User
How is Annex A structured?
Experta
The purpose of ISO 27001 Annex A is to provide a catalog of security controls that can be selected to treat the risks. The 2022 revision of ISO 27001 has 93 security controls grouped into four sections.
These four sections are numbered from A.5 to A.8, and they cover the following:
- A.5 Organizational controls – This section contains 37 controls that are used to increase the security of an organization’s processes and activities, including management responsibilities, handling of assets, access rights, and so on.
- A.6 People controls – This section covers 8 controls that aim to increase security related to human resources, including hiring, training and awareness, and similar areas.
- A.7 Physical controls – This section covers 14 controls developed to increase the protection of information against physical threats, including protection of secure areas and protection of equipment.
- A.8 Technological controls – This section covers 34 controls designed to increase the security of IT and communication systems, focusing on operational systems, software development, and code management.
Each of these four sections presents specific controls, with a short description of what each control must achieve – for example, section 8 has a control named “A.8.13 Information backup”, where the standard requires that backups of your data, software, and systems be performed regularly, and also that the backups be tested to make sure they work properly.