ISO 27001 Compliance Automation

Automate Your ISO 27001 ISMS Certification

Map all 93 Annex A controls, generate your Statement of Applicability, and harvest evidence continuously from AWS, GitHub, and Jira — without audit-season chaos.

Annex A Controls: 93
Compliance Effort Reduction: 60%
Frameworks Cross-Mapped: 6+
Evidence Sources: Auto

Full ISO 27001 Annex A Coverage

Every control domain mapped and evidenced — from access control and cryptography through supplier relationships and business continuity.

A.5 – Information Security Policies

Establishes the governance foundation — security policy documentation, review cycles, and board-level accountability.

  • A.5.1 – Management direction for information security

A.6 – Organisation of Information Security

Defines roles, responsibilities, segregation of duties, and controls for remote and mobile work environments.

  • A.6.1 – Internal organisation
  • A.6.2 – Mobile devices and teleworking

A.7 – Human Resource Security

Background checks, security awareness training, acceptable use agreements, and offboarding controls.

  • A.7.1 – Prior to employment
  • A.7.2 – During employment
  • A.7.3 – Termination and change of employment

A.8 – Asset Management

CATAAM auto-discovers cloud assets via AWS, Azure, and GCP integrations and maintains a continuously updated asset register.

  • A.8.1 – Responsibility for assets
  • A.8.2 – Information classification
  • A.8.3 – Media handling

A.9 – Access Control

Least-privilege IAM policies, privileged access reviews, and MFA enforcement. CATAAM harvests AWS IAM evidence automatically.

  • A.9.1 – Business requirements of access control
  • A.9.2 – User access management
  • A.9.3 – User responsibilities
  • A.9.4 – System and application access control
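
As an added illustration of what "harvesting AWS IAM evidence" for A.9 can look like, here is a small Python checker; it is not CATAAM's code. It reads a constructed sample laid out like an AWS IAM credential report (the CSV that `aws iam get-credential-report` returns), flags console-capable principals without MFA as an A.9.4 exception and active access keys older than an assumed 90-day rotation policy as an A.9.2 exception, and emits evidence records in the RISK/TREATED/OPEN vocabulary the risk register on this page uses. The account id, the user names, the 90-day threshold and the mapping of key rotation to A.9.2 are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample laid out like an AWS IAM credential report. The account
# id 123456789012 and the principals are placeholders, not real data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-02-10T09:30:00+00:00,true,2024-03-02T14:05:00+00:00,2024-01-15T00:00:00+00:00,2024-04-14T00:00:00+00:00,true,true,2024-01-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T11:00:00+00:00,true,2024-02-28T16:40:00+00:00,2023-11-01T00:00:00+00:00,2024-01-30T00:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-03-12T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-03-12T12:00:00+00:00,false,N/A
"""

# Fixed "collection time" so the sample evaluates deterministically (constructed).
SAMPLE_NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)

# Assumed rotation policy for the example; not an AWS or CATAAM default.
KEY_MAX_AGE_DAYS = 90


def parse_credential_report(text):
    """Parse the report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))


def console_principals(rows):
    """Principals that can sign in to the console. The root row reports
    password_enabled as 'not_supported' although root can always sign in,
    so it is included explicitly rather than by the column value."""
    return [r for r in rows
            if r["user"] == "<root_account>" or r["password_enabled"] == "true"]


def mfa_findings(rows):
    """Console-capable principals with no MFA device (A.9.4 exception)."""
    return [r["user"] for r in console_principals(rows) if r["mfa_active"] != "true"]


def stale_key_findings(rows, now, max_age_days=KEY_MAX_AGE_DAYS):
    """Active access keys older than the rotation policy (A.9.2 exception).
    Inactive keys carry 'N/A' in the rotation column, so they are skipped
    before the date is parsed."""
    findings = []
    for r in rows:
        for n in ("1", "2"):
            if r[f"access_key_{n}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(r[f"access_key_{n}_last_rotated"])
            if (now - rotated).days > max_age_days:
                findings.append((r["user"], f"access_key_{n}"))
    return findings


def build_evidence(report_text, now):
    """Turn one credential report into control-linked evidence records."""
    rows = parse_credential_report(report_text)
    console = console_principals(rows)
    no_mfa = mfa_findings(rows)
    stale = stale_key_findings(rows, now)
    return [
        {
            "control": "A.9.4",
            "status": "TREATED" if not no_mfa else "OPEN",
            "summary": f"MFA enforced on {len(console) - len(no_mfa)}/{len(console)} console principals",
            "exceptions": no_mfa,
            "source": "aws-iam-credential-report",
            "collected_at": now.isoformat(),
        },
        {
            "control": "A.9.2",
            "status": "TREATED" if not stale else "OPEN",
            "summary": f"{len(stale)} active access key(s) older than {KEY_MAX_AGE_DAYS} days",
            "exceptions": [f"{user}/{key}" for user, key in stale],
            "source": "aws-iam-credential-report",
            "collected_at": now.isoformat(),
        },
    ]


if __name__ == "__main__":
    for rec in build_evidence(SAMPLE_REPORT, SAMPLE_NOW):
        print(rec["control"], rec["status"], rec["summary"], rec["exceptions"])
```

The same functions work unchanged on a real report (the CLI returns it base64-encoded in the `Content` field, so decode before parsing). The detail worth keeping from this example is the root row: its `password_enabled` column reads `not_supported`, so a checker that keys only on that column silently skips the one principal whose MFA state matters most.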
A.10 – Cryptography

Encryption key management, TLS cipher assessments, and KMS policy evidence collected by CATAAM's ASM scanner.

  • A.10.1 – Cryptographic controls

A.11 – Physical & Environmental Security

Physical access controls, clean desk policy, and equipment disposal — documented as linked evidence in CATAAM.

  • A.11.1 – Secure areas
  • A.11.2 – Equipment

A.12 – Operations Security

CATAAM's BAS continuously validates malware defences, backup recoverability, and patch cadence against MITRE ATT&CK techniques.

  • A.12.1 – Operational procedures
  • A.12.2 – Protection from malware
  • A.12.3 – Backup
  • A.12.4 – Logging & monitoring
  • A.12.5 – Control of operational software
  • A.12.6 – Technical vulnerability management

A.13 – Communications Security

Network segmentation, TLS enforcement, and secure data transfer controls — evidenced by CATAAM's ASM port scanning and cipher analysis.

  • A.13.1 – Network security management
  • A.13.2 – Information transfer

A.14 – System Acquisition, Development & Maintenance

SAST/DAST integrations, GitHub code scanning alerts, and change control evidence harvested from Jira.

  • A.14.1 – Security in development
  • A.14.2 – Security in development and support processes
  • A.14.3 – Test data

A.15 – Supplier Relationships

Third-party risk assessments, vendor contracts, and supplier audit results linked as ISO 27001 evidence.

  • A.15.1 – Information security in supplier relationships
  • A.15.2 – Supplier service delivery management

A.16 – Information Security Incident Management

Incident response procedures, SIEM alerts, and post-incident reviews — tracked in Jira and linked as control evidence.

  • A.16.1 – Management of information security incidents and improvements

A.17 – Business Continuity Management

BCP/DRP documentation, RTO/RPO targets, and failover test results stored as audit-ready evidence.

  • A.17.1 – Information security continuity
  • A.17.2 – Redundancies

A.18 – Compliance

GDPR, regulatory, and contractual compliance cross-mapped with SOC 2 and HIPAA controls — one evidence collection satisfies all of them.

  • A.18.1 – Compliance with legal and contractual requirements
  • A.18.2 – Information security reviews

From Scope Definition to SoA in Weeks

CATAAM automates the most time-consuming parts of ISO 27001 certification — evidence collection, risk assessment, and SoA generation.

01 – Import your ISMS scope

Define your Information Security Management System scope and applicable Annex A controls. CATAAM pre-populates the full 114-control library with guidance for each.

02 – Auto-harvest evidence via integrations

AWS IAM, CloudTrail, GitHub, and Jira integrations pull evidence continuously. Harvest rules run on schedule — no manual uploads during audit season.

03 – Run risk assessments and treatment plans

CATAAM's built-in risk register maps threats to Annex A controls, generates treatment plans, and tracks residual risk scores — all ISO 27001:2022 clause 6 compliant.

04 – Export Statement of Applicability (SoA)

Generate a fully populated SoA document — the cornerstone of any ISO 27001 certification audit — with control justifications, implementation status, and evidence links.

Risk Assessments Powered by Real Attack Data

ISO 27001 Clause 6.1 requires a risk assessment methodology that produces comparable and reproducible results. CATAAM feeds live ASM and BAS findings directly into your risk register — replacing spreadsheet guesses with verified threat data.

  • Asset inventory auto-populated from AWS, Azure, and GCP discovery
  • Threat likelihood scores derived from BAS simulation results
  • Annex A control treatment plans auto-generated per risk
  • Residual risk tracked over time with trend charts

# ISO 27001 risk register — live inputs
RISK     AWS IAM over-permissioning → A.9.2
RISK     Unencrypted S3 bucket found → A.10.1
TREATED  MFA enforced on all IAM → A.9.4
TREATED  TLS 1.3 enforced → A.10.1
OPEN     Legacy cipher on port 443 → A.13.1
SoA generated — 89/93 controls applicable
Residual risk score: 14 / 100

ISO 27001 Frequently Asked Questions

What is ISO 27001 and who needs it?

ISO 27001 is an international standard for Information Security Management Systems (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. Certification is required or strongly preferred by enterprise buyers across financial services, healthcare, government contracting, and any organisation handling sensitive data. The 2022 revision (ISO/IEC 27001:2022) restructured Annex A to 93 controls across four themes.

What is the Statement of Applicability (SoA) and why does it matter?

The Statement of Applicability (SoA) is a mandatory document for ISO 27001 certification. It lists all 93 Annex A controls, states whether each is applicable to your organisation, justifies inclusions and exclusions, and records the implementation status. Auditors review the SoA as the primary evidence document for certification. CATAAM generates a fully populated SoA automatically from your control implementations and evidence records.

How does CATAAM handle ISO 27001 risk assessments?

ISO 27001 Clause 6 requires a documented risk assessment and risk treatment process. CATAAM provides a built-in risk register where you define assets, threats, vulnerabilities, and likelihood/impact scores. The platform generates risk treatment plans that map to Annex A controls and tracks residual risk over time. ASM and BAS findings from CATAAM automatically surface as risk register inputs — turning active security data into ISO 27001 evidence.

Can CATAAM support ISO 27001 certification alongside SOC 2 or HIPAA?

Yes — cross-framework control mapping is one of CATAAM's core advantages. Access control evidence for ISO 27001 A.9 simultaneously satisfies SOC 2 CC6.1 and HIPAA §164.312(a). You implement each control once and CATAAM propagates the evidence across every applicable framework. Organisations pursuing ISO 27001 and SOC 2 simultaneously reduce compliance effort by up to 60%.

What is the difference between ISO 27001:2013 and ISO 27001:2022?

ISO 27001:2022 restructured Annex A from 114 controls across 14 domains to 93 controls across four themes (Organisational, People, Physical, Technological). Eleven new controls were added covering threat intelligence, ICT supply chain security, cloud security, and data masking. Organisations certified under the 2013 version must transition to the 2022 standard by October 2025. CATAAM supports both versions and guides the transition mapping.
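
The SoA generation and cross-framework propagation described in the FAQ answers above, as an added Python example that is not CATAAM's implementation. It takes a constructed subset of the Annex A library, one scoping exclusion with its justification, and evidence records in the shape a harvester would emit; derives each control's implementation status; refuses to produce an SoA that excludes a control without a justification or that cites evidence for a control outside the library; and propagates status to SOC 2 and HIPAA references through an assumed crosswalk. Only the A.9 to CC6.1 to §164.312(a) pairing comes from the page; the other crosswalk entries, the control subset, the scope decision and the evidence are placeholders. When two Annex A controls feed the same target criterion the weaker status wins, so a gap does not disappear in translation.

```python
from collections import defaultdict

# Constructed subset of the Annex A library in the numbering this page uses;
# a real register carries every control.
CONTROLS = {
    "A.9.2": "User access management",
    "A.9.4": "System and application access control",
    "A.10.1": "Cryptographic controls",
    "A.13.1": "Network security management",
    "A.14.3": "Test data",
}

# Assumed crosswalk written as "FRAMEWORK:criterion". Only the A.9 -> SOC 2
# CC6.1 -> HIPAA 164.312(a) pairing is taken from the page; the others are
# placeholders that exist to exercise the propagation logic.
CROSSWALK = {
    "A.9.2": ["SOC2:CC6.1", "HIPAA:164.312(a)"],
    "A.9.4": ["SOC2:CC6.1", "HIPAA:164.312(a)"],
    "A.10.1": ["SOC2:CC6.7", "HIPAA:164.312(e)"],
    "A.13.1": ["SOC2:CC6.6"],
}

# Scoping decisions: control id -> (applicable, justification). Constructed.
SCOPE = {"A.14.3": (False, "No production data is used in test environments")}

# Evidence records in the shape a harvester would emit (constructed; the
# summaries echo the risk register lines shown on this page).
EVIDENCE = [
    {"control": "A.9.4", "status": "TREATED", "summary": "MFA enforced on all IAM"},
    {"control": "A.10.1", "status": "TREATED", "summary": "TLS 1.3 enforced"},
    {"control": "A.10.1", "status": "RISK", "summary": "Unencrypted S3 bucket found"},
    {"control": "A.13.1", "status": "OPEN", "summary": "Legacy cipher on port 443"},
]

# Higher rank means weaker; used to merge several controls into one criterion.
RANK = {"Implemented": 0, "Partially implemented": 1, "Not implemented": 2}


def implementation_status(records):
    """Derive a control's SoA status from its evidence records: no evidence
    is a gap, any open or risk record makes it partial."""
    if not records:
        return "Not implemented"
    if all(r["status"] == "TREATED" for r in records):
        return "Implemented"
    return "Partially implemented"


def build_soa(controls=CONTROLS, scope=SCOPE, evidence=EVIDENCE):
    """Produce one SoA row per control. An exclusion without a justification
    or evidence for an unknown control is rejected rather than silently
    written into the document an auditor will read."""
    by_control = defaultdict(list)
    for rec in evidence:
        if rec["control"] not in controls:
            raise ValueError(f"evidence references unknown control {rec['control']}")
        by_control[rec["control"]].append(rec)
    soa = []
    for cid, name in controls.items():
        applicable, justification = scope.get(cid, (True, "Within ISMS scope"))
        if not applicable and not justification:
            raise ValueError(f"{cid} excluded from scope without justification")
        soa.append({
            "control": cid,
            "name": name,
            "applicable": applicable,
            "justification": justification,
            "status": implementation_status(by_control[cid]) if applicable else "Not applicable",
            "evidence": [r["summary"] for r in by_control[cid]],
        })
    return soa


def propagate(soa, crosswalk=CROSSWALK):
    """Inherit each applicable control's status across mapped frameworks,
    keeping the weaker status when several controls feed one criterion."""
    out = defaultdict(dict)
    for row in soa:
        if not row["applicable"]:
            continue
        for ref in crosswalk.get(row["control"], []):
            framework, criterion = ref.split(":", 1)
            current = out[framework].get(criterion, row["status"])
            out[framework][criterion] = max(current, row["status"], key=RANK.get)
    return dict(out)


def summarize(soa):
    """The two figures an auditor asks for first: how many controls are
    applicable, and which applicable ones still lack full evidence."""
    applicable = [r for r in soa if r["applicable"]]
    gaps = [r["control"] for r in applicable if r["status"] != "Implemented"]
    return {"applicable": f"{len(applicable)}/{len(soa)}", "gaps": gaps}


if __name__ == "__main__":
    soa = build_soa()
    for row in soa:
        print(f"{row['control']:<7} {row['status']:<22} {row['justification']}")
    print(summarize(soa))
    print(propagate(soa))
```

Note how A.9.2 with no evidence drags SOC 2 CC6.1 down to "Not implemented" even though A.9.4 is fully evidenced: inheriting the best status instead would report a criterion as met on the strength of one of its two contributing controls.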

Ready to Automate Your ISO 27001 Certification?

14-day free trial. No credit card. SoA-ready in weeks, not quarters.