ISO 27001:2022 Annex A: what changed from 2013
ISO 27001 was updated in October 2022. The 2013 version had 114 controls across 14 clauses; the 2022 version restructured them into 93 controls across 4 themes. If you're still working from a 2013 SoA, you're out of date.
The 4 themes (formerly 14 domains):
| Theme | Controls | Focus |
|---|---|---|
| 5. Organisational Controls | 37 controls (A.5.1–A.5.37) | Policies, roles, governance, supplier relationships, legal compliance |
| 6. People Controls | 8 controls (A.6.1–A.6.8) | Hiring, training, disciplinary, remote working, confidentiality |
| 7. Physical Controls | 14 controls (A.7.1–A.7.14) | Physical security, entry controls, equipment, clear desk |
| 8. Technological Controls | 34 controls (A.8.1–A.8.34) | Endpoint, access, cryptography, logging, vulnerability, SDLC, network |
11 new controls in 2022 (not in 2013):
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
How Annex A works: applicable vs not applicable
Annex A controls are not all mandatory. ISO 27001 requires you to:
- Assess your information security risks (Clause 6.1.2)
- Select controls to treat identified risks
- Produce a Statement of Applicability (SoA) listing all 93 Annex A controls with: applicable/not applicable status, justification for each decision, and implementation status
- Have an auditor validate your SoA and control implementation
You can declare a control not applicable — but you need a documented justification. "We have no physical servers" is a valid reason to declare A.7.8 (Equipment siting and protection) as not applicable. "We don't think it's important" is not.
Most commonly applicable controls for SaaS companies
SaaS companies in 2026 are almost always cloud-native, typically have remote teams, and process personal data. Here's how the 93 controls typically apply:
Organisational Controls (A.5) — 37 controls
Almost always applicable for SaaS:
- A.5.1 Policies for information security: Information Security Policy required. Most important document in your ISMS.
- A.5.9 Inventory of information and other assets: Asset register covering data, systems, software, cloud accounts. A simple spreadsheet or Notion doc is sufficient for small teams.
- A.5.10 Acceptable use of information: AUP for employees covering acceptable use of systems, data, email, internet.
- A.5.12 Classification of information: Data classification scheme (Public/Internal/Confidential/Restricted). Essential for demonstrating proportionate controls.
- A.5.13 Labelling of information: How classified documents are labelled. Can be simple (document headers, naming conventions) rather than elaborate DLP tagging.
- A.5.15 Access control: Access control policy covering RBAC, least privilege, provisioning/deprovisioning.
- A.5.16 Identity management: Managing the full identity lifecycle: provisioning, review, removal.
- A.5.19 Information security in supplier relationships: Third-party risk management — supplier security questionnaires, DPAs, SOC 2 reports.
- A.5.23 Information security for use of cloud services: New in 2022. Cloud service security requirements, shared responsibility understanding, cloud provider audit reports.
- A.5.26 Response to information security incidents: Incident Response Plan. Covers detection, response, notification, and post-incident review.
- A.5.28 Collection of evidence: How evidence is collected and preserved for investigations.
- A.5.33 Protection of records: Records management including retention, protection, and disposal.
People Controls (A.6) — 8 controls
- A.6.1 Screening: Background checks before hiring. What checks are appropriate depends on role sensitivity and jurisdiction (GDPR note: criminal record checks = Art. 10 special category data).
- A.6.2 Terms and conditions of employment: Security responsibilities in employment contracts and offer letters.
- A.6.3 Information security awareness, education, and training: Security awareness programme. Annual training minimum; role-specific training for higher-risk roles.
- A.6.4 Disciplinary process: Documented process for security policy violations.
- A.6.5 Responsibilities after termination or change: Offboarding checklist: account deactivation, device return, access revocation, confidentiality continuation.
- A.6.7 Teleworking: Remote work security policy. Specifically addresses home office, mobile working, and co-working spaces.
- A.6.8 Information security event reporting: How employees report security events. Clear, simple reporting channel required.
Physical Controls (A.7) — 14 controls
For cloud-native SaaS companies with no physical offices or data centres, many A.7 controls are genuinely not applicable. However:
- A.7.1 Physical security perimeters: For office space (if any). Even a home office with a door is a perimeter.
- A.7.7 Clear desk and clear screen: Applicable everywhere — including home offices. Document and train.
- A.7.8 Equipment siting and protection: Not applicable if no on-premises servers. Applicable for office equipment.
- A.7.9 Security of assets off-premises: Always applicable — laptops, mobile devices taken off-premises by remote workers.
- A.7.10 Storage media: Always applicable — USB drives, external drives, laptop encrypted storage.
- A.7.11 Supporting utilities: Not applicable for cloud-native SaaS (cloud provider's responsibility under shared responsibility model). Document this in your SoA.
- A.7.14 Secure disposal or re-use of equipment: Applies to decommissioned laptops and devices. Data wiping or destruction required.
Technological Controls (A.8) — 34 controls
This is where most SaaS effort goes. Key controls:
- A.8.2 Privileged access rights: PAM controls: separate privileged accounts, JIT access, no permanent root, privileged session logging.
- A.8.3 Information access restriction: Least privilege, need-to-know, RBAC implementation.
- A.8.5 Secure authentication: Password and authentication policy: MFA, password complexity, session management, account lockout.
- A.8.7 Protection against malware: EDR/antivirus on all endpoints, email scanning, anti-phishing controls.
- A.8.8 Management of technical vulnerabilities: Vulnerability management programme: scanning, CVSS scoring, remediation timelines, patch management.
- A.8.9 Configuration management: New in 2022. Baseline configurations for systems, hardening, IaC in version control, configuration drift detection.
- A.8.15 Logging: Log management policy: what is logged, retention period, log sources, NTP clock sync.
- A.8.16 Monitoring activities: New in 2022. SIEM, anomaly detection, alert configuration, regular log review.
- A.8.20 Networks security: Network segmentation, firewalls, WAF, DDoS protection.
- A.8.24 Use of cryptography: Cryptography policy: approved algorithms, key management, prohibited algorithms.
- A.8.25 Secure development lifecycle: SDLC policy: dev/staging/prod separation, code review, security scanning, change management.
- A.8.28 Secure coding: New in 2022. OWASP Top 10 awareness, static analysis, dependency scanning, peer review for security-sensitive changes.
- A.8.29 Security testing in development and acceptance: Penetration testing, security review before major release, staging environment testing.
- A.8.32 Change management: Change Management Policy: approval process, testing, rollback, emergency change procedure.
- A.8.33 Test information: Test data management: no production personal data in test/dev without masking, synthetic data preferred.
Statement of Applicability: what it must contain
The SoA is one of two mandatory documented outputs from ISO 27001 (the other being the Risk Treatment Plan). Auditors review it carefully. It must include:
- All 93 Annex A controls listed
- Applicable/not applicable status for each
- Justification for each decision (inclusion: which risk it treats; exclusion: why it doesn't apply)
- Implementation status (implemented/planned/partially implemented)
- Reference to where the control is documented (policy name, procedure reference)
A common mistake: declaring controls as not applicable without documented justification. Auditors will question every exclusion. "We don't have any external users" is a justification; "N/A" alone is not.
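As an added example (not from the original article), a small Python check that applies the SoA requirements above to an SoA kept as rows: every one of the 93 Annex A 2022 controls present, no bare "N/A" justifications, and every applicable control tied to an implementation status and a documented reference. The row keys and the sample SoA are constructed for illustration.

```python
# Annex A 2022 themes and control counts: A.5.1-A.5.37, A.6.1-A.6.8,
# A.7.1-A.7.14, A.8.1-A.8.34 (93 controls in total).
THEME_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = [f"A.{t}.{n}" for t, c in THEME_COUNTS.items() for n in range(1, c + 1)]
VALID_STATUS = {"implemented", "partially implemented", "planned"}
# Strings that auditors will not accept as a justification on their own.
PLACEHOLDERS = {"", "n/a", "na", "not applicable", "none"}


def validate_soa(rows):
    """rows: dicts with keys control, applicable (bool), justification, status,
    reference. Returns a list of findings; an empty list means the checks pass."""
    findings, seen = [], set()
    for r in rows:
        cid = r["control"]
        if cid not in ALL_CONTROLS:
            findings.append(f"{cid}: not an Annex A 2022 control")
            continue
        if cid in seen:
            findings.append(f"{cid}: listed more than once")
        seen.add(cid)
        # Every decision, inclusion or exclusion, needs a real justification.
        if r.get("justification", "").strip().lower() in PLACEHOLDERS:
            findings.append(f"{cid}: no documented justification")
        if r["applicable"]:
            if r.get("status") not in VALID_STATUS:
                findings.append(f"{cid}: applicable but implementation status missing")
            if not r.get("reference"):
                findings.append(f"{cid}: applicable but no policy/procedure reference")
    findings += [f"{cid}: missing from SoA" for cid in ALL_CONTROLS if cid not in seen]
    return findings


def sample_soa():
    """Constructed SoA for a cloud-native SaaS: A.7.8 and A.7.11 excluded with
    reasons, all other controls applicable. Two rows are deliberately defective."""
    excluded = {"A.7.8": "No on-premises servers; all systems hosted by the cloud provider",
                "A.7.11": "Utilities are the cloud provider's responsibility (shared responsibility)"}
    rows = []
    for cid in ALL_CONTROLS:
        if cid in excluded:
            rows.append({"control": cid, "applicable": False, "justification": excluded[cid]})
        else:  # "R-01" is a constructed risk register reference
            rows.append({"control": cid, "applicable": True, "justification": "Treats risk R-01",
                         "status": "implemented", "reference": "ISMS policy library"})
    rows[ALL_CONTROLS.index("A.7.2")]["justification"] = "N/A"  # defect: bare N/A
    del rows[ALL_CONTROLS.index("A.8.28")]["reference"]        # defect: no reference
    return rows
```

Running `validate_soa(sample_soa())` reports exactly the two defective rows; the same function run over an empty list reports all 93 controls as missing.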
Getting from 0 to ISMS: the SaaS shortcut
A full ISO 27001 ISMS sounds complex. For a typical SaaS company (20–200 employees, cloud-native, no on-premises infrastructure), the practical scope is:
- Scope statement: Define what's in scope (cloud infrastructure, applications, employee devices, personnel). Be specific but not artificially narrow.
- Risk assessment: Identify your most significant information assets, threats, and vulnerabilities. A spreadsheet with probability × impact = risk score is sufficient for a first pass.
- Control selection: Choose Annex A controls to address your identified risks. For a cloud-native SaaS, approximately 60–70 of the 93 will apply.
- Policy documentation: Write the policies that evidence the selected controls (InfoSec Policy, Access Control, Password Policy, IRP, BCP/DRP, Vulnerability Management, etc.).
- Statement of Applicability: Document all 93 controls, applicability, and justification.
- Internal audit: Test your own controls before the certification audit. Identify and remediate gaps.
- Stage 1 audit: Auditor reviews documentation. Typically 1 day for a 50-person company.
- Stage 2 audit: Auditor tests evidence. Typically 2–3 days.
Timeline: 3–6 months from starting to certification for a focused effort at a 50-person SaaS company.
⚠️ This guide is for informational purposes only and does not constitute legal or audit advice. ISO 27001 certification scope and control applicability depend on your specific risk assessment. Engage an accredited certification body for a formal audit.