ISO/IEC 27001:2013
Deprecated Framework
Best for: Organizations previously certified to ISO/IEC 27001:2013 that have not yet transitioned to the 2022 revision. This version applied to any organization, regardless of size or industry, seeking internationally recognized ISMS certification. B2B SaaS vendors, financial services firms, healthcare technology companies, and government contractors commonly pursued it because customers and regulators required the certificate.
| Attribute | Detail |
| --- | --- |
| Mandatory? | Voluntary; demanded by B2B contracts |
| Who validates? | Accredited certification body (IAF member) · No self-assessment |
| Renewal | 3-year certificate; annual surveillance |
| Observation period | Surveillance: years 1 and 2 |
Issued by: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). Certification audits are conducted by accredited certification bodies (e.g., BSI, Schellman, A-LIGN) under national accreditation body oversight. · Reference: ISO/IEC 27001:2013 (superseded by the 2022 revision). Official source: ISO.
Get Started
```hcl
# Replace <module> with the module name and <version> with the pinned release.
module "..." {
  source  = "iso270012013.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Encryption in Transit: Five controls check TLS configuration on CloudFront distributions and ELB listeners: HTTPS enforcement, cipher suite selection, recommended security policies, and minimum protocol versions.
- Audit Logging and Monitoring: Eight controls cover the CloudTrail deployment pattern: multi-region enablement for read and write events, S3 bucket access logging on trail buckets, CloudWatch Logs integration, alarm action configuration, and AWS Config recorder status across all regions.
- Access Control and Least Privilege: Checks five configurations: IAM password policy minimum length, root user usage in ECS task definitions, public accessibility of EBS snapshots and EC2 AMIs, and public access settings on CloudTrail S3 buckets.
- Vulnerability Management: One control: ECR image scanning on push is enabled. This confirms container images are assessed for known vulnerabilities before deployment reaches production.
- Availability and Continuity: One control confirming DynamoDB auto scaling is enabled, so database capacity adjusts to demand without manual intervention.
What you handle
- Encryption in Transit: Defining an organizational cryptographic policy per A.10.1.1, selecting approved cipher suites, managing TLS certificate lifecycle, and documenting encryption decisions in the Statement of Applicability.
- Audit Logging and Monitoring: Log retention periods per A.12.4.1 are your call. You also need to establish incident response procedures triggered by alarms, schedule periodic log reviews, and protect log integrity through immutability controls or a dedicated logging account.
- Access Control and Least Privilege: Implementing a full access control policy per A.9.1.1, conducting periodic user access reviews per A.9.2.5, managing privileged access provisioning workflows, and enforcing MFA across all accounts.
- Vulnerability Management: Define remediation SLAs, assign triage ownership, and track findings to closure. Extend vulnerability scanning beyond containers to EC2 instances, Lambda functions, and third-party dependencies.
- Availability and Continuity: The DynamoDB check is one data point. Full A.17.1 compliance requires tested BCP and DR plans, documented RTO/RPO targets, evidence of regular failover exercises, and multi-AZ or multi-region redundancy for all critical workloads.
Controls by Category
A.10 Cryptography (4 controls)
Auditors verify that a cryptographic policy exists per A.10.1.1 and that encryption in transit uses current, approved protocols and cipher suites. Common findings include outdated TLS versions (1.0, 1.1) still enabled on load balancers and missing HTTPS enforcement on CDN distributions. Evidence includes TLS configuration exports, security policy settings, and documented rationale for cipher suite selection.
A.12.4 Logging and Monitoring (3 controls)
A.12.4.1 requires event logging and A.12.4.2 requires protection of log information. Auditors expect multi-region CloudTrail coverage with logs forwarded to a centralized monitoring system. They check that the logging infrastructure itself is monitored for failures and that alarms trigger actionable responses. A gap auditors frequently flag: CloudTrail is enabled but not integrated with alerting, so the logs serve only after-the-fact review instead of acting as a detective control.
A.12.6 Technical Vulnerability Management (1 control)
Container image scanning is the primary evidence point for A.12.6.1 conformity. Beyond confirming scan-on-push is enabled, auditors will ask to see documented SLAs for critical CVE remediation and evidence that findings are tracked to closure, not just acknowledged.
A.9 Access Control (1 control)
A.9.4.3 covers password management systems, A.9.2.3 addresses privileged access management, and A.9.1.2 requires controlled access to networks and services. Auditors look for enforced password complexity, least privilege in container task definitions (no root), and prevention of unintended public exposure of snapshots, AMIs, and log buckets. Public access to any of these resources is treated as a significant nonconformity.
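Added example (not part of this page or of the Compliance.tf modules): the Terraform resource settings that the Encryption in Transit, Audit Logging and Vulnerability Management checks listed under "What Compliance.tf automates", and the A.10 and A.12 audit expectations above, look for. All resource names and the referenced load balancer, certificate, target group, S3 bucket, log group and IAM role are assumed placeholders.

```hcl
# ELB listener: HTTPS only, with a current predefined security policy.
# A typical finding looks like protocol = "HTTP", or an older policy such as
# "ELBSecurityPolicy-2016-08", which still negotiates TLS 1.0 and 1.1.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn               # assumed ALB
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = aws_acm_certificate.app.arn  # assumed ACM certificate

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed target group
  }
}

# CloudTrail: multi-region, read and write management events, log file
# validation on, and forwarded to CloudWatch Logs so alarms can act on it.
# A trail that only writes to S3 is the "enabled but not integrated with
# alerting" gap described in A.12.4.
resource "aws_cloudtrail" "org" {
  name                          = "org-trail"
  s3_bucket_name                = aws_s3_bucket.trail.id   # assumed bucket
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  # CloudTrail requires the log group ARN to end in ":*".
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.trail_to_cwl.arn # assumed role

  event_selector {
    read_write_type           = "All"
    include_management_events = true
  }
}

# ECR: scan every pushed image so known CVEs surface before deployment.
resource "aws_ecr_repository" "app" {
  name = "app"

  image_scanning_configuration {
    scan_on_push = true
  }
}
```

Scan-on-push and the trail only produce evidence; the remediation SLAs, alarm responses and retention periods listed under "What you handle" still have to be defined and documented separately.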
Additional Controls (21)
- AWS IAM (8)
- Amazon RDS (4)
- Amazon Redshift (3)
- Amazon S3 (3)
- Amazon SageMaker (1)
Related Frameworks
ISO/IEC 27001:2022: High overlap (85%)
ISO 27001:2022 is the direct successor. It restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes and added 11 new controls. Organizations certified to 2013 must transition by October 31, 2025.
SOC 2: Medium overlap (55%)
SOC 2 Trust Services Criteria (CC6 Logical and Physical Access, CC7 System Operations) overlap with ISO 27001 domains A.9, A.11, and A.12. SOC 2 is attestation-based rather than certification-based, and scope is defined by the service organization's system description rather than an ISMS boundary.
NIST 800-53 Rev 5: High overlap (70%)
NIST 800-53 Rev 5 is significantly more granular, with over 1,000 controls across 20 families. Most ISO 27001 Annex A controls map to one or more NIST 800-53 controls, but NIST covers supply chain risk management and privacy in greater depth.