Framework Explorer / ISO/IEC 27001
ISO/IEC 27001 in the AI Governance Framework Explorer
ISO/IEC 27001 is the international standard for information security management systems (ISMS). AI systems inherit its requirements: training data, model artifacts, and inference pipelines are information assets that need the same confidentiality, integrity, and availability controls.
Open the Interactive ExplorerJump to ISO/IEC 27001
Every ISO/IEC 27001 entry, explained
Titles identify each requirement; the one-line summaries below are original Tech Jacks plain-English descriptions, not official standard text. Click any ID to open the full entry — implementation guidance, evidence checklists, risk analysis, and FAQs — in the interactive explorer.
A.5 — Organizational Controls38 entries
Information security policy and topic-specific policies shall be defined, approved and communicated.
Information security roles and responsibilities shall be defined and allocated.
Conflicting duties and conflicting areas of responsibility shall be segregated.
The organization shall plan how to maintain information security at an appropriate level during disruption.
Compliance with the organization information security policy, topic-specific policies, rules, and standards shall be regularly reviewed.
Management shall require all personnel to apply information security in accordance with the established policies and procedures.
The organization shall establish and maintain contact with relevant authorities regarding information security matters.
The organization shall establish and maintain contact with special interest groups, forums, and professional associations related to security.
Information about security threats shall be collected and analyzed to produce actionable threat intelligence.
Information security shall be integrated into project management regardless of the project type.
An inventory of information and other associated assets, including their owners, shall be developed and maintained.
Rules for the acceptable use of information and associated assets shall be identified, documented, and implemented.
Personnel and other interested parties shall return all organizational assets in their possession upon change or termination of their employment or agreement.
Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability, and relevant interested party requirements.
An appropriate set of procedures for labeling information shall be developed and implemented in accordance with the adopted classification scheme.
Rules, procedures, or agreements for information transfer shall be in place for all types of transfer facilities within and outside the organization.
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and security requirements.
The full lifecycle of identities shall be managed, covering creation, verification, provisioning, suspension, and removal.
Allocation and management of authentication information shall be controlled by a management process including advising personnel on appropriate handling.
Access rights to information and other associated assets shall be provisioned, reviewed, modified, and removed in accordance with established policies.
Processes and procedures shall be defined and implemented to manage information security risks associated with the use of supplier products or services.
Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.
Processes and procedures shall be defined and implemented for managing information security risks associated with the ICT products and services supply chain.
The organization shall regularly monitor, review, evaluate, and manage change in supplier information security practices and service delivery.
Processes for acquisition, use, management, and exit from cloud services shall be established in accordance with the organization’s information security requirements.
The organization shall plan and prepare for managing information security incidents by defining, establishing, and communicating incident management processes, roles, and responsibilities.
The organization shall assess information security events and decide whether they should be categorized as information security incidents.
Information security incidents shall be responded to in accordance with the documented procedures.
Knowledge gained from information security incidents shall be used to strengthen and improve information security controls.
The organization shall establish and implement procedures for the identification, collection, acquisition, and preservation of evidence related to information security events.
ICT readiness shall be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
Legal, statutory, regulatory, and contractual requirements relevant to information security and the approach to meeting them shall be identified, documented, and kept current.
The organization shall implement appropriate procedures to protect intellectual property rights.
Records shall be protected from loss, destruction, falsification, unauthorized access, and unauthorized release.
The organization shall identify and meet the requirements regarding the preservation of privacy and protection of personally identifiable information as applicable.
The organization’s approach to managing information security and its implementation shall be reviewed independently at planned intervals or when significant changes occur.
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
A.8 — Technological Controls35 entries
Information about technical vulnerabilities of information systems shall be obtained, evaluated and managed.
Rules for the secure development of software and systems shall be established and applied.
Information stored on, processed by, or accessible via user endpoint devices shall be protected.
The allocation and use of privileged access rights shall be restricted and managed.
Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
Read and write access to source code, development tools, and software libraries shall be appropriately managed.
Secure authentication technologies and procedures shall be established and implemented based on information access restrictions and the topic-specific policy on access control.
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Protection against malware shall be implemented and supported by appropriate user awareness.
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Data masking shall be used in accordance with the topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Procedures and measures shall be implemented to securely manage software installation on operational systems.
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
Groups of information services, users and information systems shall be segregated in the networks of the organization.
Access to external websites shall be managed to reduce exposure to malicious content.
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activity.
Security testing processes shall be defined and implemented in the development lifecycle.
The organization shall direct, monitor and review the activities related to outsourced system development.
Development, testing and production environments shall be separated and secured.
Changes to information processing facilities and information systems shall be subject to change management procedures.
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.
4 — Context of the Organization5 entries
Defines the organizational landscape and boundaries for information security management.
Identify the internal and external factors that shape the organization’s information security posture.
Recognize stakeholders and determine which of their needs and expectations apply to the ISMS.
Set the boundaries and applicability of the information security management system.
Build, operate, maintain, and continuously evolve the ISMS in line with the standard’s requirements.
