Framework · ISO 27001

ISO 27001 certification, enforced continuously.

Annex A of ISO 27001:2022 defines 93 controls across four themes. ZeroTB maps each one to the same five enforcement domains used by SOC 2 and HIPAA. Same engine. Different lens.

ISO 27001 · ISO/IEC 27001:2022
Scope

Annex A. 93 controls. Mapped to your stack.

ISO 27001:2022 organizes Annex A controls into four themes: Organizational, People, Physical, Technological. Each theme overlays the ZeroTB enforcement domains and inherits the same engine.

Certification requires both the ISMS (clauses 4 through 10) and the Annex A controls declared applicable in your Statement of Applicability to be in place and working; excluded controls need a documented justification. ZeroTB provides the controls and the evidence. The ISMS is your governance layer; ZeroTB is the operational substrate underneath.

Surveillance audits run each year and recertification on a three-year cycle. ZeroTB carries the evidence chain across each cycle without a quarter-end scramble.


Scope at a glance

Standard: ISO/IEC 27001:2022
Annex A controls: 93 across four themes
Themes: Organizational, People, Physical, Technological
Certification: Stage 1 + Stage 2 + Surveillance
Recert cycle: 3 years
Domains used: All five

How Annex A maps

Four themes. Five enforcement domains.

ISO 27001:2022 Annex A controls map directly to the same enforcement domains. The integration substrate is the same. The lens is different.

01

Organizational controls (A.5)

Policies, governance, asset and information classification, supplier relationships.

  • Information security policies tracked per role
  • Access management policy enforced through Identity domain
  • Supplier and third-party due diligence orchestrated
  • Information classification carried into enforcement
  • Asset inventory continuous, not snapshot
02

People controls (A.6)

Awareness, training, screening, disciplinary processes.

  • Security awareness training tracked per role
  • Pre-employment screening evidenced
  • Acceptable use policy attestation enforced
  • Termination procedures tied to HRIS events
  • Access removal cascading across every system
03

Physical & Technological (A.7, A.8)

Endpoint, infrastructure, cryptography, vulnerability management. Physical controls (A.7) still need facility-level evidence alongside the technological controls listed here.

  • Endpoint encryption, posture, and patch level enforced
  • Cryptography standards applied across the environment
  • Vulnerability management with SLA-tracked remediation
  • Configuration baselines on every cloud resource
  • Logging, monitoring, and audit trails continuous
What ZeroTB enforces specifically

Concrete actions, traced and timestamped.

01

Information security policy attestation per role and per material update

02

Access management with joiner-mover-leaver, periodic review, MFA, and privileged access controls

03

Cryptography policy applied to data at rest and in transit

04

Supplier security with due diligence cadence enforced

05

Asset inventory continuously reconciled across cloud, identity, and endpoint

06

Vulnerability detection with severity-tiered remediation and tracked SLAs

07

Configuration baselines on every cloud resource

08

Endpoint encryption, posture, and patch level verified before SSO access

09

Audit logs preserved, signed, and retrievable by your certification body

10

ISMS-aligned evidence chain produced as a byproduct of enforcement
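What "preserved, signed, and retrievable" evidence means in practice is a tamper-evident, timestamped record chain that an auditor can re-verify. The following is an added illustration, not ZeroTB's own code or format: each record is hash-chained to its predecessor and signed with an HMAC-SHA256 key (assumed here; a real deployment would hold the key in a KMS or use an asymmetric signature so the certification body can verify without the secret). The sample records are constructed and show a leaver event cascading into access removals, tagged with the Annex A control they evidence.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical signing key for the example only; in production this lives in
# an HSM/KMS, or is replaced by an asymmetric signature for third-party verification.
SIGNING_KEY = b"example-key-do-not-use-in-production"

GENESIS = "0" * 64  # back-link of the first record


def canonical(record: dict) -> bytes:
    """Deterministic serialization so hash and signature cover exactly one byte string."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, control: str, action: str, actor: str, ts: str = "") -> dict:
    """Append a timestamped, hash-chained, HMAC-signed evidence record to the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "control": control,   # Annex A identifier the record evidences, e.g. A.5.18 (access rights)
        "action": action,
        "actor": actor,
        "prev_hash": prev_hash,
    }
    digest = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    record = {**body, "hash": digest, "sig": sig}
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Recompute every sequence number, back-link, hash and signature; report the first failure."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if rec.get("seq") != i:
            return False, f"record {i}: sequence gap or reordering"
        if body.get("prev_hash") != prev_hash:
            return False, f"record {i}: back-link does not match previous record"
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != rec.get("hash"):
            return False, f"record {i}: content was modified after signing"
        expected_sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec.get("sig", "")):
            return False, f"record {i}: signature invalid"
        prev_hash = digest
    return True, "chain intact"


def build_sample_chain() -> list:
    """Constructed sample: an HRIS termination cascading into access removal (A.6.5 -> A.5.18)."""
    chain = []
    append_event(chain, "A.6.5", "hris.termination", "hris", "2024-03-01T09:00:00+00:00")
    append_event(chain, "A.5.18", "idp.account.disabled", "automation", "2024-03-01T09:00:04+00:00")
    append_event(chain, "A.5.18", "cloud.iam.user.deleted", "automation", "2024-03-01T09:00:09+00:00")
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    print(verify_chain(sample))
    sample[1]["actor"] = "someone-else"  # simulate after-the-fact editing
    print(verify_chain(sample))
```

Editing, deleting, or reordering any record breaks the chain at a verifiable point, which is the property an auditor needs from evidence produced as a byproduct of enforcement rather than assembled at audit time.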

Run an ISO 27001 Blueprint review.

Book a call