Reference · ISO/IEC 27001:2022
ISO 27001 coverage map
Every clause and Annex A control family below links to where in Security Flare it lives. Useful when a certifier asks "where is your management review?" or when you're onboarding a new customer and need to point them at the right register. 39 clause entries mapped.
Headings are factual references to the standard; full normative text is licensed by ISO/IEC and is not reproduced here.
Clauses 4–6 · Context, leadership, planning
Scope, leadership commitment, and the planning machinery (risk assessment + treatment, SoA). The first place an auditor lands.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| 4.1 | Understanding the organisation and its context |
|
| 4.2 | Understanding the needs and expectations of interested parties |
|
| 4.3 | Determining the scope of the ISMS |
|
| 5.1 | Leadership and commitment |
|
| 5.2 | Information security policy |
|
| 6.1.1 | Actions to address risks and opportunities | |
| 6.1.2 | Information security risk assessment | |
| 6.1.3 | Information security risk treatment |
|
| 6.2 | Information security objectives + planning to achieve them |
|
Clause 7 · Support
Resources, competence, awareness, communication, and documented information — the operational backbone of the ISMS.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| 7.2 | Competence | |
| 7.3 | Awareness |
|
| 7.5 | Documented information |
|
Clause 8 · Operation
Operational planning + execution of the risk treatment plan.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| 8.1 | Operational planning and control |
|
| 8.2 | Information security risk assessment (operational) | |
| 8.3 | Information security risk treatment (operational) |
Clause 9 · Performance evaluation
Monitoring, measurement, internal audit, and management review.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| 9.1 | Monitoring, measurement, analysis, evaluation |
|
| 9.2 | Internal audit |
|
| 9.3 | Management review |
|
Clause 10 · Improvement
Continual improvement and the corrective-action loop for nonconformities — the §10.1/§10.2 surface.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| 10.1 | Continual improvement |
|
| 10.2 | Nonconformity and corrective action |
|
Annex A.5 · Organisational controls
The 37 organisational controls. Most live in policies, risks, the asset register, or the supplier / incident registers.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| A.5.1 | Policies for information security | |
| A.5.2 / A.5.4 | Information security roles + management responsibilities | |
| A.5.9 | Inventory of information and other associated assets | |
| A.5.10 | Acceptable use of information and other associated assets |
|
| A.5.12 | Classification of information |
|
| A.5.15 | Access control |
|
| A.5.19 – A.5.23 | Supplier relationships + the ICT supply chain + cloud services |
|
| A.5.24 – A.5.27 | Information security incident management |
|
| A.5.29 / A.5.30 | ICT continuity, BC, recovery |
|
| A.5.36 | Compliance with policies, rules and standards |
|
| A.5.37 | Documented operating procedures |
Annex A.6 · People controls
The 8 people-related controls. Most flow through the training + team surfaces.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| A.6.1 / A.6.2 | Screening + terms and conditions of employment |
|
| A.6.3 | Information security awareness, education and training |
|
| A.6.8 | Information security event reporting |
Annex A.7 · Physical controls
The 14 physical controls (perimeter, entry, equipment). Mostly site-level; the asset register tracks them as type = "site".
| Clause | Topic | Where in Security Flare |
|---|---|---|
| A.7.x (all) | Physical perimeter, entry, equipment |
|
Annex A.8 · Technological controls
The 34 technological controls. Most map to control state + evidence; some have dedicated surfaces.
| Clause | Topic | Where in Security Flare |
|---|---|---|
| A.8.1 – A.8.34 (all) | Technological controls |
|
| A.8.13 | Information backup |
|
| A.8.15 | Logging |
|
| A.8.16 | Monitoring activities |