Skip to main content

Reference · ISO/IEC 27001:2022

ISO 27001 coverage map

Every clause and Annex A control family below links to where in Security Flare it lives. Useful when a certifier asks "where is your management review?" or when you're onboarding a new customer and need to point them at the right register. 39 clause entries mapped.

Headings are factual references to the standard; full normative text is licensed by ISO/IEC and is not reproduced here.

Clauses 4–6 · Context, leadership, planning

Scope, leadership commitment, and the planning machinery (risk assessment + treatment, SoA). The first place an auditor lands.

ClauseTopicWhere in Security Flare
4.1Understanding the organisation and its context
4.2Understanding the needs and expectations of interested parties
4.3Determining the scope of the ISMS
5.1Leadership and commitment
5.2Information security policy
6.1.1Actions to address risks and opportunities
6.1.2Information security risk assessment
6.1.3Information security risk treatment
6.2Information security objectives + planning to achieve them
  • Objectives register

    Title + measurement (target) + owner + due date + lifecycle (planned → in_progress → achieved/missed/cancelled). Closed objectives stay on the books.

  • Tasks queue

    Break objectives down into trackable work items.

Clause 7 · Support

Resources, competence, awareness, communication, and documented information — the operational backbone of the ISMS.

ClauseTopicWhere in Security Flare
7.2Competence
7.3Awareness
7.5Documented information
  • Documents register

    Controlled documents with status, version, approval, review cadence.

  • Policies

    Policy-shaped documents with full markdown bodies + docx export.

Clause 8 · Operation

Operational planning + execution of the risk treatment plan.

ClauseTopicWhere in Security Flare
8.1Operational planning and control
  • Controls catalogue

    93 Annex A controls with per-org implementation status + evidence.

  • Tasks queue

    Break operational work into trackable items linked to controls + risks.

8.2Information security risk assessment (operational)
8.3Information security risk treatment (operational)

Clause 9 · Performance evaluation

Monitoring, measurement, internal audit, and management review.

ClauseTopicWhere in Security Flare
9.1Monitoring, measurement, analysis, evaluation
9.2Internal audit
9.3Management review

Clause 10 · Improvement

Continual improvement and the corrective-action loop for nonconformities — the §10.1/§10.2 surface.

ClauseTopicWhere in Security Flare
10.1Continual improvement
10.2Nonconformity and corrective action
  • Findings register

    Open → corrective_planned → in_progress → verified → closed; verifiedAt + verified_by_user_id pin the §10.2.g requirement.

Annex A.5 · Organisational controls

The 37 organisational controls. Most live in policies, risks, the asset register, or the supplier / incident registers.

ClauseTopicWhere in Security Flare
A.5.1Policies for information security
A.5.2 / A.5.4Information security roles + management responsibilities
A.5.9Inventory of information and other associated assets
A.5.10Acceptable use of information and other associated assets
A.5.12Classification of information
A.5.15Access control
  • Team

    Per-user invitations + role management (admin / member).

A.5.19 – A.5.23Supplier relationships + the ICT supply chain + cloud services
  • Supplier register

    Criticality, data classification, contract reference, review cadence.

A.5.24 – A.5.27Information security incident management
  • Incident register

    Severity, status transitions auto-stamp resolved/closed; resolutionNotes captures §A.5.27 learnings.

A.5.29 / A.5.30ICT continuity, BC, recovery
A.5.36Compliance with policies, rules and standards
A.5.37Documented operating procedures

Annex A.6 · People controls

The 8 people-related controls. Most flow through the training + team surfaces.

ClauseTopicWhere in Security Flare
A.6.1 / A.6.2Screening + terms and conditions of employment
A.6.3Information security awareness, education and training
A.6.8Information security event reporting

Annex A.7 · Physical controls

The 14 physical controls (perimeter, entry, equipment). Mostly site-level; the asset register tracks them as type = "site".

ClauseTopicWhere in Security Flare
A.7.x (all)Physical perimeter, entry, equipment

Annex A.8 · Technological controls

The 34 technological controls. Most map to control state + evidence; some have dedicated surfaces.

ClauseTopicWhere in Security Flare
A.8.1 – A.8.34 (all)Technological controls
A.8.13Information backup
A.8.15Logging
A.8.16Monitoring activities
Missing a clause or seeing a stale link? Email us and we'll update the map.