Chat with Experta

User
Are any of Annex A controls mandatory?
Experta
None of the 93 controls from Annex A are mandatory. Based on an analysis of its risks and taking into account the security requirements of interested parties, a company must choose which controls are 'applicable' (i.e. necessary and appropriate to mitigate unacceptable risks). In other words, the Annex A controls are discretionary.

Examples:
- A company has found that it faces a risk of data loss, so it decided to apply control A.8.13 Information backup.
- An important customer requires a certain type of encryption to be implemented, so the company decided to apply control A.8.24 Use of cryptography.