Overview
CaseBender provides comprehensive ISO 27001:2022 Information Security Management System (ISMS) support. The platform maps its security controls to the ISO 27001 Annex A control set and provides tools for risk management, internal audit, and continuous improvement.
Annex A Control Coverage
Organizational Controls (A.5)
| Control | Description | CaseBender Implementation |
|---|---|---|
| A.5.1 | Policies for information security | Policy management, version control, acknowledgment tracking |
| A.5.2 | Information security roles | RBAC with defined security responsibilities per role |
| A.5.3 | Segregation of duties | Role separation, PAM for privileged operations |
| A.5.7 | Threat intelligence | MITRE ATT&CK integration, MISP threat feeds, IOC enrichment |
| A.5.23 | Information security for cloud services | On-premise deployment, cloud hardening guides |
| A.5.24 | Incident management planning | Case templates, playbook automation, SLA management |
| A.5.25 | Assessment of information security events | Alert triage workflows, severity scoring, correlation engine |
| A.5.26 | Response to information security incidents | Case management workflows, task assignment, escalation |
| A.5.28 | Collection of evidence | Evidence management, chain of custody, legal hold |
People Controls (A.6)
| Control | Description | CaseBender Implementation |
|---|---|---|
| A.6.1 | Screening | Integration with HR systems for background check tracking |
| A.6.3 | Information security awareness | Compliance training module, campaign management |
| A.6.5 | Responsibilities after termination | SCIM deprovisioning, access revocation, insider threat monitoring |
Technological Controls (A.8)
| Control | Description | CaseBender Implementation |
|---|---|---|
| A.8.1 | User endpoint devices | Device trust assessment, security posture evaluation |
| A.8.2 | Privileged access rights | PAM with just-in-time elevation, session recording |
| A.8.3 | Information access restriction | TLP-based access control, data classification enforcement |
| A.8.5 | Secure authentication | MFA (TOTP + WebAuthn), SSO (SAML 2.0), account lockout |
| A.8.9 | Configuration management | Immutable container images, infrastructure as code |
| A.8.10 | Information deletion | Data retention policies, secure erasure, legal hold exemptions |
| A.8.11 | Data masking | PII redaction in logs, privacy-aware logging |
| A.8.12 | Data leakage prevention | Data classification, export controls, UEBA monitoring |
| A.8.15 | Logging | Unified audit trail, tamper-evident integrity, SIEM forwarding |
| A.8.16 | Monitoring activities | UEBA, security monitoring, anomaly detection |
| A.8.24 | Use of cryptography | AES-256 encryption, TLS 1.3, key rotation, secrets management |
Risk Management
CaseBender includes a dedicated ISO 27001 risk management module:
Risk Register
- Risk Identification: Catalog information security risks with threat and vulnerability mapping
- Risk Assessment: Likelihood and impact scoring using configurable risk matrices
- Risk Treatment: Define treatment plans with milestones, owners, and deadlines
- Risk Acceptance: Formal risk acceptance workflow with management approval and documentation
- Risk Monitoring: Track risk levels over time with trend analysis
Risk Matrix
Risks are evaluated on a 5x5 matrix (likelihood down the rows, impact across the columns):

| Likelihood / Impact | Negligible | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | High | Critical | Critical |
| Likely | Low | Medium | High | High | Critical |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |
Treatment Plans
Each risk treatment plan includes:
- Treatment strategy (mitigate, transfer, accept, avoid)
- Specific actions with owners and deadlines
- Milestones for tracking progress
- Residual risk assessment after treatment
- Review schedule for ongoing monitoring
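The following is an added example (not CaseBender's own code) that encodes the 5x5 matrix from the Risk Matrix section above and walks one risk through the residual-risk step of a treatment plan. The `Risk` dataclass, the step-based `treat` helper and the "Medium" acceptance threshold are assumptions made for the illustration.

```python
"""Rate a risk on the documented 5x5 likelihood/impact matrix and re-rate it
after treatment. Added illustration only; not CaseBender's implementation."""
from dataclasses import dataclass, replace

LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACTS = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]

# Transcribed row by row from the matrix above (columns follow IMPACTS order).
MATRIX = {
    "Almost Certain": ["Medium", "High", "High", "Critical", "Critical"],
    "Likely":         ["Low", "Medium", "High", "High", "Critical"],
    "Possible":       ["Low", "Medium", "Medium", "High", "High"],
    "Unlikely":       ["Low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Low", "Low", "Low", "Medium", "Medium"],
}
RATING_ORDER = ["Low", "Medium", "High", "Critical"]


def rate(likelihood: str, impact: str) -> str:
    """Look up the rating; unknown labels raise instead of silently defaulting."""
    if likelihood not in MATRIX or impact not in IMPACTS:
        raise ValueError(f"unknown likelihood/impact: {likelihood!r}/{impact!r}")
    return MATRIX[likelihood][IMPACTS.index(impact)]


@dataclass(frozen=True)
class Risk:  # assumed register entry shape for this example
    risk_id: str
    likelihood: str
    impact: str


def treat(risk: Risk, likelihood_steps: int = 0, impact_steps: int = 0) -> Risk:
    """Model a mitigation as whole-step reductions on each scale, clamped at the bottom."""
    li = max(0, LIKELIHOODS.index(risk.likelihood) - likelihood_steps)
    ii = max(0, IMPACTS.index(risk.impact) - impact_steps)
    return replace(risk, likelihood=LIKELIHOODS[li], impact=IMPACTS[ii])


def exceeds_appetite(rating: str, threshold: str = "Medium") -> bool:
    """True when a residual rating is above the (assumed) acceptance threshold,
    i.e. it still needs further treatment or a formal risk-acceptance decision."""
    return RATING_ORDER.index(rating) > RATING_ORDER.index(threshold)


if __name__ == "__main__":
    # Constructed sample: a Likely/Major risk mitigated so its likelihood drops two steps.
    inherent = Risk("R-001", "Likely", "Major")
    residual = treat(inherent, likelihood_steps=2)  # Likely -> Unlikely
    print(rate(inherent.likelihood, inherent.impact), "->",
          rate(residual.likelihood, residual.impact))  # High -> Medium
```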
Statement of Applicability (SoA)
The SoA documents which Annex A controls are applicable to your deployment:
- Applicable Controls: Controls that are relevant and implemented
- Not Applicable Controls: Controls excluded with documented justification
- Implementation Status: Current implementation level per control
- Evidence Links: Direct links to evidence artifacts for each control
- Approval Workflow: SoA changes require management approval
Internal Audit
Audit Cycle Management
- Audit Planning: Define audit scope, schedule, and team assignments
- Audit Execution: Guided audit procedures with evidence collection
- Finding Management: Track findings by severity (major nonconformity, minor nonconformity, observation, opportunity for improvement)
- Corrective Actions: Assign and track corrective actions with deadlines
- Verification: Verify corrective action effectiveness before closure
- Management Review: Aggregate audit results for management review meetings
Evidence Collection
Automated collectors gather ISO 27001-specific evidence:
- Access control configurations and reviews
- Security event logs and incident records
- Change management records
- Training and awareness records
- Risk assessment documentation
- Business continuity test results
Reporting
- Compliance Dashboard: Real-time view of ISO 27001 control implementation status
- Gap Analysis Report: Identify unimplemented or partially implemented controls
- Risk Report: Current risk landscape with treatment status
- Audit Report: Internal audit findings and corrective action status
- Management Review Package: Aggregated data for management review meetings
Related Documentation
- Compliance Overview — All supported frameworks
- Data Protection — Encryption and data handling controls
- Threat Detection — Monitoring and detection capabilities