> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ISO 27001:2022

> CaseBender's ISO 27001:2022 compliance support including ISMS controls, risk management, internal audit, and Statement of Applicability.

## Overview

CaseBender provides comprehensive ISO 27001:2022 Information Security Management System (ISMS) support. The platform maps its security controls to the ISO 27001 Annex A control set and provides tools for risk management, internal audit, and continuous improvement.

## Annex A Control Coverage

### Organizational Controls (A.5)

| Control    | Description                                | CaseBender Implementation                                    |
| ---------- | ------------------------------------------ | ------------------------------------------------------------ |
| **A.5.1**  | Policies for information security          | Policy management, version control, acknowledgment tracking  |
| **A.5.2**  | Information security roles                 | RBAC with defined security responsibilities per role         |
| **A.5.3**  | Segregation of duties                      | Role separation, PAM for privileged operations               |
| **A.5.7**  | Threat intelligence                        | MITRE ATT\&CK integration, MISP threat feeds, IOC enrichment |
| **A.5.23** | Information security for cloud services    | On-premise deployment, cloud hardening guides                |
| **A.5.24** | Incident management planning               | Case templates, playbook automation, SLA management          |
| **A.5.25** | Assessment of information security events  | Alert triage workflows, severity scoring, correlation engine |
| **A.5.26** | Response to information security incidents | Case management workflows, task assignment, escalation       |
| **A.5.28** | Collection of evidence                     | Evidence management, chain of custody, legal hold            |

### People Controls (A.6)

| Control   | Description                        | CaseBender Implementation                                         |
| --------- | ---------------------------------- | ----------------------------------------------------------------- |
| **A.6.1** | Screening                          | Integration with HR systems for background check tracking         |
| **A.6.3** | Information security awareness     | Compliance training module, campaign management                   |
| **A.6.5** | Responsibilities after termination | SCIM deprovisioning, access revocation, insider threat monitoring |

### Technological Controls (A.8)

| Control    | Description                    | CaseBender Implementation                                      |
| ---------- | ------------------------------ | -------------------------------------------------------------- |
| **A.8.1**  | User endpoint devices          | Device trust assessment, security posture evaluation           |
| **A.8.2**  | Privileged access rights       | PAM with just-in-time elevation, session recording             |
| **A.8.3**  | Information access restriction | TLP-based access control, data classification enforcement      |
| **A.8.5**  | Secure authentication          | MFA (TOTP + WebAuthn), SSO (SAML 2.0), account lockout         |
| **A.8.9**  | Configuration management       | Immutable container images, infrastructure as code             |
| **A.8.10** | Information deletion           | Data retention policies, secure erasure, legal hold exemptions |
| **A.8.11** | Data masking                   | PII redaction in logs, privacy-aware logging                   |
| **A.8.12** | Data leakage prevention        | Data classification, export controls, UEBA monitoring          |
| **A.8.15** | Logging                        | Unified audit trail, tamper-evident integrity, SIEM forwarding |
| **A.8.16** | Monitoring activities          | UEBA, security monitoring, anomaly detection                   |
| **A.8.24** | Use of cryptography            | AES-256 encryption, TLS 1.3, key rotation, secrets management  |

## Risk Management

CaseBender includes a dedicated ISO 27001 risk management module:

### Risk Register

* **Risk Identification**: Catalog information security risks with threat and vulnerability mapping
* **Risk Assessment**: Likelihood and impact scoring using configurable risk matrices
* **Risk Treatment**: Define treatment plans with milestones, owners, and deadlines
* **Risk Acceptance**: Formal risk acceptance workflow with management approval and documentation
* **Risk Monitoring**: Track risk levels over time with trend analysis

### Risk Matrix

Risks are evaluated on a 5x5 matrix:

|                    | Negligible | Minor  | Moderate | Major    | Catastrophic |
| ------------------ | ---------- | ------ | -------- | -------- | ------------ |
| **Almost Certain** | Medium     | High   | High     | Critical | Critical     |
| **Likely**         | Low        | Medium | High     | High     | Critical     |
| **Possible**       | Low        | Medium | Medium   | High     | High         |
| **Unlikely**       | Low        | Low    | Medium   | Medium   | High         |
| **Rare**           | Low        | Low    | Low      | Medium   | Medium       |

### Treatment Plans

Each risk treatment plan includes:

* Treatment strategy (mitigate, transfer, accept, avoid)
* Specific actions with owners and deadlines
* Milestones for tracking progress
* Residual risk assessment after treatment
* Review schedule for ongoing monitoring

## Statement of Applicability (SoA)

The SoA documents which Annex A controls are applicable to your deployment:

* **Applicable Controls**: Controls that are relevant and implemented
* **Not Applicable Controls**: Controls excluded with documented justification
* **Implementation Status**: Current implementation level per control
* **Evidence Links**: Direct links to evidence artifacts for each control
* **Approval Workflow**: SoA changes require management approval

## Internal Audit

### Audit Cycle Management

* **Audit Planning**: Define audit scope, schedule, and team assignments
* **Audit Execution**: Guided audit procedures with evidence collection
* **Finding Management**: Track findings by severity (major nonconformity, minor nonconformity, observation, opportunity for improvement)
* **Corrective Actions**: Assign and track corrective actions with deadlines
* **Verification**: Verify corrective action effectiveness before closure
* **Management Review**: Aggregate audit results for management review meetings

### Evidence Collection

Automated collectors gather ISO 27001-specific evidence:

* Access control configurations and reviews
* Security event logs and incident records
* Change management records
* Training and awareness records
* Risk assessment documentation
* Business continuity test results

## Reporting

* **Compliance Dashboard**: Real-time view of ISO 27001 control implementation status
* **Gap Analysis Report**: Identify unimplemented or partially implemented controls
* **Risk Report**: Current risk landscape with treatment status
* **Audit Report**: Internal audit findings and corrective action status
* **Management Review Package**: Aggregated data for management review meetings

## Related Documentation

* [Compliance Overview](/en/security/compliance-overview) — All supported frameworks
* [Data Protection](/en/security/data-protection) — Encryption and data handling controls
* [Threat Detection](/en/security/behavioral-analytics) — Monitoring and detection capabilities
