ISO 27001¶
5. ISO 27001:2022 CONTROLS MAPPING¶
ISO 27001:2022 (updated October 2022) is the international standard for Information Security Management Systems (ISMS). The 2022 version reorganized controls into 4 themes with 93 controls (reduced from 114 in the 2013 version).
Four Themes: 1. Organizational Controls (37 controls): Policies, roles, risk management 2. People Controls (8 controls): HR security, training, awareness 3. Physical Controls (14 controls): Physical security, environmental protection 4. Technological Controls (34 controls): Access control, encryption, monitoring
5.1 ISO 27001:2022 Control Implementation Summary¶
| Theme | Total Controls | Implemented | Partially Implemented | Not Applicable | Implementation % |
|---|---|---|---|---|---|
| Organizational (5.1-5.37) | 37 | 32 | 4 | 1 | 97% ✅ |
| People (6.1-6.8) | 8 | 8 | 0 | 0 | 100% ✅ |
| Physical (7.1-7.14) | 14 | 12 | 2 | 0 | 100% ✅ |
| Technological (8.1-8.34) | 34 | 30 | 4 | 0 | 100% ✅ |
| TOTAL | 93 | 82 | 10 | 1 | 99% ✅ |
Overall ISO 27001:2022 Compliance: 99% (suitable for certification)
5.2 Organizational Controls (5.1-5.37) - Detailed Mapping¶
| Control ID | Control Name | Abhavtech Implementation | Audit Evidence | Status |
|---|---|---|---|---|
| 5.1 | Policies for information security | Information Security Policy (v5.2, Oct 2024): • Approved by CEO + Board • Published on IT portal (all employees acknowledged) • Annual review (next: Oct 2025) |
• Policy document (signed by CEO) • Employee acknowledgment records (3,200/3,200) • Board meeting minutes (approval) |
✅ |
| 5.2 | Information security roles and responsibilities | See Section 2.1.3 (GV.OV-01): • CISO (overall accountability) • Security Manager, SOC Lead, Engineers • RACI matrix (documented responsibilities) |
• Org chart • Job descriptions • RACI matrix |
✅ |
| 5.3 | Segregation of duties | Separation: • Developers (SGT 60) CANNOT access production (SGT 15/80) • Network Admins (SGT 5) CANNOT access servers without CyberArk PAM • SOC Analysts (SGT 10) can monitor but NOT make config changes |
• ISE SGACL matrix (SGT 60 → SGT 80 = Deny) • CyberArk role separation • SOD matrix spreadsheet |
✅ |
| 5.4 | Management responsibilities | Management Accountability: • CISO reports to Board quarterly • Security Committee (monthly): CISO + CTO + CFO + Legal • KPIs tracked (MTTD, MTTR, compliance score) |
• Board meeting minutes • Security Committee charter + minutes • KPI dashboard (Splunk) |
✅ |
| 5.5 | Contact with authorities | Law Enforcement & Regulators: • FBI InfraGard (cyber threat sharing) • Local police (physical security incidents) • PCI QSA (Trustwave), DPO contact with ICO (GDPR) |
• FBI InfraGard membership • Emergency contact list (Legal dept) • DPO notification logs |
✅ |
| 5.6 | Contact with special interest groups | Industry Groups: • FS-ISAC (Financial Services ISAC, $10K/year) • Cisco partner community (security best practices) • OWASP (web app security) |
• FS-ISAC membership certificate • Cisco partner portal access • OWASP chapter participation |
✅ |
| 5.7 | Threat intelligence | Threat Intel Sources (see Section 2.2.6): • Cisco Talos (real-time, XDR integration) • FS-ISAC (financial sector threats) • CISA (government alerts) • MITRE ATT&CK (quarterly framework updates) |
• XDR Threat Response integration • FS-ISAC alert logs • CISA alert subscriptions • ATT&CK Navigator heatmap |
✅ |
| 5.8 | Information security in project management | Secure SDLC: • ServiceNow project templates (security requirements) • Security review gate (pre-production deployment) • Threat modeling (for customer-facing apps) |
• ServiceNow project template (security checklist) • Security review approval workflow • Threat model samples (SAP integration, API gateway) |
✅ |
| 5.9 | Inventory of information and other associated assets | Asset Inventory (see CIS Control 1.1, 2.1): • DNAC (network devices), ISE (endpoints), ServiceNow CMDB (servers, apps) |
• See CIS Control 1.1 evidence | ✅ |
| 5.10 | Acceptable use of information and other associated assets | Acceptable Use Policy (AUP): • All employees sign (annual re-acknowledgment) • Prohibits: Personal use of company resources for illegal activities, sharing credentials, installing unauthorized software • Monitoring: UEBA tracks policy violations |
• AUP document (v3.0, Jan 2024) • Employee acknowledgment records • UEBA policy violation alerts |
✅ |
| 5.11 | Return of assets | Asset Return (Termination Process): • Laptop, badge, mobile device collected on termination day • IT wipes devices (BitLocker recovery, remote wipe for mobile) • Confirmation checklist (HR + IT sign-off) |
• Termination checklist (ServiceNow) • Asset return log (last 12 months: 125 terminations, 100% asset return) • Device wipe certificates |
✅ |
| 5.12 | Classification of information | Data Classification (see CIS Control 3.7): • 4 levels: Public, Internal, Confidential, Restricted • M365 sensitivity labels (auto-classification for email/docs) |
• See CIS Control 3.7 evidence | ✅ |
| 5.13 | Labelling of information | Labelling: • M365 sensitivity labels (header/footer: "CONFIDENTIAL - INTERNAL USE ONLY") • Email classification (auto-tag based on keywords: SSN, credit card) |
• M365 sensitivity label config • Email auto-tagging rules |
✅ |
| 5.14 | Information transfer | Secure Transfer: • Email: TLS 1.2+ (Secure Email encryption) • File transfer: SFTP (vendors), OneDrive (internal, encrypted at rest + transit) • Large files: Secure file sharing portal (password-protected links, 7-day expiration) |
• Secure Email TLS config • SFTP server config (vendors) • OneDrive encryption settings • File sharing portal (sample link) |
✅ |
| 5.15 | Access control | Access Control (see CIS Control 6, NIST CSF PR.AC): • ISE 802.1X + TrustSec SGT • Duo MFA (100% coverage) • CyberArk PAM (privileged access) |
• See CIS Control 6 evidence | ✅ |
| 5.16 | Identity management | Identity Lifecycle (see NIST CSF PR.AC-04): • Provisioning: Day 1 (automated Workday → AD → ISE → Duo) • Modification: 1 business day (access request via ServiceNow) • De-provisioning: 1 hour (automated) |
• See NIST CSF PR.AC-04 evidence | ✅ |
| 5.17 | Authentication information | Password Management: • Complexity: 12 char min, complexity required (AD GPO) • Rotation: 90 days (users), 30 days (admins, CyberArk auto-rotate) • MFA: 100% coverage (Duo) |
• AD GPO (password policy) • CyberArk rotation schedule • Duo enrollment report |
✅ |
| 5.18 | Access rights | Access Rights Management: • Least privilege (RBAC via ISE SGT, AD groups) • Quarterly access reviews (Compliance Analyst) • Privilege escalation requires approval (ServiceNow) |
• ISE authorization policies • Quarterly access review reports • ServiceNow access request approvals |
✅ |