What is Annex A?

Annex A is the internationally standardized set of control objectives (14) and controls (114). It is a comprehensive minimum baseline of information security controls that every information security management system shall consider when selecting controls to mitigate information security risks. ISO 27001 requires organizations to map which Annex A controls apply to them in the Statement of Applicability (SoA). Annex A is also somewhat generic, in that it gives only a mid-level description of each control. There is a wide variety of options for which low-level controls you actually choose and implement to reduce risk under an Annex A description, which is why you may seek guidance from an experienced ISO 27001 consultant.

© 2025 SecuraStar. All rights reserved.