compliance.tf
Compliance FrameworksCore Frameworks

ISO/IEC 27001:2022

Best for: Organizations that need to prove a functioning ISMS to enterprise buyers, government procurement, or regulated-sector partners. Certification is contractually required in financial services, healthcare, SaaS, and telecoms. There is no revenue or size threshold; a 15-person startup selling to banks faces the same commercial requirement as a Fortune 500. GDPR Article 32, EU NIS2, and APAC sector regulators treat ISO 27001 as evidence of appropriate technical and organizational measures.

Mandatory?Voluntary โ€” demanded by B2B contracts
Who validates?Accredited certification body (IAF member) ยท No self-assessment
Renewal3-year cert; annual surveillance
Observation periodSurveillance: years 1 and 2

๐Ÿ› International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with national accreditation bodies (e.g., UKAS, ANAB) overseeing certification bodies. ยท ISO/IEC 27001:2022 Official source โ†’

Get Started

module "..." {
  source  = "iso27001.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Encryption at Rest: Checks encryption configuration across API Gateway caches, Athena workgroups, Backup recovery points, and Bedrock invocation logs. Validates KMS key usage where applicable. Maps to Annex A control A.8.24.
  • Logging and Monitoring: Validates that logging is enabled on API Gateway stages, AppSync GraphQL APIs, Athena workgroups, and Bedrock model invocations. Detects services where logging was disabled or never configured.
  • Network Exposure: Detects publicly accessible API Gateway REST endpoints and AppStream fleets with default internet access enabled. Flags resources that violate network segmentation expectations.
  • Backup and Recovery: Verifies that AWS Backup plans and vaults exist in active regions, that recovery points are encrypted, and that backup report plans are configured. Checks multi-AZ deployment for Auto Scaling groups and CloudFront origin failover.
  • Account Governance: Validates that AWS accounts have a security contact registered, that contact details are current, and that accounts belong to AWS Organizations for centralized management.
  • Certificate Lifecycle: Flags ACM certificates expiring within 30 days, giving teams lead time to renew or rotate before expiration causes a service disruption.

What you handle

  • Encryption at Rest: Documenting a cryptographic policy covering algorithms, key lengths, and approved use cases. Configuring and auditing KMS key rotation schedules. Maintaining key access policies and reviewing them during internal audits per Clause 9.2.
  • Logging and Monitoring: Defining log retention periods per A.8.15. Implementing centralized log review processes and alerting thresholds. Conducting periodic reviews of log data to satisfy A.8.16 monitoring requirements.
  • Network Exposure: Maintaining network architecture diagrams (A.8.20). Documenting and reviewing firewall rules, security groups, and NACLs. Performing risk-based security testing (for example, penetration testing) where required by your ISMS and risk treatment plan, rather than as a blanket Clause 8.1 mandate.
  • Backup and Recovery: Defining and documenting RTO/RPO targets. Testing recovery procedures at planned intervals based on risk and business requirements, consistent with A.5.30. Maintaining business continuity plans and reporting results to management review (Clause 9.3).
  • Account Governance: Establishing the ISMS governance structure (Clauses 5.1 through 5.3). Defining roles and responsibilities per A.5.2. Conducting management reviews and maintaining records of decisions.
  • Certificate Lifecycle: Maintaining a certificate inventory. Defining renewal procedures and ownership. Integrating certificate monitoring into incident management processes per A.5.24.

Controls by Category

Cryptographic Controls (A.8.24) (2 controls)

A.8.24 (Use of cryptography) requires a documented cryptographic policy specifying algorithms, key lengths, and key management procedures. Auditors verify encryption at rest across data stores, caches, and backups, and check certificate lifecycle management. Expired or nearly expired ACM certificates are a consistent finding and signal weak operational controls. Be prepared to show KMS key policies and rotation schedules.

API Gateway stages should have cache encryption at rest enabledAthena workgroups should be encrypted at rest

Logging, Monitoring, and Accountability (A.8.15, A.8.16) (3 controls)

The core evidence request here is proof that logging is enabled across all in-scope services, directly supporting A.8.15 (Logging) and A.8.16 (Monitoring activities). Assessors want to see centralized log aggregation, documented retention periods, and evidence of regular review. Field-level logging for APIs like AppSync and invocation logging for Bedrock are where gaps appear most often, particularly for services added after initial certification.

API Gateway stages should have logging enabledAppSync GraphQL APIs should have field-level logging enabledcompliance.tf moduleAthena workgroups should have logging enabled

Network Security and Access Restriction (A.8.20, A.8.21, A.8.22) (1 control)

Publicly exposed API endpoints and AppStream fleets with default internet access enabled are the most common non-conformities in this category, mapped to A.8.20 (Networks security), A.8.21 (Security of network services), and A.8.22 (Segregation of networks). Expect to produce network diagrams showing segmentation, evidence of private endpoint usage, and written justification for any public-facing resource.

