ISO/IEC 27001:2022

Aligned with ISO/IEC 27001, Annex A.

ISO/IEC 27001 is the international standard for an information security management system. AxioRank gives you a live control mapping for the Annex A technical safeguards, plus evidence an auditor can verify offline.

Evidence of technical controls, not a certification. Only an accredited body can certify your ISMS.

ISO/IEC 27001:2022 | Annex A themes
  1. A.5 Organizational controls
  2. A.6 People controls
  3. A.7 Physical controls
  4. A.8 Technological controls

Evidence for the information security management system (ISMS):
  • Annex A: 2022 controls mapped
  • 4 control themes covered
  • 2022: current revision
  • Offline: verifiable evidence

The mapping

Every Annex A theme, tied to a control that is actually running.

Below, representative Annex A controls are paired with the AxioRank capability that addresses each, and we are honest about where we only help in part. This table is generated from the same catalog that computes your live posture and your evidence pack.

Theme 1

Organizational controls

Accountability, incident-management planning, and protection of records.

  • A.5.15 Access control (Partially addressed)

    What the standard asks: Rules to control physical and logical access to information are established and implemented based on business and security requirements.

    How AxioRank addresses it: Four-level workspace RBAC, enforced MFA and SSO, and scoped, expiring API keys gate every actor; the access review is exported in the evidence bundle.

  • A.5.24 Information security incident management planning (Partially addressed)

    What the standard asks: Information security incident management is planned and prepared by defining, establishing, and communicating processes, roles, and responsibilities.

    How AxioRank addresses it: Correlated incidents open automatically from governed-call signals, and response rules can quarantine an agent or revoke its keys the moment a threshold trips.

  • A.5.25 Assessment and decision on information security events (Partially addressed)

    What the standard asks: Information security events are assessed and it is decided whether they are to be categorized as information security incidents.

    How AxioRank addresses it: Every governed call is scored and recorded, so security events are triaged against policy and promoted to correlated incidents on a durable, reviewable record.

  • A.5.33 Protection of records (Fully addressed)

    What the standard asks: Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release.

    How AxioRank addresses it: The audit log is append-only and sealed hourly into a signed Merkle ledger; any alteration, deletion, or reordering breaks the chain, and retention is attested.

Theme 2

People controls

Awareness and training for the workforce that handles information.

  • A.6.3 Information security awareness, education and training (Out of scope)

    What the standard asks: Personnel receive appropriate information security awareness, education, and training relevant to their role.

    How AxioRank addresses it: This is a people control: AxioRank does not train your staff. Your ISMS owns awareness and training.

Theme 3

Physical controls

Facility and premises safeguards for the systems that hold data.

  • A.7.4 Physical security monitoring (Out of scope)

    What the standard asks: Premises are continuously monitored for unauthorized physical access.

    How AxioRank addresses it: This is a physical control that rests with you and your data-center provider; it is out of scope for an application-layer control plane.

Theme 4

Technological controls

Access, logging, monitoring, and cryptography enforced in the system.

  • A.8.2 Privileged access rights (Partially addressed)

    What the standard asks: The allocation and use of privileged access rights are restricted and managed.

    How AxioRank addresses it: Admin-scoped roles, per-key scopes with rotation and expiry, and dual control for high-risk actions restrict privilege; each privileged change is recorded.

  • A.8.5 Secure authentication (Partially addressed)

    What the standard asks: Secure authentication technologies and procedures are implemented based on access control rules.

    How AxioRank addresses it: SAML single sign-on and enforced MFA authenticate every human; agents authenticate with short-lived, scoped credentials rather than shared static secrets.

  • A.8.12 Data leakage prevention (Partially addressed)

    What the standard asks: Data leakage prevention measures are applied to systems, networks, and devices that process, store, or transmit sensitive information.

    How AxioRank addresses it: Information-flow control blocks untrusted-to-sink exfiltration, egress allowlists stop off-list destinations, and secrets and PII are redacted before they reach the log.

  • A.8.15 Logging (Fully addressed)

    What the standard asks: Logs recording activities, exceptions, faults, and other relevant events are produced, stored, protected, and analyzed.

    How AxioRank addresses it: Every governed tool call is logged before the decision returns, into an append-only, hash-chained, signed ledger that is verifiable offline against a published key.

  • A.8.16 Monitoring activities (Partially addressed)

    What the standard asks: Networks, systems, and applications are monitored for anomalous behavior and appropriate actions taken to evaluate potential incidents.

    How AxioRank addresses it: Content and ML risk scoring runs on every call, coverage rollups show monitored breadth, and response rules act on anomalies automatically.

  • A.8.24 Use of cryptography (Partially addressed)

    What the standard asks: Rules for the effective use of cryptography, including key management, are defined and implemented.

    How AxioRank addresses it: The audit ledger is sealed with Ed25519 signed tree heads and the verification keys are published as a JWKS; data is encrypted in transit and at rest by the platform.

Evidence, not certification

ISO/IEC 27001 certification is issued only by an accredited certification body after it audits your information security management system. AxioRank maps your live controls to Annex A and produces verifiable evidence for the technical safeguards. It does not certify your ISMS, and the organizational, people, and physical controls remain yours to run.

Provable, not just stated

Compute your live posture and download the evidence.

Inside the console, the Compliance view projects your live AxioRank configuration onto the Annex A controls and scores your coverage. Export a point-in-time evidence pack with the control mapping, your governance config, decision counts, and the signed, tamper-evident log, so a reviewer can verify it without trusting our word.

# the ISO 27001 evidence pack, generated from your live controls
/api/compliance/evidence-bundle?profile=iso-27001
✓ MAPPING.md · posture.json · governance-config.json · signed tree head · JWKS
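How a reviewer can check an exported hash-chained, Merkle-sealed log against a published Ed25519 key offline, as an added example that is not AxioRank's code (it covers the A.5.33, A.8.15 and A.8.24 rows above as well as the evidence pack). The record encoding, the chaining and tree-head byte layouts, and taking the public key as raw bytes rather than decoding it from the JWKS are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
)

// ChainHashes turns ordered log records into hash-chained leaves, leaf[i] = SHA-256(leaf[i-1] || record[i]),
// so an edited, deleted or reordered record changes every leaf from that point on (assumed layout).
func ChainHashes(records [][]byte) [][32]byte {
	leaves := make([][32]byte, len(records)+1) // leaves[0] stays the all-zero hash before the first record
	for i, r := range records {
		leaves[i+1] = sha256.Sum256(append(leaves[i][:], r...)) // leaves[i][:] has cap 32, so append copies
	}
	return leaves[1:]
}

// MerkleRoot folds the leaves pairwise into a single root; an unpaired node is promoted unchanged.
func MerkleRoot(nodes [][32]byte) [32]byte {
	if len(nodes) == 0 {
		return sha256.Sum256(nil) // conventional root of an empty tree
	}
	for len(nodes) > 1 {
		var next [][32]byte
		for i := 0; i < len(nodes); i += 2 {
			if i+1 == len(nodes) {
				next = append(next, nodes[i])
				continue
			}
			next = append(next, sha256.Sum256(append(nodes[i][:], nodes[i+1][:]...)))
		}
		nodes = next
	}
	return nodes[0]
}

// TreeHead is the signed message (assumed format): big-endian tree size || root, so the head states how many records it covers.
func TreeHead(size uint64, root [32]byte) []byte {
	msg := make([]byte, 8, 8+len(root))
	binary.BigEndian.PutUint64(msg, size)
	return append(msg, root[:]...)
}

// VerifyLog is the offline check a reviewer runs on an exported log: recompute the chain and
// root from the records, then verify the signed tree head against the published public key.
func VerifyLog(pub ed25519.PublicKey, records [][]byte, sig []byte) bool {
	head := TreeHead(uint64(len(records)), MerkleRoot(ChainHashes(records)))
	return ed25519.Verify(pub, head, sig)
}
```

Sealing on the producer side is the same computation with ed25519.Sign over the TreeHead bytes; a verifier that recomputes a different root, or receives fewer records than the head's size, gets a signature failure rather than a silent pass.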

Evidence, not assertions

The pack does not declare you certified. It gives an auditor the live control mapping and the signed record to check your posture for themselves.

Sources

Straight from the standard.

The standard and its companion controls guidance, in the publisher's own words.

Meet ISO/IEC 27001 with controls you can prove.

Map your live AxioRank configuration onto Annex A, then hand your reviewer an evidence pack they can verify offline.