ISO 27001 Compliance Skill

Purpose

Ensures systems and processes comply with ISO 27001:2022 Information Security Management System (ISMS) requirements.

Rules

Key Controls for Web Applications

A.8.24 Use of Cryptography:

• TLS 1.2+ for all communications

• AES-256 for data at rest

• Secure key management

A.8.25 Secure Development Life Cycle:

• Security requirements in design

• Code review processes

• Security testing (SAST/DAST)

A.8.26 Application Security Requirements:

• Input validation

• Output encoding

• Authentication and authorization

• Session management

A.8.16 Monitoring Activities:

• Security event logging

• Log retention (90 days minimum)

• Monitoring for anomalies

A.5.7 Threat Intelligence:

• Vulnerability scanning

• Threat intelligence feeds

• Incident tracking

Documentation Requirements

MUST MAINTAIN:

• Information Security Policy

• Risk Assessment and Treatment Plan

• Statement of Applicability (SoA)

• Access Control Policy

• Cryptographic Controls Policy

• Incident Response Plan

• Business Continuity Plan

• Acceptable Use Policy

• Data Classification Policy

Audit Preparation

MUST PROVIDE:

• Evidence of control implementation

• Logs and monitoring records

• Incident records

• Change management records

• Risk assessments

• Management review minutes

Related Policies

All ISMS policies at: https://github.com/Hack23/ISMS-PUBLIC