ISO/IEC 27001:2022
Best for: Organizations that need to prove a functioning ISMS to enterprise buyers, government procurement, or regulated-sector partners. Certification is contractually required in financial services, healthcare, SaaS, and telecoms. There is no revenue or size threshold; a 15-person startup selling to banks faces the same commercial requirement as a Fortune 500. GDPR Article 32, EU NIS2, and APAC sector regulators treat ISO 27001 as evidence of appropriate technical and organizational measures.
Governing body: International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with national accreditation bodies (e.g., UKAS, ANAB) overseeing certification bodies.
Get Started
module "..." {
  # Replace <module> with the compliance.tf module you are adopting and
  # <version> with a pinned release, so each scan result can be tied back
  # to an exact module revision during an audit.
  source  = "iso27001.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Encryption at Rest: Checks encryption configuration across API Gateway caches, Athena workgroups, Backup recovery points, and Bedrock invocation logs. Validates KMS key usage where applicable. Maps to Annex A control A.8.24.
- Logging and Monitoring: Validates that logging is enabled on API Gateway stages, AppSync GraphQL APIs, Athena workgroups, and Bedrock model invocations. Detects services where logging was disabled or never configured.
- Network Exposure: Detects publicly accessible API Gateway REST endpoints and AppStream fleets with default internet access enabled. Flags resources that violate network segmentation expectations.
- Backup and Recovery: Verifies that AWS Backup plans and vaults exist in active regions, that recovery points are encrypted, and that backup report plans are configured. Checks multi-AZ deployment for Auto Scaling groups and CloudFront origin failover.
- Account Governance: Validates that AWS accounts have a security contact registered, that contact details are current, and that accounts belong to AWS Organizations for centralized management.
- Certificate Lifecycle: Flags ACM certificates expiring within 30 days, giving teams lead time to renew or rotate before expiration causes a service disruption.
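Each of the automated checks above reduces to a small predicate over a resource's configuration. The following Python sketch, added here as an illustration and not Compliance.tf's own code (which ships as Terraform modules and PowerPipe benchmarks), runs four of those predicates over a constructed inventory: ACM certificate expiry, API Gateway stage cache encryption, stage execution logging, and public REST endpoints. The dict shapes and field names are a simplified assumption of this example, not a faithful copy of the AWS API responses, and the account IDs and ARNs are made up.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible (constructed for this example).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CERT_WARNING_WINDOW = timedelta(days=30)  # the 30-day lead time quoted above

# Constructed inventory. Field names are an assumption of this example and only
# loosely mirror acm describe-certificate / apigateway get-stage / get-rest-api.
ACM_CERTIFICATES = [
    {"CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/expiring",
     "NotAfter": NOW + timedelta(days=12)},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/expired",
     "NotAfter": NOW - timedelta(days=3)},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/healthy",
     "NotAfter": NOW + timedelta(days=200)},
]
APIGW_STAGES = [
    {"restApiId": "abc123", "stageName": "prod", "cacheClusterEnabled": True,
     "cacheDataEncrypted": False, "loggingLevel": "OFF"},
    {"restApiId": "abc123", "stageName": "staging", "cacheClusterEnabled": True,
     "cacheDataEncrypted": True, "loggingLevel": "INFO"},
    # Logging never configured at all: loggingLevel key is absent.
    {"restApiId": "def456", "stageName": "legacy", "cacheClusterEnabled": False,
     "cacheDataEncrypted": False},
]
REST_APIS = [
    {"id": "abc123", "name": "public-api", "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "def456", "name": "internal-api", "endpointConfiguration": {"types": ["PRIVATE"]}},
]


def check_certificate_expiry(certs, now=NOW, window=CERT_WARNING_WINDOW):
    """A.8.24: flag certificates that expire inside the warning window, or already did."""
    findings = []
    for cert in certs:
        remaining = cert["NotAfter"] - now
        if remaining < timedelta(0):
            findings.append(("A.8.24", cert["CertificateArn"],
                             f"expired {-remaining.days} days ago"))
        elif remaining <= window:
            findings.append(("A.8.24", cert["CertificateArn"],
                             f"expires in {remaining.days} days"))
    return findings


def check_stage_cache_encryption(stages):
    """A.8.24: an enabled stage cache must encrypt its data at rest."""
    return [("A.8.24", f"{s['restApiId']}/{s['stageName']}", "cache enabled without encryption")
            for s in stages
            if s.get("cacheClusterEnabled") and not s.get("cacheDataEncrypted")]


def check_stage_logging(stages):
    """A.8.15: execution logging must be on; OFF and never-configured are both findings."""
    findings = []
    for s in stages:
        level = s.get("loggingLevel")
        if level in (None, "OFF"):
            state = "never configured" if level is None else "disabled"
            findings.append(("A.8.15", f"{s['restApiId']}/{s['stageName']}", f"logging {state}"))
    return findings


def check_public_rest_apis(apis):
    """A.8.20: any endpoint type other than PRIVATE is reachable from the internet."""
    return [("A.8.20", api["name"], f"public endpoint type {api['endpointConfiguration']['types']}")
            for api in apis
            if "PRIVATE" not in api["endpointConfiguration"]["types"]]


def run_all():
    """Run every check over the constructed inventory and return all findings."""
    return (check_certificate_expiry(ACM_CERTIFICATES)
            + check_stage_cache_encryption(APIGW_STAGES)
            + check_stage_logging(APIGW_STAGES)
            + check_public_rest_apis(REST_APIS))


def findings_by_control(findings):
    """Count findings per Annex A control, the shape an auditor summary usually takes."""
    summary = {}
    for control, _, _ in findings:
        summary[control] = summary.get(control, 0) + 1
    return summary


if __name__ == "__main__":
    for control, resource, message in run_all():
        print(f"{control:8} {resource:70} {message}")
    print(findings_by_control(run_all()))
```

The point of the split between `run_all` and `findings_by_control` is that the per-resource list is the evidence you attach to a Statement of Applicability entry, while the per-control count is what goes into the management review; both come from the same scan so they cannot drift apart.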
What you handle
- Encryption at Rest: Documenting a cryptographic policy covering algorithms, key lengths, and approved use cases. Configuring and auditing KMS key rotation schedules. Maintaining key access policies and reviewing them during internal audits per Clause 9.2.
- Logging and Monitoring: Defining log retention periods per A.8.15. Implementing centralized log review processes and alerting thresholds. Conducting periodic reviews of log data to satisfy A.8.16 monitoring requirements.
- Network Exposure: Maintaining network architecture diagrams (A.8.20). Documenting and reviewing firewall rules, security groups, and NACLs. Performing risk-based security testing (for example, penetration testing) where required by your ISMS and risk treatment plan, rather than as a blanket Clause 8.1 mandate.
- Backup and Recovery: Defining and documenting RTO/RPO targets. Testing recovery procedures at planned intervals based on risk and business requirements, consistent with A.5.30. Maintaining business continuity plans and reporting results to management review (Clause 9.3).
- Account Governance: Establishing the ISMS governance structure (Clauses 5.1 through 5.3). Defining roles and responsibilities per A.5.2. Conducting management reviews and maintaining records of decisions.
- Certificate Lifecycle: Maintaining a certificate inventory. Defining renewal procedures and ownership. Integrating certificate monitoring into incident management processes per A.5.24.
Controls by Category
Cryptographic Controls (A.8.24) (2 controls)
A.8.24 (Use of cryptography) requires a documented cryptographic policy specifying algorithms, key lengths, and key management procedures. Auditors verify encryption at rest across data stores, caches, and backups, and check certificate lifecycle management. Expired or nearly expired ACM certificates are a consistent finding and signal weak operational controls. Be prepared to show KMS key policies and rotation schedules.
Logging, Monitoring, and Accountability (A.8.15, A.8.16) (3 controls)
The core evidence request here is proof that logging is enabled across all in-scope services, directly supporting A.8.15 (Logging) and A.8.16 (Monitoring activities). Assessors want to see centralized log aggregation, documented retention periods, and evidence of regular review. Field-level logging for APIs like AppSync and invocation logging for Bedrock are where gaps appear most often, particularly for services added after initial certification.
Network Security and Access Restriction (A.8.20, A.8.21, A.8.22) (1 control)
Publicly exposed API endpoints and AppStream fleets with default internet access enabled are the most common non-conformities in this category, mapped to A.8.20 (Networks security), A.8.21 (Security of network services), and A.8.22 (Segregation of networks). Expect to produce network diagrams showing segmentation, evidence of private endpoint usage, and written justification for any public-facing resource.
Additional Controls (140)
AWS CloudTrail (4)
AWS CodeBuild (3)
AWS Database Migration Service (1)
AWS IAM (9)
AWS KMS (1)
AWS Lambda (3)
AWS Step Functions (1)
AWS WAF (1)
Amazon CloudFront (3)
Amazon CloudWatch (1)
Amazon CloudWatch Logs (1)
Amazon DocumentDB (2)
Amazon DynamoDB (2)
Amazon DynamoDB Accelerator (2)
Amazon EBS (3)
Amazon EC2 (10)
Amazon EFS (2)
Amazon EKS (4)
Amazon ElastiCache (4)
Amazon Kinesis (3)
Amazon MQ (1)
Amazon MSK (1)
Amazon Neptune (3)
Amazon OpenSearch Service (7)
Amazon RDS (15)
Amazon Redshift (7)
Amazon S3 (13)
Amazon SNS (1)
Amazon SQS (2)
Amazon SageMaker (6)
Amazon VPC (2)
Elastic Load Balancing (3)
Other (19)
Frequently Asked Questions
Does ISO 27001 apply to my organization if we only use cloud services and have no on-premises infrastructure?
Yes. ISO 27001 applies to information security regardless of where systems run. Cloud-only organizations define their ISMS scope around cloud accounts, SaaS tools, and remote workforce practices. The 2022 revision added control A.5.23 (Information security for use of cloud services) specifically for cloud environments. Your Clause 4.3 scope statement will reference AWS accounts, regions, and services rather than physical data centers.
How long does ISO 27001 certification take from scratch?
Expect 6 to 14 months for a first-time certification. Smaller organizations (under 50 employees) with a focused scope can finish in 6 to 8 months. Larger enterprises with multiple business units, regions, or complex supply chains commonly need 10 to 14 months. The time breaks down roughly as: ISMS design and documentation (2 to 4 months), implementation and evidence gathering (3 to 6 months), internal audit and management review (1 month), Stage 1 audit (1 to 2 weeks), remediation of findings (2 to 6 weeks), and Stage 2 audit (1 to 2 weeks).
What changed between ISO 27001:2013 and 2022, and do I need to recertify?
The management system clauses (4 through 10) had minor wording changes. The significant change was in Annex A: 114 controls across 14 domains were reorganized into 93 controls across 4 themes (Organizational, People, Physical, Technological). Eleven new controls were added, including A.5.7 (Threat intelligence), A.5.23 (Cloud services), A.8.11 (Data masking), and A.8.12 (Data leakage prevention). Organizations certified under the 2013 version had until October 31, 2025, to transition. If you have not transitioned, your certification has expired.
How much overlap can I expect if we are already SOC 2 Type II compliant?
Roughly 60 to 65 percent of evidence from a SOC 2 Type II engagement transfers to ISO 27001. Technical controls for encryption, logging, access management, and incident response overlap significantly. The gap is primarily in ISO 27001's management system requirements: you will need an ISMS scope statement (Clause 4.3), a formal risk assessment methodology and risk treatment plan (Clauses 6.1.2 and 6.1.3), a Statement of Applicability, an internal audit program (Clause 9.2), and management review minutes (Clause 9.3). None of these have direct SOC 2 equivalents.
What does the compliance.tf coverage for ISO 27001 actually prove to an auditor?
Automated checks prove that specific technical configurations existed at the time of the scan. An auditor may accept PowerPipe benchmark results as supporting evidence for Annex A.8 technological controls, specifically that encryption, logging, network restrictions, and backup configurations are in place. That said, compliance.tf produces no evidence for the management system (Clauses 4 through 10), people controls (A.6), or physical controls (A.7). You still need documented policies, risk assessments, training records, supplier agreements, and internal audit reports. Treat the automated checks as covering roughly 40 to 50 percent of total audit evidence.