Gallery

Contacts

405 W. Greenlawn Ave Lansing, Michigan 48910

contact@techjacksolutions.com

+1-616-320-4064

Framework Explorer / ISO/IEC 27001

ISO/IEC 27001 in the AI Governance Framework Explorer

138 entries 60 cross-framework mappings 98 risk profiles Security standard Voluntary, certifiable

ISO/IEC 27001 is the international standard for information security management systems (ISMS). AI systems inherit its requirements: training data, model artifacts, and inference pipelines are information assets that need the same confidentiality, integrity, and availability controls.

Open the Interactive ExplorerJump to ISO/IEC 27001

Every ISO/IEC 27001 entry, explained

Titles identify each requirement; the one-line summaries below are original Tech Jacks plain-English descriptions, not official standard text. Click any ID to open the full entry — implementation guidance, evidence checklists, risk analysis, and FAQs — in the interactive explorer.

A.5 — Organizational Controls38 entries
A.5Organizational Controls

Organizational information security controls.

A.5.1Policies for information security

Information security policy and topic-specific policies shall be defined, approved and communicated.

A.5.2Information security roles and responsibilities

Information security roles and responsibilities shall be defined and allocated.

A.5.3Segregation of duties

Conflicting duties and conflicting areas of responsibility shall be segregated.

A.5.29Information security during disruption

The organization shall plan how to maintain information security at an appropriate level during disruption.

A.5.36Compliance with policies, rules and standards

Compliance with the organization information security policy, topic-specific policies, rules, and standards shall be regularly reviewed.

A.5.4Management Responsibilities

Management shall require all personnel to apply information security in accordance with the established policies and procedures.

A.5.5Contact with Authorities

The organization shall establish and maintain contact with relevant authorities regarding information security matters.

A.5.6Contact with Special Interest Groups

The organization shall establish and maintain contact with special interest groups, forums, and professional associations related to security.

A.5.7Threat Intelligence

Information about security threats shall be collected and analyzed to produce actionable threat intelligence.

A.5.8Information Security in Project Management

Information security shall be integrated into project management regardless of the project type.

A.5.9Inventory of Information and Other Associated Assets

An inventory of information and other associated assets, including their owners, shall be developed and maintained.

A.5.10Acceptable Use of Information and Other Associated Assets

Rules for the acceptable use of information and associated assets shall be identified, documented, and implemented.

A.5.11Return of Assets

Personnel and other interested parties shall return all organizational assets in their possession upon change or termination of their employment or agreement.

A.5.12Classification of Information

Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability, and relevant interested party requirements.

A.5.13Labelling of Information

An appropriate set of procedures for labeling information shall be developed and implemented in accordance with the adopted classification scheme.

A.5.14Information Transfer

Rules, procedures, or agreements for information transfer shall be in place for all types of transfer facilities within and outside the organization.

A.5.15Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and security requirements.

A.5.16Identity Management

The full lifecycle of identities shall be managed, covering creation, verification, provisioning, suspension, and removal.

A.5.17Authentication Information

Allocation and management of authentication information shall be controlled by a management process including advising personnel on appropriate handling.

A.5.18Access Rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified, and removed in accordance with established policies.

A.5.19Information Security in Supplier Relationships

Processes and procedures shall be defined and implemented to manage information security risks associated with the use of supplier products or services.

A.5.20Addressing Information Security Within Supplier Agreements

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

A.5.21Managing Information Security in the ICT Supply Chain

Processes and procedures shall be defined and implemented for managing information security risks associated with the ICT products and services supply chain.

A.5.22Monitoring, Review and Change Management of Supplier Services

The organization shall regularly monitor, review, evaluate, and manage change in supplier information security practices and service delivery.

A.5.23Information Security for Use of Cloud Services

Processes for acquisition, use, management, and exit from cloud services shall be established in accordance with the organization’s information security requirements.

A.5.24Information Security Incident Management Planning and Preparation

The organization shall plan and prepare for managing information security incidents by defining, establishing, and communicating incident management processes, roles, and responsibilities.

A.5.25Assessment and Decision on Information Security Events

The organization shall assess information security events and decide whether they should be categorized as information security incidents.

