ISO/IEC 27001:2022 evidence at the per-Annex-A-code level — the way ISO Lead Auditors actually walk Stage 2.

TL;DR — what this does for ISO/IEC 27001:2022

NSAuditor AI EE generates ISO/IEC 27001:2022 per-Annex-A-code-level evidence — at the same institutional grade as SOC 2, HIPAA, NIST CSF 2.0, and PCI DSS. It maps cloud infrastructure findings (AWS, Azure, GCP) and network scan results to specific Annex A codes (A.5.15, A.8.5, A.8.24, etc.), produces signed evidence artifacts (cover-page Scope Attestation, SHA-256 chain-of-custody sidecars, RFC 3161 trusted-timestamps, cryptographic suppression signing), and ships ISO 27001 reports in machine-readable form suitable for ISO-aware GRC platform ingestion + ISO/IEC 17021-1 certification body assessor workflow.

What it IS: the per-Annex-A-code technical-evidence layer covering A.5.15-A.5.18 identity + access + cryptography substrate, A.5.23 cloud services NEW 2022 substrate, A.5.28 evidence collection (CloudTrail), A.5.33-A.5.34 records protection + PII substrate, A.5.36 compliance monitoring (Config drift), A.8.2-A.8.5 privileged access + secure auth, A.8.8 vulnerability management (CVE pipeline), A.8.9 configuration management NEW 2022 (Config recorder substrate), A.8.13 backup (AWS Backup substrate), A.8.15 logging (CloudTrail substrate), A.8.16 monitoring NEW 2022 (GuardDuty substrate), A.8.20-A.8.22 network security + segregation, A.8.24 use of cryptography (KMS substrate) — complete and assessor-ready. Compatible with operator-side ISO 27001 SoA preparation, internal audit program execution, management review cycle, and accredited certification body (BSI, DNV, BVQI, Schellman, Coalfire, A-LIGN, TÜV, SGS) Stage 1 + Stage 2 + annual surveillance workflow. Honest about what infrastructure scanning fundamentally cannot evidence (ISMS Clauses 4-10, internal audit execution, management review, risk treatment methodology) — saves you from the textbook ISO-canonical overclaim findings.

The market split: ISO-aware GRC platforms (Drata ISO 27001, Vanta ISO 27001, AuditBoard, OneTrust ISMS, Secureframe ISO 27001) automate SoA workflow + ISMS Clauses 4-10 + risk register + internal audit + management review + supplier risk management but lack deep cloud-infrastructure scanning at the per-Annex-A-code-evidence level. Legacy compliance scanners produce voluminous CVE reports but don't map findings to Annex A controls at the auditor-canonical per-code level. NSAuditor's wedge is the bridge — deep cloud + network scanning + ISO 27001:2022 per-Annex-A-code-mapped output + same Zero Data Exfiltration architecture used for SOC 2 + HIPAA + NIST CSF + PCI DSS (sensitive data never leaves customer infrastructure; air-gapped deployment for operator threat models requiring controlled boundary per Clause 4.3 ISMS scope).

Why per-Annex-A-code-level mapping

ISO/IEC 27001:2022 Annex A has a 2-level hierarchy:

• Theme (4 — A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological) — the top-level navigational grouping; reorganized from the 2013 edition's 14 categories.
• Annex A code (93 — e.g., A.5.15 Access control, A.8.5 Secure authentication, A.8.24 Use of cryptography) — the per-control granularity ISO/IEC 17021-1 certification body assessors attach evidence to during Stage 2 + surveillance.

ISO Lead Auditors walk Stage 2 + annual surveillance per-Annex-A-code against the operator's Statement of Applicability inclusions. Auditor-canonical evidence is per-Annex-A-code. Theme-level claims (e.g., "we cover A.8 Technological") don't survive institutional ISO Lead Auditor review — A.8 alone spans 34 controls; the assessor will ask which specific Annex A codes with what evidence.

NSAuditor maps at the per-Annex-A-code level. Per-control fields in data/compliance/iso-27001.json:

The 6 load-bearing schema enrichments (theme + annexACode + controlObjective + soaApplicability + isoEdition + iso2013Source) + the 5-attribute taxonomy + cloudProviderAttestation defend against 17 ship-blocker classes surfaced by the EE 0.12.0 P0 skill-research synthesis (Skill #18 audit-iso-27001-2022-statement-of-applicability + audit-soc2-evidence-sufficiency + audit-hipaa-risk-analysis-ocr + audit-nist-csf-2-implementation-tiers + audit-pci-dss-qsa-perspective lenses applied PRE-author at tasks/audit-iso-27001-2026-05-24.md). A schema-additive-fields propagation test enforces these fields reach the rendered report.

