Skip to main content
ISO 27001:2022 is the international standard for information security management systems (ISMS). The 2022 revision restructured Annex A from 114 controls in 14 domains down to 93 controls in 4 themes. Codex maps to the 2022 revision.

ISO 27001 vs SOC 2

If you sell internationally, you need both. Codex maintains the mapping so evidence collected for SOC 2 also satisfies the equivalent ISO 27001 control. No duplicate work.

The 4 themes (Annex A 2022)

Theme A.5 — Organizational controls (37 controls)

Policy framework, roles, supplier management, incident management. Codex auto-evidences:
  • A.5.7 Threat intelligence — feed from CrowdStrike/SentinelOne/Wiz
  • A.5.10 Acceptable use — link to your published AUP + training completion
  • A.5.16 Identity management — IdP user provisioning logs
  • A.5.18 Access rights — per-app role assignments from IdP
  • A.5.23 Cloud services info security — AWS/GCP/Azure security baseline configs
  • A.5.24-27 Incident management — ticketing system events with timestamps and resolutions
Manual: A.5.1 (policies), A.5.2 (roles), A.5.4 (management direction), A.5.19-22 (supplier security — vendor questionnaires).

Theme A.6 — People controls (8 controls)

HR security: screening, terms of employment, training, disciplinary process. Codex auto-evidences:
  • A.6.1 Screening — background check completion from BambooHR/Rippling/Gusto HRIS connector
  • A.6.3 Information security awareness — LMS training completion records
  • A.6.5 Responsibilities after termination — HRIS termination → IdP deactivation diff (proves access removal SLA)
Manual: A.6.2 (terms of employment — contract template), A.6.4 (disciplinary), A.6.7-8 (remote work + reporting).

Theme A.7 — Physical controls (14 controls)

Facility security, equipment, removable media. Mostly relevant if you have offices/datacenters; SaaS-only companies often scope these out. Codex auto-evidences:
  • A.7.1-2 Physical security perimeter + entry — badge system logs (where integrated)
  • A.7.7 Clear desk/clear screen — MDM screen lock policy + idle timeout enforcement
Manual: most A.7 controls are policy + occasional inspection (you walk the office, take photos, attest annually).

Theme A.8 — Technological controls (34 controls)

The biggest auto-evidence opportunity. Network, endpoint, cryptography, application security, logging. Codex auto-evidences (heavy auto-fill area):

Statement of Applicability (SoA)

ISO 27001 requires you to publish a Statement of Applicability documenting which Annex A controls apply, why, and how they’re implemented. Codex generates a draft SoA from your evidence:
  • Controls auto-evidenced → marked “applicable + implemented” with evidence source
  • Controls assigned to humans → marked “applicable + implemented” with link to evidence repo
  • Controls you’ve explicitly excluded → marked “not applicable” with required justification
Edit the draft, save, and export. The auditor wants to see this document — Codex makes it real-time accurate instead of a stale spreadsheet.

Setup order

Same as SOC 2 — start with IdP, then MDM, then code host, then ticketing, then cloud. You’ll cover ~75% of A.5 + A.6 + A.8 in the first month.

When you’re ready for the auditor

Reports → ISO 27001 evidence package outputs:
  • Statement of Applicability (current state)
  • Per-control evidence snapshots
  • Risk treatment plan + risk register (you import these from your existing risk-mgmt process)
  • Internal audit findings + management review minutes
Most ISO 27001 auditors accept Codex packages directly; some require evidence in their own portal — Codex CSV export covers that.