A.5.26Response to Information Security Incidents

Information security incidents shall be responded to in accordance with the documented procedures.

A.5.27Learning from Information Security Incidents

Knowledge gained from information security incidents shall be used to strengthen and improve information security controls.

A.5.28Collection of Evidence

The organization shall establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events.

A.5.30ICT Readiness for Business Continuity

ICT readiness shall be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

A.5.31Legal, Statutory, Regulatory and Contractual Requirements

Legal, statutory, regulatory, and contractual requirements relevant to information security and the approach to meeting them shall be identified, documented, and kept current.

A.5.32Intellectual Property Rights

The organization shall implement appropriate procedures to protect intellectual property rights.

A.5.33Protection of Records

Records shall be protected from loss, destruction, falsification, unauthorized access, and unauthorized release.

A.5.34Privacy and Protection of PII

The organization shall identify and meet the requirements regarding the preservation of privacy and protection of personally identifiable information as applicable.

A.5.35Independent Review of Information Security

The organization’s approach to managing information security and its implementation shall be reviewed independently at planned intervals or when significant changes occur.

A.5.37Documented Operating Procedures

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

A.8 — Technological Controls35 entries
A.8Technological Controls

Technological information security controls.

A.8.8Management of technical vulnerabilities

Information about technical vulnerabilities of information systems shall be obtained, evaluated and managed.

A.8.25Secure development lifecycle

Rules for the secure development of software and systems shall be established and applied.

A.8.1User endpoint devices

Information stored on, processed by, or accessible via user endpoint devices shall be protected.

A.8.2Privileged access rights

The allocation and use of privileged access rights shall be restricted and managed.

A.8.3Information access restriction

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

A.8.4Access to source code

Read and write access to source code, development tools, and software libraries shall be appropriately managed.

A.8.5Secure authentication

Secure authentication technologies and procedures shall be established and implemented based on information access restrictions and the topic-specific policy on access control.

A.8.6Capacity management

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

A.8.7Protection against malware

Protection against malware shall be implemented and supported by appropriate user awareness.

A.8.9Configuration management

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

A.8.10Information deletion

Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

A.8.11Data masking

Data masking shall be used in accordance with the topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

A.8.12Data leakage prevention

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

A.8.13Information backup

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

A.8.14Redundancy of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.8.15Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

A.8.16Monitoring activities

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

A.8.17Clock synchronization

The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

A.8.18Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.8.19Installation of software on operational systems

Procedures and measures shall be implemented to securely manage software installation on operational systems.

A.8.20Networks security

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

A.8.21Security of network services

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

A.8.22Segregation of networks

Groups of information services, users and information systems shall be segregated in the networks of the organization.

A.8.23Web filtering

Access to external websites shall be managed to reduce exposure to malicious content.

A.8.24Use of cryptography

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

A.8.26Application security requirements

Information security requirements shall be identified, specified and approved when developing or acquiring applications.

A.8.27Secure system architecture and engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activity.

A.8.28Secure coding

Secure coding principles shall be applied to software development.

A.8.29Security testing in development and acceptance

Security testing processes shall be defined and implemented in the development lifecycle.

A.8.30Outsourced development

The organization shall direct, monitor and review the activities related to outsourced system development.

A.8.31Separation of development, test and production environments

Development, testing and production environments shall be separated and secured.

A.8.32Change management

Changes to information processing facilities and information systems shall be subject to change management procedures.

A.8.33Test information

Test information shall be appropriately selected, protected and managed.

A.8.34Protection of information systems during audit testing

Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

4 — Context of the Organization5 entries
4Context of the Organization

Defines the organizational landscape and boundaries for information security management.

4.1Understanding the Organization and Its Context

Identify the internal and external factors that shape the organization’s information security posture.

4.2Understanding the Needs and Expectations of Interested Parties

Recognize stakeholders and determine which of their needs and expectations apply to the ISMS.

4.3Determining the Scope of the ISMS

Set the boundaries and applicability of the information security management system.

4.4Information Security Management System

Build, operate, maintain, and continuously evolve the ISMS in line with the standard’s requirements.

5 — Leadership4 entries
5Leadership

Establishes top management accountability for information security governance.

