This page lists the highest-traffic ISO 27001:2022 Annex A controls and the exact evidence Codex collects for each. Companion to the ISO 27001 framework guide.

Theme A.5 — Organizational controls

A.5.7 — Threat intelligence

Source         API call                                         Cadence
CrowdStrike    /intel/queries/indicators/v1                     Daily
SentinelOne    /web/api/v2.1/threat-intelligence/indicators     Daily
Wiz            /api/v1/issues?type=THREAT                       Every 6 hours
Auditors look for: documented threat intel feed configured AND evidence the team reviews/acts on it. Codex tracks both ingestion cadence and ticket-creation rate against incoming threats.

A.5.16 — Identity management

Same evidence as SOC 2 CC6.1. Codex pulls IdP user creation logs (Google Admin SDK, Microsoft Graph audit logs, Okta /api/v1/logs?filter=eventType eq "user.lifecycle.create") and matches each provisioning event to the HRIS new-hire record.

A.5.18 — Access rights

Quarterly access review snapshot exported as the ISMS access-review record. Per-user, per-app role table with reviewer attestation timestamp.

A.5.23 — Information security for use of cloud services

Cloud baseline configuration evidence per CSP:
  • AWS: Config rules + Security Hub findings + IAM Access Analyzer
  • GCP: Security Command Center findings + Asset Inventory baseline
  • Azure: Defender for Cloud secure score + Policy compliance
Per-CSP baseline drift report shows configurations changed vs documented baseline.

A.5.24-27 — Information security incident management

Per-incident evidence pulled from PagerDuty / Linear / Jira:
  • Incident detection time (alert fired)
  • Acknowledgment time (oncall paged)
  • Resolution time
  • Post-mortem document link
  • Root cause + corrective action
Aggregate metrics (MTTR by severity, incident volume trends) for ISMS reporting.

Theme A.6 — People controls

A.6.1 — Screening

HRIS connector pulls background-check completion records for each new hire:
  • Hire date
  • Background check vendor (Checkr, Sterling, etc.)
  • Check completion date
  • Status (clear, with-flags, declined)
Auditors look for: every active employee has a completed check on file before their start date OR documented exception with risk acceptance.

A.6.3 — Information security awareness, education and training

LMS connector pulls per-user training completion:
  • Course name (Security Awareness, GDPR, HIPAA, role-specific)
  • Completion date
  • Score (where applicable)
  • Cadence: annual mandatory + new-hire onboarding

A.6.5 — Responsibilities after termination

The killer evidence: HRIS termination → IdP deactivation gap report (same as SOC 2 CC6.6).
Termination event:    2026-04-15 17:00 UTC (BambooHR: bob@company.com)
IdP deactivation:     2026-04-15 17:08 UTC (Okta: bob@company.com)
Gap:                  8 minutes ✓ (under 24h SLA)
Asset return:         2026-04-16 (MDM: 3 devices wiped + reassigned)
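The gap report above is a join of two feeds: HRIS termination records and IdP lifecycle events, graded against the 24h SLA. The following is an added example of that join, not Codex's own code; the HRIS records and the Okta-System-Log-like events (eventType, published, target[].alternateId) are constructed sample data, and the output format mirrors the record shown above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Offboarding SLA stated on the page: IdP deactivation within 24h of HRIS termination.
DEACTIVATION_SLA = timedelta(hours=24)

# Constructed sample HRIS termination records (hypothetical, BambooHR-like shape).
HRIS_TERMINATIONS = [
    {"email": "bob@example.com",   "terminated_at": "2026-04-15T17:00:00Z"},
    {"email": "carol@example.com", "terminated_at": "2026-04-14T09:00:00Z"},
    {"email": "dave@example.com",  "terminated_at": "2026-04-16T12:00:00Z"},
]

# Constructed IdP audit events in an Okta System Log-like shape. Only the
# user.lifecycle.deactivate events feed the gap report; other event types are ignored.
IDP_EVENTS = [
    {"eventType": "user.lifecycle.deactivate", "published": "2026-04-15T17:08:00Z",
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": "user.lifecycle.deactivate", "published": "2026-04-16T11:30:00Z",
     "target": [{"type": "User", "alternateId": "Carol@example.com"}]},
    {"eventType": "user.session.start", "published": "2026-04-16T13:00:00Z",
     "target": [{"type": "User", "alternateId": "dave@example.com"}]},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used by both feeds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class GapRecord:
    email: str
    terminated_at: datetime
    deactivated_at: Optional[datetime]
    gap: Optional[timedelta]
    status: str  # "ok" | "sla_breach" | "missing"


def earliest_deactivations(idp_events) -> dict:
    """Map each login (lower-cased) to its earliest user.lifecycle.deactivate timestamp."""
    first = {}
    for ev in idp_events:
        if ev.get("eventType") != "user.lifecycle.deactivate":
            continue
        ts = parse_ts(ev["published"])
        for target in ev.get("target", []):
            login = (target.get("alternateId") or "").lower()
            if login and (login not in first or ts < first[login]):
                first[login] = ts
    return first


def build_gap_report(terminations, idp_events, sla=DEACTIVATION_SLA):
    """Join HRIS terminations to IdP deactivations and grade each against the SLA."""
    deactivated = earliest_deactivations(idp_events)
    report = []
    for rec in terminations:
        term = parse_ts(rec["terminated_at"])
        deact = deactivated.get(rec["email"].lower())
        if deact is None:
            # No deactivation at all: the account is still live after termination.
            report.append(GapRecord(rec["email"], term, None, None, "missing"))
            continue
        gap = deact - term
        # A deactivation ahead of the HRIS timestamp (negative gap) is still compliant.
        status = "ok" if gap <= sla else "sla_breach"
        report.append(GapRecord(rec["email"], term, deact, gap, status))
    return report


def render(rec: GapRecord, sla=DEACTIVATION_SLA) -> str:
    """Format one record the way the page's gap report reads."""
    hours = int(sla.total_seconds() // 3600)
    if rec.status == "missing":
        return f"{rec.email}: no IdP deactivation found (over {hours}h SLA)"
    minutes = int(rec.gap.total_seconds() // 60)
    mark, qualifier = ("✓", "under") if rec.status == "ok" else ("✗", "over")
    return f"{rec.email}: {minutes} minutes {mark} ({qualifier} {hours}h SLA)"


if __name__ == "__main__":
    for rec in build_gap_report(HRIS_TERMINATIONS, IDP_EVENTS):
        print(render(rec))
```

The three statuses cover the cases an auditor asks about: a deactivation inside the SLA, one outside it, and a termination with no matching IdP event at all, which is the finding that matters most and is easy to lose if the join silently drops unmatched rows.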

Theme A.8 — Technological controls (highest density)

A.8.1 — User endpoint devices

MDM device inventory with:
  • Compliance state per device
  • Last check-in time
  • Encryption status (FileVault, BitLocker)
  • OS patch level vs latest
Filtered by org unit + assigned user for risk segmentation.

A.8.5 — Secure authentication

Source              Evidence
Okta                MFA enrollment per user; auth policy strength per app
Google Workspace    2-Step Verification status per user; Advanced Protection enrollment
Microsoft Entra     Conditional access policy effectiveness; sign-in risk reports
Auditors specifically want: MFA enrollment rate ≥ 95% across active users, exceptions documented.

A.8.7 — Protection against malware

EDR coverage from CrowdStrike / SentinelOne:
  • Endpoints with EDR installed (% coverage)
  • Endpoints with stale definitions (% out-of-date)
  • Detected threats in period + remediation outcomes

A.8.8 — Management of technical vulnerabilities

Multi-source vulnerability roll-up:
  • Snyk / GitHub Dependabot: dependency CVEs
  • Wiz / Orca / Aqua: cloud workload + IaC findings
  • Qualys / Tenable: infrastructure scans
  • Nuclei / OWASP ZAP: web app scans
Per-finding lifecycle: discovered → triaged → remediated, with SLA tracking by severity (Critical 7d, High 30d, Moderate 90d).
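Below is an added example of the per-finding SLA tracking described above (not Codex's own code): it normalizes the severity labels that differ across scanners, derives a due date from the page's Critical 7d / High 30d / Moderate 90d tiers, and grades each finding as remediated in or out of SLA, open within SLA, or overdue. The findings are constructed sample data with hypothetical ids, and the "medium" to "moderate" alias is an assumption about scanner vocabulary.

```python
from collections import Counter
from datetime import date, timedelta

# Remediation SLAs by severity as stated on the page.
SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90}

# Scanner vocabularies differ; map common labels onto the page's three tiers.
# Assumption: a source's "medium" is treated as the page's "moderate".
SEVERITY_ALIASES = {"medium": "moderate"}

# Reporting date used for the open findings (constructed).
AS_OF = date(2026, 4, 17)

# Constructed findings from several sources (hypothetical ids, not real CVEs).
FINDINGS = [
    {"id": "F-1", "source": "Dependabot", "severity": "Critical", "discovered": "2026-03-01", "remediated": "2026-03-05"},
    {"id": "F-2", "source": "Wiz",        "severity": "High",     "discovered": "2026-03-01", "remediated": "2026-04-10"},
    {"id": "F-3", "source": "Qualys",     "severity": "Medium",   "discovered": "2026-02-01", "remediated": None},
    {"id": "F-4", "source": "Nuclei",     "severity": "critical", "discovered": "2026-04-05", "remediated": None},
    {"id": "F-5", "source": "Snyk",       "severity": "Low",      "discovered": "2026-04-01", "remediated": None},
]


def normalize_severity(raw: str) -> str:
    """Lower-case the label and apply cross-scanner aliases."""
    sev = raw.strip().lower()
    return SEVERITY_ALIASES.get(sev, sev)


def classify(finding: dict, as_of: date) -> dict:
    """Compute the due date and lifecycle status of one finding.

    Statuses: remediated_in_sla, remediated_late, open_in_sla, overdue, no_sla.
    """
    sev = normalize_severity(finding["severity"])
    discovered = date.fromisoformat(finding["discovered"])
    remediated = date.fromisoformat(finding["remediated"]) if finding["remediated"] else None
    if sev not in SLA_DAYS:
        # Severities below the tracked tiers carry no SLA; keep them visible, not dropped.
        return {"id": finding["id"], "severity": sev, "due": None, "status": "no_sla", "days_over": 0}
    due = discovered + timedelta(days=SLA_DAYS[sev])
    if remediated is not None:
        status = "remediated_in_sla" if remediated <= due else "remediated_late"
        days_over = max(0, (remediated - due).days)
    else:
        status = "open_in_sla" if as_of <= due else "overdue"
        days_over = max(0, (as_of - due).days)
    return {"id": finding["id"], "severity": sev, "due": due, "status": status, "days_over": days_over}


def summarize(findings, as_of: date) -> Counter:
    """Count findings per (severity, status) for the ISMS roll-up."""
    return Counter((row["severity"], row["status"]) for row in (classify(f, as_of) for f in findings))


def overdue_ids(findings, as_of: date) -> list:
    """Open findings past their SLA, most overdue first, for the exceptions list."""
    rows = [classify(f, as_of) for f in findings]
    return [r["id"] for r in sorted(rows, key=lambda r: -r["days_over"]) if r["status"] == "overdue"]


if __name__ == "__main__":
    for f in FINDINGS:
        print(classify(f, AS_OF))
    print(summarize(FINDINGS, AS_OF))
    print("overdue:", overdue_ids(FINDINGS, AS_OF))
```

Grading remediated findings against their due date, not just open ones, is what lets the roll-up show whether the SLA is being met over the audit period rather than only at the snapshot date.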

A.8.9 — Configuration management

Source                Evidence
AWS Config            Per-resource baseline drift
GCP Asset Inventory   Resource state changes
Azure Policy          Compliance score per policy
Terraform Cloud       Plan/apply log + drift detection
Each configuration change is correlated to the PR in the code host that introduced it (maps to NIST SP 800-53 CM-3, Configuration Change Control).

A.8.13 — Information backup

Backup snapshot history per cloud connector + restore-test attestation log.
Resource: prod-database (RDS instance)
Backup type: Automated daily snapshots + weekly cross-region
Retention: 30 days
Last successful backup: 2026-04-17 02:00 UTC
Last restore test: 2026-03-15 (passed, RPO < 5 min)
Next scheduled restore test: 2026-06-15

A.8.15 — Logging

SIEM coverage report per system + per event type:
  • Auth events (success, failure, MFA bypass)
  • Configuration changes
  • Privileged operations
  • Data access (read/write)
Coverage gaps surfaced as exceptions.

A.8.20-23 — Network security

Cloud connector pulls VPC config, security group rules, WAF policies, and network segmentation diagrams (DNS records + service mesh config).

A.8.24 — Use of cryptography

Asset class         Evidence
TLS endpoints       TLS 1.2+ enforcement; weak cipher absence; cert expiration tracking
At-rest encryption  Per-resource encryption config (RDS KMS, S3 SSE, etc.)
Key management      KMS key inventory + rotation history

A.8.25-29 — Secure development lifecycle

GitHub / GitLab connector pulls:
  • Branch protection rules per repo
  • Required reviewer count + status
  • CI status enforcement (tests must pass, security scans must pass)
  • Secret-detection (GitHub Secret Scanning, GitGuardian) findings + remediation
  • Code review participation rates per developer

A.8.31 — Separation of dev / test / prod

Cloud account/project separation evidence:
  • Dev resources in dev account, prod in prod account
  • IAM roles cannot cross account boundaries
  • Network isolation between environments

What this catalog isn’t

This is the technical-control bucket — about 35 of Annex A’s 93 controls. The other ~58 (organizational policy, HR process, supplier management, physical security) are tracked in Codex via document links + manual attestations + assigned owners. See the ISO 27001 framework guide for the full mapping.