ISO/IEC 27001:2022
Aligned with ISO/IEC 27001, Annex A.
ISO/IEC 27001 is the international standard for an information security management system (ISMS). AxioRank gives you live control coverage for the Annex A technological safeguards, plus evidence an auditor can verify offline.
Evidence of technical controls, not a certification. Only an accredited body can certify your ISMS.
- A.5 Organizational controls
- A.6 People controls
- A.7 Physical controls
- A.8 Technological controls
The mapping
Every Annex A theme, tied to a control that is actually running.
Below, representative Annex A controls are paired with the AxioRank capability that addresses each, and we are honest about where we only help in part. This table is generated from the same catalog that computes your live posture and your evidence pack.
Organizational controls
Accountability, incident-management planning, and protection of records.
- A.5.15 Access control (Partially addressed)
What the standard asks: Rules to control physical and logical access to information are established and implemented based on business and security requirements.
How AxioRank addresses it: Four-level workspace RBAC, enforced MFA and SSO, and scoped, expiring API keys gate every actor's logical access; the access review is exported in the evidence bundle. Rules for physical access remain with your ISMS.
- A.5.24 Information security incident management planning and preparation (Partially addressed)
What the standard asks: Information security incident management is planned and prepared by defining, establishing, and communicating processes, roles, and responsibilities.
How AxioRank addresses it: Correlated incidents open automatically from governed-call signals, and response rules can quarantine an agent or revoke its keys the moment a threshold trips; the documented processes, roles, and responsibilities the control calls for remain yours to define.
- A.5.25 Assessment and decision on information security events (Partially addressed)
What the standard asks: Information security events are assessed and it is decided whether they are to be categorized as information security incidents.
How AxioRank addresses it: Every governed call is scored and recorded, so security events are triaged against policy and promoted to correlated incidents on a durable, reviewable record.
- A.5.33 Protection of records (Fully addressed)
What the standard asks: Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release.
How AxioRank addresses it: The audit log is append-only and sealed hourly into a signed Merkle ledger; any alteration, deletion, or reordering breaks the chain, and retention is attested.
People controls
Awareness and training for the workforce that handles information.
- A.6.3 Information security awareness, education and training (Out of scope)
What the standard asks: Personnel receive appropriate information security awareness, education, and training relevant to their role.
How AxioRank addresses it: It does not. This is a people control: AxioRank does not train your staff, and your ISMS owns awareness and training.
Physical controls
Facility and premises safeguards for the systems that hold data.
- A.7.4 Physical security monitoring (Out of scope)
What the standard asks: Premises are continuously monitored for unauthorized physical access.
How AxioRank addresses it: It does not. This is a physical control that sits with your premises and your data-center provider; it is out of scope for an application-layer control plane.
Technological controls
Access, logging, monitoring, and cryptography enforced in the system.
- A.8.2 Privileged access rights (Partially addressed)
What the standard asks: The allocation and use of privileged access rights are restricted and managed.
How AxioRank addresses it: Admin-scoped roles, per-key scopes with rotation and expiry, and dual control for high-risk actions restrict privilege; each privileged change is recorded.
- A.8.5 Secure authentication (Partially addressed)
What the standard asks: Secure authentication technologies and procedures are implemented based on access control rules.
How AxioRank addresses it: SAML single sign-on and enforced MFA authenticate every human; agents authenticate with short-lived, scoped credentials rather than shared static secrets.
- A.8.12 Data leakage prevention (Partially addressed)
What the standard asks: Data leakage prevention measures are applied to systems, networks, and devices that process, store, or transmit sensitive information.
How AxioRank addresses it: Information-flow control blocks untrusted-to-sink exfiltration, egress allowlists stop off-list destinations, and secrets and PII are redacted before they reach the log.
- A.8.15 Logging (Fully addressed)
What the standard asks: Logs recording activities, exceptions, faults, and other relevant events are produced, stored, protected, and analyzed.
How AxioRank addresses it: Every governed tool call is logged before the decision returns, into an append-only, hash-chained, signed ledger that is verifiable offline against a published key.
- A.8.16 Monitoring activities (Partially addressed)
What the standard asks: Networks, systems, and applications are monitored for anomalous behavior and appropriate actions taken to evaluate potential incidents.
How AxioRank addresses it: Content and ML risk scoring runs on every call, coverage rollups show monitored breadth, and response rules act on anomalies automatically.
- A.8.24 Use of cryptography (Partially addressed)
What the standard asks: Rules for the effective use of cryptography, including key management, are defined and implemented.
How AxioRank addresses it: The audit ledger is sealed with Ed25519 signed tree heads and the verification keys are published as a JWKS; data is encrypted in transit and at rest by the platform.
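The three ledger claims above (A.5.33, A.8.15 and A.8.24) rest on one mechanism: each record carries the hash of the record before it, the chain is periodically sealed by an Ed25519 signature over its head, and the verification key is published as a JWKS so a reviewer can recompute everything from the export alone. The Go program below is an added example written for this page to show that mechanism end to end; it is not AxioRank's code, and the record layout, the `sth|<size>|` message the signature covers, the key id `ledger-key-1` and the sample records are all assumptions. It seals the chain head rather than a Merkle root, which gives the same tamper evidence for a whole export (a Merkle tree additionally allows per-entry inclusion proofs), and it shows an untouched export verifying while an edited entry and a truncated export are rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Entry is one append-only record whose Prev is the hash of the entry before it;
// TreeHead is the seal over the chain. Assumed layouts, not AxioRank's format.
type Entry struct{ Prev []byte; Data string }
type TreeHead struct{ Size int; Head, Sig []byte }

// hashEntry binds a record to its predecessor: SHA-256(prev || data).
func hashEntry(e Entry) []byte {
	h := sha256.Sum256(append(append([]byte{}, e.Prev...), e.Data...))
	return h[:]
}

// headMessage is the exact byte string the Ed25519 signature covers; the entry
// count is bound so a shorter prefix cannot be passed off under the same seal.
func headMessage(size int, head []byte) []byte {
	return append([]byte(fmt.Sprintf("sth|%d|", size)), head...)
}

// Seal is the operator side: chain the records (the first entry points at an
// all-zero hash), then sign the chain head together with the entry count.
func Seal(records []string, priv ed25519.PrivateKey) ([]Entry, TreeHead) {
	var entries []Entry
	head := make([]byte, sha256.Size)
	for _, r := range records {
		entries = append(entries, Entry{head, r})
		head = hashEntry(entries[len(entries)-1])
	}
	return entries, TreeHead{len(entries), head, ed25519.Sign(priv, headMessage(len(entries), head))}
}

// PublishJWKS encodes the verification key as an RFC 8037 OKP/Ed25519 JWK set.
func PublishJWKS(pub ed25519.PublicKey, kid string) []byte {
	x := base64.RawURLEncoding.EncodeToString(pub)
	b, _ := json.Marshal(map[string][]map[string]string{"keys": {
		{"kty": "OKP", "crv": "Ed25519", "kid": kid, "x": x}}})
	return b
}

// Verify is the reviewer side and needs only the exported entries, the tree head
// and the JWKS: select the key by kid, replay the chain, check head and signature.
func Verify(entries []Entry, th TreeHead, jwks []byte, kid string) error {
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	if err := json.Unmarshal(jwks, &set); err != nil {
		return err
	}
	var pub ed25519.PublicKey
	for _, k := range set.Keys {
		if k.Kid == kid && k.Kty == "OKP" && k.Crv == "Ed25519" {
			pub, _ = base64.RawURLEncoding.DecodeString(k.X)
		}
	}
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("no Ed25519 key %q in JWKS", kid)
	}
	head := make([]byte, sha256.Size)
	for i, e := range entries {
		if !bytes.Equal(e.Prev, head) {
			return fmt.Errorf("chain broken at entry %d", i)
		}
		head = hashEntry(e)
	}
	if th.Size != len(entries) || !bytes.Equal(head, th.Head) {
		return fmt.Errorf("export does not match the sealed chain head")
	}
	if !ed25519.Verify(pub, headMessage(th.Size, th.Head), th.Sig) {
		return fmt.Errorf("tree head signature invalid")
	}
	return nil
}

// Demo seals three constructed records and reports whether the untouched,
// an edited and a truncated export verify: expect [true false false].
func Demo() [3]bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	records := []string{"allow tool=search actor=agent-7", "deny tool=shell actor=agent-7",
		"revoke key=ak_3 reason=threshold"} // constructed sample records, not real log lines
	entries, th := Seal(records, priv)
	jwks := PublishJWKS(pub, "ledger-key-1")
	edited := append([]Entry(nil), entries...)
	edited[1].Data = "allow tool=shell actor=agent-7" // rewrite a decision after sealing
	return [3]bool{
		Verify(entries, th, jwks, "ledger-key-1") == nil,
		Verify(edited, th, jwks, "ledger-key-1") == nil,
		Verify(entries[:2], th, jwks, "ledger-key-1") == nil,
	}
}

func main() { fmt.Println(Demo()) }
```

What the reviewer needs is exactly what the evidence pack is described as containing: the entries, the signed head and the public key. Two caveats apply when reading such a pack. The seal proves the log was not changed after sealing, not that it was complete when sealed, which is why the "logged before the decision returns" ordering in A.8.15 matters. And the JWKS should be fetched from the publisher rather than taken from inside the pack; otherwise the signature proves only that whoever built the pack held some key.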
Evidence, not certification
Provable, not just stated
Compute your live posture and download the evidence.
Inside the console, the Compliance view projects your live AxioRank configuration onto the Annex A controls and scores your coverage. Export a point-in-time evidence pack with the control mapping, your governance config, decision counts, and the signed, tamper-evident log, so a reviewer can verify it without trusting our word.
Evidence, not assertions
Sources
Straight from the standard.
The standard and its companion controls guidance, in the publisher's own words.
Meet ISO/IEC 27001 with controls you can prove.
Map your live AxioRank configuration onto Annex A, then hand your reviewer an evidence pack they can verify offline.