5.1Leadership and Commitment

Senior leaders must actively champion and resource the ISMS.

5.2Policy

Formalize an information security policy aligned with organizational purpose and objectives.

5.3Organizational Roles, Responsibilities and Authorities

Assign and communicate clear roles and authorities for information security functions.

6 — Planning7 entries
6Planning

Systematic planning for risk management, objectives, and change within the ISMS.

6.1Actions to Address Risks and Opportunities

Determine and plan responses to risks and opportunities relevant to the ISMS.

6.1.1General

Consider organizational context and stakeholder needs when identifying risks and opportunities for the ISMS.

6.1.2Information Security Risk Assessment

Establish a repeatable process for identifying, analyzing, and evaluating information security risks.

6.1.3Information Security Risk Treatment

Select appropriate treatment options and controls for assessed risks, producing a Statement of Applicability.

6.2Information Security Objectives and Planning to Achieve Them

Define measurable security objectives and create plans to reach them.

6.3Planning of Changes

When modifications to the ISMS are necessary, carry them out in a structured and deliberate manner.

7 — Support9 entries
7Support

Provision of resources, skills, awareness, communication, and documentation for the ISMS.

7.1Resources

Allocate the people, tools, and budget necessary to build and sustain the ISMS.

7.2Competence

Ensure personnel performing security-relevant work possess the appropriate skills and knowledge.

7.3Awareness

Make sure everyone in the organization understands the security policy and their role in upholding it.

7.4Communication

Define what, when, and how information security topics are communicated internally and externally.

7.5Documented Information

Manage the creation, updating, and control of all documentation the ISMS requires.

7.5.1General

The ISMS must include documentation demanded by the standard plus any additional records the organization deems necessary.

7.5.2Creating and Updating

Apply consistent identification, format, review, and approval practices when producing or revising documents.

7.5.3Control of Documented Information

Protect documents so they remain available, suitable for use, and adequately safeguarded against unauthorized changes.

8 — Operation4 entries
8Operation

Execution of planned security processes, risk assessments, and risk treatments.

8.1Operational Planning and Control

Plan, execute, and govern the processes needed to fulfill ISMS requirements and implement risk actions.

8.2Information Security Risk Assessment

Carry out risk assessments on a defined schedule or when significant changes arise.

8.3Information Security Risk Treatment

Put the risk treatment plan into action and document the outcomes.

9 — Performance Evaluation9 entries
9Performance Evaluation

Monitoring, auditing, and management review of the ISMS.

9.1Monitoring, Measurement, Analysis and Evaluation

Decide what to measure, how to measure it, and when to analyze and report on security performance.

9.2Internal Audit

Conduct periodic internal audits to verify the ISMS meets both organizational and standard requirements.

9.2.1General

Establish an internal audit function that evaluates ISMS conformity and effectiveness.

9.2.2Internal Audit Programme

Design an audit program covering frequency, methods, responsibilities, and reporting of findings.

9.3Management Review

Senior management must periodically assess the ISMS for ongoing suitability and effectiveness.

9.3.1General

Top management reviews the ISMS at scheduled intervals, considering all relevant inputs.

9.3.2Management Review Inputs

Gather status updates, performance data, audit results, and stakeholder feedback as inputs for the review.

9.3.3Management Review Results

Produce decisions and actions covering improvement opportunities and any needed ISMS changes.

10 — Improvement3 entries
10Improvement

Drive ongoing enhancement of the ISMS through corrective actions and continual improvement.

10.1Continual Improvement

Persistently enhance the fitness, adequacy, and effectiveness of the ISMS.

10.2Nonconformity and Corrective Action

Respond to nonconformities by containing immediate impact, investigating root causes, and implementing corrective actions.

A.6 — People Controls9 entries
A.6People Controls

Security controls focused on personnel throughout the employment lifecycle.

A.6.1Screening

Background verification checks on all candidates shall be performed before joining and on an ongoing basis.

A.6.2Terms and Conditions of Employment

Employment agreements shall state personnel and organizational information security responsibilities.

A.6.3Information Security Awareness, Education and Training

Personnel and relevant interested parties shall receive appropriate security awareness education and training.

A.6.4Disciplinary Process

A disciplinary process shall be formalized and communicated for information security policy violations.

