How Many ISO 27001 Controls Are There? A Complete Breakdown

ISO 27001 sets the global benchmark for information security, helping businesses safeguard data and mitigate cyber risks. A key part of the standard is its set of security controls, but how many are there, and what do they cover? This guide breaks down the number of ISO 27001 controls and explains their role in protecting…
Open laptop

ISO 27001 is the leading standard for Information Security Management Systems (ISMS), helping organisations protect sensitive data, manage risks, and comply with regulatory requirements. A key part of this framework is Annex A, which outlines the security controls businesses can implement to mitigate threats and safeguard information assets. But how many controls are there in ISO 27001, and what do they cover? Let’s break it down.

Understanding ISO 27001 Controls

ISO 27001 follows a risk-based approach to information security, allowing organisations to tailor their security measures based on their specific risks. The standard was updated in 2022, refining its structure and consolidating several controls to improve clarity and relevance in today’s digital landscape.

As of the ISO 27001:2022 revision, there are 93 security controls grouped into four key themes:

  1. Organisational Controls (37 controls) – Policies, procedures, and governance measures to manage security.
  2. People Controls (8 controls) – Employee awareness, training, and role-based security measures.
  3. Physical Controls (14 controls) – Protection of physical assets, secure facilities, and equipment management.
  4. Technological Controls (34 controls) – Cybersecurity measures, encryption, access control, and system security.

What Changed in ISO 27001:2022?

The previous version (ISO 27001:2013) contained 114 controls, divided into 14 categories. The 2022 update streamlined these into 93 controls, with 11 brand-new additions reflecting modern security needs, such as:

  • Threat intelligence – Keeping up with evolving cybersecurity threats.
  • Web filtering – Managing internet access to prevent risks.
  • Data masking – Protecting sensitive information from exposure.
  • Monitoring activities – Enhancing security oversight.

This update makes it easier for organisations to implement, monitor, and improve their ISMS while aligning with current cybersecurity challenges.

Why Are ISO 27001 Controls Important?

Each control within ISO 27001 is designed to help organisations:

  • Identify and mitigate cybersecurity risks.
  • Protect confidential data and prevent breaches.
  • Ensure regulatory compliance (e.g., GDPR, NIS2).
  • Build trust with clients, partners, and stakeholders.
  • Strengthen their overall security posture against evolving threats.

How to Implement ISO 27001 Controls Effectively

For businesses looking to implement ISO 27001, here are some key steps:

  1. Conduct a risk assessment – Identify threats and vulnerabilities.
  2. Define security objectives – Align controls with business goals.
  3. Implement necessary controls – Apply the relevant Annex A controls.
  4. Monitor and improve – Regular audits and updates to stay secure.

Final Thoughts

Understanding ISO 27001 controls is essential for any organisation aiming to strengthen its cybersecurity framework. With the updated 93 controls, businesses have a clear, structured approach to protecting their information assets in an ever-evolving digital world.

If your organisation is looking to achieve ISO 27001 certification or improve its information security strategy, get in touch with our team for expert guidance.

Get Started

There has never been a better time to invest in ISO certification. Show your commitment to quality management, the environment or occupational health & safety performance with a UKAS certified ISO certification from Compliant.
Get in Touch

Free Download

Download our free “The ISO process and ongoing Support pdf”