How Many Controls in ISO 27001?

How many controls in ISO 27001 is one of the most frequently searched questions by companies preparing for compliance or certification. The answer is straightforward: Annex A of ISO/IEC 27001:2022 lists 93 controls, organized under a modernized four-theme structure to address evolving security challenges.

Whether you’re beginning your ISO 27001 journey or updating from the 2013 version, knowing exactly how many controls in ISO 27001 exist—and what they mean for your business—is essential. This guide walks you through the total number of controls, the changes in the latest standard, how they’re grouped, and what it takes to implement them effectively. We also show how SR3 (27001.in) can support you at every step, from risk assessments to audits and full ISO certification.

How Many Controls in ISO 27001:2022?

Let’s start with the core question: how many controls in ISO 27001 today?

  • The ISO 27001:2022 revision includes a total of 93 controls
  • The previous 2013 version had 114 controls
  • Controls in ISO 27001:2022 are grouped into 4 themes, replacing the earlier 14 domains

The four new themes are:

  • Organizational – 37 controls
  • People – 8 controls
  • Physical – 14 controls
  • Technological – 34 controls

The reduction from 114 to 93 doesn’t mean ISO 27001 is less comprehensive. In fact, several older controls were merged, rewritten, or enhanced to reflect current cybersecurity risks. Understanding how many controls in ISO 27001 there are now—and how they map to your business objectives—is a foundational part of becoming certified and staying secure.

What Changed from ISO 27001:2013 to ISO 27001:2022?

The 2022 update of ISO 27001 is more than a cosmetic change. It reflects the rapid evolution of technology, cloud infrastructure, and digital threats.

Here are the key differences:

  • ISO 27001:2013 had 114 controls split across 14 control domains
  • ISO 27001:2022 has 93 controls grouped into 4 control themes
  • 11 entirely new controls have been introduced in the 2022 version
  • Several existing controls were merged, rewritten, or clarified

The 11 new controls are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

When reviewing how many controls in ISO 27001 apply to your organization, it’s important to assess not only quantity but also relevance to your risk environment. These changes make the framework more adaptable and scalable for businesses across all industries.

ISO 27001:2022 Control Themes and Breakdown

To simplify implementation and interpretation, the 2022 version reorganizes the controls into four themes:

Organizational (37 controls):  These relate to the policies, processes, roles, and responsibilities that govern information security across the business. Examples include information classification, access control policy, supplier relationships, threat intelligence, and incident management.

People (8 controls):  These controls are focused on human-related aspects of security, such as employee awareness, responsibilities, and remote work. They ensure that your team is equipped to prevent and respond to threats.

Physical (14 controls):  These controls protect physical assets and environments where information is stored or processed. Topics include secure areas, equipment disposal, and environmental protection.

Technological (34 controls):  These involve the technical side of security, including encryption, secure coding, logging and monitoring, malware protection, and data backup. For many organizations, this is where the bulk of implementation effort is required.

So, how many controls in ISO 27001 fall into each category? The split is fixed by the standard (37, 8, 14, and 34), but how many of them you actually implement depends on your risk assessment. All 93 must still appear in your Statement of Applicability (SoA), each either adopted or justified for exclusion.

What is the Statement of Applicability (SoA)?

The Statement of Applicability (SoA) is one of the most critical documents in the ISO 27001 compliance process. It lists all 93 Annex A controls and declares which of them your organization has selected, and why the others have been excluded.

It also includes:

  • Whether each control is applicable to your business
  • Justification for inclusion or exclusion
  • Current implementation status
  • Reference to relevant documentation or procedures

When asking how many controls in ISO 27001 apply to your business, the SoA becomes your personalized answer. It shows auditors that your implementation is risk-based, documented, and defensible.

The SoA is required for certification and is a key piece of evidence during audits. Incomplete or generic SoAs can lead to non-conformities or certification delays.
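The completeness rule above is easy to check mechanically. The script below is an added example, not part of the original article or of any SR3 tooling: it generates the 93 Annex A control IDs from the theme counts (5.x, 6.x, 7.x, 8.x) and validates an SoA exported as CSV, reporting controls that are missing, rows without a justification, and applicable controls with no implementation status or evidence reference. The CSV column names and the three sample rows are constructed assumptions; adjust them to your own SoA template.

```python
"""Completeness check for an ISO 27001:2022 Statement of Applicability.

Added example, not from the original article. Assumes the SoA is exported to
CSV with columns control_id, title, applicable, justification, status,
reference (column names are an assumption about your template).
"""
import csv
import io
from collections import Counter

# Annex A of ISO/IEC 27001:2022 numbers its controls by theme:
# 5.x Organizational (37), 6.x People (8), 7.x Physical (14), 8.x Technological (34) = 93.
THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}
ANNEX_A_IDS = [
    f"{prefix}.{n}"
    for prefix, (_, count) in THEMES.items()
    for n in range(1, count + 1)
]
IMPLEMENTATION_STATUS = {"implemented", "partially implemented", "planned"}
YES_VALUES = {"yes", "y", "true"}


def parse_soa(csv_text):
    """Parse SoA rows from CSV text into a dict keyed by control id."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        rows[cid] = {key: (value or "").strip() for key, value in row.items()}
    return rows


def theme_counts(rows):
    """Count the controls marked applicable per theme, e.g. {'Organizational': 37, ...}."""
    counts = Counter()
    for cid, row in rows.items():
        prefix = int(cid.split(".")[0])
        if prefix in THEMES and row["applicable"].lower() in YES_VALUES:
            counts[THEMES[prefix][0]] += 1
    return dict(counts)


def check_soa(rows):
    """Return the findings an auditor would raise; an empty list means the SoA is complete.

    Every one of the 93 controls must be listed, every row needs a justification
    (for inclusion or exclusion), and applicable controls need a recognised
    implementation status plus a reference to the policy or evidence behind it.
    """
    findings = []
    for cid in ANNEX_A_IDS:
        row = rows.get(cid)
        if row is None:
            findings.append(f"{cid}: not listed in the SoA")
            continue
        applicable = row["applicable"].lower() in YES_VALUES
        if not row["justification"]:
            kind = "inclusion" if applicable else "exclusion"
            findings.append(f"{cid}: no justification for {kind}")
        if applicable:
            if row["status"].lower() not in IMPLEMENTATION_STATUS:
                findings.append(
                    f"{cid}: status '{row['status']}' is not a recognised implementation status"
                )
            if not row["reference"]:
                findings.append(f"{cid}: applicable but no reference to policy or evidence")
    for cid in rows:
        if cid not in ANNEX_A_IDS:
            findings.append(f"{cid}: not an Annex A control id")
    return findings


# Constructed sample with only three rows: the check must flag the other 90 as missing,
# and 8.28 as lacking a status and an evidence reference.
SAMPLE_SOA = """control_id,title,applicable,justification,status,reference
5.1,Policies for information security,yes,Required for every ISMS scope,implemented,POL-001
7.4,Physical security monitoring,no,No premises in scope; fully remote workforce,not applicable,RA-2024-03
8.28,Secure coding,yes,In-house software development is in scope,,
"""


def demo():
    """Run the check over the constructed sample and return its findings."""
    return check_soa(parse_soa(SAMPLE_SOA))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real export before the internal audit: a generic SoA that copies the same justification into every row will pass this structural check but still not satisfy an auditor, so treat an empty findings list as the floor, not the finish line.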

ISO 27002 vs Annex A – What’s the Difference?

A common source of confusion when researching how many controls in ISO 27001 is the difference between ISO 27001’s Annex A and ISO 27002.

Here’s how they compare:

  • Annex A (part of ISO 27001): Lists the 93 reference controls. Clause 6.1.3 requires you to compare the controls you derived from risk treatment against this list, so that no necessary control is overlooked.
  • ISO 27002: Provides detailed implementation guidance for each of those controls (purpose, attributes, and how to apply them). It is a guidance standard; you cannot be certified against ISO 27002 itself.

In simple terms:

  • ISO 27001 tells you what you need to do.
  • ISO 27002 tells you how to do it.

If your team is trying to understand how many controls in ISO 27001 are mandatory or how they should be applied, ISO 27002 is your go-to guidance resource.

How to Select the Right ISO 27001 Controls

While ISO 27001:2022 lists 93 controls, none of them is mandatory in itself; what the standard requires is that every control is either implemented or excluded with a documented reason. Your goal is to select controls based on a risk-driven approach.

Steps to follow:

  • Conduct a risk assessment tailored to your information assets
  • Identify threats, vulnerabilities, and potential impact
  • Select controls that mitigate your high-risk areas
  • Compare the selected controls against Annex A to confirm nothing necessary has been omitted
  • Justify inclusions and exclusions in your Statement of Applicability

Understanding how many controls in ISO 27001 are relevant for you is about more than numbers—it’s about relevance, effectiveness, and alignment with your organizational goals.

Avoid turning ISO 27001 into a checklist exercise. The standard emphasizes contextual implementation, not simply box-ticking.

Why Knowing How Many Controls in ISO 27001 Matters

If you’re wondering why it’s important to know how many controls in ISO 27001 exist or apply to your business, here are several reasons:

  • Helps you scope your ISO project correctly
  • Informs budgeting and resource allocation
  • Ensures that no required controls are missed during audits
  • Provides transparency to leadership and stakeholders
  • Allows better prioritization of remediation and improvements
  • Enables faster and smoother ISO 27001 certification

Whether you’re a small enterprise or a global organization, having a clear understanding of how many controls in ISO 27001 are involved is the first step in building a strong and compliant security framework.

How SR3 Helps You Implement ISO 27001 Controls

SR3 (27001.in) offers tailored ISO 27001 solutions that eliminate guesswork and delays.

Our ISO 27001 services include:

  • In-depth gap assessments based on the 93 updated controls
  • Risk assessment and risk treatment planning
  • Full support with drafting policies, SoAs, and implementation evidence
  • Training your teams on control effectiveness
  • Internal audits and pre-certification readiness
  • Transition services from ISO 27001:2013 to ISO 27001:2022

You don’t need to figure out how many controls in ISO 27001 apply to you on your own—our team will guide you through every control selection, justification, and implementation detail.

Work with SR3

Ready to streamline your ISO 27001 implementation? Whether you’re starting from scratch or upgrading to the 2022 version, SR3 can help you simplify compliance and maximize control effectiveness.

We bring real-world experience, industry-aligned frameworks, and end-to-end ISO 27001 services—designed around your needs.

Let’s make ISO 27001 work for your organization.

Frequently Asked Questions

How many controls in ISO 27001 are required for certification?

None are mandatory by default. You must justify the selection or exclusion of each of the 93 Annex A controls in your Statement of Applicability, based on your risk assessment.


How do I know which ISO 27001 controls apply to my organization?

Conduct a risk assessment and consult with an ISO 27001 expert like SR3 to tailor the control set.

Is ISO 27001:2022 different from ISO 27001:2013?

Yes. The structure is modernized with 93 controls instead of 114, grouped into 4 themes instead of 14 domains, and 11 new controls have been added.

How does ISO 27001 help protect my information?

It provides a structured approach to managing data protection, access control, monitoring, encryption, and compliance.

What happens if a control is missing or not properly justified?

During an audit, missing or improperly justified controls could result in non-conformities or failed certification.

Is ISO 27001 certification a one-time exercise?

No. It typically requires surveillance audits yearly and full re-certification every three years.

Can SR3 help smaller organizations with ISO 27001?

Absolutely. SR3 specializes in scalable ISO 27001 solutions for businesses of all sizes.