The Financial Conduct Authority (FCA) has made clear that UK financial services organisations must maintain robust, well-documented security controls frameworks. With the transition to ISO 27001:2022 now required for organisations maintaining accredited certification — the IAF transition deadline for accredited certifications is 31 July 2026 — financial institutions face the challenge of implementing the updated Annex A controls while navigating an increasingly complex regulatory environment that includes FCA requirements, the Senior Managers and Certification Regime (SM&CR), operational resilience expectations, and, for EU-based entities, the Digital Operational Resilience Act (DORA).
ISO 27001:2022 Annex A provides a catalogue of 93 controls organised into four clusters — Organisational, People, Physical, and Technological — replacing the 114 controls under 14 clauses in the 2013 version. This restructured framework reflects the evolution of the threat landscape, the adoption of cloud services, and the integration of cybersecurity into organisational governance. For financial services organisations, the updated controls address modern security challenges including threat intelligence and information security for the use of cloud services, while maintaining compatibility with the ISMS audit and certification process.
In this article, our team examines how to implement the ISO 27001 Annex A controls in a UK financial services context, the key changes in the 2022 update, and how our consultants help organisations build security controls frameworks that satisfy both ISO 27001 and FCA requirements.
Understanding the Security Controls Framework in ISO 27001:2022
The Annex A 2022 controls are a significant restructuring from the 2013 version. The 93 controls are now organised into four thematic clusters that make it easier for organisations to navigate and implement controls based on their risk profile and operational context:
- Organisational controls (Clause 5, 37 controls): Covering information security policies, roles and responsibilities, risk management, supplier relationships, threat intelligence, security in project management, and compliance with legal and regulatory requirements. This cluster reflects the standard's increased emphasis on security governance as a board-level concern.
- People controls (Clause 6, 8 controls): Covering screening, terms and conditions of employment, information security awareness and training, disciplinary processes, remote working, and the return of assets and removal of access upon termination or role change.
- Physical controls (Clause 7, 14 controls): Covering physical security perimeters, entry controls, securing offices and facilities, physical security monitoring, visitor management, equipment siting and protection, and secure disposal and reuse of equipment.
- Technological controls (Clause 8, 34 controls): Covering user endpoint devices, privileged access management, information access restriction, identity management, authentication, capacity management, protection against malware, technical vulnerability management, configuration management, information deletion, data masking, data leakage prevention, network security, web filtering, encryption, secure development, security testing, and audit logging.
For UK financial services organisations, the technological controls cluster is particularly significant. Controls 8.2 (privileged access rights), 8.5 (secure authentication), 8.12 (data leakage prevention), 8.16 (monitoring activities), 8.20 (networks security), and 8.29 (security testing in development and acceptance) directly map to FCA expectations for access control, monitoring, and testing of financial systems.
Why Annex A 2022 Implementation Matters for Financial Services
The Annex A 2022 update introduced several new controls that are particularly relevant for financial services organisations:
- 5.7 Threat intelligence: Requires organisations to gather and analyse threat intelligence to inform their security controls. For financial services, this aligns with the FCA's expectation that firms maintain situational awareness of the threat landscape.
- 5.23 Information security for use of cloud services: Establishes requirements for procuring, using, managing, and exiting cloud services. Given the financial sector's rapid adoption of cloud infrastructure and the FCA's outsourcing and third-party risk management guidance, this control is critical.
- 5.30 ICT readiness for business continuity: Requires organisations to plan, implement, maintain, and test ICT readiness for business continuity. This control integrates with the operational resilience framework that the FCA and PRA require.
- 8.10 Information deletion: Requires organisations to establish and implement procedures for the deletion of information when no longer required, supporting compliance with UK GDPR data minimisation and storage limitation principles.
- 8.11 Data masking: Requires organisations to implement data masking techniques where appropriate, particularly relevant for protecting production data used in test or development environments — a common concern in financial services.
- 8.16 Monitoring activities: Requires organisations to monitor networks, systems, and applications for anomalous behaviour, aligning with the FCA's expectation for continuous monitoring of operational risk indicators.
For financial services organisations, implementing these controls is not just an ISO 27001 requirement — it is a regulatory necessity. The FCA's approach to operational resilience requires firms to map important business services, identify the technology and data that support them, and ensure they can remain within impact tolerances. The Annex A controls provide the technical and organisational building blocks for achieving this resilience.
Practical Implementation Steps for Financial Services
Our team recommends the following structured approach to implementing ISO 27001:2022 Annex A controls in a financial services context:
- Conduct a control gap analysis: Compare the organisation's existing controls against the 93 Annex A controls, identifying which are fully implemented, partially implemented, or absent. Prioritise gaps based on the organisation's risk assessment outcomes and regulatory requirements.
- Select applicable controls: Not all 93 controls are mandatory for every organisation. The Statement of Applicability (SoA) documents which controls apply and justifies any exclusions. For financial services, controls related to cloud security (5.23), threat intelligence (5.7), and monitoring (8.16) should be included even where the organisation might otherwise consider excluding them.
- Map to regulatory requirements: Create cross-reference mappings between Annex A controls and FCA expectations, SM&CR responsibilities, and operational resilience requirements. This mapping helps auditors and regulators see how ISO 27001 controls support regulatory compliance.
- Implement controls incrementally: Begin with high-priority controls that address the organisation's most significant risks and regulatory obligations. Implement remaining controls through a phased plan with defined milestones and ownership.
- Document and test: Each control must be documented — describing how it is implemented, who is responsible, and how its effectiveness is measured. Test controls to ensure they are operating as intended and produce the expected outcomes.
- Establish ongoing monitoring: Control effectiveness must be monitored continuously. Financial services organisations should implement automated monitoring where feasible, with defined metrics and reporting cadences.
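The gap analysis, SoA selection, regulatory mapping, prioritisation and evidence checks described in the steps above can be expressed as a small, repeatable script. The following is an added example written for this article; it is not code from the original page, from Pyralink or from the CloudAuditX platform. The catalogue subset, the regulatory cross-reference table, the risk weights, the priority formula and the sample inventory are all constructed assumptions for illustration, not published mappings.

```python
"""Annex A 2022 control gap analysis with SoA and regulatory prioritisation.

Added example. The control titles are from Annex A; everything else here
(regulatory cross-references, risk weights, priority formula, inventory)
is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    ABSENT = "absent"
    EXCLUDED = "excluded"   # excluded via the Statement of Applicability


# Constructed subset of the Annex A 2022 catalogue (id -> title).
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "8.2": "Privileged access rights",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.16": "Monitoring activities",
}

# Constructed cross-reference: regulatory expectations each control supports.
REG_MAP: Dict[str, List[str]] = {
    "5.7": ["FCA situational awareness"],
    "5.23": ["FCA outsourcing / third-party risk"],
    "5.30": ["FCA/PRA operational resilience"],
    "8.2": ["FCA access control"],
    "8.10": ["UK GDPR storage limitation"],
    "8.11": [],
    "8.16": ["FCA continuous monitoring", "FCA/PRA operational resilience"],
}

# Controls the article says a financial services firm should not exclude.
MUST_INCLUDE = {"5.7", "5.23", "8.16"}


@dataclass
class ControlRecord:
    control_id: str
    status: Status
    owner: str = ""
    last_tested: Optional[date] = None   # date of last effectiveness test
    justification: str = ""              # required when status is EXCLUDED


@dataclass
class GapItem:
    control_id: str
    title: str
    status: Status
    priority: int
    reasons: List[str]


def evidence_is_stale(rec: ControlRecord, today: date, max_age_days: int = 365) -> bool:
    """An implemented control with no test inside the window counts as unevidenced."""
    if rec.status is not Status.IMPLEMENTED:
        return False
    return rec.last_tested is None or (today - rec.last_tested).days > max_age_days


def gap_analysis(inventory: List[ControlRecord], today: date,
                 risk_weight: Dict[str, int]) -> List[GapItem]:
    """Compare the inventory with the catalogue; return gaps sorted by priority.

    Constructed priority formula: risk weight (1-5, from the risk assessment)
    + 2 per regulatory expectation supported + 3 if the control is must-include.
    Controls missing from the inventory are treated as absent; an exclusion is
    a gap when it is must-include or has no SoA justification.
    """
    by_id = {r.control_id: r for r in inventory}
    gaps: List[GapItem] = []
    for cid, title in ANNEX_A.items():
        rec = by_id.get(cid, ControlRecord(cid, Status.ABSENT))
        reasons: List[str] = []
        if rec.status is Status.EXCLUDED:
            if cid in MUST_INCLUDE:
                reasons.append("exclusion not acceptable for financial services")
            elif not rec.justification:
                reasons.append("exclusion lacks SoA justification")
            else:
                continue   # justified exclusion: not a gap
        elif rec.status is Status.IMPLEMENTED:
            if evidence_is_stale(rec, today):
                reasons.append("no effectiveness test within 365 days")
            else:
                continue   # implemented and evidenced
        else:
            reasons.append(f"control {rec.status.value}")
        if not rec.owner:
            reasons.append("no owner assigned")
        priority = (risk_weight.get(cid, 1) + 2 * len(REG_MAP.get(cid, []))
                    + (3 if cid in MUST_INCLUDE else 0))
        gaps.append(GapItem(cid, title, rec.status, priority, reasons))
    return sorted(gaps, key=lambda g: (-g.priority, g.control_id))


# Constructed sample inventory and risk weights for a hypothetical firm.
SAMPLE_RISK = {"5.23": 5, "8.2": 5, "8.16": 4, "8.10": 2, "8.11": 3}


def run_sample() -> List[GapItem]:
    today = date(2025, 6, 1)
    inventory = [
        ControlRecord("5.7", Status.EXCLUDED, justification="no dedicated TI function"),
        ControlRecord("5.23", Status.PARTIAL, owner="Head of Cloud"),
        ControlRecord("5.30", Status.IMPLEMENTED, "CIO", today - timedelta(days=30)),
        ControlRecord("8.2", Status.IMPLEMENTED, "IAM lead", today - timedelta(days=400)),
        ControlRecord("8.10", Status.ABSENT),
        ControlRecord("8.11", Status.EXCLUDED, justification=""),
        # 8.16 deliberately missing from the inventory: treated as absent
    ]
    return gap_analysis(inventory, today, SAMPLE_RISK)


if __name__ == "__main__":
    for g in run_sample():
        print(f"{g.control_id:5} {g.title:48} {g.status.value:12} "
              f"p={g.priority:2} {'; '.join(g.reasons)}")
```

Running it ranks 8.16 first (absent, must-include, two regulatory expectations), then the partially implemented cloud control, then 8.2 whose evidence is older than a year; the justified exclusion and the recently tested 5.30 do not appear. The justification, owner and last-test fields are the same items the "document and test" step calls for, so the output doubles as the working list for the SoA and the evidence register.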
Common Implementation Challenges
Financial services organisations commonly encounter several challenges when implementing the updated controls. The first is scope — organisations that previously implemented the 2013 controls must map their existing implementations to the new structure and identify controls that are genuinely new (such as threat intelligence and cloud security) versus controls that have been reorganised into different groups.
The second challenge is supplier control management. Controls 5.19 (information security in supplier relationships), 5.20 (addressing security within supplier agreements), 5.21 (managing security in the ICT supply chain), and 5.22 (monitoring, review, and change management of supplier services) together represent a significant expansion of supplier security requirements that financial services organisations must address — particularly for outsourced services that support important business services.
The third challenge is demonstrating control effectiveness. Simply implementing a control is not sufficient — organisations must be able to demonstrate that the control is operating effectively and achieving its intended outcomes. This requires defined metrics, regular testing, and documented evidence — a significant documentation investment that smaller firms particularly struggle to maintain.
How Our Team Supports Financial Services Organisations
Pyralink Innovation Ltd helps UK financial services organisations implement ISO 27001:2022 Annex A controls as part of an integrated security controls framework. Our team's consultants combine expertise in ISO 27001 certification, FCA compliance, operational resilience, and cloud security — enabling us to design controls that satisfy multiple requirements simultaneously. We help clients conduct gap analyses, develop Statements of Applicability, implement controls, and prepare for certification or surveillance audits.
Our CloudAuditX platform enables organisations to manage control mapping, implementation tracking, evidence collection, and continuous monitoring across ISO 27001:2022, NIST CSF 2.0, FCA requirements, and other frameworks from a single console.
Frequently Asked Questions
What are the main changes in ISO 27001:2022 Annex A compared to 2013?
The 2022 version reduced controls from 114 to 93, reorganised them into four thematic clusters (Organisational, People, Physical, Technological), and introduced 11 new controls including threat intelligence, cloud services security, ICT readiness for business continuity, data masking, and monitoring activities. Several existing controls were merged or restructured.
Does every organisation need to implement all 93 Annex A controls?
No. The Statement of Applicability documents which controls are applicable based on the organisation's risk assessment and business context. Controls may be excluded where the associated risk is not present or is accepted. However, exclusions must be justified in the SoA and accepted by management.
How does ISO 27001:2022 Annex A relate to the FCA's operational resilience requirements?
The Annex A controls provide the security building blocks that support operational resilience. Controls on ICT readiness for business continuity (5.30), information security for cloud services (5.23), monitoring (8.16), and capacity management (8.6) directly support the FCA's expectation that firms identify important business services and ensure they can remain within impact tolerances.
Can we implement Annex A controls incrementally?
Yes, incremental implementation is both acceptable and recommended, particularly for organisations transitioning from the 2013 standard. Implementation should be driven by the risk assessment, with high-priority controls addressing significant risks implemented first. The transition to ISO 27001:2022 must be completed by the IAF deadline of 31 July 2026 for organisations maintaining accredited certification.