5 — Leadership4 entries
Formalize an information security policy aligned with organizational purpose and objectives.
Assign and communicate clear roles and authorities for information security functions.
6 — Planning7 entries
Determine and plan responses to risks and opportunities relevant to the ISMS.
Consider organizational context and stakeholder needs when identifying risks and opportunities for the ISMS.
Establish a repeatable process for identifying, analyzing, and evaluating information security risks.
Select appropriate treatment options and controls for assessed risks, producing a Statement of Applicability.
Define measurable security objectives and create plans to reach them.
When modifications to the ISMS are necessary, carry them out in a structured and deliberate manner.
7 — Support9 entries
Ensure personnel performing security-relevant work possess the appropriate skills and knowledge.
Make sure everyone in the organization understands the security policy and their role in upholding it.
Define what, when, and how information security topics are communicated internally and externally.
Manage the creation, updating, and control of all documentation the ISMS requires.
The ISMS must include documentation demanded by the standard plus any additional records the organization deems necessary.
Apply consistent identification, format, review, and approval practices when producing or revising documents.
Protect documents so they remain available, suitable for use, and adequately safeguarded against unauthorized changes.
8 — Operation4 entries
Plan, execute, and govern the processes needed to fulfill ISMS requirements and implement risk actions.
Carry out risk assessments on a defined schedule or when significant changes arise.
Put the risk treatment plan into action and document the outcomes.
9 — Performance Evaluation9 entries
Decide what to measure, how to measure it, and when to analyze and report on security performance.
Conduct periodic internal audits to verify the ISMS meets both organizational and standard requirements.
Design an audit program covering frequency, methods, responsibilities, and reporting of findings.
Senior management must periodically assess the ISMS for ongoing suitability and effectiveness.
Top management reviews the ISMS at scheduled intervals, considering all relevant inputs.
Gather status updates, performance data, audit results, and stakeholder feedback as inputs for the review.
Produce decisions and actions covering improvement opportunities and any needed ISMS changes.
10 — Improvement3 entries
Drive ongoing enhancement of the ISMS through corrective actions and continual improvement.
Respond to nonconformities by containing immediate impact, investigating root causes, and implementing corrective actions.
A.6 — People Controls9 entries
Background verification checks on all candidates shall be performed before joining and on an ongoing basis.
Employment agreements shall state personnel and organizational information security responsibilities.
Personnel and relevant interested parties shall receive appropriate security awareness education and training.
A disciplinary process shall be formalized and communicated for information security policy violations.
Security responsibilities and duties that remain valid after termination or role change shall be defined, enforced, and communicated.
Confidentiality or non-disclosure agreements reflecting information protection needs shall be identified, documented, and reviewed.
Security measures shall be implemented when personnel work remotely to protect information accessed, processed, or stored outside the premises.
The organization shall provide a mechanism for personnel to report observed or suspected information security events in a timely manner.
A.7 — Physical Controls15 entries
Controls addressing physical and environmental security of facilities and equipment.
Security perimeters shall be defined and used to protect areas containing sensitive information and information processing facilities.
Physical security for offices, rooms, and facilities shall be designed and implemented.
Premises shall be continuously monitored for unauthorized physical access.
Protection against physical and environmental threats such as natural disasters and deliberate damage shall be designed and implemented.
Security measures for working in secure areas shall be designed and implemented.
Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, shall be defined and enforced.
Equipment shall be sited securely and protected to reduce risks from environmental threats, hazards, and unauthorized access.
Off-site assets shall be protected, considering the different risks of working outside the organization premises.
Storage media shall be managed through their lifecycle of acquisition, use, transport, and disposal in accordance with the classification scheme.
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Cables carrying power, data, or supporting information services shall be protected from interception, interference, or damage.
Equipment shall be maintained correctly to ensure continued availability, integrity, and information security.
Items of equipment containing storage media shall be verified to ensure sensitive data and licensed software have been removed or securely overwritten before disposal or re-use.
How ISO/IEC 27001 maps to other frameworks
Sample audited mappings
All 60 mappings are browsable in the interactive explorer and its knowledge graph.
Implementation templates for ISO/IEC 27001
Related guides
Frequently asked questions
How many ISO/IEC 27001 entries does the Framework Explorer cover?
138 entries, each with a plain-English explanation, implementation guidance at three organization sizes, evidence checklists, and risk context. 98 entries carry source-grounded risk profiles.
How does ISO/IEC 27001 relate to the other AI governance frameworks?
The Framework Explorer documents 60 audited cross-framework mappings touching ISO/IEC 27001, connecting it to ISO/IEC 42001, NIST AI RMF, EU AI Act, OWASP LLM Top 10, OWASP Agentic AI Top 10, MITRE ATLAS. Every mapping was verified against the source documents.
Is this content the official ISO/IEC 27001 text?
No. Entry titles identify each requirement, and all explanations are original plain-English summaries written by Tech Jacks Solutions. For official text, consult the publishing body directly.