Statement of Applicability discipline (Clause 6.1.3.d)

The Statement of Applicability per Clause 6.1.3.d is THE central artifact of an ISMS conformant to ISO/IEC 27001:2022. For each of the 93 Annex A controls, the operator's SoA documents:

1. Control reference — the Annex A code (e.g., A.5.15) + the control title from ISO/IEC 27001:2022 Annex A
2. Inclusion or exclusion decision — "Included" or "Excluded"
3. Justification — anchored to the operator's risk assessment per Clause 6.1.2, legal/regulatory/contractual requirements per Clause 4.2 + A.5.31, and ISMS scope statement per Clause 4.3
4. Implementation status — Planned / In progress / Implemented / Not applicable
5. Reference to documentation — pointer to policies / procedures / runbooks / technical configuration evidence

Stage 1 certification body assessors review the SoA FIRST — before any technical evidence. The SoA must address every Annex A control; exclusions need particularly strong justification.

How NSAuditor pairs with the SoA

SoA discipline checklist: Completeness (all 93 controls addressed; no skips) · Justification quality (exclusions particularly scrutinized) · Internal consistency (risk register → risk treatment decisions per Clause 6.1.3 → SoA inclusions) · Edition currency (2022 codes, not 2013) · 11 NEW controls each explicitly addressed · Documentation traceability (implementation references producible on demand). If the SoA fails Stage 1, Stage 2 does NOT proceed — operator must remediate before scheduling Stage 2.

ISMS Clauses 4-10 — OOS-by-design

ISO/IEC 27001:2022 certification requires BOTH dimensions:

1. Annex A control implementation (93 controls — engine produces substrate per this report)
2. ISMS management-system Clauses 4-10 (operator-side processes — OOS-by-design for any infrastructure scanner)

This report evidences (1) only. For (2), pair with your GRC platform.

Coverage matrix by theme

Source of truth is data/compliance/iso-27001.json; this matrix mirrors it. The anchor-drift defense test asserts every (source, titlePattern) pair in iso-27001.json exists in soc2.json (inheritance contract — closes the silent false-CLEAN class at the ISO 27001 mapping layer, parallel to HIPAA + NIST CSF + PCI DSS inheritance defenses).

How to run an ISO 27001 scan

Penta-framework: SOC 2 + HIPAA + NIST CSF + PCI DSS + ISO 27001 in one scan

The engine is framework-agnostic — single scan, five compliance reports, zero duplicate scanning effort:

Cross-framework citation isolation defended by test: ISO 27001 renderer output cites only Annex A codes (A.X.Y format); SOC 2 / HIPAA / NIST CSF / PCI DSS citations never leak into ISO 27001 reports (10-pair-direction cross-framework defense matrix).

What you get — output artifacts

• Cover-page Scope Attestation — operator's ISMS scope per Clause 4.3 + per-Annex-A-code coverage matrix
• SoA-pairing disclaimer — explicit operator-prompt per Clause 6.1.3.d (engine produces substrate; SoA is operator-side)
• ISMS Clauses 4-10 OOS disclaimer — 7 Major Nonconformity classes enumerated + operator-side platform pairings per Clause
• Per-Annex-A-code findings — covered / partial / OOS sections with full rationale + informativeReferences cross-refs
• 5-attribute filtering — per-control attributes for assessor-style navigation
• Cloud-provider Certificate inheritance map — per-control cloudProviderAttestation field documenting which substrate AWS / Azure / GCP ISO 27001:2022 Certificates cover
• SHA-256 chain-of-custody sidecars — per-artifact tamper-evidence
• RFC 3161 trusted-timestamps — optional .tsr sidecars (operator-configured TSA)
• Markdown + HTML + JSON outputs — assessor-friendly markdown + browser-viewable HTML + machine-readable JSON

Covered Annex A controls (17)

Strongest substrate match — engine evidences full implementation:

A.5 Organizational (5)

