# ISO 27001:2022 — Information Security Management System

- Reference: ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27001:2022/Amd 1:2024 (Climate Action)
- Certification body: Accredited certification bodies under national accreditation schemes
- Scope: Any organization seeking to establish, implement, maintain, and continually improve an information security management system (ISMS).
## Scope

Covers ISO 27001:2022 ISMS requirements (Clauses 4-10) and Annex A controls (organizational, people, physical, and technological) mapped to cloud services, including the 2024 Climate Action amendment. Does not cover implementation details for specific cloud providers (see providers/ files) or general governance patterns (see general/governance.md).

Climate Action amendment (Amd 1:2024): Published February 2024, this amendment adds one sentence to Clause 4.1 (the organization shall determine whether climate change is a relevant issue) and a note to Clause 4.2 (relevant interested parties can have requirements related to climate change). It applies to every ISO 27001:2022 certification and audit: an auditor will expect evidence that the question was considered and, where climate change was judged relevant, that the resulting requirements flow into the risk assessment and treatment. For cloud architects this means evaluating how climate-related risks (extreme weather affecting data center availability, cooling cost volatility, renewable energy commitments) factor into region selection, infrastructure design, and business continuity planning. Certification bodies began assessing against Amd 1:2024 immediately upon publication.
## Why This Matters

ISO 27001 certification is often a contractual requirement from enterprise customers, a prerequisite for entering regulated markets, and a competitive differentiator. The 2022 revision restructured Annex A from 14 domains into 4 themes (organizational, people, physical, technological), reduced the control count from 114 to 93, added 11 new controls (including cloud services, threat intelligence, configuration management, data masking, and monitoring activities), and, through ISO/IEC 27002:2022, introduced control attributes (control type, security properties, cybersecurity concepts, operational capabilities, security domains) for filtering and prioritization.

For cloud architects, ISO 27001 shapes decisions about access control, encryption, logging, network segmentation, change management, and supplier management. A well-designed cloud architecture makes certification audits straightforward; a poorly designed one can make certification impossible without costly rework.

The standard requires a risk-based approach: controls are selected through a risk assessment, not applied blindly, and Annex A is a reference set rather than an exhaustive list. The Statement of Applicability (SoA) documents which controls are applicable, whether each is implemented, and the justification for any exclusions; auditors treat it as the primary map between identified risks and the controls that treat them.
## Common Decisions (ADR Triggers)

The following architectural decisions should be captured as Architecture Decision Records when ISO 27001 is in scope, since each one produces documented information an auditor will ask to see:
- ISMS scope definition — Which systems, services, locations, and organizational units are within scope.
- Risk assessment methodology — Qualitative vs. quantitative, risk scales, risk acceptance criteria, risk treatment priorities.
- Identity and access management architecture — Centralized vs. federated identity, MFA strategy, privileged access management approach.
- Logging and monitoring architecture — SIEM selection, log aggregation strategy, retention periods, correlation rules.
- Network segmentation model — VPC/VNet design, microsegmentation, zero-trust network architecture.
- Encryption strategy — Algorithms, key management (provider-managed vs. customer-managed vs. external), key rotation policies.
- Change management process — How infrastructure and application changes are approved, tested, and deployed.
- Backup and recovery strategy — RPO/RTO targets, backup locations, recovery testing frequency.
- Supplier and cloud provider risk management — How cloud providers are assessed, monitored, and governed.
- Vulnerability management program — Scanning frequency, remediation SLAs, exception handling.
- Secure development lifecycle — SAST/DAST integration, code review requirements, dependency scanning.
- Incident response plan — Detection, triage, containment, eradication, recovery, and lessons-learned workflow.
- Business continuity architecture — Multi-region vs. multi-cloud, failover mechanisms, DR testing approach.
## Checklist

### ISMS Foundation (Clauses 4-10)

These clauses define the management system itself, not specific security controls. Auditors assess them through documented information and records, so each item needs evidence (minutes, registers, reports) as well as a process.
- [Critical] Define the ISMS scope, including boundaries, applicability, and interfaces (Clause 4.3)
- [Recommended] Identify interested parties and their requirements relevant to the ISMS (Clause 4.2)
- [Recommended] Establish an information security policy approved by top management (Clause 5.2)
- [Recommended] Assign ISMS roles, responsibilities, and authorities (Clause 5.3)
- [Recommended] Conduct a risk assessment using a defined and repeatable methodology (Clause 6.1.2)
- [Recommended] Produce a risk treatment plan with selected controls from Annex A or other sources (Clause 6.1.3)
- [Recommended] Produce a Statement of Applicability (SoA) documenting all Annex A controls, their applicability, implementation status, and exclusion justifications (Clause 6.1.3 d)
- [Recommended] Define information security objectives that are measurable and monitored (Clause 6.2)
- [Recommended] Plan changes to the ISMS and carry them out in a controlled manner (Clause 6.3, new in 2022)
- [Recommended] Ensure competence of personnel performing ISMS-relevant work (Clause 7.2)
- [Recommended] Maintain documented information as required by the standard and as determined necessary by the organization (Clause 7.5)
- [Recommended] Plan and implement operational processes to meet ISMS requirements (Clause 8.1)
- [Recommended] Perform risk assessments at planned intervals or when significant changes occur (Clause 8.2)
- [Recommended] Implement risk treatment plans (Clause 8.3)
- [Recommended] Monitor, measure, analyze, and evaluate ISMS performance (Clause 9.1)
- [Recommended] Conduct internal audits at planned intervals (Clause 9.2)
- [Recommended] Conduct management reviews at planned intervals (Clause 9.3)
- [Recommended] Address nonconformities and implement corrective actions (Clause 10.2)
- [Recommended] Continually improve the ISMS (Clause 10.1)
### A.5 Organizational Controls

#### A.5.1 Policies for Information Security
- [Recommended] Define and publish an information security policy set, approved by management
- [Recommended] Review information security policies at planned intervals or when significant changes occur
- [Recommended] Communicate policies to all relevant personnel and interested parties
#### A.5.2 Information Security Roles and Responsibilities
- [Recommended] Define and assign all information security roles and responsibilities
- [Recommended] Segregate conflicting duties and areas of responsibility
- [Recommended] Document cloud-specific responsibilities (shared responsibility model per provider)
#### A.5.3 Segregation of Duties
- [Recommended] Identify duties and areas of responsibility that need to be segregated
- [Critical] Implement technical controls to enforce segregation (separate accounts, roles, approval workflows)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Duty segregation | AWS Organizations (separate accounts for dev/staging/prod), IAM permission boundaries | Management Groups, separate subscriptions, Azure RBAC | Resource hierarchy (Organization, Folders, Projects), IAM role bindings |
| Guardrails and approval workflows | Service Catalog (curated products with launch constraints), Control Tower controls (SCPs and Config rules), CloudFormation change sets gated by pipeline approvals | Azure Policy, Template Specs and Deployment Stacks (Azure Blueprints is deprecated), pipeline approvals in Azure DevOps | Organization Policy Service, Assured Workloads, Cloud Build trigger approvals |
#### A.5.4 Management Responsibilities
- [Recommended] Ensure management demonstrates support for information security through resource allocation and visible engagement
- [Recommended] Require management to ensure personnel follow the information security policy
#### A.5.7 Threat Intelligence (New in 2022)
- [Recommended] Collect and analyze information about threats relevant to the organization
- [Recommended] Integrate threat intelligence into risk management and security monitoring
- [Recommended] Subscribe to cloud provider security bulletins and advisories
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Threat intelligence feeds | GuardDuty threat intelligence (managed and custom threat lists), AWS Security Bulletins | Microsoft Defender Threat Intelligence, Microsoft Sentinel threat intelligence indicators | Google Threat Intelligence, Security Command Center threat detection |
| Threat detection | GuardDuty, Inspector findings | Defender for Cloud, Sentinel analytics rules | Security Command Center Premium/Enterprise, Google Security Operations (formerly Chronicle) |
#### A.5.8 Information Security in Project Management
- [Recommended] Integrate information security into project management methodology
- [Recommended] Conduct security architecture reviews for new projects and significant changes
- [Critical] Include security requirements in project scope and acceptance criteria
#### A.5.9 Inventory of Information and Other Associated Assets
- [Recommended] Maintain an inventory of information assets and associated infrastructure
- [Recommended] Assign ownership for all identified assets
- [Recommended] Include cloud resources in asset inventory (auto-discovery where possible)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Asset inventory | AWS Config, Systems Manager Inventory, Resource Explorer | Azure Resource Graph, Microsoft Defender for Cloud asset inventory | Cloud Asset Inventory, Security Command Center asset discovery |
| Configuration tracking | AWS Config rules, Config conformance packs | Azure Policy, Azure Resource Graph | Cloud Asset Inventory, Security Health Analytics |
#### A.5.10 Acceptable Use of Information and Other Associated Assets
- [Recommended] Define and communicate acceptable use rules for information and assets
- [Recommended] Include cloud service usage guidelines (approved services, data classification handling)
#### A.5.15 Access Control
- [Critical] Define and implement access control policies based on business and security requirements
- [Critical] Apply least privilege principle across all cloud environments
- [Recommended] Review access rights at planned intervals
#### A.5.19 Information Security in Supplier Relationships
- [Recommended] Establish security requirements for supplier relationships
- [Recommended] Maintain a register of cloud providers and their security posture
- [Critical] Review cloud provider compliance certifications (SOC 2, ISO 27001, etc.)
#### A.5.21 Managing Information Security in the ICT Supply Chain
- [Recommended] Assess information security risks from the ICT supply chain
- [Recommended] Include cloud provider sub-processor chains in supply chain risk assessment
- [Recommended] Monitor cloud provider security advisories and incident notifications
#### A.5.22 Monitoring, Review and Change Management of Supplier Services
- [Recommended] Monitor and review cloud provider service levels and security performance
- [Recommended] Track changes to cloud provider services that affect the organization's security posture
- [Recommended] Subscribe to cloud provider service health dashboards and change notifications
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Service health monitoring | AWS Health Dashboard, Trusted Advisor | Azure Service Health, Azure Advisor | Google Cloud Status Dashboard, Recommender |
| Compliance reports | AWS Artifact (SOC, ISO, PCI reports) | Service Trust Portal, Microsoft Purview Compliance Manager | Google Cloud Compliance Reports Manager |
#### A.5.23 Information Security for Use of Cloud Services (New in 2022)
- [Recommended] Define a cloud services policy covering acquisition, use, management, and exit
- [Recommended] Establish cloud security requirements based on the organization's risk appetite
- [Recommended] Define responsibilities under the shared responsibility model for each cloud provider
- [Critical] Implement cloud security posture management (CSPM) to verify configuration compliance
- [Recommended] Define cloud exit strategy and data portability requirements
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| CSPM | Security Hub, AWS Config conformance packs, Control Tower | Microsoft Defender for Cloud (CSPM), Azure Policy compliance | Security Command Center, Security Health Analytics |
| Shared responsibility documentation | AWS Shared Responsibility Model documentation | Azure Shared Responsibility documentation | Google Cloud Shared Responsibility documentation |
#### A.5.24 Information Security Incident Management Planning and Preparation
- [Recommended] Establish incident management procedures including roles, communication, escalation
- [Recommended] Define incident classification and severity levels
- [Recommended] Integrate cloud provider incident notifications into the incident management process
#### A.5.25 Assessment and Decision on Information Security Events
- [Recommended] Define criteria for assessing security events and deciding whether they constitute incidents
- [Recommended] Implement automated event correlation and triage where possible
#### A.5.26 Response to Information Security Incidents
- [Critical] Implement incident response procedures covering containment, eradication, recovery
- [Critical] Maintain incident response runbooks for common cloud-specific scenarios (compromised credentials, data exposure, cryptomining)
#### A.5.27 Learning from Information Security Incidents
- [Recommended] Conduct post-incident reviews for all significant incidents
- [Recommended] Feed lessons learned back into risk assessments and control improvements
#### A.5.28 Collection of Evidence
- [Recommended] Define procedures for evidence collection and preservation that maintain forensic integrity
- [Critical] Ensure cloud logging configurations support forensic requirements (tamper-proof storage, timestamps, chain of custody)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Tamper-proof log storage | CloudTrail log file integrity validation (signed digest files), S3 Object Lock in compliance mode | Log Analytics data export to Blob Storage with an immutability (WORM) policy, resource locks on the workspace | Cloud Audit Logs (Admin Activity logs are always written and cannot be disabled), Cloud Storage retention policies with Bucket Lock |
#### A.5.29 Information Security During Disruption
- [Recommended] Plan for maintaining information security during business disruption
- [Critical] Include security in business continuity and disaster recovery plans
#### A.5.30 ICT Readiness for Business Continuity
- [Recommended] Identify ICT readiness requirements based on business continuity objectives
- [Recommended] Plan, implement, and test ICT continuity measures
### A.6 People Controls

#### A.6.1 Screening
- [Recommended] Conduct background verification checks for all candidates prior to employment
- [Recommended] Define screening requirements proportional to the sensitivity of information accessed
- [Recommended] Re-screen personnel when they move into higher-trust roles
#### A.6.2 Terms and Conditions of Employment
- [Recommended] Include information security responsibilities in employment contracts
- [Recommended] Cover cloud service usage responsibilities in employment terms
#### A.6.3 Information Security Awareness, Education and Training
- [Recommended] Deliver information security awareness training to all personnel
- [Recommended] Include cloud security topics in training (shared responsibility, credential management, data handling in cloud environments)
- [Recommended] Conduct role-specific training for cloud administrators and developers
- [Recommended] Track training completion and measure effectiveness
#### A.6.4 Disciplinary Process
- [Recommended] Establish a disciplinary process for information security policy violations
#### A.6.5 Responsibilities After Termination or Change of Employment
- [Recommended] Define and communicate information security responsibilities that remain valid after termination or change
- [Recommended] Revoke cloud access promptly upon termination (automate via identity lifecycle management)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Automated deprovisioning | IAM Identity Center with SCIM provisioning from the IdP; remove any remaining IAM users and their access keys | Entra ID lifecycle workflows, SCIM provisioning | Cloud Identity / Google Workspace lifecycle management, SCIM provisioning |
#### A.6.7 Remote Working
- [Recommended] Implement security measures for remote working (VPN/ZTNA, endpoint security, secure communications)
- [Recommended] Define policies for remote access to cloud management consoles and APIs
### A.7 Physical Controls

#### A.7.1 Physical Security Perimeters
- [Critical] Verify cloud provider physical security certifications (SOC 2 Type II, ISO 27001 for data center operations)
- [Critical] For on-premises components within ISMS scope, define and implement physical security perimeters
#### A.7.2 Physical Entry
- [Critical] Rely on cloud provider certifications for data center physical entry controls
- [Recommended] Implement physical entry controls for on-premises infrastructure (offices, co-location, network closets)
#### A.7.3 Securing Offices, Rooms and Facilities
- [Recommended] Secure areas containing information processing facilities relevant to the ISMS
#### A.7.4 Physical Security Monitoring
- [Critical] Verify cloud providers implement continuous physical security monitoring (CCTV, intrusion detection)
- [Recommended] Implement physical security monitoring for on-premises facilities
#### A.7.5 Protecting Against Physical and Environmental Threats
- [Recommended] Verify cloud provider protections against environmental threats (fire, flood, power, cooling)
- [Recommended] Select cloud regions and availability zones considering environmental risk profiles
#### A.7.9 Security of Assets Off-Premises
- [Recommended] Define protection measures for assets (laptops, mobile devices) used outside the organization's premises
#### A.7.10 Storage Media
- [Recommended] Define procedures for managing storage media through its lifecycle
- [Critical] Verify cloud provider media sanitization practices (e.g., NIST SP 800-88 compliance)
- [Critical] Implement encryption for data on removable media
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Media sanitization verification | AWS media decommissioning per NIST SP 800-88 (older whitepapers also cite DoD 5220.22-M), evidenced in SOC reports | Azure data-bearing device destruction documented in SOC reports | Google media sanitization documented in the Google infrastructure security design overview |
#### A.7.14 Secure Disposal or Re-Use of Equipment
- [Critical] Verify cloud provider equipment disposal procedures through compliance reports
- [Recommended] Implement secure disposal for on-premises equipment
### A.8 Technological Controls

#### A.8.1 User Endpoint Devices
- [Recommended] Define and implement a policy for user endpoint device security
- [Recommended] Implement endpoint detection and response (EDR) on devices accessing cloud environments
- [Critical] Enforce device compliance checks before granting access to cloud resources
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Conditional access based on device | IAM Identity Center (formerly AWS SSO) with device trust enforced by the external IdP | Entra ID Conditional Access with device compliance (Intune) | Context-Aware Access via Chrome Enterprise Premium (formerly BeyondCorp Enterprise) |
#### A.8.2 Privileged Access Rights
- [Recommended] Identify and restrict privileged access rights across all cloud environments
- [Recommended] Implement just-in-time (JIT) privileged access where possible
- [Critical] Require MFA for all privileged access
- [Recommended] Log and monitor all privileged access sessions
- [Recommended] Review privileged access rights at planned intervals (at least quarterly)
- [Recommended] Use separate accounts for privileged and non-privileged activities
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Privileged access management | IAM Identity Center permission sets, IAM roles with session policies and short session durations, IAM Access Analyzer (unused access findings) | Entra ID Privileged Identity Management (PIM) for just-in-time, time-bound activation | Privileged Access Manager (PAM) for just-in-time grants, IAM Conditions (time-based) |
| MFA enforcement | IAM MFA (FIDO2 security keys/passkeys), Organizations SCP denying actions when aws:MultiFactorAuthPresent is false | Entra ID Conditional Access MFA policies | Cloud Identity / Google Workspace 2-Step Verification enforcement (security keys), Context-Aware Access |
| Privileged session monitoring | CloudTrail, Session Manager session logging | Entra ID sign-in logs, Azure Bastion session recording | Cloud Audit Logs (Admin Activity and Data Access) |
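The SCP row above hinges on a detail that is easy to get wrong: `aws:MultiFactorAuthPresent` is absent from the request context when an IAM user calls the API with long-term access keys, so a policy that tests it with `Bool` silently exempts exactly the credentials most worth blocking. The block below is an added example, not AWS code or this page's own: a minimal evaluator (`is_denied` and its helpers are hypothetical and cover only the Deny/NotAction/Bool/BoolIfExists subset this policy uses) run over constructed request contexts, showing why the AWS-documented pattern uses `BoolIfExists` and what changes when it is replaced with `Bool`.

```python
"""Why an MFA-enforcing SCP must use BoolIfExists, shown with a tiny evaluator.

Added illustration, not AWS code. `is_denied` and its helpers are hypothetical
and implement only the subset of IAM policy semantics this policy exercises:
Deny statements, Action/NotAction matching, and Bool / BoolIfExists conditions.
"""
import copy
import fnmatch

# Modelled on the AWS-documented SCP pattern for denying access without MFA.
# NotAction lists the calls a user still needs in order to enrol an MFA device.
MFA_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_in_scope(statement, action):
    """IAM action names are case-insensitive and may carry wildcards."""
    action = action.lower()
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(statement["Action"]))
    return not any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(statement["NotAction"]))


def _condition_matches(condition, context):
    """Bool: a missing key never matches. BoolIfExists: a missing key always matches."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        if (operator[:-8] if if_exists else operator) != "Bool":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_denied(policy, action, context):
    """True if any Deny statement applies to the request (explicit deny wins)."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or not _action_in_scope(statement, action):
            continue
        if _condition_matches(statement.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts. What matters is whether the key is present at all:
# console sessions and role sessions carry it; IAM user access keys do not.
CONTEXTS = {
    "console_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
    "console_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {},
}


def evaluate(policy=MFA_SCP, action="s3:ListAllMyBuckets"):
    """Deny decision per context for one representative non-exempt action."""
    return {name: is_denied(policy, action, ctx) for name, ctx in CONTEXTS.items()}


def with_plain_bool(policy=MFA_SCP):
    """The common mistake: the same policy with Bool instead of BoolIfExists."""
    variant = copy.deepcopy(policy)
    variant["Statement"][0]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return variant


if __name__ == "__main__":
    print("BoolIfExists:", evaluate())                   # access keys without MFA are denied
    print("Bool        :", evaluate(with_plain_bool()))  # access keys slip through
```

Note the trade-off: `BoolIfExists` also denies role sessions, including EC2 instance profiles and CI pipelines, because temporary credentials carry the key with the value `false`. Attach such an SCP only to OUs that hold human-operated accounts, or add a condition on `aws:PrincipalType` so that `AssumedRole` principals are excluded, and keep the NotAction list limited to the calls needed to enrol a device.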
#### A.8.3 Information Access Restriction
- [Critical] Restrict access to information based on access control policies
- [Critical] Implement attribute-based or role-based access control for cloud resources
- [Recommended] Apply resource-level permissions and policies
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Fine-grained access control | IAM policies (identity-based, resource-based), Lake Formation, S3 access points | Azure RBAC, Azure ABAC (attribute-based), Azure Storage access control | IAM (allow/deny policies), IAM Conditions, VPC Service Controls |
| Data-level access control | DynamoDB fine-grained access, RDS row-level security | Azure SQL Row-Level Security, Cosmos DB RBAC | BigQuery column-level security, authorized views |
#### A.8.4 Access to Source Code
- [Recommended] Restrict access to source code and development tools based on need-to-know
- [Recommended] Implement branch protection rules and code review requirements
#### A.8.5 Secure Authentication
- [Critical] Implement secure authentication mechanisms (strong passwords, MFA, passwordless where possible)
- [Critical] Protect authentication information in transit and at rest
- [Critical] Implement centralized authentication for cloud environments (SSO/federation)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Centralized authentication | IAM Identity Center (SSO), federation with external IdPs (SAML/OIDC) | Entra ID (SAML/OIDC/WS-Fed federation) | Cloud Identity, Workforce Identity Federation |
| Passwordless authentication | FIDO2 via IdP integration | Entra ID passwordless (FIDO2, Windows Hello, Authenticator) | FIDO2 via Cloud Identity |
#### A.8.6 Capacity Management
- [Recommended] Monitor and project capacity requirements for cloud resources
- [Recommended] Implement auto-scaling where appropriate
- [Recommended] Set up alerts for capacity thresholds
- [Recommended] Plan capacity for security tooling (log storage, SIEM throughput)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Capacity monitoring | CloudWatch metrics, Service Quotas, Trusted Advisor service limit checks | Azure Monitor metrics, Azure Advisor | Cloud Monitoring metrics, quota monitoring |
| Auto-scaling | EC2 Auto Scaling, Application Auto Scaling | Virtual Machine Scale Sets, App Service auto-scale | Managed Instance Groups autoscaler, Cloud Run auto-scaling |
#### A.8.7 Protection Against Malware
- [Recommended] Implement malware protection for cloud workloads
- [Recommended] Scan files uploaded to cloud storage
- [Recommended] Implement container image scanning
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Workload protection | GuardDuty Malware Protection for EC2 (EBS volume scanning) | Defender for Servers (endpoint protection) | Security Command Center threat detection (VM Threat Detection, Container Threat Detection) |
| Storage scanning | GuardDuty Malware Protection for S3 | Defender for Storage (malware scanning) | Cloud Storage malware scanning (via integration, e.g., a ClamAV-based scanning pipeline) |
| Container scanning | ECR image scanning (Inspector), GuardDuty Runtime Monitoring | Defender for Containers, ACR image scanning | Artifact Analysis (container scanning), GKE security posture dashboard |
#### A.8.8 Management of Technical Vulnerabilities
- [Recommended] Establish a vulnerability management process with defined remediation SLAs
- [Critical] Implement automated vulnerability scanning for cloud resources (VMs, containers, serverless)
- [Recommended] Track and remediate vulnerabilities based on risk (CVSS score, exploitability, exposure)
- [Recommended] Include cloud configuration vulnerabilities (misconfigurations) in vulnerability management
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Vulnerability scanning | Inspector (EC2, ECR, Lambda) | Defender for Cloud vulnerability assessment via Microsoft Defender Vulnerability Management (the Qualys integration has been retired) | Security Command Center (VM Manager vulnerability findings, Web Security Scanner), Artifact Analysis |
| Configuration scanning | Security Hub (CIS/AWS Foundational benchmarks), AWS Config rules | Defender for Cloud (regulatory compliance), Azure Policy | Security Health Analytics (CIS benchmarks), SCC compliance |
#### A.8.9 Configuration Management (New in 2022)
- [Recommended] Define and enforce standard security configurations for cloud resources
- [Recommended] Implement configuration-as-code and drift detection
- [Recommended] Manage configurations through a controlled change management process
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Configuration management | AWS Config, CloudFormation, CDK | Azure Policy, ARM/Bicep templates | Organization Policy, Terraform (Deployment Manager is deprecated) |
| Drift detection | AWS Config, CloudFormation drift detection | Azure Policy compliance, ARM what-if | Cloud Asset Inventory change history |
#### A.8.10 Information Deletion
- [Critical] Implement secure deletion mechanisms for information no longer required
- [Critical] Verify that cloud provider deletion is irreversible (provider documentation, cryptographic erasure)
- [Critical] Implement retention policies and automated lifecycle management
#### A.8.11 Data Masking (New in 2022)
- [Critical] Implement data masking for personal and sensitive data in non-production environments
- [Recommended] Use dynamic data masking for query-time protection where appropriate
- [Recommended] Define masking rules based on data classification
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Data masking | Lake Formation data filters, Redshift dynamic data masking | Azure SQL Dynamic Data Masking, Purview data classification to drive masking rules | BigQuery dynamic data masking (policy tags / column-level security), Sensitive Data Protection (formerly Cloud DLP) de-identification |
#### A.8.12 Data Leakage Prevention (New in 2022)
- [Recommended] Implement DLP controls for data at rest, in transit, and in use
- [Recommended] Define DLP policies based on data classification
- [Recommended] Monitor and alert on DLP policy violations
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| DLP | Macie (S3 data discovery), CloudWatch + EventBridge for alerting | Microsoft Purview DLP (Exchange, SharePoint, Teams, endpoints), Defender for Cloud Apps | Cloud DLP / Sensitive Data Protection (inspection, de-identification, job triggers) |
#### A.8.15 Logging
- [Recommended] Enable logging for security-relevant events across all cloud services
- [Critical] Centralize logs in a tamper-resistant log store
- [Critical] Define log retention periods based on legal, regulatory, and business requirements
- [Recommended] Protect logs from unauthorized access and modification
- [Recommended] Synchronize clocks across all systems (NTP)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Centralized logging | CloudTrail (management + data events), CloudWatch Logs, VPC Flow Logs, S3 server access logs | Azure Monitor Logs (Log Analytics workspace), Activity Logs, NSG flow logs, diagnostic settings | Cloud Audit Logs (admin activity, data access, system event), VPC Flow Logs, Cloud Logging |
| Log aggregation | CloudTrail organization trail, centralized logging account | Sentinel workspace, cross-subscription log collection | Organization-level log sinks, centralized logging project |
| Tamper protection | CloudTrail log file integrity validation, S3 Object Lock | Log Analytics data export to Blob Storage with immutability (WORM) policies, workspace RBAC and resource locks | Cloud Audit Logs (Admin Activity logs are always written and cannot be disabled), Cloud Storage retention policies with Bucket Lock |
| Clock synchronization | Amazon Time Sync Service | Azure host time sync (VMICTimeSync), time.windows.com | Google Public NTP (time.google.com) |
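The A.5.28 evidence row and the tamper-protection row above both rely on the same mechanism: a signed chain of digest files, each committing to the hash of the log files it covers and to the previous digest, so that an edited, deleted or reordered file cannot go unnoticed. The block below is an added example, not AWS's code or file format, that models that mechanism with the standard library: HMAC-SHA256 with a constructed key stands in for CloudTrail's RSA signature, the three log records are constructed samples, and `build_digest_chain` / `validate` are hypothetical names.

```python
"""Hash-chained, signed log digests: a standard-library model of how
CloudTrail digest-file validation detects modified, deleted or reordered logs.

Added illustration, not AWS's code or file format. HMAC-SHA256 with a
constructed key stands in for CloudTrail's RSA signature; function names
and the sample records are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # placeholder, never a real key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_digest_chain(log_files: list[bytes], key: bytes = SIGNING_KEY) -> list[dict]:
    """One digest per log file; each commits to the file hash and the previous digest."""
    chain, previous_signature = [], ""
    for index, content in enumerate(log_files):
        body = {
            "sequence": index,
            "logFileSha256": sha256_hex(content),
            "previousDigestSignature": previous_signature,
        }
        signature = sign(json.dumps(body, sort_keys=True).encode(), key)
        chain.append({**body, "signature": signature})
        previous_signature = signature
    return chain


def validate(log_files: list[bytes], chain: list[dict], key: bytes = SIGNING_KEY) -> list[str]:
    """Return findings; an empty list means every file and every digest verified."""
    findings, expected_previous = [], ""
    if len(log_files) != len(chain):
        findings.append(f"count mismatch: {len(log_files)} files, {len(chain)} digests")
    for index, (content, digest) in enumerate(zip(log_files, chain)):
        body = {k: v for k, v in digest.items() if k != "signature"}
        expected_signature = sign(json.dumps(body, sort_keys=True).encode(), key)
        if not hmac.compare_digest(expected_signature, digest["signature"]):
            findings.append(f"digest {index}: signature invalid (digest edited or forged)")
        if digest["previousDigestSignature"] != expected_previous:
            findings.append(f"digest {index}: chain broken (a digest was removed or reordered)")
        if digest["logFileSha256"] != sha256_hex(content):
            findings.append(f"log file {index}: content hash mismatch (file modified)")
        expected_previous = digest["signature"]
    return findings


# Constructed CloudTrail-style records (sample data, not real events).
LOG_FILES = [
    b'{"eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}}\n',
    b'{"eventName":"CreateUser","userIdentity":{"userName":"alice"},"requestParameters":{"userName":"svc-backdoor"}}\n',
    b'{"eventName":"StopLogging","userIdentity":{"userName":"alice"},"requestParameters":{"name":"org-trail"}}\n',
]


def demo() -> tuple[list[str], list[str], list[str]]:
    """Findings for an untouched set, an edited record, and a deleted file+digest pair."""
    chain = build_digest_chain(LOG_FILES)
    clean = validate(LOG_FILES, chain)
    # An intruder rewrites the second record to hide the user they created...
    tampered = list(LOG_FILES)
    tampered[1] = tampered[1].replace(b"CreateUser", b"GetUser")
    edited = validate(tampered, chain)
    # ...or deletes that file together with its digest, hoping nothing notices.
    deleted = validate(LOG_FILES[:1] + LOG_FILES[2:], chain[:1] + chain[2:])
    return clean, edited, deleted


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "deleted"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Because an HMAC key can sign as well as verify, anyone who holds it can forge the chain; CloudTrail avoids this by signing with an AWS-held private key and publishing only the public key, and `aws cloudtrail validate-logs` performs the check. Object Lock on the log bucket closes the remaining gap, deletion of both log and digest files, which the chain alone can only detect after the fact.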
#### A.8.16 Monitoring Activities (New in 2022)
- [Recommended] Monitor networks, systems, and applications for anomalous behavior
- [Recommended] Define monitoring baselines and thresholds
- [Recommended] Implement automated alerting for security-relevant events
- [Recommended] Review monitoring effectiveness periodically
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Security monitoring | GuardDuty, Security Hub, CloudWatch anomaly detection | Microsoft Sentinel, Defender for Cloud alerts | Security Command Center, Google Security Operations (formerly Chronicle) |
| Network monitoring | VPC Flow Logs, GuardDuty network analysis, Traffic Mirroring | Network Watcher, NSG flow logs, Azure Firewall logs | VPC Flow Logs, Packet Mirroring, Cloud IDS |
#### A.8.20 Network Security
- [Critical] Design and implement network segmentation based on security requirements
- [Critical] Implement network access controls (security groups, NACLs, firewall rules)
- [Critical] Encrypt network traffic between security zones
- [Recommended] Implement network monitoring and anomaly detection
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Network segmentation | VPCs, subnets, security groups, NACLs | VNets, subnets, NSGs, ASGs | VPC networks, subnets, firewall rules, firewall policies |
| Managed firewall | AWS Network Firewall, WAF | Azure Firewall, Azure WAF | Cloud Armor, Cloud NGFW |
| Private connectivity | PrivateLink, VPC endpoints | Private Link, service endpoints | Private Service Connect, Private Google Access |
| DDoS protection | Shield Standard (always on), Shield Advanced | Azure DDoS Network Protection, DDoS IP Protection | Cloud Armor (including Adaptive Protection) |
#### A.8.21 Security of Network Services
- [Recommended] Identify and implement security mechanisms for network services
- [Recommended] Include network service security requirements in supplier agreements
#### A.8.23 Web Filtering (New in 2022)
- [Recommended] Implement web filtering to prevent access to malicious or unauthorized websites
- [Recommended] Define web filtering policies based on organizational requirements
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Web filtering | Network Firewall (domain-based filtering), Route 53 Resolver DNS Firewall | Azure Firewall (FQDN filtering, web categories), Defender for Cloud Apps | Cloud NGFW (FQDN-based rules), Chrome Enterprise for endpoints |
#### A.8.24 Use of Cryptography
- [Critical] Define a cryptographic policy covering algorithm selection, key lengths, and key management
- [Critical] Implement encryption at rest using AES-256 or equivalent
- [Recommended] Enforce TLS 1.2 or higher for data in transit
- [Critical] Implement key rotation policies
- [Recommended] Manage cryptographic keys using hardware security modules where required
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Key management | KMS (symmetric/asymmetric keys), CloudHSM, KMS external key store (XKS) | Key Vault (keys, secrets, certificates), Managed HSM | Cloud KMS, Cloud HSM, Cloud External Key Manager |
| Certificate management | ACM (public/private certificates) | Key Vault certificates, App Service certificates | Certificate Manager, Certificate Authority Service |
| TLS enforcement | ALB/NLB TLS policies, API Gateway | Application Gateway TLS policies, Front Door | Cloud Load Balancing SSL policies |
#### A.8.25 Secure Development Life Cycle
- [Recommended] Define and implement a secure development lifecycle (SDLC)
- [Recommended] Integrate static application security testing (SAST) into CI/CD pipelines
- [Recommended] Integrate dynamic application security testing (DAST) into CI/CD pipelines
- [Recommended] Implement software composition analysis (SCA) for dependency vulnerabilities
- [Recommended] Conduct security code reviews
- [Recommended] Implement infrastructure-as-code security scanning
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| CI/CD security | CodePipeline, CodeBuild (with security scanning steps), CodeGuru Reviewer | Azure DevOps Pipelines (with security tasks), GitHub Advanced Security for Azure DevOps | Cloud Build (with security scanning steps), Artifact Analysis |
| IaC scanning | cfn-lint, cfn_nag, CloudFormation Guard | Bicep linter, ARM Template Test Toolkit (arm-ttk), PSRule for Azure | gcloud beta terraform vet (formerly Terraform Validator); provider-neutral scanners such as Checkov, Trivy and KICS cover Terraform for all three providers |
| Artifact security | ECR image scanning, CodeArtifact | ACR image scanning, Azure Artifacts | Artifact Registry vulnerability scanning, Binary Authorization |
#### A.8.26 Application Security Requirements
- [Recommended] Define security requirements for application development and acquisition
- [Recommended] Include input validation, output encoding, session management, error handling requirements
#### A.8.28 Secure Coding
- [Recommended] Establish and apply secure coding principles
- [Recommended] Implement automated code quality and security checks in the development pipeline
- [Critical] Use secrets management services (never hardcode credentials)
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Secrets management | Secrets Manager, Systems Manager Parameter Store (SecureString) | Key Vault Secrets | Secret Manager |
#### A.8.31 Separation of Development, Test and Production Environments
- [Recommended] Separate development, test, and production environments
- [Recommended] Implement separate cloud accounts/subscriptions/projects for each environment
- [Critical] Apply different access controls and security policies per environment
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Environment separation | AWS Organizations (separate accounts per environment), Control Tower | Separate subscriptions, Management Groups | Separate projects per environment, folder-based hierarchy |
#### A.8.32 Change Management
- [Recommended] Implement change management procedures for cloud infrastructure and applications
- [Recommended] Test changes before deployment to production
- [Recommended] Implement rollback capabilities
- [Recommended] Log all changes with who, what, when, and approval
Cloud Service Mappings:
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Change tracking | CloudTrail, Config change timeline | Activity Log, Change Analysis | Cloud Audit Logs, Cloud Asset Inventory change history |
| Deployment automation | CodeDeploy, CloudFormation change sets | Azure DevOps, ARM/Bicep deployments | Cloud Deploy, Cloud Build |
#### A.8.33 Test Information
- [Recommended] Protect test information (do not use production data in test environments without sanitization)
- [Recommended] Implement data masking or synthetic data generation for test environments
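A.8.11 and A.8.33 together ask for masked, not raw, production data in lower environments. The dynamic masking products listed under A.8.11 protect queries against a live database; a copy exported for test needs static masking that keeps the data usable, meaning joins across tables must still work and formats must still validate. The block below is an added example, not a cloud provider's feature: keyed HMAC pseudonymisation for identifiers (deterministic under one key, so referential integrity survives; unlinkable to the original without the key), format-preserving masking for e-mail addresses, and irreversible redaction for card and phone numbers. The key, the sample rows and the function names are constructed for this illustration.

```python
"""Static masking for test copies of production data with keyed pseudonyms.

Added illustration, not a cloud provider's masking feature. The key, the
sample rows and the function names are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import re

MASKING_KEY = b"constructed-demo-key-rotate-per-refresh"  # placeholder, never a real key


def pseudonym(value: str, field: str, key: bytes = MASKING_KEY, length: int = 12) -> str:
    """Stable token for (field, value) under one key; the field tag stops the
    same string appearing in two columns from producing a linkable token."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def mask_email(value: str, key: bytes = MASKING_KEY) -> str:
    """Tokenise the local part, keep the domain, so the result still parses as an address."""
    local, _, domain = value.partition("@")
    return f"u-{pseudonym(local, 'email', key)}@{domain or 'example.test'}"


def mask_pan(value: str) -> str:
    """Irreversible: keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def mask_phone(value: str) -> str:
    """Irreversible: keep only the last two digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 2, 0) + digits[-2:]


# Masking rules per column; columns not listed pass through unchanged.
RULES = {
    "customer_id": lambda v, k: pseudonym(v, "customer_id", k),
    "email": mask_email,
    "card_number": lambda v, k: mask_pan(v),
    "phone": lambda v, k: mask_phone(v),
}


def mask_row(row: dict, key: bytes = MASKING_KEY) -> dict:
    return {col: (RULES[col](val, key) if col in RULES else val) for col, val in row.items()}


# Constructed sample tables that join on customer_id (not real data).
CUSTOMERS = [
    {"customer_id": "C1001", "email": "alice@example.com", "phone": "+1 415 555 0100", "tier": "gold"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "card_number": "4111 1111 1111 1111", "amount": "42.00"},
]


def mask_dataset(key: bytes = MASKING_KEY) -> tuple[list[dict], list[dict]]:
    """Mask both tables with the same key so the join on customer_id survives."""
    return [mask_row(r, key) for r in CUSTOMERS], [mask_row(r, key) for r in ORDERS]


if __name__ == "__main__":
    customers, orders = mask_dataset()
    print(customers)
    print(orders)
```

Rotate the masking key for each refresh of the test environment and keep it only in the secrets manager of the masking job: with a fixed, shared key the tokens become a stable pseudonym that is still personal data under most privacy regimes. Redact rather than tokenise anything that will never be joined on.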
#### A.8.34 Protection of Information Systems During Audit Testing
- [Recommended] Plan and control audit testing to minimize impact on production systems
- [Recommended] Use read-only audit accounts for cloud environment assessments
- [Recommended] Restrict audit tool access and results to authorized personnel
## Reference Links

- ISO/IEC 27001:2022 — official standard for information security management systems
- ISO/IEC 27002:2022 — guidance on implementing Annex A controls from ISO 27001
- CSA STAR Registry — public registry of cloud provider security assessments and certifications
## See Also

- general/security.md — General security controls and architecture patterns
- general/governance.md — Cloud governance, tagging, and policy enforcement
- compliance/soc2.md — SOC 2 Trust Service Criteria (often pursued alongside ISO 27001)
- compliance/csa-ccm.md — CSA CCM controls (maps to ISO 27001 Annex A)