the store and renders each control grouped by domain. Status updates are written back via updateControlStatus().

Dashboard metrics

getDomainProgress() aggregates control statuses by domain using the domain field. The maturity radar chart uses these aggregated scores.

SoA export

The Statement of Applicability export iterates over all 93 controls and outputs their current status and responsible fields.

Filtering by domain

To work with controls from a specific domain, filter the array by the domain field:
import { ISO_CONTROLS } from './store/isoControls';

const orgControls = ISO_CONTROLS.filter(c => c.domain === 'Organizacionales');
// 37 controls: A.5.1 through A.5.37

const techControls = ISO_CONTROLS.filter(c => c.domain === 'Tecnológicos');
// 34 controls: A.8.1 through A.8.34

Example entries

[
  {
    id: 'A.5.1',
    domain: 'Organizacionales',
    name: 'Políticas de seguridad de la información',
    description: 'Se deben definir, aprobar por la dirección...'
  },
  {
    id: 'A.6.1',
    domain: 'Personas',
    name: 'Selección',
    description: '...'
  },
  {
    id: 'A.7.1',
    domain: 'Físicos',
    name: 'Perímetros de seguridad física',
    description: '...'
  },
  {
    id: 'A.8.1',
    domain: 'Tecnológicos',
    name: 'Dispositivos de punto final del usuario',
    description: '...'
  }
]

ISO 27002 standard

Background on the ISO 27002:2022 standard, its four themes, and the purpose of each control domain.

Store reference

Full reference for updateControlStatus() and the controls state field in the Zustand store.