• A.5.15 Access control — IAM substrate (SSH password auth, exposed admin panels, no-MFA detection)
• A.5.16 Identity management — IAM identity-lifecycle substrate (no-MFA principals; Azure guest/external identities)
• A.5.17 Authentication information — MFA + Secrets Manager rotation substrate
• A.5.18 Access rights — IAM permission substrate + effective-decrypt + shadow-admin path detection
• A.5.23 Information security for use of cloud services ⭐ NEW 2022 — cloud-provider AOC inheritance substrate

A.8 Technological (12)

• A.8.2 Privileged access rights — IAM privileged-role substrate
• A.8.3 Information access restriction — IAM resource-based-policy substrate
• A.8.5 Secure authentication — MFA + Telnet absence substrate
• A.8.8 Management of technical vulnerabilities — CVE-pipeline substrate via intelligence_engine
• A.8.9 Configuration management ⭐ NEW 2022 — Config drift substrate
• A.8.13 Information backup — AWS Backup Logically Air-Gapped Vault substrate
• A.8.15 Logging — CloudTrail audit-log substrate
• A.8.16 Monitoring activities ⭐ NEW 2022 — GuardDuty anomaly detection substrate
• A.8.20 Networks security — Security Group + NACL + VPC substrate + Azure NSG
• A.8.21 Security of network services — API Gateway TLS configuration + WAF WebACL substrate
• A.8.22 Segregation of networks — VPC segmentation + Subnet substrate
• A.8.24 Use of cryptography — KMS substrate + S3 encryption + crypto_agent weak-cipher detection

Partial Annex A controls (14)

Substrate present, operator-side completion needed:

A.5 Organizational (9)

• A.5.3 Segregation of duties — IAM substrate; operator's role-conflict matrix completes
• A.5.9 Inventory of information assets — VPC endpoint enumeration; operator's CMDB owner-mapping completes
• A.5.13 Labelling of information — S3 access-logging; operator's data classification scheme (A.5.12) completes
• A.5.14 Information transfer — RDS SSL; operator-side transfer-procedure documentation completes
• A.5.22 Supplier services monitoring — cross-account VPC endpoint; operator's TPRM program completes
• A.5.28 Collection of evidence — CloudTrail; operator-side chain-of-custody discipline completes
• A.5.33 Protection of records — S3 lifecycle; operator's records-retention schedule completes
• A.5.34 Privacy and protection of PII — S3 encryption; operator's PII inventory + GDPR/CCPA program completes
• A.5.36 Compliance with policies — Config-rules substrate; operator's compliance-review process (Clause 9.1) completes

A.8 Technological (5)

• A.8.6 Capacity management — CloudWatch capacity-metric; operator's capacity-planning process completes
• A.8.7 Protection against malware — GuardDuty malware-protection; endpoint EDR (CrowdStrike / SentinelOne / MS Defender) + LMS completes
• A.8.10 Information deletion ⭐ NEW 2022 — S3 lifecycle deletion; operator's data-retention schedule completes
• A.8.12 Data leakage prevention ⭐ NEW 2022 — S3 publicly-accessible; endpoint DLP (Proofpoint, Forcepoint) + CASB completes
• A.8.14 Redundancy of information processing facilities — Multi-AZ; operator's availability-target + failover-test cadence completes

Theme A.6 People + A.7 Physical — entirely OOS (22 controls)

22 of 93 Annex A controls = entirely OOS for cloud-hosted operators. Theme A.6 People (8 controls) is workforce-lifecycle; Theme A.7 Physical (14 controls) is facility-tier. For cloud-hosted operators, A.7 is inheritable from cloud-provider's ISO 27001:2022 Certificate via shared-responsibility model.

11 NEW 2022 controls — coverage summary

Pattern: 3 covered (cloud-service-inherited or substrate-native) + 2 partial (substrate + operator completion) + 6 OOS (process-driven or operator-side platform-required). Each NEW control must be explicitly addressed in operator's SoA — silent omission is a freshness-signal failure.

2013-to-2022 transition discipline

Migration pattern: 35 unchanged + 23 renamed + 57 merged-into-24 + 11 NEW = 93 controls in 2022 (down from 114 in 2013). Zero controls deleted entirely from 2013 — but some 2013 controls' content distributed across multiple 2022 controls (operator must re-thread justifications).

