# ISO 27001 Controls Mapping for SOC Operations
Map SOC operational processes to ISO/IEC 27001:2022 Annex A controls.
Use this document to demonstrate compliance during audits and identify coverage gaps.
## 1. Overview
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). This mapping shows how the SOC Standard Operating Procedures align with the 93 Annex A controls, which the standard groups into four themes (organizational, people, physical and technological).
### Compliance Score
```mermaid
pie title ISO 27001 Annex A Coverage
    "Fully Covered" : 34
    "Partially Covered" : 18
    "Not SOC Scope" : 41
```
52 of the 93 Annex A controls (34 fully, 18 partially) are addressed by SOC operations; the remaining 41 fall outside SOC scope.
## 2. Organizational Controls (A.5)
| Control | Title | SOC Coverage | SOC Document |
|---|---|---|---|
| A.5.1 | Policies for information security | ✅ Full | Access Control |
| A.5.2 | Information security roles | ✅ Full | SOC Team Structure |
| A.5.4 | Management responsibilities | ✅ Full | SOC Metrics & KPIs |
| A.5.5 | Contact with authorities | ✅ Full | Escalation Matrix |
| A.5.7 | Threat intelligence | ✅ Full | TI Lifecycle |
| A.5.8 | Information security in project management | 🟡 Partial | Change Management |
| A.5.23 | Information security for cloud services | ✅ Full | Cloud Security Monitoring |
| A.5.24 | Incident management planning | ✅ Full | IR Framework |
| A.5.25 | Assessment and decision on events | ✅ Full | Severity Matrix, Incident Classification |
| A.5.26 | Response to incidents | ✅ Full | 50 Playbooks, Tier Runbooks |
| A.5.27 | Learning from incidents | ✅ Full | Lessons Learned |
| A.5.28 | Collection of evidence | ✅ Full | Evidence Collection, Forensic Investigation |
| A.5.29 | Information security during disruption | ✅ Full | Disaster Recovery / BCP |
| A.5.30 | ICT readiness for business continuity | 🟡 Partial | DR/BCP |
| A.5.35 | Independent review of information security | ✅ Full | SOC Maturity Assessment, SOC Assessment Checklist |
| A.5.36 | Compliance with policies | 🟡 Partial | Compliance Gap Analysis |
| A.5.37 | Documented operating procedures | ✅ Full | This entire repository |
## 3. People Controls (A.6)
| Control | Title | SOC Coverage | SOC Document |
|---|---|---|---|
| A.6.1 | Screening | 🟡 Partial | SOC Team Structure (interview guide) |
| A.6.2 | Terms and conditions of employment | ⬜ Not SOC scope | — |
| A.6.3 | Information security awareness & training | ✅ Full | Training Checklist, Analyst Onboarding |
| A.6.4 | Disciplinary process | 🟡 Partial | Insider Threat Program |
| A.6.7 | Remote working | 🟡 Partial | VPN Abuse Playbook |
## 4. Physical Controls (A.7)
| Control | Title | SOC Coverage | SOC Document |
|---|---|---|---|
| A.7.9 | Security of assets off-premises | ✅ Full | Lost Device Playbook, Mobile Compromise |
| A.7.10 | Storage media | 🟡 Partial | USB Removable Media Playbook |
## 5. Technological Controls (A.8)
| Control | Title | SOC Coverage | SOC Document |
|---|---|---|---|
| A.8.1 | User endpoint devices | ✅ Full | Malware Playbook, EDR monitoring |
| A.8.2 | Privileged access rights | ✅ Full | Privilege Escalation PB, Access Control |
| A.8.3 | Information access restriction | ✅ Full | Access Control |
| A.8.5 | Secure authentication | ✅ Full | Brute Force PB, MFA Bypass PB |
| A.8.7 | Protection against malware | ✅ Full | Malware PB, Ransomware PB |
| A.8.8 | Management of technical vulnerabilities | ✅ Full | Vulnerability Management |
| A.8.15 | Logging | ✅ Full | Log Source Matrix, Log Source Onboarding |
| A.8.16 | Monitoring activities | ✅ Full | Network Security Monitoring, Alert Tuning |
| A.8.17 | Clock synchronization | 🟡 Partial | Log Source Matrix |
| A.8.20 | Network security | ✅ Full | Network Security Monitoring |
| A.8.21 | Security of network services | 🟡 Partial | DDoS PB |
| A.8.22 | Segregation of networks | 🟡 Partial | Lateral Movement PB |
| A.8.23 | Web filtering | 🟡 Partial | Web Attack PB |
| A.8.25 | Secure development life cycle | 🟡 Partial | Detection Rule Testing |
| A.8.26 | Application security requirements | 🟡 Partial | SQL Injection PB, API Abuse PB |
| A.8.28 | Secure coding | 🟡 Partial | SQL Injection PB |
## 6. Gap Analysis Summary
### Areas with Strong Coverage (✅)
- Incident Management (A.5.24–A.5.28) — Full lifecycle covered by IR Framework + 50 Playbooks
- Threat Intelligence (A.5.7) — Dedicated TI Lifecycle + TI Feeds Integration
- Logging & Monitoring (A.8.15–A.8.16) — Log Source Matrix + Network/Cloud Monitoring
- Vulnerability Management (A.8.8) — Dedicated SOP
- Business Continuity (A.5.29) — DR/BCP plan
### Areas Needing Attention (🟡)
- A.5.8 Project Management — Add security review checklist for SOC tool deployments
- A.8.17 Clock Sync — Add NTP configuration guide to Log Source Onboarding
- A.8.22 Network Segregation — Add network zone documentation
### Out of SOC Scope (⬜)
- Physical security controls (A.7.1–A.7.8) — Facility management responsibility
- HR controls (A.6.2, A.6.5, A.6.6) — HR department responsibility
- Cryptography (A.8.24) — Development team responsibility