ISO/IEC 27001:2013
Deprecated Framework
Superseded by ISO/IEC 27001:2022. The 2022 version reorganizes controls into four themes (Organizational, People, Physical, Technological) with 93 controls in Annex A.
Best for: Organizations previously certified to ISO/IEC 27001:2013 that have not yet transitioned to the 2022 revision. This version applied to any organization, regardless of size or industry, seeking internationally recognized ISMS certification. B2B SaaS vendors, financial services firms, healthcare technology companies, and government contractors commonly pursued it because customers and regulators required the certificate.
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). Certification audits are conducted by accredited certification bodies (e.g., BSI, Schellman, A-LIGN) under national accreditation body oversight. Official source: ISO/IEC 27001:2013 (superseded by 2022).
Get Started
module "..." {
source = "iso270012013.compliance.tf/terraform-aws-modules/<module>/aws"
version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Encryption in Transit: Five controls check TLS configuration on CloudFront distributions and ELB listeners: HTTPS enforcement, cipher suite selection, recommended security policies, and minimum protocol versions.
- Audit Logging and Monitoring: Eight controls cover the CloudTrail deployment pattern: multi-region enablement for read and write events, S3 bucket access logging on trail buckets, CloudWatch Logs integration, alarm action configuration, and AWS Config recorder status across all regions.
- Access Control and Least Privilege: Checks five configurations: IAM password policy minimum length, root user usage in ECS task definitions, public accessibility of EBS snapshots and EC2 AMIs, and public access settings on CloudTrail S3 buckets.
- Vulnerability Management: One control: ECR image scanning on push is enabled. This confirms container images are assessed for known vulnerabilities before deployment reaches production.
- Availability and Continuity: One control confirming DynamoDB auto scaling is enabled, so database capacity adjusts to demand without manual intervention.
What you handle
- Encryption in Transit: Defining an organizational cryptographic policy per A.10.1.1, selecting approved cipher suites, managing TLS certificate lifecycle, and documenting encryption decisions in the Statement of Applicability.
- Audit Logging and Monitoring: Log retention periods per A.12.4.1 are your call. You also need to establish incident response procedures triggered by alarms, schedule periodic log reviews, and protect log integrity through immutability controls or a dedicated logging account.
- Access Control and Least Privilege: Implementing a full access control policy per A.9.1.1, conducting periodic user access reviews per A.9.2.5, managing privileged access provisioning workflows, and enforcing MFA across all accounts.
- Vulnerability Management: Define remediation SLAs, assign triage ownership, and track findings to closure. Extend vulnerability scanning beyond containers to EC2 instances, Lambda functions, and third-party dependencies.
- Availability and Continuity: The DynamoDB check is one data point. Full A.17.1 compliance requires tested BCP and DR plans, documented RTO/RPO targets, evidence of regular failover exercises, and multi-AZ or multi-region redundancy for all critical workloads.
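The "DynamoDB auto scaling is enabled" check above corresponds to a provisioned table registered with Application Auto Scaling on both capacity dimensions. The following Terraform is an added example, not compliance.tf module code; the table name, capacity bounds and target utilisation are illustrative values.

```hcl
# Added example, not compliance.tf module code: a provisioned DynamoDB table with
# Application Auto Scaling target-tracking on read and write capacity, which is
# the configuration the "DynamoDB auto scaling enabled" check looks for.
# Table name, capacity bounds and target utilisation are illustrative values.

resource "aws_dynamodb_table" "orders" {
  name           = "orders-example"   # hypothetical table name
  billing_mode   = "PROVISIONED"      # auto scaling applies to provisioned tables
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "order_id"

  attribute {
    name = "order_id"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true                    # recovery evidence that also supports A.17.1
  }
}

# Each capacity dimension is registered as its own scalable target.
locals {
  dimensions = {
    read  = "dynamodb:table:ReadCapacityUnits"
    write = "dynamodb:table:WriteCapacityUnits"
  }
  metrics = {
    read  = "DynamoDBReadCapacityUtilization"
    write = "DynamoDBWriteCapacityUtilization"
  }
}

resource "aws_appautoscaling_target" "orders" {
  for_each           = local.dimensions
  service_namespace  = "dynamodb"
  resource_id        = "table/${aws_dynamodb_table.orders.name}"
  scalable_dimension = each.value
  min_capacity       = 5
  max_capacity       = 100
}

# Target tracking keeps consumed capacity near 70% of what is provisioned,
# so throttling under load and idle over-provisioning are both avoided.
resource "aws_appautoscaling_policy" "orders" {
  for_each           = local.dimensions
  name               = "orders-${each.key}-utilisation"
  policy_type        = "TargetTrackingScaling"
  service_namespace  = aws_appautoscaling_target.orders[each.key].service_namespace
  resource_id        = aws_appautoscaling_target.orders[each.key].resource_id
  scalable_dimension = aws_appautoscaling_target.orders[each.key].scalable_dimension

  target_tracking_scaling_policy_configuration {
    target_value = 70
    predefined_metric_specification {
      predefined_metric_type = local.metrics[each.key]
    }
  }
}
```

A table created with `billing_mode = "PAY_PER_REQUEST"` has no scalable targets to register, so the check is only meaningful for provisioned tables; the organisational evidence for A.17.1 (tested DR plans, RTO/RPO) is separate from either setting.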
Controls by Category
A.10 Cryptography (4 controls)
Auditors verify that a cryptographic policy exists per A.10.1.1 and that encryption in transit uses current, approved protocols and cipher suites. Common findings include outdated TLS versions (1.0, 1.1) still enabled on load balancers and missing HTTPS enforcement on CDN distributions. Evidence includes TLS configuration exports, security policy settings, and documented rationale for cipher suite selection.
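The listener and CloudFront settings behind the five encryption-in-transit checks listed earlier, and the common findings described in this section, are shown in the following Terraform. It is an added example, not compliance.tf module code or a module output; the ARNs, domain and names are placeholders, and the value each check flags is noted in a comment beside the hardened one.

```hcl
# Added example, not compliance.tf module code. An ALB that redirects HTTP to
# HTTPS and negotiates only TLS 1.2/1.3, and a CloudFront distribution that
# enforces HTTPS with a minimum viewer protocol version. All ARNs and names
# are placeholders.

variable "alb_arn"          { type = string } # existing load balancer (placeholder)
variable "target_group_arn" { type = string } # existing target group (placeholder)
variable "alb_cert_arn"     { type = string } # ACM certificate in the ALB's region
variable "cf_cert_arn"      { type = string } # ACM certificate in us-east-1 (CloudFront requirement)
variable "origin_domain"    { type = string } # e.g. the ALB DNS name (placeholder)

# HTTPS enforcement: port 80 answers only with a permanent redirect.
# Finding: a port-80 listener whose default action is "forward".
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = var.alb_arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Minimum protocol version and cipher suites come from the listener security
# policy. Finding: ssl_policy = "ELBSecurityPolicy-2016-08" (the long-standing
# default, which still permits TLS 1.0 and 1.1).
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2 and 1.3 only
  certificate_arn   = var.alb_cert_arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true

  origin {
    domain_name = var.origin_domain
    origin_id   = "alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"  # finding: "http-only" or "match-viewer"
      origin_ssl_protocols   = ["TLSv1.2"]   # finding: list containing "TLSv1" or "TLSv1.1"
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https" # finding: "allow-all"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.cf_cert_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # finding: "TLSv1" or "TLSv1_2016"
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }
}
```

The `ssl_policy` and `minimum_protocol_version` values are the concrete artefacts an auditor will ask to see alongside the written cipher-suite rationale required by A.10.1.1; exporting the listener and distribution configuration after `terraform apply` gives the TLS configuration evidence this section refers to.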
A.12.4 Logging and Monitoring (3 controls)
A.12.4.1 requires event logging and A.12.4.2 requires protection of log information. Auditors expect multi-region CloudTrail coverage with logs forwarded to a centralized monitoring system. They check that the logging infrastructure itself is monitored for failures and that alarms trigger actionable responses. A gap auditors frequently flag is CloudTrail enabled but not wired to alerting, which leaves the logs useful only for after-the-fact investigation rather than for detecting events as they happen.
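The CloudTrail pattern the eight logging checks and this section describe, as an added Terraform example that is not compliance.tf module code: one multi-region trail recording read and write management events, log file validation for the A.12.4.2 integrity requirement, delivery to CloudWatch Logs, access logging on the trail bucket, and a metric filter plus alarm so that a notable event (root credential use is used here) becomes an alert. The trail bucket, the access-log bucket and the SNS topic are assumed to exist already (placeholder variables), including the bucket policy that lets cloudtrail.amazonaws.com write to the trail bucket.

```hcl
# Added example, not compliance.tf module code. Buckets and the SNS topic are
# assumed to exist (placeholders); the trail bucket policy granting
# cloudtrail.amazonaws.com s3:PutObject is assumed to be in place.

variable "trail_bucket"      { type = string } # bucket receiving the trail (placeholder)
variable "access_log_bucket" { type = string } # bucket receiving S3 access logs (placeholder)
variable "alert_topic_arn"   { type = string } # SNS topic for alarm actions (placeholder)

# Retention is an organisational decision under A.12.4.1; 365 days is illustrative.
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/aws/cloudtrail/org-trail"
  retention_in_days = 365
}

# Role CloudTrail assumes to write into the log group.
data "aws_iam_policy_document" "trail_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "trail_to_logs" {
  name               = "cloudtrail-to-cloudwatch-logs"
  assume_role_policy = data.aws_iam_policy_document.trail_assume.json
}

resource "aws_iam_role_policy" "trail_to_logs" {
  role = aws_iam_role.trail_to_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.trail.arn}:*"
    }]
  })
}

resource "aws_cloudtrail" "org" {
  name                          = "org-trail"
  s3_bucket_name                = var.trail_bucket
  is_multi_region_trail         = true  # finding: single-region trail
  include_global_service_events = true  # IAM, STS and other global events
  enable_log_file_validation    = true  # SHA-256 digest files for tamper detection
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.trail_to_logs.arn

  event_selector {
    read_write_type           = "All"  # finding: "WriteOnly"
    include_management_events = true
  }
}

# Access logging on the trail bucket itself, so reads of the logs are recorded.
resource "aws_s3_bucket_logging" "trail_bucket" {
  bucket        = var.trail_bucket
  target_bucket = var.access_log_bucket
  target_prefix = "s3-access/cloudtrail-bucket/"
}

# Alarm action configuration: root credential use is a standard example.
resource "aws_cloudwatch_log_metric_filter" "root_use" {
  name           = "RootAccountUsage"
  log_group_name = aws_cloudwatch_log_group.trail.name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsage"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_use" {
  alarm_name          = "cloudtrail-root-account-usage"
  namespace           = "CloudTrailMetrics"
  metric_name         = "RootAccountUsage"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  alarm_actions       = [var.alert_topic_arn]  # finding: alarm with no actions
}
```

An alarm with an empty `alarm_actions` list is exactly the "enabled but not integrated with alerting" gap: the metric changes state, but nobody is paged. The AWS Config recorder status check in the same control group is not shown here; it is a separate recorder, delivery channel and role.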
A.12.6 Technical Vulnerability Management (1 control)
Container image scanning is the primary evidence point for A.12.6.1 conformity. Beyond confirming scan-on-push is enabled, auditors will ask to see documented SLAs for critical CVE remediation and evidence that findings are tracked to closure, not just acknowledged.
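The scan-on-push setting the check reads, together with the hand-off that turns scan results into findings that can be tracked to closure, as an added Terraform example that is not compliance.tf module code. It assumes an SNS topic (placeholder ARN) whose policy allows events.amazonaws.com to publish and which feeds your ticketing or triage queue; repository name and lifecycle values are illustrative.

```hcl
# Added example, not compliance.tf module code: an ECR repository with scan on
# push, and an EventBridge rule that forwards completed scans reporting at
# least one CRITICAL finding to an SNS topic (placeholder) for triage.

variable "alert_topic_arn" { type = string } # SNS topic; policy must allow events.amazonaws.com (placeholder)

resource "aws_ecr_repository" "app" {
  name                 = "app-example"   # hypothetical repository name
  image_tag_mutability = "IMMUTABLE"     # a scanned digest cannot be silently replaced

  image_scanning_configuration {
    scan_on_push = true                  # finding: false
  }
}

# Expire untagged images so stale layers that were never promoted do not linger.
resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "expire untagged images after 14 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 14
      }
      action = { type = "expire" }
    }]
  })
}

# ECR emits an "ECR Image Scan" event when a scan completes; the detail carries
# per-severity finding counts, so the rule fires only when CRITICAL > 0.
resource "aws_cloudwatch_event_rule" "critical_scan_findings" {
  name = "ecr-critical-scan-findings"
  event_pattern = jsonencode({
    source        = ["aws.ecr"]
    "detail-type" = ["ECR Image Scan"]
    detail = {
      "scan-status"             = ["COMPLETE"]
      "repository-name"         = [aws_ecr_repository.app.name]
      "finding-severity-counts" = { CRITICAL = [{ numeric = [">", 0] }] }
    }
  })
}

resource "aws_cloudwatch_event_target" "critical_scan_findings" {
  rule = aws_cloudwatch_event_rule.critical_scan_findings.name
  arn  = var.alert_topic_arn
}
```

The event-to-ticket path is what lets you show an auditor the SLA clock starting at scan time rather than at the point someone happened to look at the console; the remediation SLA itself and the closure records remain the procedural evidence this section asks for.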
A.9 Access Control (1 control)
A.9.4.3 covers password management systems, A.9.2.3 addresses privileged access management, and A.9.1.2 requires controlled access to networks and services. Auditors look for enforced password complexity, least privilege in container task definitions (no root), and prevention of unintended public exposure of snapshots, AMIs, and log buckets. Public access to any of these resources is treated as a significant nonconformity.
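The five access-control configurations listed earlier and the findings this section describes, as an added Terraform example that is not compliance.tf module code: the account password policy, an ECS task that does not run as root, public-access blocking on the CloudTrail bucket, and snapshot and AMI sharing scoped to a named account rather than to everyone. Account IDs, bucket, snapshot, AMI and role identifiers are placeholders.

```hcl
# Added example, not compliance.tf module code. All identifiers are placeholders.

variable "trail_bucket"       { type = string } # CloudTrail S3 bucket (placeholder)
variable "partner_account"    { type = string } # account allowed to use the snapshot/AMI (placeholder)
variable "snapshot_id"        { type = string } # existing EBS snapshot id (placeholder)
variable "ami_id"             { type = string } # existing AMI id (placeholder)
variable "execution_role_arn" { type = string } # ECS task execution role (placeholder)

# Password policy: the check reads minimum_password_length. Finding: < 14 or no policy set.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  password_reuse_prevention      = 24
  max_password_age               = 90
}

# ECS task that drops root inside the container. Finding: "user" omitted, "root" or "0".
resource "aws_ecs_task_definition" "app" {
  family                   = "app-example"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = var.execution_role_arn

  container_definitions = jsonencode([{
    name                   = "app"
    image                  = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app-example:placeholder"
    essential              = true
    user                   = "1000:1000"   # unprivileged uid:gid
    readonlyRootFilesystem = true
    portMappings           = [{ containerPort = 8080, protocol = "tcp" }]
  }])
}

# CloudTrail bucket: all four public-access blocks on. Finding: any of them false.
resource "aws_s3_bucket_public_access_block" "trail" {
  bucket                  = var.trail_bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Cross-account sharing scoped to one account. The public-exposure finding is a
# permission granted to the "all" group: for AMIs that is group = "all" on
# aws_ami_launch_permission; for snapshots it is a CreateVolumePermission for
# group "all" (set outside Terraform, since this resource takes only account_id).
resource "aws_snapshot_create_volume_permission" "partner" {
  snapshot_id = var.snapshot_id
  account_id  = var.partner_account
}

resource "aws_ami_launch_permission" "partner" {
  image_id   = var.ami_id
  account_id = var.partner_account
}
```

These settings satisfy the automated checks; the access control policy, periodic access reviews and MFA enforcement listed under "What you handle" are still required evidence for A.9.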
Additional Controls (21)
- AWS IAM (8)
- Amazon RDS (4)
- Amazon Redshift (3)
- Amazon S3 (3)
- Amazon SNS (1)
- Amazon SageMaker (1)
- Amazon VPC (1)
Frequently Asked Questions
Is ISO 27001:2013 certification still valid?
Certification bodies stopped issuing new ISO 27001:2013 certificates when the 2022 revision published. Existing 2013 certificates expire on October 31, 2025. After that date, only ISO 27001:2022 certifications are recognized, so if your current certificate runs to or past that date, you must complete the transition at your next surveillance or recertification audit.
How long does the transition from 2013 to 2022 take?
Plan for 3 to 6 months. The main work involves updating the Statement of Applicability to reflect the restructured 93 controls, performing a gap assessment against the 11 new controls in the 2022 Annex A, and revising risk treatment plans. The transition audit typically adds 1 to 2 days to a standard surveillance or recertification audit.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 specifies requirements for an ISMS and is the certifiable standard. ISO 27002 is implementation guidance for the controls listed in Annex A. You cannot be certified to ISO 27002. Auditors assess conformity against ISO 27001 requirements but reference ISO 27002 to understand expected implementation depth for individual controls.
How do these 20 mapped controls relate to the full 114 controls in Annex A?
The 20 controls cover AWS infrastructure checks that align with specific Annex A requirements, primarily in A.9 (Access Control), A.10 (Cryptography), A.12 (Operations Security), and A.17 (Business Continuity). Annex A domains like A.5 (Information Security Policies), A.6 (Organization of Information Security), A.7 (Human Resource Security), and A.8 (Asset Management) require procedural and organizational evidence that automated cloud controls cannot address.
Can I use compliance.tf benchmark results as audit evidence?
Yes. PowerPipe benchmark outputs showing control pass/fail status, timestamps, and resource-level detail are accepted by most certification bodies as technical evidence. Export results before each surveillance audit. Auditors will still require complementary evidence: policies, risk assessments, management review minutes, and corrective action records.