AppStream fleets should have default internet access disabled
Additional Controls (140)

AWS CloudTrail (4)

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled

AWS CodeBuild (3)

CodeBuild projects should have logging enabledCodeBuild projects should have S3 logs encryptedCodeBuild report group exports should be encrypted at rest

AWS Database Migration Service (1)

DMS endpoints for Redis OSS should have TLS enabled

AWS IAM (9)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurationsIAM password policies should expire passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (3)

Lambda functions CORS configuration should not allow all originscompliance.tf moduleLambda functions should be in a VPCcompliance.tf moduleLambda functions should restrict public URLcompliance.tf module

AWS Step Functions (1)

Step Functions state machines should have logging enabledcompliance.tf module

AWS WAF (1)

WAFv2 rules should have CloudWatch metrics enabled

Amazon CloudFront (3)

CloudFront distributions should require encryption in transitcompliance.tf moduleCloudFront distributions should have field level encryption enabledcompliance.tf moduleCloudFront distributions access logs should be enabledcompliance.tf module

Amazon CloudWatch (1)

CloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DocumentDB (2)

DocumentDB clusters should have encryption at rest enabledDocumentDB instance logging should be enabled

Amazon DynamoDB (2)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf module

Amazon DynamoDB Accelerator (2)

DynamoDB Accelerator (DAX) clusters should be encrypted at restDynamoDB Accelerator clusters should be encrypted in transit

Amazon EBS (3)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS snapshots should be encryptedEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (10)

EC2 Client VPN endpoints should have client connection logging enabledEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should not use multiple ENIscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf moduleEC2 instances should use IAM instance roles for AWS resource accesscompliance.tf moduleEC2 instances should not use paravirtual instance typescompliance.tf moduleEC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)compliance.tf moduleEC2 launch templates should not assign public IPs to network interfacescompliance.tf moduleEC2 transit gateways should have auto accept shared attachments disabled

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EKS (4)

EKS clusters should have control plane audit logging enabledcompliance.tf moduleEKS clusters endpoint public access should be restrictedcompliance.tf moduleEKS clusters endpoint should restrict public accesscompliance.tf moduleEKS clusters should be configured to have kubernetes secrets encrypted using KMScompliance.tf module

Amazon ElastiCache (4)

ElastiCache for Redis replication groups should have automatic failover enabledcompliance.tf moduleElastiCache for Redis replication groups should be encrypted at restcompliance.tf moduleElastiCache for Redis replication groups should be encrypted with CMKcompliance.tf moduleElastiCache for Redis replication groups should be encrypted in transitcompliance.tf module

Amazon Kinesis (3)

Kinesis firehose delivery streams should have server side encryption enabledKinesis streams should be encrypted with CMKKinesis streams should have server side encryption enabled

Amazon MQ (1)

MQ brokers should have audit log streaming to CloudWatch enabled

Amazon MSK (1)

MSK clusters should be encrypted in transit among broker nodescompliance.tf module

Amazon Neptune (3)

Neptune DB clusters should publish audit logs to CloudWatch LogsNeptune DB clusters should be configured to copy tags to snapshotsNeptune DB clusters should be encrypted at rest

Amazon OpenSearch Service (7)

OpenSearch domains should have audit logging enabledcompliance.tf moduleOpenSearch domains should have at least three data nodescompliance.tf moduleOpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should be in a VPCcompliance.tf moduleOpenSearch domains internal user database should be disabledcompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (15)

Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logscompliance.tf moduleRDS DB clusters should be configured to copy tags to snapshotscompliance.tf moduleRDS DB clusters should be encrypted with CMKcompliance.tf moduleRDS DB clusters should be encrypted at restcompliance.tf moduleRDS DB clusters should be configured for multiple Availability Zonescompliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS instances should be deployed in a VPCcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (7)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have enhanced VPC routing enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have Multi-AZ deployments enabledcompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (13)

S3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SQS (2)

SQS queues should have encryption at rest enabledcompliance.tf moduleSQS queues should be encrypted with KMS CMKcompliance.tf module

Amazon SageMaker (6)

SageMaker endpoint production variants should have an initial instance count greater than 1SageMaker models should be in a VPCSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabledSageMaker notebook instances should be in a VPC

Amazon VPC (2)

VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888compliance.tf moduleVPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (3)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB load balancers should prohibit public accesscompliance.tf moduleELB classic load balancers should span multiple availability zonescompliance.tf module

Other (19)