A.6.5Responsibilities After Termination or Change of Employment

Security responsibilities and duties that remain valid after termination or role change shall be defined, enforced, and communicated.

A.6.6Confidentiality or Non-Disclosure Agreements

Confidentiality or non-disclosure agreements reflecting information protection needs shall be identified, documented, and reviewed.

A.6.7Remote Working

Security measures shall be implemented when personnel work remotely to protect information accessed, processed, or stored outside the premises.

A.6.8Information Security Event Reporting

The organization shall provide a mechanism for personnel to report observed or suspected information security events in a timely manner.

A.7 — Physical Controls15 entries
A.7Physical Controls

Controls addressing physical and environmental security of facilities and equipment.

A.7.1Physical Security Perimeters

Security perimeters shall be defined and used to protect areas containing sensitive information and information processing facilities.

A.7.2Physical Entry

Secure areas shall be protected by appropriate entry controls and access points.

A.7.3Securing Offices, Rooms and Facilities

Physical security for offices, rooms, and facilities shall be designed and implemented.

A.7.4Physical Security Monitoring

Premises shall be continuously monitored for unauthorized physical access.

A.7.5Protecting Against Physical and Environmental Threats

Protection against physical and environmental threats such as natural disasters and deliberate damage shall be designed and implemented.

A.7.6Working in Secure Areas

Security measures for working in secure areas shall be designed and implemented.

A.7.7Clear Desk and Clear Screen

Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, shall be defined and enforced.

A.7.8Equipment Siting and Protection

Equipment shall be sited securely and protected to reduce risks from environmental threats, hazards, and unauthorized access.

A.7.9Security of Assets Off-Premises

Off-site assets shall be protected, considering the different risks of working outside the organization premises.

A.7.10Storage Media

Storage media shall be managed through their lifecycle of acquisition, use, transport, and disposal in accordance with the classification scheme.

A.7.11Supporting Utilities

Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.7.12Cabling Security

Cables carrying power, data, or supporting information services shall be protected from interception, interference, or damage.

A.7.13Equipment Maintenance

Equipment shall be maintained correctly to ensure continued availability, integrity, and information security.

A.7.14Secure Disposal or Re-Use of Equipment

Items of equipment containing storage media shall be verified to ensure sensitive data and licensed software have been removed or securely overwritten before disposal or re-use.

How ISO/IEC 27001 maps to other frameworks

ISO/IEC 4200116 audited mappingsview framework →
NIST AI RMF15 audited mappingsview framework →
EU AI Act10 audited mappingsview framework →
OWASP LLM Top 107 audited mappingsview framework →
OWASP Agentic AI Top 105 audited mappingsview framework →
MITRE ATLAS7 audited mappingsview framework →

Sample audited mappings

High5.2A.5.1Policy frameworks align directly across AI and information security governance
High5.3A.5.2Role and responsibility definition across AI and information security governance
Medium6.1.2A.8.8Technical vulnerability management overlaps with AI-specific risk assessment
High9.2A.5.36Internal audit and compliance verification processes align directly
HighA.2.2A.5.1Policy framework alignment across AI governance and information security
HighA.3.2A.5.2Role definition across information security and AI governance domains

All 60 mappings are browsable in the interactive explorer and its knowledge graph.

Implementation templates for ISO/IEC 27001

Related guides

Frequently asked questions

How many ISO/IEC 27001 entries does the Framework Explorer cover?

138 entries, each with a plain-English explanation, implementation guidance at three organization sizes, evidence checklists, and risk context. 98 entries carry source-grounded risk profiles.

How does ISO/IEC 27001 relate to the other AI governance frameworks?

The Framework Explorer documents 60 audited cross-framework mappings touching ISO/IEC 27001, connecting it to ISO/IEC 42001, NIST AI RMF, EU AI Act, OWASP LLM Top 10, OWASP Agentic AI Top 10, MITRE ATLAS. Every mapping was verified against the source documents.

Is this content the official ISO/IEC 27001 text?

No. Entry titles identify each requirement, and all explanations are original plain-English summaries written by Tech Jacks Solutions. For official text, consult the publishing body directly.

Explore the other frameworks