Benjamin Boenisch 4435e7ea0a Initial commit: breakpilot-compliance - Compliance SDK Platform
Services: Admin-Compliance, Backend-Compliance,
AI-Compliance-SDK, Consent-SDK, Developer-Portal,
PCA-Platform, DSMS

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 23:47:28 +01:00


"""
ISO 27001:2022 Annex A Controls Seed Data.
Contains all 93 controls from ISO/IEC 27001:2022 Annex A, organized into 4 themes:
- A.5: Organizational controls (37 controls)
- A.6: People controls (8 controls)
- A.7: Physical controls (14 controls)
- A.8: Technological controls (34 controls)
This data seeds the Statement of Applicability (SoA), a mandatory document
for ISO 27001 certification (Clause 6.1.3 d). ``default_applicable`` is only a
seed value: applicability, any exclusion and the implementation status must
still be justified per control in the organization's own SoA. An empty
``breakpilot_controls`` list means no platform control is mapped to that
Annex A control, so its implementation evidence has to be provided outside
the platform.
"""
from typing import List, Dict, Any, Optional
# ISO 27001:2022 Annex A Controls
ISO27001_ANNEX_A_CONTROLS: List[Dict[str, Any]] = [
# ==========================================================================
# A.5 ORGANIZATIONAL CONTROLS (37 controls)
# ==========================================================================
{
"control_id": "A.5.1",
"title": "Policies for information security",
"category": "organizational",
"description": "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.",
"iso_chapter": "5.2",
"breakpilot_controls": ["GOV-001", "GOV-002"],
"default_applicable": True,
"implementation_guidance": "Create and maintain an ISMS Master Policy and supporting policies for key topics (access control, cryptography, etc.)."
},
{
"control_id": "A.5.2",
"title": "Information security roles and responsibilities",
"category": "organizational",
"description": "Information security roles and responsibilities shall be defined and allocated according to the organization needs.",
"iso_chapter": "5.3",
"breakpilot_controls": ["GOV-003"],
"default_applicable": True,
"implementation_guidance": "Define RACI matrix for security responsibilities, appoint Information Security Officer."
},
{
"control_id": "A.5.3",
"title": "Segregation of duties",
"category": "organizational",
"description": "Conflicting duties and conflicting areas of responsibility shall be segregated.",
"iso_chapter": "5.3",
"breakpilot_controls": ["IAM-003"],
"default_applicable": True,
"implementation_guidance": "Implement role-based access control, separate development/test/production environments."
},
{
"control_id": "A.5.4",
"title": "Management responsibilities",
"category": "organizational",
"description": "Management shall require all personnel to apply information security in accordance with the established information security policy and topic-specific policies and procedures of the organization.",
"iso_chapter": "5.1",
"breakpilot_controls": ["GOV-001"],
"default_applicable": True,
"implementation_guidance": "Management commitment documented in ISMS policy, security training mandatory."
},
{
"control_id": "A.5.5",
"title": "Contact with authorities",
"category": "organizational",
"description": "The organization shall establish and maintain contact with relevant authorities.",
"iso_chapter": "4.2",
"breakpilot_controls": ["GOV-004"],
"default_applicable": True,
"implementation_guidance": "Maintain contact list for BSI, Datenschutzbehörde, CERT-Bund, law enforcement."
},
{
"control_id": "A.5.6",
"title": "Contact with special interest groups",
"category": "organizational",
"description": "The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.",
"iso_chapter": "4.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Participate in ISACA, ISC2, industry security forums, BSI security advisories."
},
{
"control_id": "A.5.7",
"title": "Threat intelligence",
"category": "organizational",
"description": "Information relating to information security threats shall be collected and analysed to produce threat intelligence.",
"iso_chapter": "6.1",
"breakpilot_controls": ["OPS-006"],
"default_applicable": True,
"implementation_guidance": "Subscribe to threat feeds (BSI, MITRE ATT&CK), integrate with SIEM."
},
{
"control_id": "A.5.8",
"title": "Information security in project management",
"category": "organizational",
"description": "Information security shall be integrated into project management.",
"iso_chapter": "6.1",
"breakpilot_controls": ["SDLC-001"],
"default_applicable": True,
"implementation_guidance": "Security requirements in all project charters, security review gates."
},
{
"control_id": "A.5.9",
"title": "Inventory of information and other associated assets",
"category": "organizational",
"description": "An inventory of information and other associated assets, including owners, shall be developed and maintained.",
"iso_chapter": "7.5",
"breakpilot_controls": ["GOV-005"],
"default_applicable": True,
"implementation_guidance": "Maintain asset register with classification, owner, location for all IT assets."
},
{
"control_id": "A.5.10",
"title": "Acceptable use of information and other associated assets",
"category": "organizational",
"description": "Rules for the acceptable use of information and other associated assets shall be identified, documented and implemented.",
"iso_chapter": "5.2",
"breakpilot_controls": ["GOV-002"],
"default_applicable": True,
"implementation_guidance": "Create Acceptable Use Policy, communicate to all employees."
},
{
"control_id": "A.5.11",
"title": "Return of assets",
"category": "organizational",
"description": "Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.",
"iso_chapter": "7.3",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Offboarding checklist includes asset return, access revocation within 24h."
},
{
"control_id": "A.5.12",
"title": "Classification of information",
"category": "organizational",
"description": "Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-001"],
"default_applicable": True,
"implementation_guidance": "Define classification levels: Public, Internal, Confidential, Strictly Confidential."
},
{
"control_id": "A.5.13",
"title": "Labelling of information",
"category": "organizational",
"description": "An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-001"],
"default_applicable": True,
"implementation_guidance": "Document headers/footers with classification, email subject prefixes."
},
{
"control_id": "A.5.14",
"title": "Information transfer",
"category": "organizational",
"description": "Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.",
"iso_chapter": "7.5",
"breakpilot_controls": ["CRYPTO-002"],
"default_applicable": True,
"implementation_guidance": "Encrypted file transfer, secure email, NDA for external transfers."
},
{
"control_id": "A.5.15",
"title": "Access control",
"category": "organizational",
"description": "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001", "IAM-002"],
"default_applicable": True,
"implementation_guidance": "Access Control Policy, least privilege principle, need-to-know basis."
},
{
"control_id": "A.5.16",
"title": "Identity management",
"category": "organizational",
"description": "The full life cycle of identities shall be managed.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001"],
"default_applicable": True,
"implementation_guidance": "Unique user IDs, no shared accounts, regular access reviews."
},
{
"control_id": "A.5.17",
"title": "Authentication information",
"category": "organizational",
"description": "Allocation and management of authentication information shall be controlled by a management process including advising personnel on appropriate handling of authentication information.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-002", "IAM-004"],
"default_applicable": True,
"implementation_guidance": "Password policy, MFA enrollment process, credential management."
},
{
"control_id": "A.5.18",
"title": "Access rights",
"category": "organizational",
"description": "Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001", "IAM-003"],
"default_applicable": True,
"implementation_guidance": "Access request workflow, quarterly access reviews, privileged access management."
},
{
"control_id": "A.5.19",
"title": "Information security in supplier relationships",
"category": "organizational",
"description": "Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products or services.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-005"],
"default_applicable": True,
"implementation_guidance": "Supplier security assessment, DPA for data processors, vendor risk management."
},
{
"control_id": "A.5.20",
"title": "Addressing information security within supplier agreements",
"category": "organizational",
"description": "Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-005"],
"default_applicable": True,
"implementation_guidance": "Security clauses in contracts, audit rights, incident notification requirements."
},
{
"control_id": "A.5.21",
"title": "Managing information security in the ICT supply chain",
"category": "organizational",
"description": "Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.",
"iso_chapter": "8.1",
"breakpilot_controls": ["CRA-001", "SDLC-005"],
"default_applicable": True,
"implementation_guidance": "SBOM management, dependency scanning, supply chain security assessment."
},
{
"control_id": "A.5.22",
"title": "Monitoring, review and change management of supplier services",
"category": "organizational",
"description": "The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Annual supplier security reviews, SLA monitoring, change notification process."
},
{
"control_id": "A.5.23",
"title": "Information security for use of cloud services",
"category": "organizational",
"description": "Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Cloud security policy, CSP due diligence, data residency requirements."
},
{
"control_id": "A.5.24",
"title": "Information security incident management planning and preparation",
"category": "organizational",
"description": "The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Incident Response Plan, IR team roles, communication templates."
},
{
"control_id": "A.5.25",
"title": "Assessment and decision on information security events",
"category": "organizational",
"description": "The organization shall assess information security events and decide if they are to be categorized as information security incidents.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Event triage procedure, severity classification matrix, escalation criteria."
},
{
"control_id": "A.5.26",
"title": "Response to information security incidents",
"category": "organizational",
"description": "Information security incidents shall be responded to in accordance with the documented procedures.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Playbooks for common incidents, containment procedures, communication plan."
},
{
"control_id": "A.5.27",
"title": "Learning from information security incidents",
"category": "organizational",
"description": "Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Post-incident reviews, lessons learned documentation, control improvements."
},
{
"control_id": "A.5.28",
"title": "Collection of evidence",
"category": "organizational",
"description": "The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Chain of custody procedures, forensic imaging, log preservation."
},
{
"control_id": "A.5.29",
"title": "Information security during disruption",
"category": "organizational",
"description": "The organization shall plan how to maintain information security at an appropriate level during disruption.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "BCP/DRP with security considerations, alternate processing sites."
},
{
"control_id": "A.5.30",
"title": "ICT readiness for business continuity",
"category": "organizational",
"description": "ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "ICT continuity plan, RTO/RPO definitions, DR testing."
},
{
"control_id": "A.5.31",
"title": "Legal, statutory, regulatory and contractual requirements",
"category": "organizational",
"description": "Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.",
"iso_chapter": "4.2",
"breakpilot_controls": ["GOV-004"],
"default_applicable": True,
"implementation_guidance": "Compliance register (GDPR, AI Act, CRA, NIS2), legal requirements tracking."
},
{
"control_id": "A.5.32",
"title": "Intellectual property rights",
"category": "organizational",
"description": "The organization shall implement appropriate procedures to protect intellectual property rights.",
"iso_chapter": "4.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "License management, software inventory, OSS compliance."
},
{
"control_id": "A.5.33",
"title": "Protection of records",
"category": "organizational",
"description": "Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release in accordance with legal, statutory, regulatory and contractual requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-001"],
"default_applicable": True,
"implementation_guidance": "Records retention policy, secure storage, access controls, audit trails."
},
{
"control_id": "A.5.34",
"title": "Privacy and protection of PII",
"category": "organizational",
"description": "The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.",
"iso_chapter": "4.2",
"breakpilot_controls": ["PRIV-001", "PRIV-003", "PRIV-006", "PRIV-007"],
"default_applicable": True,
"implementation_guidance": "GDPR compliance, privacy by design, DPIA, consent management."
},
{
"control_id": "A.5.35",
"title": "Independent review of information security",
"category": "organizational",
"description": "The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.",
"iso_chapter": "9.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Annual internal audit, external penetration testing, ISO 27001 certification audit."
},
{
"control_id": "A.5.36",
"title": "Compliance with policies, rules and standards for information security",
"category": "organizational",
"description": "Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.",
"iso_chapter": "9.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Policy compliance monitoring, automated configuration checks, exception management."
},
{
"control_id": "A.5.37",
"title": "Documented operating procedures",
"category": "organizational",
"description": "Operating procedures for information processing facilities shall be documented and made available to personnel who need them.",
"iso_chapter": "7.5",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Runbooks, SOPs, operational documentation in wiki/Confluence."
},
# ==========================================================================
# A.6 PEOPLE CONTROLS (8 controls)
# ==========================================================================
{
"control_id": "A.6.1",
"title": "Screening",
"category": "people",
"description": "Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Background checks for employees with access to sensitive data/systems."
},
{
"control_id": "A.6.2",
"title": "Terms and conditions of employment",
"category": "people",
"description": "The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Security clauses in employment contracts, NDA, acceptable use acknowledgment."
},
{
"control_id": "A.6.3",
"title": "Information security awareness, education and training",
"category": "people",
"description": "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.",
"iso_chapter": "7.2",
"breakpilot_controls": ["GOV-006"],
"default_applicable": True,
"implementation_guidance": "Annual security training, phishing simulations, role-specific training."
},
{
"control_id": "A.6.4",
"title": "Disciplinary process",
"category": "people",
"description": "A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Security policy violation consequences documented, HR process defined."
},
{
"control_id": "A.6.5",
"title": "Responsibilities after termination or change of employment",
"category": "people",
"description": "Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.",
"iso_chapter": "7.3",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Exit interview, NDA reminder, continued confidentiality obligations."
},
{
"control_id": "A.6.6",
"title": "Confidentiality or non-disclosure agreements",
"category": "people",
"description": "Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "NDA for all employees and contractors, annual review."
},
{
"control_id": "A.6.7",
"title": "Remote working",
"category": "people",
"description": "Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-005"],
"default_applicable": True,
"implementation_guidance": "VPN, endpoint protection, secure home office guidelines."
},
{
"control_id": "A.6.8",
"title": "Information security event reporting",
"category": "people",
"description": "The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Security incident reporting portal, hotline, no-blame culture."
},
# ==========================================================================
# A.7 PHYSICAL CONTROLS (14 controls)
# ==========================================================================
{
"control_id": "A.7.1",
"title": "Physical security perimeters",
"category": "physical",
"description": "Security perimeters shall be defined and used to protect areas that contain information and other associated assets.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Define secure areas (server rooms, offices), physical barriers."
},
{
"control_id": "A.7.2",
"title": "Physical entry",
"category": "physical",
"description": "Secure areas shall be protected by appropriate entry controls and access points.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Access cards, visitor management, entry logs."
},
{
"control_id": "A.7.3",
"title": "Securing offices, rooms and facilities",
"category": "physical",
"description": "Physical security for offices, rooms and facilities shall be designed and implemented.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Secure server rooms, locked cabinets, clean desk policy."
},
{
"control_id": "A.7.4",
"title": "Physical security monitoring",
"category": "physical",
"description": "Premises shall be continuously monitored for unauthorized physical access.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "CCTV, intrusion detection, security guards for sensitive areas."
},
{
"control_id": "A.7.5",
"title": "Protecting against physical and environmental threats",
"category": "physical",
"description": "Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Fire suppression, UPS, climate control, flood protection."
},
{
"control_id": "A.7.6",
"title": "Working in secure areas",
"category": "physical",
"description": "Security measures for working in secure areas shall be designed and implemented.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Access restrictions, supervision requirements, no photography policy."
},
{
"control_id": "A.7.7",
"title": "Clear desk and clear screen",
"category": "physical",
"description": "Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Clear desk policy, screen lock after inactivity, secure document disposal."
},
{
"control_id": "A.7.8",
"title": "Equipment siting and protection",
"category": "physical",
"description": "Equipment shall be sited securely and protected.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Secure server room location, rack security, cable management."
},
{
"control_id": "A.7.9",
"title": "Security of assets off-premises",
"category": "physical",
"description": "Off-site assets shall be protected.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Laptop encryption, mobile device policy, asset tracking."
},
{
"control_id": "A.7.10",
"title": "Storage media",
"category": "physical",
"description": "Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["CRYPTO-003"],
"default_applicable": True,
"implementation_guidance": "Media inventory, secure transport, cryptographic erasure."
},
{
"control_id": "A.7.11",
"title": "Supporting utilities",
"category": "physical",
"description": "Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "UPS, redundant power, generator backup for critical systems."
},
{
"control_id": "A.7.12",
"title": "Cabling security",
"category": "physical",
"description": "Cables carrying power and data or supporting information services shall be protected from interception, interference or damage.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Secure cable routing, conduits, labeled and documented cabling."
},
{
"control_id": "A.7.13",
"title": "Equipment maintenance",
"category": "physical",
"description": "Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Maintenance schedules, authorized service personnel, maintenance logs."
},
{
"control_id": "A.7.14",
"title": "Secure disposal or re-use of equipment",
"category": "physical",
"description": "Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.",
"iso_chapter": "7.5",
"breakpilot_controls": ["CRYPTO-003"],
"default_applicable": True,
"implementation_guidance": "Secure data destruction, certificates of destruction, verified erasure."
},
# ==========================================================================
# A.8 TECHNOLOGICAL CONTROLS (34 controls)
# ==========================================================================
{
"control_id": "A.8.1",
"title": "User endpoint devices",
"category": "technological",
"description": "Information stored on, processed by or accessible via user endpoint devices shall be protected.",
"iso_chapter": "8.1",
"breakpilot_controls": ["IAM-005"],
"default_applicable": True,
"implementation_guidance": "MDM, endpoint protection, device encryption, remote wipe capability."
},
{
"control_id": "A.8.2",
"title": "Privileged access rights",
"category": "technological",
"description": "The allocation and use of privileged access rights shall be restricted and managed.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-003"],
"default_applicable": True,
"implementation_guidance": "PAM solution, just-in-time access, admin account monitoring."
},
{
"control_id": "A.8.3",
"title": "Information access restriction",
"category": "technological",
"description": "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001", "IAM-002"],
"default_applicable": True,
"implementation_guidance": "RBAC implementation, need-to-know enforcement, data classification."
},
{
"control_id": "A.8.4",
"title": "Access to source code",
"category": "technological",
"description": "Read and write access to source code, development tools and software libraries shall be appropriately managed.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-004"],
"default_applicable": True,
"implementation_guidance": "Git access controls, branch protection, code review requirements."
},
{
"control_id": "A.8.5",
"title": "Secure authentication",
"category": "technological",
"description": "Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-002", "IAM-004"],
"default_applicable": True,
"implementation_guidance": "MFA, SSO, OAuth 2.0/OIDC, password hashing (Argon2)."
},
{
"control_id": "A.8.6",
"title": "Capacity management",
"category": "technological",
"description": "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Resource monitoring, capacity planning, auto-scaling policies."
},
{
"control_id": "A.8.7",
"title": "Protection against malware",
"category": "technological",
"description": "Protection against malware shall be implemented and supported by appropriate user awareness.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-002"],
"default_applicable": True,
"implementation_guidance": "Antivirus/EDR, email filtering, sandboxing, user awareness training."
},
{
"control_id": "A.8.8",
"title": "Management of technical vulnerabilities",
"category": "technological",
"description": "Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-003", "OPS-005"],
"default_applicable": True,
"implementation_guidance": "Vulnerability scanning, patch management, CVE monitoring."
},
{
"control_id": "A.8.9",
"title": "Configuration management",
"category": "technological",
"description": "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "IaC, configuration baselines, drift detection, hardening guides."
},
{
"control_id": "A.8.10",
"title": "Information deletion",
"category": "technological",
"description": "Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-006"],
"default_applicable": True,
"implementation_guidance": "Data retention policies, automated deletion, right to erasure compliance."
},
{
"control_id": "A.8.11",
"title": "Data masking",
"category": "technological",
"description": "Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-007"],
"default_applicable": True,
"implementation_guidance": "PII masking in logs, test data anonymization, dynamic data masking."
},
{
"control_id": "A.8.12",
"title": "Data leakage prevention",
"category": "technological",
"description": "Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-007"],
"default_applicable": True,
"implementation_guidance": "DLP tools, email scanning, USB restrictions, cloud access security."
},
{
"control_id": "A.8.13",
"title": "Information backup",
"category": "technological",
"description": "Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "3-2-1 backup strategy, encrypted backups, regular restore testing."
},
{
"control_id": "A.8.14",
"title": "Redundancy of information processing facilities",
"category": "technological",
"description": "Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "High availability clusters, multi-region deployment, load balancing."
},
{
"control_id": "A.8.15",
"title": "Logging",
"category": "technological",
"description": "Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.",
"iso_chapter": "9.1",
"breakpilot_controls": ["OPS-002"],
"default_applicable": True,
"implementation_guidance": "Centralized logging, log retention, tamper protection, SIEM integration."
},
{
"control_id": "A.8.16",
"title": "Monitoring activities",
"category": "technological",
"description": "Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.",
"iso_chapter": "9.1",
"breakpilot_controls": ["OPS-002", "OPS-006"],
"default_applicable": True,
"implementation_guidance": "SIEM, IDS/IPS, application monitoring, alerting thresholds."
},
{
"control_id": "A.8.17",
"title": "Clock synchronization",
"category": "technological",
"description": "The clocks of information processing systems used by the organization shall be synchronized to approved time sources.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "NTP configuration, consistent timezone, GPS/atomic clock sources."
},
{
"control_id": "A.8.18",
"title": "Use of privileged utility programs",
"category": "technological",
"description": "The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.",
"iso_chapter": "8.1",
"breakpilot_controls": ["IAM-003"],
"default_applicable": True,
"implementation_guidance": "Restricted admin tools, logging of privileged actions, approval workflow."
},
{
"control_id": "A.8.19",
"title": "Installation of software on operational systems",
"category": "technological",
"description": "Procedures and measures shall be implemented to securely manage software installation on operational systems.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-002"],
"default_applicable": True,
"implementation_guidance": "Approved software list, installation controls, change management."
},
{
"control_id": "A.8.20",
"title": "Networks security",
"category": "technological",
"description": "Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Network segmentation, firewall rules, VPN, network monitoring."
},
{
"control_id": "A.8.21",
"title": "Security of network services",
"category": "technological",
"description": "Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "SLA monitoring, network service security assessments, DDoS protection."
},
{
"control_id": "A.8.22",
"title": "Segregation of networks",
"category": "technological",
"description": "Groups of information services, users and information systems shall be segregated in the organization's networks.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "VLANs, network zones, micro-segmentation, DMZ for public services."
},
{
"control_id": "A.8.23",
"title": "Web filtering",
"category": "technological",
"description": "Access to external websites shall be managed to reduce exposure to malicious content.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "URL filtering, category-based blocking, SSL inspection."
},
{
"control_id": "A.8.24",
"title": "Use of cryptography",
"category": "technological",
"description": "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.",
"iso_chapter": "8.1",
"breakpilot_controls": ["CRYPTO-001", "CRYPTO-002", "CRYPTO-004"],
"default_applicable": True,
"implementation_guidance": "Cryptography policy, approved algorithms, key management procedures."
},
{
"control_id": "A.8.25",
"title": "Secure development life cycle",
"category": "technological",
"description": "Rules for the secure development of software and systems shall be established and applied.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001", "SDLC-002"],
"default_applicable": True,
"implementation_guidance": "SSDLC policy, secure coding guidelines, security requirements."
},
{
"control_id": "A.8.26",
"title": "Application security requirements",
"category": "technological",
"description": "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001"],
"default_applicable": True,
"implementation_guidance": "Security requirements checklist, threat modeling, security acceptance criteria."
},
{
"control_id": "A.8.27",
"title": "Secure system architecture and engineering principles",
"category": "technological",
"description": "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001", "GOV-001"],
"default_applicable": True,
"implementation_guidance": "Security architecture principles, defense in depth, least privilege."
},
{
"control_id": "A.8.28",
"title": "Secure coding",
"category": "technological",
"description": "Secure coding principles shall be applied to software development.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001", "SDLC-006"],
"default_applicable": True,
"implementation_guidance": "OWASP guidelines, secure coding training, code review checklists."
},
{
"control_id": "A.8.29",
"title": "Security testing in development and acceptance",
"category": "technological",
"description": "Security testing processes shall be defined and implemented in the development life cycle.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-002", "SDLC-003"],
"default_applicable": True,
"implementation_guidance": "SAST, DAST, penetration testing, security acceptance testing."
},
{
"control_id": "A.8.30",
"title": "Outsourced development",
"category": "technological",
"description": "The organization shall direct, monitor and review the activities related to outsourced system development.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Vendor security requirements, code review rights, security testing."
},
{
"control_id": "A.8.31",
"title": "Separation of development, test and production environments",
"category": "technological",
"description": "Development, testing and production environments shall be separated and secured.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-002"],
"default_applicable": True,
"implementation_guidance": "Separate environments, access controls, data anonymization in test."
},
{
"control_id": "A.8.32",
"title": "Change management",
"category": "technological",
"description": "Changes to information processing facilities and information systems shall be subject to change management procedures.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Change advisory board, change request workflow, rollback procedures."
},
{
"control_id": "A.8.33",
"title": "Test information",
"category": "technological",
"description": "Test information shall be appropriately selected, protected and managed.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-007"],
"default_applicable": True,
"implementation_guidance": "Synthetic test data, PII removal, test data management policy."
},
{
"control_id": "A.8.34",
"title": "Protection of information systems during audit testing",
"category": "technological",
"description": "Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.",
"iso_chapter": "9.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Audit planning, system access controls during audits, audit trails."
},
]
def get_annex_a_by_category(category: str) -> List[Dict[str, Any]]:
    """Return every seeded Annex A control whose ``category`` field equals *category*.

    The categories present in this seed data are ``"organizational"``,
    ``"people"``, ``"physical"`` and ``"technological"``; any other value
    (including a differently-cased spelling) simply yields an empty list.
    The dicts returned are the module's own objects, not copies, so callers
    must not mutate them if the seed data is to stay pristine.
    """
    matches: List[Dict[str, Any]] = []
    for control in ISO27001_ANNEX_A_CONTROLS:
        if control["category"] != category:
            continue
        matches.append(control)
    return matches
def get_annex_a_control(control_id: str) -> Optional[Dict[str, Any]]:
    """Return the seeded Annex A control identified by *control_id*, e.g. ``"A.8.24"``.

    Lookup is an exact, case-sensitive string comparison against each entry's
    ``control_id`` field; the first match wins and ``None`` is returned when
    nothing matches. The dict returned is the module's own object, not a copy.
    """
    return next(
        (control for control in ISO27001_ANNEX_A_CONTROLS if control["control_id"] == control_id),
        None,
    )
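# Summary statistics.
#
# Counts are derived from the seed list itself so they can never drift from it.
# The module docstring states the full Annex A set as 93 controls
# (37 organizational, 8 people, 14 physical, 34 technological); code that
# builds a Statement of Applicability can compare against these figures to
# detect an incomplete or duplicated seed before the SoA is generated.
def _count_by_category(category: str) -> int:
    """Return how many seeded Annex A controls carry the given ``category``."""
    # sum() over a generator avoids materialising a throwaway list per category.
    return sum(1 for c in ISO27001_ANNEX_A_CONTROLS if c["category"] == category)


ANNEX_A_SUMMARY: Dict[str, int] = {
    "total_controls": len(ISO27001_ANNEX_A_CONTROLS),
    "organizational_controls": _count_by_category("organizational"),
    "people_controls": _count_by_category("people"),
    "physical_controls": _count_by_category("physical"),
    "technological_controls": _count_by_category("technological"),
}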