DataSync tasks should have logging enabledElasticsearch domains should have audit logging enabledElasticsearch domains should have at least three data nodesElasticsearch domains should be configured with at least three dedicated master nodesES domain encryption at rest should be enabledElasticsearch domains should have internal user database enabledElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabledFSx for OpenZFS file systems should be configured to copy tags to backups and volumescompliance.tf moduleFSx for Lustre file systems should be configured to copy tags to backupscompliance.tf moduleFSx for Windows File Server file systems should be configured for Multi-AZ deploymentcompliance.tf moduleAPI Gateway V2 stages should have access logging configuredcompliance.tf moduleGlue data catalog metadata encryption should be enabledGlue data catalog connection password encryption should be enabledGlue jobs bookmarks encryption should be enabledGlue jobs CloudWatch logs encryption should be enabledGlue jobs S3 encryption should be enabledMSK Connect connectors should be encrypted in transitRedshift Serverless workgroups should have enhanced VPC routing enabled

Related Frameworks

NIST 800-53 Rev 5 โ€” ๐ŸŸข High overlap (72%)

NIST SP 800-53 Rev 5 maps extensively to ISO 27001:2022 Annex A controls. ISO 27001 Annex A.8 (Technological controls) aligns closely with NIST families like SC (System and Communications Protection) and AU (Audit and Accountability). The key difference is that NIST 800-53 is prescriptive with specific parameter requirements, while ISO 27001 is risk-based and leaves implementation details to the organization.

SOC 2 โ€” ๐ŸŸข High overlap (65%)

SOC 2 Trust Services Criteria (especially CC6 and CC7) share requirements with ISO 27001 Annex A controls for access management, encryption, and monitoring. SOC 2 produces an attestation report rather than a certification, and its scope is service-organization focused. Organizations pursuing both can unify evidence collection for about two-thirds of the control set.

NIST CSF v2.0 โ€” ๐ŸŸข High overlap (60%)

NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) map to ISO 27001 Clauses 4 through 10 and Annex A. CSF is a voluntary framework without certification, often used as a maturity model. Organizations already certified to ISO 27001 can demonstrate CSF alignment with minimal additional effort.

Frequently Asked Questions

Does ISO 27001 apply to my organization if we only use cloud services and have no on-premises infrastructure?
Yes. ISO 27001 applies to information security regardless of where systems run. Cloud-only organizations define their ISMS scope around cloud accounts, SaaS tools, and remote workforce practices. The 2022 revision added control A.5.23 (Information security for use of cloud services) specifically for cloud environments. Your Clause 4.3 scope statement will reference AWS accounts, regions, and services rather than physical data centers.
How long does ISO 27001 certification take from scratch?
Expect 6 to 14 months for a first-time certification. Smaller organizations (under 50 employees) with a focused scope can finish in 6 to 8 months. Larger enterprises with multiple business units, regions, or complex supply chains commonly need 10 to 14 months. The time breaks down roughly as: ISMS design and documentation (2 to 4 months), implementation and evidence gathering (3 to 6 months), internal audit and management review (1 month), Stage 1 audit (1 to 2 weeks), remediation of findings (2 to 6 weeks), and Stage 2 audit (1 to 2 weeks).
What changed between ISO 27001:2013 and 2022, and do I need to recertify?
The management system clauses (4 through 10) had minor wording changes. The significant change was in Annex A: 114 controls across 14 domains were reorganized into 93 controls across 4 themes (Organizational, People, Physical, Technological). Eleven new controls were added, including A.5.7 (Threat intelligence), A.5.23 (Cloud services), A.8.11 (Data masking), and A.8.12 (Data leakage prevention). Organizations certified under the 2013 version had until October 31, 2025, to transition. If you have not transitioned, your certification has expired.
How much overlap can I expect if we are already SOC 2 Type II compliant?
Roughly 60 to 65 percent of evidence from a SOC 2 Type II engagement transfers to ISO 27001. Technical controls for encryption, logging, access management, and incident response overlap significantly. The gap is primarily in ISO 27001's management system requirements: you will need an ISMS scope statement (Clause 4.3), a formal risk assessment methodology and risk treatment plan (Clauses 6.1.2 and 6.1.3), a Statement of Applicability, an internal audit program (Clause 9.2), and management review minutes (Clause 9.3). None of these have direct SOC 2 equivalents.
What does the compliance.tf coverage for ISO 27001 actually prove to an auditor?
Automated checks prove that specific technical configurations existed at the time of the scan. An auditor may accept PowerPipe benchmark results as supporting evidence for Annex A.8 technological controls, specifically that encryption, logging, network restrictions, and backup configurations are in place. That said, compliance.tf produces no evidence for the management system (Clauses 4 through 10), people controls (A.6), or physical controls (A.7). You still need documented policies, risk assessments, training records, supplier agreements, and internal audit reports. Treat the automated checks as covering roughly 40 to 50 percent of total audit evidence.

HIPAA Omnibus Rule 2013

Previous Page

GDPR

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryCryptographic Controls (A.8.24) (2)Logging, Monitoring, and Accountability (A.8.15, A.8.16) (3)Network Security and Access Restriction (A.8.20, A.8.21, A.8.22) (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page