ISO/IEC 27001:2022 checklist: all 93 Annex A controls
ISO 27001 isn’t a one-time certification — it’s evidence your controls operate continuously. This checklist walks every control an auditor examines, and flags which a platform can automate.
What ISO 27001 requires
ISO 27001 is assessed against the 93 Annex A controls, grouped into four themes (Organizational, People, Physical, Technological), plus evidence that the ISMS itself is operating. Each control must be both designed and operating effectively — auditors want evidence it worked throughout the review period, not just that it existed on paper.
The control checklist
The four Annex A themes (93 controls in ISO/IEC 27001:2022) with the key controls in each. Use the table below as your working checklist — 21 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human evidence.
| Control | Requirement | Coverage |
|---|---|---|
| A.5 — Organizational (37 controls) | | |
| A.5.1 | Policies for information security | Manual |
| A.5.7 | Threat intelligence | Auto |
| A.5.19 | Supplier relationships | Manual |
| A.5.23 | Cloud services security | Manual |
| A.5.24 | Incident management planning | Manual |
| A.5.30 | ICT readiness for business continuity | Manual |
| A.6 — People (8 controls) | | |
| A.6.1 | Screening | Manual |
| A.6.3 | Awareness, education & training | Manual |
| A.6.5 | Responsibilities after termination | Manual |
| A.7 — Physical (14 controls) | | |
| A.7.1 | Physical security perimeters | Manual |
| A.7.10 | Storage media | Manual |
| A.7.14 | Secure disposal or re-use of equipment | Manual |
| A.8 — Technological (34 controls) | | |
| A.8.1 | User endpoint devices | Auto |
| A.8.2 | Privileged access rights | Auto |
| A.8.5 | Secure authentication (MFA) | Auto |
| A.8.8 | Management of technical vulnerabilities | Auto |
| A.8.12 | Data leakage prevention | Auto |
| A.8.15 | Logging | Auto |
| A.8.16 | Monitoring activities | Auto |
| A.8.24 | Use of cryptography | Auto |
| A.8.28 | Secure coding | Manual |
Evidence you must collect
For every control, an auditor expects evidence that it operated throughout the review period, not only at the time of the audit. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of ISO 27001 controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.