Expert Advice Community

Clarification about controls of ISO 27001:2022

Guest user. Created: Feb 22, 2023. Last commented: Feb 22, 2023

IRCA circulars and publications refer to controls of this standard with prefix “A.”; e.g. A.5.34, A.7.1, etc. This was the practice in ISO 27001:2013 also.

The 2022 release of the standard itself refers to them without such prefix. I would like to refer to them with the prefix, as otherwise controls like 7.1, 8.2, 5.3, etc. may be confused with corresponding clauses.

Is there any other logic in favour of referring the controls with prefix “A.”? While browsing the internet we see that both styles are being followed.

Expert
Rhand Leal Feb 22, 2023

Please note that the prefix “A” before the control ID is used to relate a control to ISO/IEC 27001 Annex A. Any control identified without the prefix “A” refers to ISO/IEC 27002:2022.

ISO/IEC 27001:2022 defines requirements for the implementation of an Information Security Management System (ISMS).

ISO/IEC 27002:2022 provides guidelines for the implementation of controls from ISO/IEC 27001 Annex A. ISO/IEC 27002 is not mandatory for the implementation of ISO/IEC 27001.

For further information, see:

This material can also help you:
