How Annex A controls relate to ISO 27001 Requirements
ISO 27001 Annex A Controls do not map to ISO 27001 Requirements. They are used to help fulfill requirements “c” and “d” from clause 6.1.3 (Information security risk treatment), i.e., they are related to the main part of the standard primarily through the risk assessment and treatment processes.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
These materials will also help you regarding ISO 27001 controls from Annex A:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Thanks for this explanation. You mention 'They are used to help fulfill requirements “c” and “d” from clause 6.1.3'. What are requirements “c” and “d” and where can one see all the requirements for all the clauses?
Requirement 6.1.3 “c” refers to a comparison of the controls to be applied with those in Annex A, to ensure that no necessary controls have been omitted.
Requirement 6.1.3 “d” refers to the development of the Statement of Applicability (SoA), stating the necessary controls and the justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.
The full text of these requirements can be found in the ISO 27001 standard (https://www.iso.org/standard/54534.html).
Due to Intellectual Property rights, the standard is not included in the toolkit, but you can find some explanation about the requirements in this paper:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
Aug 30, 2021