Example merges (per the iso2013Source field on each control):

• A.5.14 Information transfer = merge of 2013's A.13.2.1 + A.13.2.2 + A.13.2.3 + A.6.2.2 (4 separate controls collapsed to 1)
• A.5.17 Authentication information = merge of 2013's A.9.2.4 + A.9.3.1 + A.9.4.3
• A.5.18 Access rights = merge of 2013's A.9.2.2 + A.9.2.5 + A.9.2.6
• A.8.15 Logging = merge of 2013's A.12.4.1 + A.12.4.2 + A.12.4.3
• A.5.31 Legal/statutory/regulatory/contractual requirements = merge of 2013's A.18.1.1 + A.18.1.5

Migration pitfalls: Re-categorization not just renaming (2013's 14 categories A.5-A.18 collapsed to 4 themes A.5-A.8); 57-into-24 merges may obscure operator's prior implementation; 11 NEW controls have no 2013 source. For comprehensive 2013-to-2022 mapping, refer to ISO/IEC 27002:2022 Annex B (the official mapping) or the transition guide published by accredited certification bodies (BSI / DNV / BVQI / Schellman / Coalfire / A-LIGN).

5-attribute taxonomy (NEW in 2022 edition)

Each Annex A control in 2022 carries five attributes for assessor-style navigation:

The renderer surfaces attribute-grouped views ("All preventive controls" / "All confidentiality-property controls") at per-Annex-A surface for assessor walkthroughs.

Certification-cycle cadence — Stage 1 → Stage 2 → surveillance → recertification

ISO 27001 certification follows a 3-year cycle. Evidence needs differ per stage:

Accredited certification bodies (ISO/IEC 17021-1): BSI, DNV, BVQI, Schellman, Coalfire, A-LIGN, TÜV, SGS, Lloyd's Register, NQA, Intertek, KPMG, EY. Pricing typically $15K-$50K for initial Stage 1 + Stage 2 (mid-market scope); $5K-$15K for annual surveillance. Cert body selection: prefer those with ISO 27001 specialization + your target customer-base familiarity (financial services → BSI / DNV; healthcare → Schellman / Coalfire; federal-contractor scope → A-LIGN / Schellman).

Cloud-provider ISO 27001:2022 Certificate inheritance

For cloud-hosted operators, Theme A.7 Physical (all 14 controls) is entirely inheritable from cloud-provider's ISO 27001:2022 Certificate via shared-responsibility model:

• AWS ISO/IEC 27001:2022 Certificate (current as of 2026-Q1) — covers all A.7 controls for AWS-hosted resources
• Microsoft Azure ISO/IEC 27001:2022 Certificate (current as of 2026-Q1) — covers all A.7 controls for Azure-hosted resources
• Google Cloud Platform ISO/IEC 27001:2022 Certificate (current as of 2026-Q1) — covers all A.7 controls for GCP-hosted resources

Per-control cloudProviderAttestation field in data/compliance/iso-27001.json documents the per-cloud-provider Certificate reference. Cloud-provider Certificates are reissued on the provider's own 3-year cycle with annual surveillance — re-pull the current Certificate at every EE release cycle + every annual surveillance.

Zero Data Exfiltration — operator-controlled boundary per Clause 4.3 ISMS scope

NSAuditor AI EE inherits the same Zero Data Exfiltration architecture across all 5 supported frameworks:

• Local-only scanning — no scan data leaves the operator's environment; no SaaS dependency
• Local-only AI — Claude API integration is OPTIONAL (operator-configured); air-gapped fallback for federal-contractor + classified-data scope
• Operator-controlled signing — TSA configuration + Ed25519 suppression signing operator-side
• Chain-of-custody manifest — SHA-256 sidecars + RFC 3161 trusted-timestamps + envelope artifact integrity verification
• Configurable scope — operator excludes targets via CLI; scope-attestation cover page documents exclusions + justifications

This architecture is institutionally critical for ISO 27001:2022 because Clause 4.3 (ISMS scope) + Clause 5.2 (information security policy) require operator-controlled boundaries — a SaaS compliance tool that ingests scan data into a third-party cloud environment introduces a new TPSP per A.5.19-A.5.21 that operator's SoA must address. Zero Data Exfiltration sidesteps that TPSP expansion entirely.

Comparison vs the ISO 27001 market

Positioning: NSAuditor + ISO-aware GRC platform = full ISO 27001:2022 coverage. NSAuditor handles the substrate-evidence dimension where it's strongest (per-Annex-A-code technical configuration + signed evidence); GRC platform handles SoA + ISMS Clauses 4-10 + risk register + internal audit + management review workflow. The bundle is institutionally complete; each tool standalone leaves gaps the other fills.

