ISO 27001:2022 Controls

Note

Controls not covered below are controls which cannot be fulfilled by Welkin. These include requirements such as:

• Your management team needs to regularly perform various risk analysis.
• You need to do background checks when recruiting.
• You need to activate multi-factor authentication in your Identity Provider.
• You need to have a policy on how to safely use USB sticks.
• Requirements which fall under the scope of the application.

ISO/IEC 27001:2022 is the latest version of the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability.

ISO/IEC 27001:2022 is structured around a risk-based approach, where organizations must identify and mitigate security risks through a set of well-defined controls. These controls are detailed in Annex A and includes 93 controls categorized into four key themes:

1. Organizational Controls (37 controls) – Covering governance, policies, roles, and responsibilities, such as information security roles, supplier relationships, and threat intelligence.
2. People Controls (8 controls) – Focused on human factors, including security awareness training, screening, and disciplinary processes.
3. Physical Controls (14 controls) – Addressing physical security measures like access controls, equipment security, and environmental protections.
4. Technological Controls (34 controls) – Covering cybersecurity measures such as encryption, identity management, and network security.

Welkin can help your organization implement some of these control.

Important

Many ISO 27001:2022 controls apply to your organization. Being a product, Welkin cannot help you implement all of them. For example, "Annex A 6 People Controls" is something your HR department should be tasked with and is outside the scope of Welkin. Controls which are not mentioned below are outside the scope of Welkin as an application platform.

Click on the links below to navigate the documentation by control.

ISO 27001 Annex A 5.1 Policies for Information Security

• Mission and Vision

ISO 27001 Annex A 5.3 Segregation of Duties

• Demarcation

ISO 27001 Annex A 5.15 Access Control

• Access Control
• How to Delegate

ISO 27001 Annex A 5.16 Identity Management

• Prepare Your Identity Provider (IdP)

ISO 27001 Annex A 5.19 Information Security in Supplier Relationships

• Provider Audit

ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements

• Provider Audit

ISO 27001 Annex A 5.21 Managing Information Security in the ICT Supply Chain

• Provider Audit

ISO 27001 Annex A 5.24 Information Security Incident Management Planning and Preparation

• Troubleshooting
• Metric Alerts
• Log-based Alerts
• Troubleshooting

ISO 27001 Annex A 5.30 ICT Readiness for Business Continuity

• We believe in community-driven open source
• Disaster Recovery
• Go-live Checklist

ISO 27001 Annex A 5.32 Intellectual Property Rights

• FAQ

ISO 27001 Annex A 5.34 Privacy and Protection of PII

• GDPR (EU)

ISO 27001 Annex A 5.36 Compliance With Policies, Rules and Standards for Information Security

• Policy-as-Code Dashboard

ISO 27001 Annex A 7 Physical Controls

• Provider Audit

ISO 27001 Annex A 8.2 Privileged Access Rights

• Demarcation

ISO 27001 Annex A 8.5 Secure Authentication

• Prepare Your Identity Provider (IdP)

ISO 27001 Annex A 8.6 Capacity Management

• Capacity Management (Kubernetes Status) Dashboard
• Capacity Management
• Cluster API
• Enforce Resources

ISO 27001 Annex A 8.7 Protection Against Malware

• Intrusion Detection Dashboard
• Enforce Trusted Registries

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

• Vulnerability Dashboard

ISO 27001 Annex A 8.9 Configuration Management

• Understand Welkin

ISO 27001 Annex A 8.10 Information Deletion

• How do I comply with GDPR Art. 17 Right to erasure ("right to be forgotten")?

ISO 27001 Annex A 8.12 Data Leakage Prevention

• Network Security Dashboard
• Network Model
• Enforce NetworkPolicies

ISO 27001 Annex A 8.13 Information Backup

• Disaster Recovery
• Backups

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

• Default Pod Topology Spread Constraints
• Enforce Minimum Replicas

ISO 27001 Annex A 8.15 Logging

• Logs

ISO 27001 Annex A 8.16 Monitoring Activities

• Audit Logs
• Intrusion Detection Dashboard

ISO 27001 Annex A 8.17 Clock Synchronization

• Clock Synchronization

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

• Enforce No Root

ISO 27001 Annex A 8.20 Networks Security

• Network Security Dashboard
• Network Model
• Enforce NetworkPolicies

ISO 27001 Annex A 8.21 Security of Network Services

• Network Security Dashboard
• Network Model
• Enforce NetworkPolicies

ISO 27001 Annex A 8.22 Segregation of Networks

• Network Security Dashboard
• Network Model
• Enforce NetworkPolicies

ISO 27001 Annex A 8.23 Web filtering

• Network Model

ISO 27001 Annex A 8.24 Use of Cryptography

• Cryptography Dashboard
• Use of Cryptography
• Network Model

ISO 27001 Annex A 8.25 Secure Development Life Cycle

• Overview
• Argo CD (preview)

ISO 27001 Annex A 8.27 Secure System Architecture and Engineering Principles

• Mission and Vision
• Architectural Decision Log
• Namespaces

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

• Quality Criteria

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

• How many environments?
• Namespaces

ISO 27001 Annex A 8.32 Change Management

• Understand Welkin
• Argo CD (preview)
• Enforce No Latest Tag

ISO 27001 Annex A 5.37 Documented Operating Procedures

The whole Welkin documentation contributes to this control.