ISO 27001 Annex A controls do not map to ISO 27001 requirements. They are used to help fulfill requirements “c” and “d” from clause 6.1.3 (Information security risk treatment), i.e., they are related to the main part of the standard primarily through the risk assessment and risk treatment processes.
Thanks for this explanation. You mention 'They are used to help fulfill requirements “c” and “d” from clause 6.1.3'. What are requirements “c” and “d” and where can one see all the requirements for all the clauses?
Requirement 6.1.3 “c” refers to a comparison of the controls to be applied with those in Annex A, to ensure that no necessary controls have been omitted.
Requirement 6.1.3 “d” refers to the development of the Statement of Applicability (SoA), which lists the necessary controls and the justification for their inclusion, whether they are implemented or not, together with the justification for excluding any controls from Annex A.
The full text of these requirements can be found in the ISO 27001 standard (https://www.iso.org/standard/54534.html). Due to intellectual property rights, the standard is not included in the toolkit, but you can find some explanation of the requirements in this paper: