Skip to content

ISO 27001

5. ISO 27001:2022 CONTROLS MAPPING

ISO 27001:2022 (updated October 2022) is the international standard for Information Security Management Systems (ISMS). The 2022 version reorganized controls into 4 themes with 93 controls (reduced from 114 in the 2013 version).

Four Themes: 1. Organizational Controls (37 controls): Policies, roles, risk management 2. People Controls (8 controls): HR security, training, awareness 3. Physical Controls (14 controls): Physical security, environmental protection 4. Technological Controls (34 controls): Access control, encryption, monitoring

5.1 ISO 27001:2022 Control Implementation Summary

Theme Total Controls Implemented Partially Implemented Not Applicable Implementation %
Organizational (5.1-5.37) 37 32 4 1 97%
People (6.1-6.8) 8 8 0 0 100%
Physical (7.1-7.14) 14 12 2 0 100%
Technological (8.1-8.34) 34 30 4 0 100%
TOTAL 93 82 10 1 99%

Overall ISO 27001:2022 Compliance: 99% (suitable for certification)

5.2 Organizational Controls (5.1-5.37) - Detailed Mapping

Control ID Control Name Abhavtech Implementation Audit Evidence Status
5.1 Policies for information security Information Security Policy (v5.2, Oct 2024):
• Approved by CEO + Board
• Published on IT portal (all employees acknowledged)
• Annual review (next: Oct 2025)
• Policy document (signed by CEO)
• Employee acknowledgment records (3,200/3,200)
• Board meeting minutes (approval)
5.2 Information security roles and responsibilities See Section 2.1.3 (GV.OV-01):
• CISO (overall accountability)
• Security Manager, SOC Lead, Engineers
• RACI matrix (documented responsibilities)
• Org chart
• Job descriptions
• RACI matrix
5.3 Segregation of duties Separation:
• Developers (SGT 60) CANNOT access production (SGT 15/80)
• Network Admins (SGT 5) CANNOT access servers without CyberArk PAM
• SOC Analysts (SGT 10) can monitor but NOT make config changes
• ISE SGACL matrix (SGT 60 → SGT 80 = Deny)
• CyberArk role separation
• SOD matrix spreadsheet
5.4 Management responsibilities Management Accountability:
• CISO reports to Board quarterly
• Security Committee (monthly): CISO + CTO + CFO + Legal
• KPIs tracked (MTTD, MTTR, compliance score)
• Board meeting minutes
• Security Committee charter + minutes
• KPI dashboard (Splunk)
5.5 Contact with authorities Law Enforcement & Regulators:
• FBI InfraGard (cyber threat sharing)
• Local police (physical security incidents)
• PCI QSA (Trustwave), DPO contact with ICO (GDPR)
• FBI InfraGard membership
• Emergency contact list (Legal dept)
• DPO notification logs
5.6 Contact with special interest groups Industry Groups:
• FS-ISAC (Financial Services ISAC, $10K/year)
• Cisco partner community (security best practices)
• OWASP (web app security)
• FS-ISAC membership certificate
• Cisco partner portal access
• OWASP chapter participation
5.7 Threat intelligence Threat Intel Sources (see Section 2.2.6):
• Cisco Talos (real-time, XDR integration)
• FS-ISAC (financial sector threats)
• CISA (government alerts)
• MITRE ATT&CK (quarterly framework updates)
• XDR Threat Response integration
• FS-ISAC alert logs
• CISA alert subscriptions
• ATT&CK Navigator heatmap
5.8 Information security in project management Secure SDLC:
• ServiceNow project templates (security requirements)
• Security review gate (pre-production deployment)
• Threat modeling (for customer-facing apps)
• ServiceNow project template (security checklist)
• Security review approval workflow
• Threat model samples (SAP integration, API gateway)
5.9 Inventory of information and other associated assets Asset Inventory (see CIS Control 1.1, 2.1):
• DNAC (network devices), ISE (endpoints), ServiceNow CMDB (servers, apps)
• See CIS Control 1.1 evidence
5.10 Acceptable use of information and other associated assets Acceptable Use Policy (AUP):
• All employees sign (annual re-acknowledgment)
• Prohibits: Personal use of company resources for illegal activities, sharing credentials, installing unauthorized software
• Monitoring: UEBA tracks policy violations
• AUP document (v3.0, Jan 2024)
• Employee acknowledgment records
• UEBA policy violation alerts
5.11 Return of assets Asset Return (Termination Process):
• Laptop, badge, mobile device collected on termination day
• IT wipes devices (BitLocker recovery, remote wipe for mobile)
• Confirmation checklist (HR + IT sign-off)
• Termination checklist (ServiceNow)
• Asset return log (last 12 months: 125 terminations, 100% asset return)
• Device wipe certificates
5.12 Classification of information Data Classification (see CIS Control 3.7):
• 4 levels: Public, Internal, Confidential, Restricted
• M365 sensitivity labels (auto-classification for email/docs)
• See CIS Control 3.7 evidence
5.13 Labelling of information Labelling:
• M365 sensitivity labels (header/footer: "CONFIDENTIAL - INTERNAL USE ONLY")
• Email classification (auto-tag based on keywords: SSN, credit card)
• M365 sensitivity label config
• Email auto-tagging rules
5.14 Information transfer Secure Transfer:
• Email: TLS 1.2+ (Secure Email encryption)
• File transfer: SFTP (vendors), OneDrive (internal, encrypted at rest + transit)
• Large files: Secure file sharing portal (password-protected links, 7-day expiration)
• Secure Email TLS config
• SFTP server config (vendors)
• OneDrive encryption settings
• File sharing portal (sample link)
5.15 Access control Access Control (see CIS Control 6, NIST CSF PR.AC):
• ISE 802.1X + TrustSec SGT
• Duo MFA (100% coverage)
• CyberArk PAM (privileged access)
• See CIS Control 6 evidence
5.16 Identity management Identity Lifecycle (see NIST CSF PR.AC-04):
• Provisioning: Day 1 (automated Workday → AD → ISE → Duo)
• Modification: 1 business day (access request via ServiceNow)
• De-provisioning: 1 hour (automated)
• See NIST CSF PR.AC-04 evidence
5.17 Authentication information Password Management:
• Complexity: 12 char min, complexity required (AD GPO)
• Rotation: 90 days (users), 30 days (admins, CyberArk auto-rotate)
• MFA: 100% coverage (Duo)
• AD GPO (password policy)
• CyberArk rotation schedule
• Duo enrollment report
5.18 Access rights Access Rights Management:
• Least privilege (RBAC via ISE SGT, AD groups)
• Quarterly access reviews (Compliance Analyst)
• Privilege escalation requires approval (ServiceNow)
• ISE authorization policies
• Quarterly access review reports
• ServiceNow access request approvals

6. SECURITY OPERATIONS