Control Library (Intermediate)
20 minutes

Annex A and the 93 controls

Understand how the 2022 control set is grouped and why the control library should be used through a risk-based lens.

Lesson overview

Annex A gives you 93 possible controls grouped into organizational, people, physical, and technological categories.

Professional explanation

The 2022 version reorganized controls into four categories and expects organizations to justify applicability based on risk treatment, not blind adoption.

Practical example

A startup may justify strong technological and supplier controls, while a manufacturing business also needs deeper physical controls. The control set is the same; the applicability pattern differs.

Content blocks

A shared library, not a shared answer
Every organization sees the same 93 controls, but not every organization applies them in the same way or to the same depth.
Risk treatment drives applicability
The control library becomes useful when each selected control can be traced back to risk, legal obligations, contractual expectations, or strategic decisions.

Examples and callouts

Control 5.19 matters heavily when supplier exposure is material to the service.
Physical controls become central when the business runs warehouses, labs, or visitor-access areas.
Blind control selection is weak governance
Auditors expect a rationale for why a control is applicable, excluded, or only partly implemented.
Use ISO 27002 as the interpretation layer
ISO 27002 helps teams understand what a control can look like in real implementation rather than just reading the short title.

Interactive prompt

Pick one scenario and identify which category of controls is likely to be most important first, then explain why that is still not enough by itself.

Interactive exercise

Module checkpoint

Answer in either language. The quiz uses the same underlying concept, not literal duplicated wording.

Q1
How many controls are in Annex A of ISO/IEC 27001:2022?
Q2
What should mainly decide whether a control is applicable?