Public Beta. Reference implementation only — not a compliance certification, attestation, or audit outcome.

Control template: ISO/IEC 27001:2022

Status: Public Beta · Version: iso-27001-2022/v0.1.0-beta

A bundle of CALM control snippets covering the architecturally enforceable subset of ISO/IEC 27001:2022 and the related ISO/IEC 27002:2022 Annex A controls. You copy these into your *.calm.json files on the nodes within your Information Security Management System (ISMS) scope.

Who ISO 27001 applies to

Voluntary international standard widely required for:

- Enterprise procurement — many large customers require ISO 27001 certification from SaaS / cloud / service providers
- International deals — ISO 27001 is the global counterpart to SOC 2 (US-centric); many EU / APAC procurement teams require it
- Government tenders — common requirement for IT services to public-sector buyers
- B2B SaaS — increasingly table stakes alongside SOC 2

The certification is voluntary but commercially essential in many segments. Certificates are issued by accredited bodies (BSI, DNV, Bureau Veritas, TÜV, etc.) and typically valid for 3 years with annual surveillance audits.

What this template covers

ISO 27001:2022 has 10 clauses (4–10 are auditable Plan-Do-Check-Act requirements) plus Annex A (93 controls across 4 themes). The architectural surface concentrates in Annex A.8 Technological Controls.

| ISO 27001:2022 Annex A | Architectural surface | Control alias |
|---|---|---|
| A.5.9 — Inventory of information assets | Asset inventory | iso27001-asset-inventory |
| A.5.12 — Classification of information | Data classification | iso27001-classification |
| A.5.15 — Access control | Access policy + RBAC | iso27001-access-control |
| A.5.30 — ICT readiness for BC | BCDR architecture | iso27001-bcdr |
| A.6.3 — Awareness, education + training | Training program (graph-level) | iso27001-training |
| A.8.2 — Privileged access rights | PAM / JIT | iso27001-privileged-access |
| A.8.5 — Secure authentication | Authentication mechanism | iso27001-secure-authentication |
| A.8.13 — Information backup | Backup architecture | iso27001-backup |
| A.8.15 — Logging | Logging architecture | iso27001-logging |
| A.8.16 — Monitoring activities | Monitoring + anomaly detection | iso27001-monitoring |
| A.8.24 — Cryptography | Cryptographic policy | iso27001-cryptography |
| A.8.28 — Secure coding | Secure-coding practices | iso27001-secure-coding |
| A.8.32 — Change management | Change management process | iso27001-change-management |

13 architectural controls covering the most-tested A.8 surfaces plus selected A.5 / A.6 items. The full ISMS — clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) — is governance + process, not architectural. Document those in your ISMS documentation.

The "ISMS-in-scope" pattern

A node is ISMS-in-scope if it's covered by your ISO 27001 scope statement. Tag those nodes:

{
  "unique-id": "saas-platform",
  "node-type": "service",
  "name": "SaaS Platform",
  "metadata": {
    "iso27001-in-scope": true,
    "iso27001-soa-reference": "SOA-2025-v1.2",
    "data-classification": "confidential"
  }
}

The Statement of Applicability (SoA) records which Annex A controls the firm has selected as applicable, with justifications. This template's controls map to specific A.* references for SoA traceability.


Control snippets

Copy each per-node block under the controls key of the node it applies to; the graph-level blocks (asset inventory, training, secure coding, change management) are shown with their enclosing metadata and controls keys and go at the graph level.

A.5.9 — Asset inventory (iso27001-asset-inventory)

Graph-level.

"metadata": {
  "controls": {
    "iso27001-asset-inventory": {
      "description": "ISO 27001:2022 A.5.9 — inventory of information and other associated assets including owners.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/asset-inventory",
          "config": {
            "control-id": "iso27001-asset-inventory",
            "inventory-source": "calm-graph-plus-cmdb",
            "tracked-attributes": ["owner", "classification", "criticality", "location"],
            "review-frequency": "at-least-annual"
          }
        }
      ]
    }
  }
}

A.5.12 — Classification (iso27001-classification)

Per-node.

"iso27001-classification": {
  "description": "ISO 27001:2022 A.5.12 — information classified according to information security needs based on confidentiality, integrity, availability, and relevant interested party requirements.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/classification",
      "config": {
        "control-id": "iso27001-classification",
        "classification-scheme": "public-internal-confidential-restricted",
        "applied-classification": "confidential",
        "labeling-mechanism": "metadata-tags-and-data-loss-prevention"
      }
    }
  ]
}

A.5.15 — Access control (iso27001-access-control)

Per-node.

"iso27001-access-control": {
  "description": "ISO 27001:2022 A.5.15 — access control rules implemented to control physical and logical access to information and other associated assets based on business and information security requirements.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/access-control",
      "config": {
        "control-id": "iso27001-access-control",
        "policy-document-url": "https://internal.example.com/iso27001/access-policy",
        "principle": "least-privilege-plus-need-to-know",
        "allowed-roles": ["read-only", "operator", "admin"],
        "review-frequency": "quarterly"
      }
    }
  ]
}

A.5.30 — ICT readiness for BC (iso27001-bcdr)

Per-node.

"iso27001-bcdr": {
  "description": "ISO 27001:2022 A.5.30 — ICT readiness planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/bcdr",
      "config": {
        "control-id": "iso27001-bcdr",
        "rpo-minutes": 60,
        "rto-minutes": 240,
        "test-frequency": "annual",
        "last-test-date": "2025-04-12",
        "bcdr-plan-document-url": "https://internal.example.com/iso27001/bcdr-plan"
      }
    }
  ]
}

A.6.3 — Training (iso27001-training)

Graph-level.

"metadata": {
  "controls": {
    "iso27001-training": {
      "description": "ISO 27001:2022 A.6.3 — personnel and relevant interested parties receive appropriate information security awareness, education, and training and regular updates of the organization's information security policy, topic-specific policies, and procedures as relevant for their job function.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/training",
          "config": {
            "control-id": "iso27001-training",
            "program-document-url": "https://internal.example.com/iso27001/training-program",
            "frequency": "annual-plus-onboarding",
            "completion-tracking-required": true,
            "phishing-simulation-included": true
          }
        }
      ]
    }
  }
}

A.8.2 — Privileged access (iso27001-privileged-access)

Per-node.

"iso27001-privileged-access": {
  "description": "ISO 27001:2022 A.8.2 — allocation and use of privileged access rights restricted and managed.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/privileged-access",
      "config": {
        "control-id": "iso27001-privileged-access",
        "pam-or-jit-required": true,
        "session-recording-required": true,
        "approval-workflow-required": true,
        "review-frequency": "monthly"
      }
    }
  ]
}

A.8.5 — Secure authentication (iso27001-secure-authentication)

Per-node.

"iso27001-secure-authentication": {
  "description": "ISO 27001:2022 A.8.5 — secure authentication technologies and procedures implemented based on information access restrictions and the topic-specific policy on access control.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/secure-authentication",
      "config": {
        "control-id": "iso27001-secure-authentication",
        "mechanism": "saml-sso-plus-mfa",
        "factor-count": 2,
        "factor-types": ["password", "totp-or-webauthn"],
        "service-to-service": "mtls-or-oauth2-client-credentials"
      }
    }
  ]
}

A.8.13 — Backup (iso27001-backup)

Per-node.

"iso27001-backup": {
  "description": "ISO 27001:2022 A.8.13 — backup copies of information, software, and systems maintained and regularly tested in accordance with the agreed topic-specific policy on backup.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/backup",
      "config": {
        "control-id": "iso27001-backup",
        "backup-frequency": "daily",
        "backup-encryption-at-rest": true,
        "backup-storage": "geographically-separate",
        "restoration-test-frequency": "semi-annual",
        "last-restoration-test-date": "2025-04-08"
      }
    }
  ]
}

A.8.15 — Logging (iso27001-logging)

Per-node.

"iso27001-logging": {
  "description": "ISO 27001:2022 A.8.15 — logs that record activities, exceptions, faults, and other relevant events produced, stored, protected, and analyzed.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/logging",
      "config": {
        "control-id": "iso27001-logging",
        "events": ["auth-success", "auth-failure", "privilege-elevation", "config-change", "data-access", "policy-violation"],
        "destination": "centralized-siem",
        "immutable": true,
        "retention-days": 365,
        "clock-synchronization": "ntp-stratum-1-or-better"
      }
    }
  ]
}

A.8.16 — Monitoring (iso27001-monitoring)

Per-node.

"iso27001-monitoring": {
  "description": "ISO 27001:2022 A.8.16 — networks, systems, and applications monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/monitoring",
      "config": {
        "control-id": "iso27001-monitoring",
        "monitored-signals": ["auth-failure-rate", "config-drift", "anomalous-egress", "policy-violations"],
        "alerting-target": "security-soc@example.com",
        "runbook-url": "https://internal.example.com/iso27001/runbooks/monitoring"
      }
    }
  ]
}

A.8.24 — Cryptography (iso27001-cryptography)

Per-node.

"iso27001-cryptography": {
  "description": "ISO 27001:2022 A.8.24 — rules for effective use of cryptography, including cryptographic key management, defined and implemented.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/cryptography",
      "config": {
        "control-id": "iso27001-cryptography",
        "at-rest-algorithm": "AES-256-GCM",
        "in-transit-minimum-tls": ["1.2", "1.3"],
        "key-management": "hsm-or-kms-cmk",
        "key-rotation-days": 365,
        "cryptographic-policy-url": "https://internal.example.com/iso27001/crypto-policy"
      }
    }
  ]
}

A.8.28 — Secure coding (iso27001-secure-coding)

Graph-level.

"metadata": {
  "controls": {
    "iso27001-secure-coding": {
      "description": "ISO 27001:2022 A.8.28 — secure coding principles applied to software development.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/secure-coding",
          "config": {
            "control-id": "iso27001-secure-coding",
            "policy-document-url": "https://internal.example.com/iso27001/secure-coding-policy",
            "review-required-before-merge": true,
            "sast-integrated-in-ci": true,
            "dependency-scanning-integrated": true,
            "developer-training-frequency": "annual"
          }
        }
      ]
    }
  }
}

A.8.32 — Change management (iso27001-change-management)

Graph-level.

"metadata": {
  "controls": {
    "iso27001-change-management": {
      "description": "ISO 27001:2022 A.8.32 — changes to information processing facilities and information systems subject to change management procedures.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/iso-27001-2022/change-management",
          "config": {
            "control-id": "iso27001-change-management",
            "policy-document-url": "https://internal.example.com/iso27001/change-mgmt",
            "protected-branches": ["main", "production"],
            "review-required": true,
            "deployment-approval-required": true,
            "post-implementation-review-required": true
          }
        }
      ]
    }
  }
}

What the engine enforces

Same constraint engine. Per-rule behavior:

All deterministic — pure function over your CALM JSON.

Statement of Applicability traceability

Each control's requirement-url contains the A.* reference. When your auditor asks "show me where you implement A.8.5," point at the node(s) attaching iso27001-secure-authentication — the engine's audit log records this directly. Useful for both Stage 1 (documented ISMS review) and Stage 2 (operational effectiveness) audits.
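As an added example (not code from the archrails project or its engine), the following Python script applies the ISMS-in-scope pattern and builds the SoA traceability map over a constructed CALM document: for each A.* reference it lists the in-scope nodes that attach a control for it, and it flags in-scope nodes missing a required per-node control. The A.* reference is read from each control's description, where the snippets above carry it; the document layout (a top-level nodes list, per-node controls key) and the sample node ids are assumptions.

```python
import re

A_REF = re.compile(r"\bA\.\d+\.\d+\b")  # Annex A reference as written in the control descriptions

def ctrl(ref, slug):
    return {"description": f"ISO 27001:2022 {ref} - {slug}",
            "requirements": [{"requirement-url": f"https://archrails.io/catalog/req/iso-27001-2022/{slug}",
                              "config": {"control-id": f"iso27001-{slug}"}}]}

# Constructed sample CALM document (not project data) in this page's snippet shape: two in-scope
# nodes plus one out-of-scope node that also carries a control and must not appear in the SoA trace.
SAMPLE_CALM = {"nodes": [
    {"unique-id": "saas-platform", "node-type": "service",
     "metadata": {"iso27001-in-scope": True, "iso27001-soa-reference": "SOA-2025-v1.2"},
     "controls": {"iso27001-secure-authentication": ctrl("A.8.5", "secure-authentication"),
                  "iso27001-logging": ctrl("A.8.15", "logging")}},
    {"unique-id": "billing-db", "node-type": "database",
     "metadata": {"iso27001-in-scope": True, "iso27001-soa-reference": "SOA-2025-v1.2"},
     "controls": {"iso27001-logging": ctrl("A.8.15", "logging")}},
    {"unique-id": "marketing-site", "node-type": "webclient",
     "metadata": {"iso27001-in-scope": False},
     "controls": {"iso27001-logging": ctrl("A.8.15", "logging")}},
]}

def annex_ref(control):
    """A.* reference read from the control description (e.g. 'A.8.5'), or None."""
    m = A_REF.search(control.get("description", ""))
    return m.group(0) if m else None

def in_scope_nodes(calm):
    """Nodes tagged with the ISMS-in-scope pattern: metadata.iso27001-in-scope == true."""
    return [n for n in calm.get("nodes", []) if n.get("metadata", {}).get("iso27001-in-scope") is True]

def soa_traceability(calm):
    """Map each A.* reference to the sorted in-scope node ids that attach a control for it."""
    trace = {}
    for node in in_scope_nodes(calm):
        for control in node.get("controls", {}).values():
            ref = annex_ref(control)
            if ref:
                trace.setdefault(ref, set()).add(node["unique-id"])
    return {ref: sorted(ids) for ref, ids in sorted(trace.items())}

def coverage_gaps(calm, required_refs):
    """In-scope nodes missing any of the required per-node A.* references."""
    gaps = {}
    for node in in_scope_nodes(calm):
        have = {annex_ref(c) for c in node.get("controls", {}).values()}
        if missing := sorted(set(required_refs) - have):
            gaps[node["unique-id"]] = missing
    return gaps
```

Answering "show me where you implement A.8.5" is then a lookup of `soa_traceability(doc)["A.8.5"]`, and `coverage_gaps` gives the list of in-scope nodes that still need a snippet attached before the Stage 2 audit.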

Auto-include during bootstrap (coming)

A future release will let archrails bootstrap detect repos pursuing ISO 27001 certification (by asking, or by detecting isms / 27001 strings) and offer to auto-include this template.

Versioning

This is iso-27001-2022/v0.1.0-beta. Pre-1.0 = beta. Bumps to v1.0.0 per the GA criteria above. When ISO publishes the next revision (typically every ~10 years; 2013 → 2022), we ship a new template path. Customers pinned to 2022 keep their version until they explicitly upgrade.

Out of scope for this template

For those surfaces, pair this template with your ISMS documentation and engage your accredited certification body for the audit.