What is ISO/IEC 27001?Using this framework More ISO/IEC 27001:2013 Annex A resources

ISO/IEC 27001:2013 Annex A

AWS Audit Manager provides a prebuilt standard framework that structures and automates assessments for ISO/IEC 27001:2013 Annex A.

Topics

What is ISO/IEC 27001:2013 Annex A?
Using this framework to support your audit preparation
More ISO/IEC 27001:2013 Annex A resources

What is ISO/IEC 27001:2013 Annex A?

The International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) are both independent, non-governmental, not-for-profit organizations that develop and publish fully consensus-based international standards.

ISO/IEC 27001:2013 Annex A is a security management standard that specifies security management best practices and comprehensive security controls that follow the ISO/IEC 27002 best practice guidance. This international standard specifies the requirements on how to establish, implement, maintain, and continually improve an information security management system at your organization. Included among these standards are requirements on the assessment and treatment of information security risks that are tailored to the needs of your organization. The requirements in this international standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Using this framework to support your audit preparation

You can use the AWS Audit Manager framework for ISO/IEC 27001:2013 Annex A to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to ISO/IEC 27001:2013 Annex A requirements. You can also customize this framework and its controls to support internal audits with specific requirements.

Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for an ISO/IEC 27001:2013 Annex A audit. In your assessment, you can specify the AWS accounts and services that you want to include in the scope of your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the ISO/IEC 27001:2013 Annex A framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.

The framework details are as follows:

Framework name in AWS Audit Manager	Number of automated controls	Number of manual controls	Number of control sets	AWS services in scope
ISO-IEC 27001:2013 Annex A	50	64	35	Amazon CloudWatch Amazon Elastic Compute Cloud AWS CloudTrail AWS Config AWS Identity and Access Management AWS Security Hub

Tip

To review the AWS Config rules that are used as data source mappings in this standard framework, download the AuditManager_ConfigDataSourceMappings_ISO-IEC-27001-2013-Annex-A.zip file.

The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with this international standard. Moreover, they can't guarantee that you'll pass an ISO/IEC audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find the ISO/IEC 27001:2013 Annex A framework under the Standard frameworks tab of the Framework library in Audit Manager.

When you use the Audit Manager console to create an assessment from this standard framework, the list of AWS services in scope is selected by default and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the ISO-IEC 27001:2013 Annex A framework. If you need to edit the list of services in scope for this framework, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

For instructions on how to create an assessment using this framework, see Creating an assessment. For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

More ISO/IEC 27001:2013 Annex A resources

For more information about this international standard, see ISO/IEC 27001:2013 on the ANSI Webstore.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

HIPAA Final Omnibus Security Rule 2013

NIST 800-53 (Rev. 5)