ISO 27001
Implement and maintain ISO 27001:2022 certification with CyberOrigen.
Overview
ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information.
Structure
ISMS Requirements (Clauses 4-10)
| Clause | Title |
|---|---|
| 4 | Context of the Organization |
| 5 | Leadership |
| 6 | Planning |
| 7 | Support |
| 8 | Operation |
| 9 | Performance Evaluation |
| 10 | Improvement |
Annex A Controls
93 controls across 4 themes:
| Theme | Controls |
|---|---|
| Organizational | 37 controls |
| People | 8 controls |
| Physical | 14 controls |
| Technological | 34 controls |
Control Categories
A.5 - Organizational Controls
| Control | Title |
|---|---|
| A.5.1 | Policies for information security |
| A.5.2 | Information security roles |
| A.5.3 | Segregation of duties |
| A.5.7 | Threat intelligence |
| ... | (37 total) |
A.6 - People Controls
| Control | Title |
|---|---|
| A.6.1 | Screening |
| A.6.2 | Terms and conditions |
| A.6.3 | Awareness, education, training |
| ... | (8 total) |
A.7 - Physical Controls
| Control | Title |
|---|---|
| A.7.1 | Physical security perimeters |
| A.7.4 | Physical security monitoring |
| A.7.9 | Security of assets off-premises |
| ... | (14 total) |
A.8 - Technological Controls
| Control | Title |
|---|---|
| A.8.1 | User endpoint devices |
| A.8.5 | Secure authentication |
| A.8.7 | Protection against malware |
| A.8.9 | Configuration management |
| A.8.12 | Data leakage prevention |
| A.8.15 | Logging |
| A.8.16 | Monitoring activities |
| A.8.24 | Use of cryptography |
| ... | (34 total) |
Getting Started
1. Enable Framework
- Go to GRC → Frameworks
- Click Enroll on ISO 27001:2022
- Click Enable
2. Statement of Applicability
Define which controls apply:
- Go to GRC → Control Library
- Filter by ISO 27001
- Mark controls as:
  - Applicable (implement)
  - Not Applicable (with justification)
3. Risk Assessment
- Go to GRC → Risk Register
- Identify information security risks
- Assess likelihood and impact
- Define treatment plans
Key Controls
Technical Controls
CyberOrigen helps with:
| Control | CyberOrigen Feature |
|---|---|
| A.8.7 Malware protection | Quarantine management |
| A.8.8 Vulnerability management | 11-phase scanning |
| A.8.9 Configuration management | Configuration checks |
| A.8.15 Logging | Audit log tracking |
| A.8.24 Cryptography | TLS/encryption scanning |
Organizational Controls
Document management for:
| Control | Evidence Type |
|---|---|
| A.5.1 Policies | Policy management |
| A.5.2 Roles | RACI matrix |
| A.5.23 Third-party | Vendor management |
Certification Process
Stage 1 Audit
Documentation review:
- ISMS scope
- Risk assessment methodology
- Statement of Applicability
- Policies and procedures
Stage 2 Audit
Implementation verification:
- Control testing
- Evidence review
- Interviews
- Site visits
Surveillance Audits
Annual audits to maintain certification:
- Subset of controls tested
- Corrective action follow-up
- Continuous improvement review
Evidence Collection
Automated Evidence
- Vulnerability scan results
- Configuration assessments
- Access reviews
- Log exports
Manual Evidence
- Policies and procedures
- Risk assessment records
- Training records
- Management reviews
Control Mapping
ISO 27001 maps to other frameworks:
| ISO 27001 | SOC 2 | PCI-DSS |
|---|---|---|
| A.5.1 | CC1.4 | 12.1 |
| A.8.5 | CC6.1 | 8.1 |
| A.8.8 | CC7.1 | 6.1 |
| A.8.24 | CC6.7 | 3.4 |
Continuous Compliance
ISMS Maintenance
- Monthly: Review metrics and incidents
- Quarterly: Internal audit sample
- Annually: Management review, full internal audit
- 3-Year: Recertification audit
CyberOrigen Monitoring
- Real-time compliance score
- Control status tracking
- Evidence freshness alerts
- Risk register updates
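The monitoring items above (control status, evidence freshness, a compliance score) can be reproduced with a small tracker. The following is an added illustration, not CyberOrigen's code: it assumes a Statement of Applicability as a dict of control id to (applicable, justification), evidence records with a collection date, and per-evidence-type maximum ages that are assumptions loosely following the ISMS maintenance cadence. All sample data is constructed.

```python
"""Evidence-freshness and control-status tracker (illustrative, not CyberOrigen code)."""
from dataclasses import dataclass, field
from datetime import date

# Assumed maximum evidence age in days before it is reported as stale.
# Cadences are assumptions for this example, not values from the standard.
MAX_AGE_DAYS = {
    "vulnerability_scan": 30,
    "configuration_assessment": 30,
    "access_review": 90,
    "log_export": 30,
    "policy": 365,
    "training_record": 365,
}


@dataclass
class Evidence:
    control: str      # Annex A control id, e.g. "A.8.8"
    kind: str         # key into MAX_AGE_DAYS
    collected: date   # date the artifact was collected


@dataclass
class ControlStatus:
    control: str
    applicable: bool
    justification: str = ""
    state: str = "not_applicable"   # ok | stale | missing | not_applicable | missing_justification
    stale_items: list = field(default_factory=list)   # (kind, age_days)


def evaluate(soa, evidence, today):
    """Return {control_id: ControlStatus} for every control in the SoA.

    soa: {control_id: (applicable: bool, justification: str)}
    Controls excluded in the SoA need a justification, not evidence.
    """
    by_control = {}
    for ev in evidence:
        by_control.setdefault(ev.control, []).append(ev)

    statuses = {}
    for cid, (applicable, justification) in soa.items():
        st = ControlStatus(cid, applicable, justification)
        if not applicable:
            if not justification:
                st.state = "missing_justification"
            statuses[cid] = st
            continue
        items = by_control.get(cid, [])
        if not items:
            st.state = "missing"
        else:
            for ev in items:
                age = (today - ev.collected).days
                if age > MAX_AGE_DAYS.get(ev.kind, 0):
                    st.stale_items.append((ev.kind, age))
            st.state = "stale" if st.stale_items else "ok"
        statuses[cid] = st
    return statuses


def compliance_score(statuses):
    """Percentage (0-100) of applicable controls backed by fresh evidence."""
    applicable = [s for s in statuses.values() if s.applicable]
    if not applicable:
        return 100.0
    ok = sum(1 for s in applicable if s.state == "ok")
    return round(100.0 * ok / len(applicable), 1)


def freshness_alerts(statuses):
    """(control, state, oldest_stale_age) for controls lacking fresh evidence."""
    alerts = []
    for cid in sorted(statuses):
        st = statuses[cid]
        if st.state == "stale":
            alerts.append((cid, "stale", max(age for _, age in st.stale_items)))
        elif st.state == "missing":
            alerts.append((cid, "missing", None))
    return alerts


# Constructed sample data for the demonstration.
TODAY = date(2024, 6, 1)
SOA = {
    "A.5.1": (True, ""),
    "A.6.3": (True, ""),
    "A.7.9": (False, "No information assets are used off-premises"),
    "A.8.8": (True, ""),
    "A.8.15": (True, ""),
}
EVIDENCE = [
    Evidence("A.5.1", "policy", date(2023, 1, 15)),            # 503 days old: stale
    Evidence("A.8.8", "vulnerability_scan", date(2024, 5, 20)),  # 12 days old: ok
    Evidence("A.8.15", "log_export", date(2024, 4, 1)),         # 61 days old: stale
    # A.6.3 has no training record at all: missing
]

if __name__ == "__main__":
    result = evaluate(SOA, EVIDENCE, TODAY)
    print("compliance score:", compliance_score(result))
    for alert in freshness_alerts(result):
        print("alert:", alert)
```

With the constructed data the score is 25.0 (one of four applicable controls has fresh evidence), and the alert list names A.5.1 and A.8.15 as stale and A.6.3 as missing. A real deployment would feed the evidence list from the scan, configuration and log-export jobs listed under Automated Evidence.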
Common Gaps
| Control | Issue | Solution |
|---|---|---|
| A.5.1 | Outdated policies | Policy review schedule |
| A.6.3 | No security training | Training program |
| A.8.8 | Vulnerability backlog | Remediation SLAs |
| A.8.15 | Incomplete logging | Log aggregation |