Navigating ISO/IEC 27001:2022 Annex A can be challenging. While implementation of the Standard’s main clauses is mandatory for conformance, implementation of the Annex A controls is not. Instead, their applicability is determined by your organisation’s risk assessment. This flexibility has countless benefits but can also lead to uncertainty, leaving many with common questions such as:
- Which controls are really necessary for us?
- How can we effectively justify our control selections in the Statement of Applicability (SoA)?
- What’s the distinction between Annex A and ISO/IEC 27002?
- How do we choose controls to manage our unique risk profile?
URM’s practical webinar is aimed at taking the confusion out of Annex A and helping you achieve the maximum benefit from implementing controls. Whether you're preparing for certification, updating your SoA, or simply looking at the most effective way to mitigate your information risks, we will provide clarity and actionable guidance.
Who Should Attend
This session is ideal for professionals involved in implementing, managing, or auditing against ISO 27001, including:
- Information security managers
- Compliance officers
- Risk managers
- Internal and external auditors
- IT managers and technical leads
- Data protection officers
- Consultants and advisors supporting ISO 27001 initiatives
What We’ll Cover
- ISO 27001 Annex A – What Is It For?
Understand its purpose in risk mitigation. Learn why all controls must be considered, and how they become mandatory once included in your Statement of Applicability (SoA).
- The Link Between Annex A and ISO/IEC 27002
Demystify the relationship between these two standards – Annex A lists the controls that must be considered, while ISO/IEC 27002 explains how to implement them, using purpose statements, attributes, and guidance.
- Structure of Annex A
Get to grips with the four control themes – organisational, people, physical, and technological – and learn how the new attribute model in ISO 27002 allows for flexible grouping of controls (e.g., by cybersecurity concepts or operational capabilities).
- Selecting Controls for Implementation
Learn how to base control selection on your risk assessment, and how to mix and match attributes like confidentiality, physical threats, and control types to build a defensible and effective control set.
- Control Examples in Practice
Gain insights through practical examples from each control theme, seeing how they function, their intended outcomes, and how they apply in real-world situations.
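As an added example (not URM's or the standard's own code), the following Python sketch models the attribute-based selection described above: a small constructed control set tagged with the ISO/IEC 27002:2022 attribute families, a filter that mixes and matches attributes, and an SoA drafter that records every control as either applicable or excluded with a justification. Control numbers and titles are those of ISO/IEC 27002:2022; the attribute tags, the helper names and the risk register entries are constructed for illustration.

```python
"""Attribute-based control selection and SoA drafting (added example, not URM's
or ISO's material). Control numbers and titles follow ISO/IEC 27002:2022; the
attribute tags and the risk register entries are constructed, illustrative data."""

CIA = ("Confidentiality", "Integrity", "Availability")

# Attribute families of ISO/IEC 27002:2022 used here: control_type (Preventive /
# Detective / Corrective), properties (C / I / A), concepts (Identify / Protect /
# Detect / Respond / Recover) and capabilities (e.g. Physical_security).
def ctl(ref, title, ctype, props, concepts, caps):
    return {"ref": ref, "title": title, "control_type": set(ctype),
            "properties": set(props), "concepts": set(concepts), "capabilities": set(caps)}

CONTROLS = [  # constructed sample set: tags are illustrative, verify against the standard
    ctl("5.1", "Policies for information security", ["Preventive"], CIA,
        ["Identify"], ["Governance"]),
    ctl("7.1", "Physical security perimeters", ["Preventive"], CIA,
        ["Protect"], ["Physical_security"]),
    ctl("7.4", "Physical security monitoring", ["Preventive", "Detective"], CIA,
        ["Protect", "Detect"], ["Physical_security"]),
    ctl("8.8", "Management of technical vulnerabilities", ["Preventive"], CIA,
        ["Identify", "Protect"], ["Threat_and_vulnerability_management"]),
    ctl("8.16", "Monitoring activities", ["Detective", "Corrective"], CIA,
        ["Detect", "Respond"], ["Information_security_event_management"]),
]

# Constructed risk register: the risks each selected control was chosen to treat.
RISK_LINKS = {"7.1": ["R-04 unauthorised access to server room"],
              "7.4": ["R-04 unauthorised access to server room"],
              "8.8": ["R-11 exploitation of unpatched internet-facing systems"]}

def select(controls, **wanted):
    """Controls carrying every requested tag (filters are ANDed); each value
    is a single tag or a list of tags, e.g. select(CONTROLS, control_type="Detective")."""
    def has(c, attr, v):
        return ({v} if isinstance(v, str) else set(v)) <= c[attr]
    return [c for c in controls if all(has(c, a, v) for a, v in wanted.items())]

def soa_rows(controls, risk_links):
    """Draft SoA rows (ref, title, applicable, justification). A control is
    applicable when the risk assessment cites it; otherwise it stays on the SoA
    as excluded, with the reason, because every Annex A control must be considered."""
    rows = []
    for c in controls:
        risks = risk_links.get(c["ref"], [])
        why = "Treats: " + "; ".join(risks) if risks else "No assessed risk requires it"
        rows.append((c["ref"], c["title"], bool(risks), why))
    return rows
```

Calling `soa_rows(select(CONTROLS, capabilities="Physical_security"), RISK_LINKS)` lists the physical-theme controls with their justifications; calling `soa_rows(CONTROLS, RISK_LINKS)` gives the full draft, excluded controls included.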
Register for the event
Please note, we can only process business email addresses.
Submit your question
If you have any immediate questions, please use the form provided below to ask up to 3 questions. You will also be able to ask additional questions during the session. No question will be left unanswered.
Did you miss the live event? Do not worry. We have recorded the webinar for you. Please watch the introduction to the webinar below. For the full recording please register using the form below the video.