ISO Lead Auditor FAQ

Does this report substitute for our Statement of Applicability?

No. The SoA per Clause 6.1.3.d is operator-side, maintained in your ISO-aware GRC platform. This report is INPUT to your SoA — for each covered/partial control, your SoA shows the control as Included with implementation status = Implemented/In progress + this report as documentation reference.

Does this report substitute for our internal audit per Clause 9.2?

No. Internal audits per Clause 9.2 are MANDATORY operator-side processes — must verify ISMS conforms to ISO 27001:2022 + the operator's own requirements + is effectively implemented and maintained. Cannot be performed by the same people who designed/implemented the ISMS (independence requirement). Absence = auto-fail Major Nonconformity.

Does this report substitute for our management review per Clause 9.3?

No. Management reviews per Clause 9.3 are MANDATORY — top management reviews the ISMS at planned intervals. Specific inputs + outputs required per the standard. Absence = auto-fail Major Nonconformity.

We're migrating from a 2013 certification. Can we use our existing SoA?

No. The 2013 edition transition deadline passed October 31, 2025. All active certificates must be 2022 edition. Use the iso2013Source field in data/compliance/iso-27001.json to map your 2013 controls to 2022 Annex A codes. Re-author your SoA against the 2022 Annex A before your next surveillance audit.

How do we address the 11 NEW 2022 controls in our SoA?

Each NEW control must be explicitly addressed (Included or Excluded with justification). 3 are substrate-evidenceable (A.5.23 cloud services, A.8.9 configuration management, A.8.16 monitoring activities — NSAuditor maps these); 2 are partial-substrate (A.8.10 information deletion, A.8.12 DLP); 6 are operator-side platform-required (A.5.7 threat intelligence, A.5.30 ICT readiness, A.7.4 physical security monitoring, A.8.11 data masking, A.8.23 web filtering, A.8.28 secure coding). See the per-control rows above for named operator-side platform pairings.

Why does the engine show 5 cybersecurity concepts and not 6 like NIST CSF 2.0?

ISO 27001:2022 retains the original 5 cybersecurity concepts (identify / protect / detect / respond / recover). NIST CSF 2.0 added Govern as the 6th category in 2024 — but ISO 27001:2022 was published in October 2022 and retains the original 5. The engine's per-control attributes.cybersecurityConcepts field reflects ISO 27001:2022 semantics; do not conflate with NIST CSF 2.0's 6 categories. A schema-level test asserts no 'govern' value leaks into the ISO 27001 cybersecurityConcepts attribute.

What's the difference between the engine's controlType and operating effectiveness?

controlType describes WHAT the control does (preventive = blocks events; detective = detects events; corrective = remediates after events). Operating effectiveness is WHETHER the control is operating correctly across the assessment window. NSAuditor evidences the CONFIGURATION substrate (i.e., the control is configured in a way that supports its type); operating effectiveness across the assessment window requires audit-log sampling + SIEM correlation that pair with engine substrate.

Our cloud provider has an ISO 27001:2022 Certificate. Can we exclude all A.7 Physical controls from our SoA?

Likely yes for cloud-hosted operators. The cloudProviderAttestation field references the cloud-provider Certificates (AWS / Azure / GCP). Your SoA shows A.7.* controls as Excluded with justification "operator uses [AWS / Azure / GCP] shared-responsibility model; [Provider]'s ISO 27001:2022 Certificate covers the physical layer." Provide the current [Provider] Certificate to your assessor at Stage 1.

What's the cadence for re-verifying cloud-provider Certificates?

Annually. Cloud-provider Certificates are reissued on the provider's own 3-year cycle with annual surveillance — re-pull the current Certificate at every EE release cycle + every annual surveillance.

What's the recommended approach for documenting evidence cadence for surveillance?

Schedule scans at cadence matching the control's operating frequency. For continuous-monitoring controls (A.8.16 Monitoring activities), monthly or weekly scans align to "continuous" semantics. For periodic-review controls (A.5.36 Compliance reviews), quarterly scans align. Operator's SoA documents the planned cadence; engine substrate evidences the executed cadence.

Does NSAuditor cover ISO/IEC 27001:2013?

No — explicitly only ISO/IEC 27001:2022. The 2013 edition transition deadline passed October 31, 2025. The version pin is enforced in data/compliance/iso-27001.json version: "2022" and reflected in the rendered frameworkLabel. Schema validation rejects 2013-edition Annex A codes.