ISO 27001 Annex A Controls — A Practical Guide for Singapore SMEs

When Singapore companies first encounter the ISO 27001:2022 Annex A controls, the reaction is often the same: 93 controls across 4 domains — how do we implement all of that without a large security team and unlimited budget? The answer is that you don't implement all of them equally, and you certainly don't implement them all at once. The art of ISO 27001 Annex A is understanding which controls are critical for your organisation, which can be addressed with straightforward documentation, and which might be legitimately excluded with a justified rationale.

This guide demystifies Annex A for Singapore SMEs — covering the four domains, the controls that cause the most trouble in Singapore audits, and what "documented evidence" means in practice when a certification auditor asks for proof.

The Four Domains of Annex A

ISO 27001:2022 reorganised the Annex A controls from the previous 14-domain structure (A.5 to A.18 in the 2013 edition) into four cleaner domains, numbered A.5 to A.8:

Organisational Controls (37 controls)

These cover governance and process — policies, roles and responsibilities, information classification, threat intelligence, supplier relationships, incident management, and business continuity. This is the largest domain and the one that most directly reflects how mature your information security management actually is. Strong organisational controls mean security is embedded in how you operate, not bolted on after the fact.

People Controls (8 controls)

Covering the human dimension: background screening, terms of employment, security awareness training, and the handling of personnel changes — especially the critical controls around what happens when someone leaves. Termination procedures (A.6.5, responsibilities after termination or change of employment) and the timely revocation of access rights (A.5.18) are two of the most commonly cited findings in Singapore audits.

Physical Controls (14 controls)

Physical security of premises and equipment: secure areas, physical access controls, clear desk policies, secure disposal of equipment and media, and protection against environmental threats. For most cloud-first Singapore SMEs, some physical controls will be excluded with justification (for example, if you have no on-premises data centre). The Statement of Applicability must document and justify every exclusion; "we use the cloud" is not a justification on its own, since your office, laptops and printers still fall under controls such as clear desk and secure disposal.

Technological Controls (34 controls)

The technical implementation layer: endpoint security, access control systems, cryptography, network security, application security, vulnerability management, logging and monitoring, and the controls introduced in the 2022 revision such as configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23) and secure coding (A.8.28). Note that threat intelligence (A.5.7) and cloud services security (A.5.23), also new in 2022, sit in the organisational domain, not here. This domain requires the most technical depth and generates the most evidence obligations.

Most Commonly Failed in Singapore Audits

Three controls where Singapore SMEs most often fall short:

  • A.8.2 (Privileged Access Rights) — accounts with elevated access aren't formally defined, aren't reviewed on a regular cycle, or aren't protected by MFA. Auditors will request a list of privileged accounts and evidence of periodic access reviews, including what was changed as a result of each review.
  • A.5.26 (Response to Information Security Incidents) — many organisations have an incident response policy but have never tested it. No tabletop exercise records, no evidence of a real incident being managed through the documented process.
  • A.5.19–A.5.22 (Supplier Relationships) — SaaS vendors, cloud providers, and IT support contractors are used without formal security assessments or contractual security clauses. For Singapore SMEs that rely heavily on cloud platforms, this is consistently the weakest Annex A area.

What "Documented Evidence" Actually Means

This is the question that most confuses Singapore SMEs approaching their first ISO 27001 audit. "Documented evidence" doesn't mean you need a sophisticated GRC platform or a dedicated compliance team producing reports. What auditors are looking for is proof that your controls are actually operating — not just that you have a policy saying they should.

For privileged access (A.8.2), documented evidence might be: a quarterly spreadsheet showing a review of privileged accounts, signed by the responsible manager, with notes on changes made as a result. For vulnerability and patch management (A.8.8, management of technical vulnerabilities), it might be: a vulnerability scan report from last month, a patch status report showing critical patches applied within your SLA, and a record of exceptions with risk acceptance signatures. For incident management (A.5.26), it might be: a log of incidents from the last 12 months, even if they were minor, showing how each was classified, handled, and closed.

The common thread: something happened, it was recorded, and the record demonstrates that your control operated as designed.

How to Build a Control Register Without a Big Team

A control register — a document mapping each applicable Annex A control to your implementation, owner, and evidence — is the working document behind your Statement of Applicability, which ISO 27001 clause 6.1.3 makes mandatory. The SoA is what auditors use to plan their evidence sampling, so the register needs to cover all 93 controls, marking each as implemented, planned or excluded. But it doesn't need to be complex.

  • Start with a spreadsheet — a simple workbook with columns for control reference, control name, applicable (yes/no/excluded), justification for exclusion, implementation description, control owner, and evidence location covers everything you need.
  • Assign control owners practically — for a 50-person SME, many controls will be owned by the same two or three people. That's fine. What matters is that someone is accountable and knows what evidence they need to maintain.
  • Link to existing documentation — don't recreate what already exists. If your IT vendor has a security hardening document for your cloud environment, that's evidence for A.8.9 (configuration management). Link to it. You don't need to replicate it.
  • Review quarterly, not constantly — set a quarterly calendar event to review the control register, update evidence references, and identify controls that need attention. Annual review isn't enough; continuous daily review isn't practical. Quarterly is the right cadence for most SMEs.

Ready to map and implement your Annex A controls?

Our consultants help Singapore SMEs build practical control registers, prepare documentation that satisfies certification auditors, and avoid the pitfalls that derail most first attempts.
