compliance.tf
Sign inStart Free Trial

ISO 27001 Compliant Terraform Modules
Enforced Before terraform apply

Annex A technological controls require encryption, logging, access management, and network security on every resource. These modules enforce those controls before terraform apply.

ISO 27001 is the international standard for information security management. Enterprise procurement teams in Europe and Asia-Pacific treat certification as a gate — no certificate, no signed contract. If your customers ask for an ISO 27001 certificate, this is where you start.

333

Controls

37

Clauses

34

AWS Modules

Start Free TrialView All Controls

No credit card or AWS account needed to start.

From the team behind terraform-aws-modules. 2B+ provisions worldwide.

VPC · IAM · RDS · EC2 · CloudWatch Logs · S3SOC 2 Type II CertifiedAvailable on AWS Marketplace

Three Steps to ISO 27001 Compliant Infrastructure

For terraform-aws-modules users, migration is a one-line change. Same workflow, same interface. Bringing your own modules? We can make those compliant too. Join the beta.

1

Change One Line

main.tf
module "s3" {
- source = "registry.terraform.io/..."
+ source = "iso27001.compliance.tf/..."
 
  bucket = "awesome-docs"
}
2

Run Terraform Commands

terminal
$ terraform init
Initializing modules...
- module.s3 in iso27001.compliance.tf/...
Terraform has been successfully initialized!
$ terraform apply
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
3

Compliance Enforced

A.8.24 · Default Encryption
A.8.24 · KMS Encryption
A.8.15 · Logging Enabled
A.8.11 · Public Access Blocked
A.8.1 · Block Public Read
A.8.1 · Block Public Write
A.8.20 · SSL Requests Only
A.8.13 · Versioning Enabled

Every compliance requirement you define is enforced automatically. Nothing to scan, nothing to remediate.

Controls Enforced for ISO 27001

333 controls across 37 clauses

Enforced (146)Detected (187)
  • AWS Security Hub should be enabled for an AWS Account
  • AWS Well-Architected Tool workload has no high or medium risks

View full control documentation with implementation details

View ISO 27001 reference documentation

ISO 27001 Scope: What We Handle vs. What You Own

compliance.tf handles the infrastructure configuration layer for ISO 27001. Here is what it covers and what stays with your team.

compliance.tf Enforces for ISO 27001

  • Annex A technological controls (A.8 family: cryptography, logging, access, network)
  • ISO 27001:2022 control mapping with specific Annex A clause IDs
  • Deployment-time evidence generation via AWS-native tools
  • Upstream module updates (terraform-aws-modules kept in sync)
  • Exception management with audit trail
  • Control documentation and Annex A mapping matrices

See which modules are covered

View ISO 27001 reference documentation

Your Team Still Handles for ISO 27001

  • Information Security Management System (ISMS) documentation
  • Risk assessment and treatment plans (Clauses 6.1, 8.2)
  • Management reviews and internal audits (Clauses 9.2, 9.3)
  • Competence, awareness, and training programs (Clause 7.2)
  • Incident management procedures (A.5.24–A.5.28)
  • Supplier relationship security (A.5.19–A.5.23)
  • Physical security controls (A.7 family)

compliance.tf handles the Annex A technological controls (A.8 family) that map to AWS resource configuration. Your ISMS documentation, risk assessments, and organizational controls remain your team's responsibility.

ISO 27001 Audit Evidence — Built Into Your Workflow

Your auditor does not need to trust compliance.tf. Evidence comes from AWS-native tools they already accept.

Evidence your auditor already trusts

Every compliance.tf module enforces controls at deploy time. When AWS Config, Security Hub, or Audit Manager evaluates your resources, they report clean findings because the controls are built into the modules, not bolted on after the fact.

  • AWS Config rules validate resource configuration continuously
  • Security Hub aggregates findings across accounts and regions
  • Audit Manager generates assessment reports mapped to ISO 27001
  • Downloadable control mapping matrices for your auditor
evidence.json
{
  "framework": "ISO 27001",
  "clause": "A.8.24",
  "control": "s3_bucket_default_encryption_enabled",
  "status": "COMPLIANT",
  "source": "AWS Config",
  "resource": "arn:aws:s3:::awesome-docs",
  "evaluated": "2026-03-04T10:30:00Z"
}

Prevention vs. Detection for ISO 27001

compliance.tf prevents non-compliant deployments. Scanning tools detect them after the fact. Most mature programs use both.

DimensionIaC Scanning
Checkov / Trivy / Prowler		Compliance.tf
Prevents non-compliant configs before terraform applyNo (post-plan scan)Yes
Maps controls to framework clause IDsPartialYes
Produces auditor-accepted evidence (AWS-native)Scan reports onlyYes
Exception management with audit trailSuppression rulesYes
Same interface as terraform-aws-modulesN/AYes
Keeps pace with upstream module updatesN/AYes
Catches runtime drift / console changesYesNo
Covers non-Terraform resourcesYesNo
Internal engineering timeMediumLow

We recommend keeping scanning tools active alongside compliance.tf for defense in depth. The scanner validates what compliance.tf already enforces.

ISO 27001 Compliance Questions

Is this ISO 27001:2013 or 2022?

compliance.tf maps controls to ISO 27001:2022, the current version. The 2022 revision restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes (Organizational, People, Physical, Technological). Our modules focus on the Technological theme (A.8), which maps directly to AWS resource configuration.

Which Annex A controls does this cover?

compliance.tf enforces controls from Annex A.8 (Technological controls): cryptography (A.8.24), logging and monitoring (A.8.15–A.8.16), access control (A.8.1–A.8.5), network security (A.8.20–A.8.22), data masking (A.8.11), and information backup (A.8.13). These are the Annex A controls that translate directly to infrastructure configuration.

Does compliance.tf help with ISO 27001 certification?

compliance.tf ensures your AWS infrastructure meets the Annex A technological controls your auditor will assess. It does not replace the certification process — you still need an ISMS, risk assessments, internal audits, and a certification body audit. What it does is ensure the infrastructure controls are enforced before deployment, reducing findings during your Stage 2 audit.

How is this different from Checkov, Trivy, or Prowler?

Those tools are detective controls. They scan infrastructure after you write it and report findings you fix manually. compliance.tf is a preventive control. The modules themselves cannot produce non-compliant resources. There is nothing to scan, nothing to remediate. Most teams keep their scanners running alongside compliance.tf for defense in depth.

Can I adopt this gradually, or is it all-or-nothing?

Fully incremental. Start with one module in one environment. Your existing modules continue working untouched. If you use Terragrunt or Terramate to orchestrate your runs, nothing changes — you’re only swapping the module source line. There is no global policy agent to deploy, no wrapper binary, no sidecar. Each module source line is independent.

Will my auditor accept this as evidence?

Your auditor does not need to trust compliance.tf directly. Evidence comes from AWS-native tools they already accept: AWS Config, Security Hub, and Audit Manager. We enforce controls at deploy time so those AWS tools always report clean findings.

What if I want to switch back or compliance.tf shuts down?

Our modules are standard Terraform. They work with Terraform, OpenTofu, Terragrunt, Terramate, and any tool that speaks the Terraform module protocol. Every module is a drop-in replacement for its upstream terraform-aws-modules equivalent with the same variables and outputs. Change your module source line back, run terraform init. Your infrastructure does not change. No lock-in, no proprietary state.

Start Deploying ISO 27001-Compliant Infrastructure

$100/year for all 34 modules, all frameworks. 30-day free trial.

Start Free TrialContact Sales

No credit card required. Switch back at any time.

Stay Informed About New Features

Join the mailing list for releases, new modules, and roadmap updates. No spam. Unsubscribe anytime.

Not convinced yet or dying for a feature we don't have? Send us an email — we really want to hear your feedback!