ISO 27001 Compliance

ISO 27001:2022 is the international standard for information security management systems (ISMS). Cloudgeni helps you implement, monitor, and maintain ISO 27001 controls across your cloud infrastructure.

ISO 27001 Coverage

  • 93 controls from Annex A mapped to cloud configurations
  • AWS, Azure, and GCP coverage
  • Continuous monitoring for control effectiveness
  • Statement of Applicability support

Annex A Control Domains

A.5 - Organizational Controls

Policies and procedures for information security management.

| Control | Description | Cloud Mapping |
| --- | --- | --- |
| A.5.1 | Policies for information security | Documented policies, SCPs |
| A.5.2 | Information security roles | IAM roles and responsibilities |
| A.5.3 | Segregation of duties | Role separation, least privilege |
| A.5.4 | Management responsibilities | Governance structures |
| A.5.7 | Threat intelligence | Security Hub, Defender, SCC |
| A.5.8 | Information security in projects | Security by design |

A.6 - People Controls

Human resource security throughout employment.

| Control | Description | Cloud Mapping |
| --- | --- | --- |
| A.6.1 | Screening | Background checks (external) |
| A.6.2 | Terms of employment | Access agreements |
| A.6.3 | Security awareness | Training programs |
| A.6.4 | Disciplinary process | Policy enforcement |
| A.6.5 | Post-employment | Access revocation |

A.7 - Physical Controls

Physical security of facilities and equipment.

| Control | Description | Cloud Mapping |
| --- | --- | --- |
| A.7.1 | Physical security perimeters | Cloud provider responsibility |
| A.7.2 | Physical entry | Cloud provider + console access |
| A.7.3 | Securing offices | Cloud provider responsibility |
| A.7.4 | Physical security monitoring | CloudTrail, Activity Logs |
| A.7.5 | Protecting against threats | Multi-region, backups |

A.8 - Technological Controls

Technical security controls for systems and networks.

| Control | Description | Cloud Mapping |
| --- | --- | --- |
| A.8.1 | User endpoint devices | Conditional access, MDM |
| A.8.2 | Privileged access rights | IAM, PIM, least privilege |
| A.8.3 | Information access restriction | RBAC, resource policies |
| A.8.4 | Access to source code | Repository permissions |
| A.8.5 | Secure authentication | MFA, strong passwords |
| A.8.6 | Capacity management | Auto-scaling, monitoring |
| A.8.7 | Malware protection | GuardDuty, Defender |
| A.8.8 | Technical vulnerabilities | Patching, scanning |
| A.8.9 | Configuration management | Config rules, policies |
| A.8.10 | Information deletion | Data lifecycle, retention |
| A.8.11 | Data masking | Encryption, tokenization |
| A.8.12 | Data leakage prevention | DLP policies, Macie |
| A.8.13 | Information backup | Backup policies, snapshots |
| A.8.14 | Redundancy | Multi-AZ, replication |
| A.8.15 | Logging | CloudTrail, CloudWatch |
| A.8.16 | Monitoring activities | SIEM, alerting |
| A.8.17 | Clock synchronization | NTP, time services |
| A.8.18 | Privileged utility programs | Bastion hosts, SSM |
| A.8.19 | Software installation | Change management |
| A.8.20 | Networks security | VPCs, security groups |
| A.8.21 | Web services security | WAF, API Gateway |
| A.8.22 | Segregation of networks | Subnets, VNet peering |
| A.8.23 | Web filtering | DNS filtering, proxies |
| A.8.24 | Cryptography | KMS, encryption at rest |
| A.8.25 | Secure development | CI/CD security, SAST |
| A.8.26 | Security requirements | Security in SDLC |
| A.8.27 | Secure architecture | Reference architectures |
| A.8.28 | Secure coding | Code scanning, reviews |
| A.8.29 | Security testing | Penetration testing |
| A.8.30 | Outsourced development | Third-party security |
| A.8.31 | Separation of environments | Dev/staging/prod |
| A.8.32 | Change management | Change tracking, approval |
| A.8.33 | Test information | Data sanitization |
| A.8.34 | Audit system protection | Log integrity, WORM |

Control Mapping to Cloud Services

AWS Control Mapping

| Annex A Control | AWS Service | Cloudgeni Check |
| --- | --- | --- |
| A.5.1 Policies | Service Control Policies | iso27001_a5_1_scp |
| A.8.2 Privileged access | IAM, Organizations | iso27001_a8_2_iam |
| A.8.5 Authentication | IAM MFA, Cognito | iso27001_a8_5_mfa |
| A.8.7 Malware | GuardDuty | iso27001_a8_7_guardduty |
| A.8.9 Configuration | AWS Config | iso27001_a8_9_config |
| A.8.15 Logging | CloudTrail | iso27001_a8_15_cloudtrail |
| A.8.20 Network | VPC, Security Groups | iso27001_a8_20_vpc |
| A.8.24 Cryptography | KMS, ACM | iso27001_a8_24_kms |

Azure Control Mapping

| Annex A Control | Azure Service | Cloudgeni Check |
| --- | --- | --- |
| A.5.1 Policies | Azure Policy | iso27001_a5_1_policy |
| A.8.2 Privileged access | PIM, RBAC | iso27001_a8_2_pim |
| A.8.5 Authentication | Conditional Access | iso27001_a8_5_ca |
| A.8.7 Malware | Defender | iso27001_a8_7_defender |
| A.8.9 Configuration | Azure Policy | iso27001_a8_9_policy |
| A.8.15 Logging | Activity Log | iso27001_a8_15_activitylog |
| A.8.20 Network | VNet, NSG | iso27001_a8_20_vnet |
| A.8.24 Cryptography | Key Vault | iso27001_a8_24_keyvault |

GCP Control Mapping

| Annex A Control | GCP Service | Cloudgeni Check |
| --- | --- | --- |
| A.5.1 Policies | Organization Policies | iso27001_a5_1_orgpolicy |
| A.8.2 Privileged access | IAM | iso27001_a8_2_iam |
| A.8.5 Authentication | Identity Platform | iso27001_a8_5_identity |
| A.8.7 Malware | Security Command Center | iso27001_a8_7_scc |
| A.8.9 Configuration | Cloud Asset Inventory | iso27001_a8_9_cai |
| A.8.15 Logging | Cloud Logging | iso27001_a8_15_logging |
| A.8.20 Network | VPC, Firewall Rules | iso27001_a8_20_vpc |
| A.8.24 Cryptography | Cloud KMS | iso27001_a8_24_kms |
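The mapping tables above pair each Annex A control with a cloud service and a check identifier. The following added example (not Cloudgeni's own code) shows what sits behind such a mapping: a small assessment that evaluates four of the AWS-mapped controls against a constructed account snapshot. The check identifiers are the ones from the AWS table; the snapshot layout, the pass/fail rules, and the function and field names are assumptions made for this example.

```python
"""Added example, not Cloudgeni's own code: evaluate four Annex A controls from
the AWS mapping table against a constructed AWS account snapshot. Check ids are
the page's; snapshot layout and pass/fail rules are assumptions."""
from dataclasses import dataclass
from typing import Callable

# Constructed snapshot, deliberately mixed so some controls pass and some fail.
# A real collector would fill the same shape from the CloudTrail/IAM/KMS/EC2 APIs.
SAMPLE_SNAPSHOT = {
    "cloudtrail": {"trails": [
        {"name": "org-trail", "is_logging": True, "multi_region": True, "log_file_validation": True},
    ]},
    "iam": {
        "root_mfa_enabled": True,
        "users": [
            {"name": "alice", "console_access": True, "mfa_enabled": True},
            {"name": "bob", "console_access": True, "mfa_enabled": False},     # gap: console user, no MFA
            {"name": "ci-bot", "console_access": False, "mfa_enabled": False},  # API keys only, MFA n/a
        ],
    },
    "kms": {"keys": [
        {"id": "key-1", "rotation_enabled": True},
        {"id": "key-2", "rotation_enabled": False},  # gap: rotation off
    ]},
    "ec2": {"security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},  # gap: SSH open to the internet
    ]},
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP; should never face 0.0.0.0/0


@dataclass(frozen=True)
class Finding:
    control: str  # Annex A control, e.g. "A.8.15"
    check: str    # check identifier from the AWS mapping table
    passed: bool
    detail: str   # evidence line suitable for an audit record


def check_a8_15_cloudtrail(snap: dict) -> Finding:
    """A.8.15 Logging: an active multi-region trail with log file validation exists."""
    ok = any(t["is_logging"] and t["multi_region"] and t["log_file_validation"]
             for t in snap["cloudtrail"]["trails"])
    return Finding("A.8.15", "iso27001_a8_15_cloudtrail", ok,
                   "compliant trail present" if ok else "no active multi-region validated trail")


def check_a8_5_mfa(snap: dict) -> Finding:
    """A.8.5 Secure authentication: root and every console user have MFA."""
    missing = [u["name"] for u in snap["iam"]["users"]
               if u["console_access"] and not u["mfa_enabled"]]
    if not snap["iam"]["root_mfa_enabled"]:
        missing.insert(0, "root")
    return Finding("A.8.5", "iso27001_a8_5_mfa", not missing,
                   "all console identities use MFA" if not missing else "MFA missing: " + ", ".join(missing))


def check_a8_24_kms(snap: dict) -> Finding:
    """A.8.24 Cryptography: every customer-managed KMS key rotates automatically."""
    unrotated = [k["id"] for k in snap["kms"]["keys"] if not k["rotation_enabled"]]
    return Finding("A.8.24", "iso27001_a8_24_kms", not unrotated,
                   "all keys rotate" if not unrotated else "rotation disabled: " + ", ".join(unrotated))


def check_a8_20_vpc(snap: dict) -> Finding:
    """A.8.20 Network security: no security group exposes SSH/RDP to 0.0.0.0/0."""
    exposed = [f'{sg["id"]}:{r["port"]}' for sg in snap["ec2"]["security_groups"]
               for r in sg["ingress"] if r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"]
    return Finding("A.8.20", "iso27001_a8_20_vpc", not exposed,
                   "no admin ports open to the internet" if not exposed else "exposed: " + ", ".join(exposed))


CHECKS: list[Callable[[dict], Finding]] = [
    check_a8_15_cloudtrail, check_a8_5_mfa, check_a8_24_kms, check_a8_20_vpc]


def run_assessment(snap: dict) -> list[Finding]:
    """Run every check once; the result list is the evidence set for this point in time."""
    return [check(snap) for check in CHECKS]


def compliance_score(findings: list[Finding]) -> float:
    """Percentage of checks passed, rounded to one decimal place."""
    return round(100.0 * sum(f.passed for f in findings) / len(findings), 1)


def failed_controls(findings: list[Finding]) -> list[str]:
    """Annex A controls that need remediation, in check order."""
    return [f.control for f in findings if not f.passed]


if __name__ == "__main__":
    results = run_assessment(SAMPLE_SNAPSHOT)
    for f in results:
        print(f"{'PASS' if f.passed else 'FAIL'} {f.control:<7} {f.check:<26} {f.detail}")
    print(f"score: {compliance_score(results)}%  gaps: {failed_controls(results)}")
```

Each Finding carries a detail string so that a failed check doubles as the evidence line an auditor will ask for under A.8.15 and A.8.16. The score here is a plain pass ratio; an ISMS would normally weight controls by the risk assessment rather than count them equally.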

Implementation Guide

Phase 1: Gap Assessment

  1. Run ISO 27001 Assessment
    • Go to Compliance → ISO 27001
    • Click Run Assessment
    • Review control coverage
  2. Identify Gaps
    • Filter by failed controls
    • Prioritize by impact
    • Document exceptions

Phase 2: Statement of Applicability

Document which controls apply to your organization:

| Control | Applicable | Justification |
| --- | --- | --- |
| A.8.1 Endpoints | Yes | Remote workforce |
| A.7.1 Physical | No | Cloud-only infrastructure |
| A.8.24 Cryptography | Yes | PII data processing |

Phase 3: Control Implementation

For each applicable control:
  1. Review current state in Cloudgeni
  2. Generate remediation code
  3. Apply through pull request
  4. Verify with re-scan

Phase 4: Continuous Monitoring

  • Enable real-time compliance monitoring
  • Set up alerts for control failures
  • Track compliance score trends
  • Regular management reviews
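Continuous monitoring only pays off when a control that passed last week and fails this week is noticed and aged. As an added example (not Cloudgeni's own monitoring), the script below walks a constructed history of weekly assessments, raises an alert the first time a control is seen failing and again on any regression, reports how long each open finding has been failing against a remediation target, and classifies the score trend. The check identifiers reuse the AWS table's names; the dates, the 7-day target and the function names are assumptions made for this example.

```python
"""Added example, not Cloudgeni's own monitoring: walk a constructed history of
weekly assessments, alert on new and regressed control failures, age the open
findings against a remediation target, and classify the score trend."""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = 7  # assumed remediation target for a failed control

# Constructed history: (scan date, {check id: passed}). Check ids reuse the AWS
# table's names. Week 2 fixes the VPC gap; week 3 regresses on MFA; the KMS gap
# is never fixed.
HISTORY = [
    (date(2024, 5, 1), {"iso27001_a8_5_mfa": True, "iso27001_a8_15_cloudtrail": True,
                        "iso27001_a8_20_vpc": False, "iso27001_a8_24_kms": False}),
    (date(2024, 5, 8), {"iso27001_a8_5_mfa": True, "iso27001_a8_15_cloudtrail": True,
                        "iso27001_a8_20_vpc": True, "iso27001_a8_24_kms": False}),
    (date(2024, 5, 15), {"iso27001_a8_5_mfa": False, "iso27001_a8_15_cloudtrail": True,
                         "iso27001_a8_20_vpc": True, "iso27001_a8_24_kms": False}),
]


@dataclass(frozen=True)
class Alert:
    scan_date: date
    check: str
    kind: str  # "new_control": first seen failing; "regression": passed in the previous scan


def compliance_score(results: dict[str, bool]) -> float:
    """Percentage of checks passed in one scan."""
    return round(100.0 * sum(results.values()) / len(results), 1)


def regressions(scan_date: date, previous: dict[str, bool], current: dict[str, bool]) -> list[Alert]:
    """Alerts for this scan: controls failing for the first time, or failing after passing.
    A control that failed last time too is already an open finding and does not re-alert."""
    alerts = []
    for check, passed in sorted(current.items()):
        if passed:
            continue
        if check not in previous:
            alerts.append(Alert(scan_date, check, "new_control"))
        elif previous[check]:
            alerts.append(Alert(scan_date, check, "regression"))
    return alerts


def days_open(history, check: str) -> int:
    """Days the control has been failing continuously up to the latest scan."""
    latest_date = history[-1][0]
    start = latest_date
    for scan_date, results in reversed(history):
        if results.get(check, True):  # a pass (or an unassessed scan) ends the streak
            break
        start = scan_date
    return (latest_date - start).days


def trend(scores: list[float]) -> str:
    """Direction of the last score movement."""
    if len(scores) < 2:
        return "insufficient data"
    if scores[-1] > scores[-2]:
        return "improving"
    return "degrading" if scores[-1] < scores[-2] else "stable"


def monitor(history) -> dict:
    """Produce the alerts, per-scan scores, open-finding ages and trend for a history."""
    alerts, scores, previous = [], [], {}
    for scan_date, results in history:
        alerts.extend(regressions(scan_date, previous, results))
        scores.append(compliance_score(results))
        previous = results
    latest = history[-1][1]
    open_days = {c: days_open(history, c) for c, passed in latest.items() if not passed}
    overdue = sorted(c for c, d in open_days.items() if d > SLA_DAYS)
    return {"alerts": alerts, "scores": scores, "open_days": open_days,
            "overdue": overdue, "trend": trend(scores)}


if __name__ == "__main__":
    report = monitor(HISTORY)
    for a in report["alerts"]:
        print(f"{a.scan_date} {a.kind:<11} {a.check}")
    print("scores:", report["scores"], "trend:", report["trend"])
    print("open:", report["open_days"], "overdue:", report["overdue"])
```

Alerting only on transitions (first failure, regression) keeps the alert volume bound to actual change, while the open-finding age is what a management review and the surveillance auditor will want to see for any control still failing.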

Certification Preparation

Documentation Requirements

| Document | Cloudgeni Support |
| --- | --- |
| ISMS Scope | Dashboard overview |
| Risk Assessment | Finding analysis |
| Statement of Applicability | Control coverage report |
| Security Policies | Policy documentation |
| Control Evidence | Automated evidence collection |

Audit Evidence

Cloudgeni provides:
  • Configuration evidence - Point-in-time snapshots
  • Change history - Who changed what, when
  • Compliance trends - Historical compliance data
  • Remediation records - Fix timelines and PRs

Certification Audit

  1. Stage 1 Audit - Documentation review
    • Export ISMS documentation
    • Provide Statement of Applicability
    • Show policy implementation
  2. Stage 2 Audit - Implementation review
    • Demonstrate control effectiveness
    • Show continuous monitoring
    • Provide evidence samples

Maintenance

Surveillance Audits

After certification, maintain compliance:
  • Annual surveillance audits - Partial control review
  • Re-certification - Full audit every 3 years
  • Continuous improvement - Address findings promptly

Change Management

When infrastructure changes:
  1. Assess impact on controls
  2. Update documentation
  3. Verify compliance maintained
  4. Document changes