ISO 27001:2022 - Annex A Controls
cloud-audit maps 88 checks to the 93 ISO/IEC 27001:2022 Annex A controls across 4 themes. 46 controls are automated (fully or partially), 47 require manual review: the organizational, people, and physical controls, plus the two technological controls that cannot be inferred from AWS configuration (A.8.30 Outsourced development and A.8.33 Test information).
Readiness assessment, not certification
ISO 27001 certification requires a formal audit by an accredited certification body. This tool does not certify anything; it automates assessment of the technical controls in Annex A and generates evidence to support your certification preparation.
Coverage Summary
| Theme | Controls | Automated* | Manual |
|---|---|---|---|
| A.5 - Organizational Controls | 37 | 14 | 23 |
| A.6 - People Controls | 8 | 0 | 8 |
| A.7 - Physical Controls | 14 | 0 | 14 |
| A.8 - Technological Controls | 34 | 32 | 2 |
| Total | 93 | 46 (49%) | 47 (51%) |
*Automated includes both fully automated (Auto) and partially automated (Partial) controls. A Partial control has some aspects verified by cloud-audit checks and others that still require manual review, so a passing Partial result is not by itself evidence that the control is fully met. The two manual A.8 controls are A.8.30 (Outsourced development) and A.8.33 (Test information).
Usage
```bash
# Terminal output with readiness score
cloud-audit scan --compliance iso27001_2022

# HTML report for auditors
cloud-audit scan --compliance iso27001_2022 --format html --output iso27001-report.html

# Markdown for documentation
cloud-audit scan --compliance iso27001_2022 --format markdown --output iso27001-report.md

# List all frameworks
cloud-audit list-frameworks

# Preview controls without scanning
cloud-audit show-framework iso27001_2022
```
A.5 - Organizational Controls
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| A.5.1 | Policies for information security | Manual | - |
| A.5.2 | Information security roles and responsibilities | Manual | - |
| A.5.3 | Segregation of duties | Partial | aws-iam-005, aws-iam-010, aws-iam-016 |
| A.5.4 | Management responsibilities | Manual | - |
| A.5.5 | Contact with authorities | Manual | - |
| A.5.6 | Contact with special interest groups | Manual | - |
| A.5.7 | Threat intelligence | Partial | aws-gd-001, aws-gd-002, aws-sh-001 |
| A.5.8 | Information security in project management | Manual | - |
| A.5.9 | Inventory of information and other associated assets | Partial | aws-cfg-001, aws-cfg-002 |
| A.5.10 | Acceptable use of information and other associated assets | Manual | - |
| A.5.11 | Return of assets | Manual | - |
| A.5.12 | Classification of information | Manual | - |
| A.5.13 | Labelling of information | Manual | - |
| A.5.14 | Information transfer | Partial | aws-s3-006, aws-s3-007, aws-lambda-003 |
| A.5.15 | Access control | Auto | aws-iam-005, aws-iam-006, aws-iam-010, aws-iam-014, aws-iam-017 |
| A.5.16 | Identity management | Auto | aws-iam-003, aws-iam-004, aws-iam-009, aws-iam-013 |
| A.5.17 | Authentication information | Auto | aws-iam-001, aws-iam-002, aws-iam-006, aws-iam-015 |
| A.5.18 | Access rights | Auto | aws-iam-005, aws-iam-007, aws-iam-008, aws-iam-010, aws-iam-012 |
| A.5.19 | Information security in supplier relationships | Manual | - |
| A.5.20 | Addressing information security within supplier agreements | Manual | - |
| A.5.21 | Managing information security in the ICT supply chain | Manual | - |
| A.5.22 | Monitoring, review, and change management of supplier services | Manual | - |
| A.5.23 | Information security for use of cloud services | Partial | aws-ct-001, aws-cfg-001, aws-sh-001 |
| A.5.24 | Information security incident management planning | Manual | - |
| A.5.25 | Assessment and decision on information security events | Partial | aws-gd-001, aws-gd-002, aws-cw-001 |
| A.5.26 | Response to information security incidents | Manual | - |
| A.5.27 | Learning from information security incidents | Manual | - |
| A.5.28 | Collection of evidence | Auto | aws-ct-001, aws-ct-002, aws-ct-004, aws-ct-005, aws-ct-006, aws-ct-007, aws-ct-008 |
| A.5.29 | Information security during disruption | Partial | aws-rds-003, aws-ec2-005, aws-backup-001 |
| A.5.30 | ICT readiness for business continuity | Partial | aws-rds-003, aws-rds-004, aws-backup-001 |
| A.5.31 | Legal, statutory, regulatory, and contractual requirements | Manual | - |
| A.5.32 | Intellectual property rights | Manual | - |
| A.5.33 | Protection of records | Partial | aws-ct-004, aws-ct-005, aws-s3-004, aws-s3-005 |
| A.5.34 | Privacy and protection of PII | Manual | - |
| A.5.35 | Independent review of information security | Manual | - |
| A.5.36 | Compliance with policies, rules, and standards for information security | Manual | - |
| A.5.37 | Documented operating procedures | Manual | - |
A.6 - People Controls
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| A.6.1 | Screening | Manual | - |
| A.6.2 | Terms and conditions of employment | Manual | - |
| A.6.3 | Information security awareness, education, and training | Manual | - |
| A.6.4 | Disciplinary process | Manual | - |
| A.6.5 | Responsibilities after termination or change of employment | Manual | - |
| A.6.6 | Confidentiality or non-disclosure agreements | Manual | - |
| A.6.7 | Remote working | Manual | - |
| A.6.8 | Information security event reporting | Manual | - |
A.7 - Physical Controls
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| A.7.1 | Physical security perimeters | Manual | AWS shared responsibility |
| A.7.2 | Physical entry | Manual | AWS shared responsibility |
| A.7.3 | Securing offices, rooms, and facilities | Manual | AWS shared responsibility |
| A.7.4 | Physical security monitoring | Manual | AWS shared responsibility |
| A.7.5 | Protecting against physical and environmental threats | Manual | AWS shared responsibility |
| A.7.6 | Working in secure areas | Manual | AWS shared responsibility |
| A.7.7 | Clear desk and clear screen | Manual | - |
| A.7.8 | Equipment siting and protection | Manual | AWS shared responsibility |
| A.7.9 | Security of assets off-premises | Manual | - |
| A.7.10 | Storage media | Manual | - |
| A.7.11 | Supporting utilities | Manual | AWS shared responsibility |
| A.7.12 | Cabling security | Manual | AWS shared responsibility |
| A.7.13 | Equipment maintenance | Manual | AWS shared responsibility |
| A.7.14 | Secure disposal or re-use of equipment | Manual | AWS shared responsibility |
A.8 - Technological Controls
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| A.8.1 | User endpoint devices | Partial | aws-ssm-001, aws-ssm-003 |
| A.8.2 | Privileged access rights | Auto | aws-iam-005, aws-iam-007, aws-iam-008, aws-iam-014, aws-iam-017 |
| A.8.3 | Information access restriction | Auto | aws-iam-010, aws-iam-016, aws-s3-001, aws-ecs-003 |
| A.8.4 | Access to source code | Partial | aws-iam-007 |
| A.8.5 | Secure authentication | Auto | aws-iam-001, aws-iam-002, aws-iam-006, aws-iam-015 |
| A.8.6 | Capacity management | Partial | aws-cw-001 through aws-cw-016 |
| A.8.7 | Protection against malware | Partial | aws-gd-001, aws-gd-002, aws-inspector-001 |
| A.8.8 | Management of technical vulnerabilities | Auto | aws-ssm-001, aws-ssm-003, aws-inspector-001 |
| A.8.9 | Configuration management | Auto | aws-cfg-001, aws-cfg-002 |
| A.8.10 | Information deletion | Partial | aws-s3-004, aws-sm-002 |
| A.8.11 | Data masking | Partial | aws-ssm-002, aws-lambda-003, aws-sm-001 |
| A.8.12 | Data leakage prevention | Auto | aws-s3-001, aws-s3-005, aws-vpc-002, aws-rds-001 |
| A.8.13 | Information backup | Auto | aws-rds-003, aws-s3-003, aws-ec2-005, aws-backup-001 |
| A.8.14 | Redundancy of information processing facilities | Auto | aws-rds-003, aws-rds-004 |
| A.8.15 | Logging | Auto | aws-ct-001, aws-ct-002, aws-ct-004, aws-ct-005, aws-ct-006, aws-ct-007, aws-ct-008 |
| A.8.16 | Monitoring activities | Auto | aws-gd-001, aws-gd-002, aws-cw-001 through aws-cw-016, aws-ecs-002 |
| A.8.17 | Clock synchronization | Auto | aws-ct-001 |
| A.8.18 | Use of privileged utility programs | Partial | aws-iam-005, aws-iam-014 |
| A.8.19 | Installation of software on operational systems | Partial | aws-ssm-001, aws-lambda-002, aws-ecs-001 |
| A.8.20 | Networks security | Auto | aws-vpc-001, aws-vpc-002, aws-vpc-003, aws-vpc-004, aws-vpc-005, aws-vpc-006 |
| A.8.21 | Security of network services | Auto | aws-vpc-002, aws-vpc-004, aws-waf-001, aws-ec2-001 |
| A.8.22 | Segregation of networks | Auto | aws-vpc-001, aws-vpc-004, aws-vpc-005, aws-vpc-006 |
| A.8.23 | Web filtering | Partial | aws-waf-001 |
| A.8.24 | Use of cryptography | Auto | aws-kms-001, aws-kms-002, aws-s3-002, aws-rds-002, aws-ec2-002, aws-ec2-006, aws-efs-001 |
| A.8.25 | Secure development life cycle | Partial | aws-iam-007 |
| A.8.26 | Application security requirements | Partial | aws-ec2-004, aws-lambda-001 |
| A.8.27 | Secure system architecture and engineering principles | Partial | aws-vpc-001, aws-vpc-004, aws-vpc-005 |
| A.8.28 | Secure coding | Partial | aws-lambda-002, aws-ecs-001 |
| A.8.29 | Security testing in development and acceptance | Partial | aws-inspector-001 |
| A.8.30 | Outsourced development | Manual | - |
| A.8.31 | Separation of development, test, and production environments | Partial | aws-iam-005, aws-iam-010 |
| A.8.32 | Change management | Partial | aws-cfg-001, aws-cfg-002, aws-cw-005, aws-cw-009 |
| A.8.33 | Test information | Manual | - |
| A.8.34 | Protection of information systems during audit testing | Partial | aws-ct-001, aws-ct-002 |
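The Coverage Summary near the top of this page is derived from the four tables above. The Python below is an added example, not cloud-audit code: it parses control rows in the tables' markdown format, expands ranged check references such as `aws-cw-001 through aws-cw-016`, tallies Auto and Partial controls together as "automated" (the convention of the summary table), lists the distinct check IDs, and reports any cell where a declared summary disagrees with the detailed rows. The embedded input is a six-row excerpt copied from the tables on this page, not the full 93 controls, so its totals are for the excerpt only; the `NOT_ASSESSED` label for manual controls is the one the page itself uses.

```python
"""Derive a Coverage Summary from cloud-audit-style ISO 27001 control mapping tables.

Added example for this page; it is not part of cloud-audit.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Six-row excerpt copied from the mapping tables on this page (not the full 93 controls).
MAPPING_EXCERPT = """\
A.5 - Organizational Controls
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| A.5.1 | Policies for information security | Manual | - |
| A.5.3 | Segregation of duties | Partial | aws-iam-005, aws-iam-010, aws-iam-016 |
| A.5.15 | Access control | Auto | aws-iam-005, aws-iam-006, aws-iam-010, aws-iam-014, aws-iam-017 |
A.8 - Technological Controls
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| A.8.6 | Capacity management | Partial | aws-cw-001 through aws-cw-016 |
| A.8.17 | Clock synchronization | Auto | aws-ct-001 |
| A.8.30 | Outsourced development | Manual | - |
"""

# One control row: | A.8.6 | Capacity management | Partial | aws-cw-001 through aws-cw-016 |
ROW_RE = re.compile(r"^\|\s*(A\.\d+\.\d+)\s*\|\s*(.*?)\s*\|\s*(Auto|Partial|Manual)\s*\|\s*(.*?)\s*\|\s*$")
# Ranged reference with the same prefix on both ends: "aws-cw-001 through aws-cw-016"
RANGE_RE = re.compile(r"^(?P<prefix>[a-z0-9]+-[a-z0-9]+-)(?P<lo>\d+)\s+through\s+(?P=prefix)(?P<hi>\d+)$")


@dataclass
class Control:
    control_id: str
    title: str
    kind: str  # "Auto", "Partial" or "Manual", as in the Type column
    checks: list[str] = field(default_factory=list)

    @property
    def theme(self) -> str:
        return ".".join(self.control_id.split(".")[:2])  # "A.8.30" -> "A.8"

    @property
    def automated(self) -> bool:
        # The summary table counts both Auto and Partial under "Automated*".
        return self.kind in ("Auto", "Partial")


def expand_checks(cell: str) -> list[str]:
    """Turn the Checks column into explicit check IDs; '-' or a free-text note means no checks."""
    cell = cell.strip()
    if not cell.startswith("aws-"):
        return []
    checks: list[str] = []
    for item in (p.strip() for p in cell.split(",")):
        m = RANGE_RE.match(item)
        if m:
            width = len(m["lo"])  # keep the zero padding: 001 .. 016
            checks.extend(f"{m['prefix']}{n:0{width}d}" for n in range(int(m["lo"]), int(m["hi"]) + 1))
        else:
            checks.append(item)
    return checks


def parse_mapping(markdown: str) -> list[Control]:
    """Collect every control row from the tables, skipping theme headings and separators."""
    controls = []
    for line in markdown.splitlines():
        m = ROW_RE.match(line)
        if m:
            cid, title, kind, cell = m.groups()
            controls.append(Control(cid, title, kind, expand_checks(cell)))
    return controls


def coverage_summary(controls: list[Control]) -> dict[str, dict[str, int]]:
    """Per-theme and total counts in the shape of the Coverage Summary table."""
    summary = defaultdict(lambda: {"controls": 0, "automated": 0, "manual": 0})
    for c in controls:
        row = summary[c.theme]
        row["controls"] += 1
        row["automated" if c.automated else "manual"] += 1
    total = {"controls": 0, "automated": 0, "manual": 0}
    for row in summary.values():
        for key in total:
            total[key] += row[key]
    summary["Total"] = total
    return dict(summary)


def unique_checks(controls: list[Control]) -> list[str]:
    """Distinct check IDs referenced by the mapping (one check often serves several controls)."""
    return sorted({chk for c in controls for chk in c.checks})


def summary_mismatches(derived, declared) -> list[tuple]:
    """(theme, column, declared, derived) for every cell where a declared summary is wrong."""
    return [
        (theme, key, declared[theme][key], derived.get(theme, {}).get(key))
        for theme in declared
        for key in declared[theme]
        if derived.get(theme, {}).get(key) != declared[theme][key]
    ]


if __name__ == "__main__":
    controls = parse_mapping(MAPPING_EXCERPT)
    summary = coverage_summary(controls)
    for theme, row in summary.items():
        print(f"{theme:6} controls={row['controls']:2} automated={row['automated']:2} manual={row['manual']:2}")
    print("distinct checks:", len(unique_checks(controls)))
    for c in controls:
        if not c.automated:
            print(f"{c.control_id} {c.title}: NOT_ASSESSED")  # how cloud-audit reports manual controls
    # A summary that declares the A.8 excerpt fully automated is caught here.
    print(summary_mismatches(summary, {"A.8": {"controls": 3, "automated": 3, "manual": 0}}))
```

Feed the full A.5 to A.8 tables to `parse_mapping` and compare the result of `coverage_summary` against the published summary with `summary_mismatches` before shipping a new mapping; the check also exposes a control whose Type column says Manual but whose Checks column is not `-`, because such a row still contributes its checks to `unique_checks` while counting as manual.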
Why 47 Controls Are Manual
ISO 27001 is a management system standard. About half the Annex A controls address organizational governance, people management, physical security, and supplier relationships. These cannot be verified by scanning AWS infrastructure; they require document review and interviews by a certification auditor.
Examples:
- A.6.3 (security awareness training) - training records, participation rates, knowledge assessments
- A.7.1-A.7.14 (physical controls) - the data-centre side is covered by the AWS shared responsibility model, with the AWS SOC 2 report as evidence; A.7.7 (clear desk and clear screen), A.7.9 (assets off-premises) and A.7.10 (storage media) remain the customer's responsibility for its own offices and endpoints
- A.5.19-A.5.22 (supplier relationships) - vendor assessments, contracts, SLA monitoring
- A.8.30 (outsourced development) and A.8.33 (test information) - the two technological controls that cannot be inferred from AWS configuration
cloud-audit marks these as NOT_ASSESSED with actionable manual steps for each.
Global Adoption
ISO 27001 is the most widely adopted information security management standard globally:
- Recognized and in use in 150+ countries
- Frequently required of government and public-sector suppliers in the UK, EU, and many APAC markets
- Foundation for sector-specific guidance (ISO/IEC 27017 for cloud services, ISO/IEC 27018 for PII in public clouds)
- Accepted by SOC 2 auditors as complementary evidence
The 2022 revision restructured the controls into 4 themes (previously 14 domains), reduced the count from 114 to 93 by merging overlapping controls, and added 11 new controls: A.5.7 threat intelligence, A.5.23 information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 physical security monitoring, A.8.9 configuration management, A.8.10 information deletion, A.8.11 data masking, A.8.12 data leakage prevention, A.8.16 monitoring activities, A.8.23 web filtering, and A.8.28 secure coding.
Attack Chain Integration
All 25 attack chain rules are mapped to ISO 27001 Annex A controls. When a chain is detected, the compliance report shows which controls it violates:
| Chain | ISO 27001 Controls Violated |
|---|---|
| AC-01 Internet-Exposed Admin Instance | A.5.15, A.8.20, A.8.22 |
| AC-02 SSRF to Credential Theft | A.8.20, A.8.26, A.5.17 |
| AC-12 Admin Without MFA | A.5.17, A.8.5 |
| AC-17 Exposed Database Without Audit Trail | A.8.12, A.8.24, A.8.15 |
| AC-26 Unmonitored Admin Escalation | A.5.15, A.5.17, A.8.16 |
Source
ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements