
ISO 27001 Overview

ISO 27001 is the international standard for information security management. Understand its requirements and benefits.

This guide is part of the documentation available in SecBoard. It explains what ISO/IEC 27001 is, how it is structured, and how SecBoard modules help you implement and demonstrate compliance with an information security management system (ISMS) and its Annex A controls. Use SecBoard Framework Compliance to create an ISO 27001 framework, map controls, attach evidence, and track status; use the Risk Assessment module for risk assessment and treatment; and use the other SecBoard modules for assets, access, logging, incidents, policies, training, suppliers, and data protection.

What is ISO 27001?

ISO/IEC 27001 is the international standard for an information security management system (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS to protect the confidentiality, integrity, and availability of information. Certification is awarded by an accredited certification body after a successful audit. The standard uses a risk-based approach: you identify risks to information assets and apply controls (from Annex A or elsewhere) to treat those risks. The requirements in Clauses 4–10 are mandatory for every ISMS; the Annex A controls apply as determined by your risk treatment and are recorded in the Statement of Applicability.

ISO 27001 is often used together with ISO/IEC 27002, which provides implementation guidance for the Annex A controls. The 2022 edition of ISO 27001 includes Annex A with 93 controls grouped into four themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). Your ISMS scope (e.g. which processes, sites, and systems are in scope) and Statement of Applicability (SoA) define which controls apply, how they are implemented, and why any control is excluded.

Structure: clauses and Annex A themes

The main body of ISO 27001 (Clauses 4–10) covers context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A lists the controls you select and justify (including any exclusions) in your SoA. The four themes give a high-level map for assigning ownership and evidence in SecBoard.

Organizational controls (A.5)
Policies, roles, segregation of duties, threat intelligence, management of assets, access control, information transfer, supplier and cloud relationships, incident management, business continuity, legal and contractual compliance, privacy. Many of these map to SecBoard Document Register, Cabinet, Asset, TPRM, Incident, GDPR, Framework Compliance.
People controls (A.6)
Screening, terms and conditions of employment, awareness, education and training, disciplinary process, remote working, information security event reporting. Map to SecBoard Cabinet (HR/roles), Study, Gophish (awareness), Incident (reporting), Document Register (policies).
Physical controls (A.7)
Physical security perimeters, physical entry, offices and rooms, supporting utilities, cabling, equipment maintenance, storage media, secure disposal, clear desk and clear screen, unattended equipment. Map to SecBoard Asset (facilities, equipment), Document Register (procedures), Framework Compliance (evidence).
Technological controls (A.8)
User endpoint devices, privileged access, malware protection, vulnerability management, configuration management, backup, logging and monitoring, cryptography, secure development and testing, change management, protection of systems during audit testing. Map to SecBoard Cabinet, Access, SOC, KeyCert, Document Register, Incident, Framework Compliance.

How SecBoard modules support ISO 27001

SecBoard does not replace technical or physical controls, but it helps you manage the ISMS: risk assessment, control mapping, evidence, and status. Use the modules below in line with your scope and certification objectives.

Each entry below names the SecBoard module, the ISO 27001 area it supports, and how it helps.

Framework Compliance
  ISO 27001 area: Clauses 4–10, Annex A (all controls)
  How it helps: Create an ISO 27001 framework (framework_type = ISO 27001), define control categories and controls aligned to Annex A (or your SoA). Attach evidence (documents, links), assign owners and review dates. Use for gap analysis, SoA support, audit preparation, and tracking implementation. The dashboard and the Cabinet traffic light show compliance status.

Risk Assessment (app_risk)
  ISO 27001 area: Clause 6.1.2 (risk assessment), 6.1.3 (risk treatment)
  How it helps: Perform and document information security risk assessments. Link risks to ISO 27001 requirements (iso27001_requirement field). Use for risk identification, analysis, evaluation, and treatment plans. Evidence can be linked to Framework Compliance controls. Supports the risk-based approach required by ISO 27001.

Incident Register (app_incident)
  ISO 27001 area: A.5.24–A.5.28 (incident management: planning and preparation, assessment of events, response, learning from incidents, collection of evidence)
  How it helps: Record and manage information security events and incidents. Document response, escalation, and lessons learned. Use as evidence for A.5.24–A.5.28 and for Clause 7.4 (communication) and 8.1 (operational planning and control). Link to Framework Compliance controls.

Asset management (app_asset)
  ISO 27001 area: A.5.9 (inventory), A.5.10 (acceptable use and handling), A.5.12 (classification)
  How it helps: Maintain an inventory of information and other associated assets; support classification and handling rules. Use for scope and SoA evidence. Asset Guide available. Supports the organizational controls on asset management.

Keys & Certificates (app_keycert)
  ISO 27001 area: A.8.24 (use of cryptography)
  How it helps: Manage cryptographic keys and certificates. Track lifecycle and usage. Use as evidence for the control on use of cryptography and for the key-management rules it requires. Key/Cert Guide available.

Document Register / Legislative docs (app_doc)
  ISO 27001 area: A.5.1 (policies), A.5.2 (roles and responsibilities), procedures; Clause 7.5 (documented information)
  How it helps: Store and version ISMS policies, procedures, and role definitions. Link to Framework Compliance evidence. Mandatory Processes support recurring control activities. Essential for documented information (Clause 7.5).

Cabinet (app_cabinet)
  ISO 27001 area: A.5.15 (access control), A.5.16 (identity management), A.5.18 (access rights)
  How it helps: Manage users, groups, and permissions; support need-to-know and least privilege. Use for access control and identity management evidence. Cabinet Users Guide and Org Structure Guide support documentation.

SOC / Wazuh (app_soc)
  ISO 27001 area: A.8.15 (logging), A.8.16 (monitoring), A.8.9 (configuration management), A.8.32 (change management)
  How it helps: Centralise logs, monitor access and changes (e.g. file integrity monitoring, FIM). Use for logging and monitoring controls and for change and configuration evidence. FIM Dashboard Guide available. Attach reports or screenshots in Framework Compliance.

Gophish (app_gophish)
  ISO 27001 area: A.6.3 (awareness, education and training)
  How it helps: Run phishing simulations and awareness campaigns. Use for security awareness programme evidence. Gophish Guide available. Supports people controls.

Study / Training (app_study)
  ISO 27001 area: A.6.3 (awareness, education and training)
  How it helps: Deliver and track security awareness and training. Use for training records and A.6.3 evidence. Supports people controls.

Access (app_access)
  ISO 27001 area: A.5.15, A.5.18 (access control and access rights)
  How it helps: Manage application and resource access. Use with Cabinet for access control and privilege management evidence.

TPRM (app_tprm)
  ISO 27001 area: A.5.19 (supplier relationships), A.5.20 (supplier agreements), A.5.23 (cloud services)
  How it helps: Manage suppliers and third parties. Use Vendor inventory, VendorAssessment, VendorQuestionnaire, and VendorDocument for supplier security and contract evidence. Supports the organizational controls on external parties.

GDPR (app_gdpr)
  ISO 27001 area: A.5.34 (privacy and protection of PII), data protection
  How it helps: Where personal data is in scope, use Data Processing Activities, Data Retention Policy, DataBreachIncident, and DPIA for privacy and protection evidence. Overlaps with ISO 27001 where PII is an asset. Link to Framework Compliance.

Configuration (app_conf)
  ISO 27001 area: Scope, companies
  How it helps: Define companies and configuration. Use to scope the ISMS by entity and to align Framework Compliance instances to the right organisation.

Quick mapping: Annex A theme → SecBoard

Organizational (A.5): Framework Compliance, Risk Assessment, Incident Register, Asset, Document Register, Cabinet, Access, SOC, TPRM, GDPR, Mandatory Processes.
People (A.6): Framework Compliance, Cabinet, Study, Gophish, Incident Register (reporting), Document Register (policies).
Physical (A.7): Framework Compliance, Asset (facilities, equipment), Document Register (procedures).
Technological (A.8): Framework Compliance, Cabinet, Access, SOC, KeyCert, Document Register, Incident Register.

Getting started with ISO 27001 in SecBoard

  • Define scope: Use Configuration and Asset management to document in-scope processes, systems, and sites. Create an ISO 27001 framework in Framework Compliance (framework_type = ISO 27001).
  • Risk assessment: Use Risk Assessment (app_risk) for risk identification and treatment; link risks to iso27001_requirement where applicable. Document risk treatment plans and map to Annex A controls in Framework Compliance.
  • Map controls and SoA: In Framework Compliance, create control categories and controls aligned to Annex A (or your SoA). Attach evidence from Document Register, Asset, KeyCert, SOC, Incident, TPRM, GDPR as needed.
  • Policies and procedures: Store ISMS policies and procedures in Document Register; link to controls. Use Mandatory Processes for recurring activities. Ensure roles (Cabinet) and access (Access) are documented.
  • Awareness and incidents: Use Study and Gophish for awareness and training evidence; use Incident Register for incident management (A.5.24).
  • Review: Use the Framework Compliance dashboard and Cabinet traffic light to track status. Schedule internal audits (Clause 9.2) and management reviews (Clause 9.3); update evidence and the SoA as the ISMS evolves.

ISO 27001 and SecBoard

Use SecBoard Framework Compliance to map ISO 27001 clauses and Annex A controls to evidence; use Risk Assessment for risk assessment and treatment (Clause 6.1); and use Asset, Keys & Certificates, Document Register, Cabinet, SOC, Incident Register, Gophish, Study, TPRM, and GDPR to support the four Annex A themes. The Framework Compliance dashboard and the Cabinet compliance traffic light (e.g. ISO 27002) help you track status towards certification.

Align scope, risk assessment, and control evidence with your Statement of Applicability and auditor expectations for a sustainable ISMS.

Frequently asked questions

What is ISO 27001? — The international standard for an information security management system (ISMS). It specifies requirements for implementing and maintaining an ISMS using a risk-based approach; Annex A lists 93 controls in four themes (Organizational, People, Physical, Technological).

Where do I map ISO 27001 controls in SecBoard? — In SecBoard Framework Compliance, create a framework with type ISO 27001, then add control categories and controls aligned to Annex A (or your SoA). Attach evidence and assign owners. Use the dashboard to track status.

How does Risk Assessment support ISO 27001? — Clause 6.1.2 requires a risk assessment. Use Risk Assessment (app_risk) to perform and document it; link risks to iso27001_requirement. Risk treatment plans can map to Annex A controls in Framework Compliance.

Which modules support Annex A people controls? — Cabinet (roles, access), Study and Gophish (awareness, training), Incident Register (event reporting), Document Register (policies). Attach evidence to the relevant controls in Framework Compliance.

How do TPRM and GDPR fit? — TPRM supports A.5.19 (supplier relationships), A.5.20 (supplier agreements), and A.5.23 (cloud services): vendor list, assessments, contracts. GDPR supports A.5.34 (privacy and protection of PII) and data protection where personal data is in scope; use processing activities, retention, and breach management as evidence.

