Annex A is the control catalogue associated with ISO 27001. It gives organisations a structured list of security controls that can be selected and adapted according to risk, helping teams turn broad governance requirements into concrete technical and administrative safeguards.
Expanded Definition
Annex A controls are the reference control set in ISO 27001, used to select and tailor safeguards based on risk, scope, and operating context. In practice, they function as a menu of organisational, technical, physical, and human-centric controls that support an information security management system rather than replacing it. For NHI and agentic AI programs, Annex A is useful because it provides a governance anchor for access control, logging, supplier oversight, cryptography, and secure operations without prescribing one fixed implementation path.
Definitions vary across vendors when they map Annex A into product checklists, but the standard itself treats the catalogue as risk-based guidance, not a universal minimum baseline. That distinction matters when teams try to apply the same control set to service accounts, API keys, workloads, and autonomous agents. Annex A should be read alongside the ISO 27001 management system requirements, and mapped to operational practices such as secret handling and identity lifecycle controls. For a broader NHI context, the Ultimate Guide to NHIs — Standards frames how governance expectations translate into repeatable NHI controls, while NIST Cybersecurity Framework 2.0 offers a complementary outcomes-based structure.
The most common misapplication is treating Annex A as a compliance checklist to copy verbatim, which occurs when organisations ignore scope, risk treatment decisions, and control tailoring.
Examples and Use Cases
Implementing Annex A rigorously often introduces documentation and review overhead, requiring organisations to weigh audit readiness and governance clarity against faster delivery cycles.
- A platform team maps service-account lifecycle management to access control and identity governance controls, then records the risk justification for every exception.
- A security team uses Annex A to justify secret storage standards, rotation rules, and logging requirements for CI/CD pipelines and orchestration systems.
- A procurement group applies supplier and cloud assurance controls before granting an AI agent access to third-party APIs or data stores.
- An internal audit team tests whether selected controls are actually operated, not merely documented, and checks evidence across owners and systems.
- A governance committee ties control selection to the organisation’s risk appetite so that NHI, workload, and human identity controls stay aligned.
For NHI-specific control mapping, Ultimate Guide to NHIs — Standards is especially useful when translating policy into technical guardrails, and NIST Cybersecurity Framework 2.0 helps teams express the same intent in outcome language across protect, detect, and recover activities.
Why It Matters in NHI Security
Annex A matters in NHI security because it gives organisations a defensible way to show that service accounts, API keys, tokens, and agent permissions are not being managed ad hoc. That is critical when identities proliferate across CI/CD, cloud workloads, and autonomous tooling. NHI Mgmt Group research shows that only 5.7% of organisations have full visibility into their service accounts, which means control selection and evidence collection are often operating without a reliable inventory. In that environment, Annex A becomes the bridge between policy intent and practical oversight.
It is also a useful language for governance teams that need to prove that key risks are being treated consistently across departments, vendors, and environments. The controls are not a substitute for a mature NHI program, but they do help establish accountability for rotation, access review, logging, and supplier dependency management. The same control catalogue can support zero trust planning, but only if it is paired with continuous validation and clear ownership. Organisations typically encounter the cost of weak control selection only after a secrets leak, privilege misuse, or audit failure, at which point Annex A becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Annex A maps well to NHI governance, lifecycle, and control selection for non-human identities. |
| NIST CSF 2.0 | GV.RM-01 | Annex A is a governance control catalogue used to document risk-based security decisions. |
| NIST Zero Trust (SP 800-207) | Annex A supports zero trust control mapping but does not itself define ZTA architecture. |
Align Annex A selections to risk management objectives and maintain evidence for control ownership and review.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
