ISO/IEC 27001:2022
ISO/IEC 27001:2022 control mapping — LinuxGuard agent and console capabilities aligned to Annex A Technological controls (A.8.x) with :2013 transition note and Satisfies / Supports / Out of scope tier
Note: This page maps LinuxGuard against ISO/IEC 27001:2022 (published 2022-10-25). Last verified against the framework on 2026-05-31. Canonical framework document: ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. For the vocabulary contract used here, see Audit & Comply.
Important — :2013 to :2022 transition: ISO/IEC 27001:2013 (114 controls organized in 14 domains across Annex A.5–A.18) was replaced by ISO/IEC 27001:2022 (93 controls reorganized into 4 themes: Organizational, People, Physical, Technological). The IAF transition period required certification bodies to migrate active certifications to the :2022 standard by 2025-10-31 — certifications still on :2013 after that date are not recognized. This mapping references :2022 Annex A control IDs only. Customers maintaining historical :2013 mappings should use the ISO/IEC 27001:2022 Annex B mapping table (in the standard itself) for crosswalking — A.12.4.1 (Event logging) maps to A.8.15 (Logging), A.9.4.2 (Secure log-on procedures) maps to A.8.5 (Secure authentication), and so on. The control count reduction reflects consolidation, not removed coverage — :2022 introduces 11 new controls (most notably A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.8.9 Configuration management, A.8.10 Information deletion, A.8.16 Monitoring activities, A.8.28 Secure coding).
Scope
This page maps LinuxGuard's agent and console capabilities against ISO/IEC 27001:2022. The mapping is scoped to Annex A Technological controls (theme A.8 — 34 controls covering technology-level security) that LinuxGuard's telemetry, baselines, drift detection, and audit features address. Controls in the Organizational theme (A.5 — 37 controls covering policies, roles, ISMS administration, supplier and asset management programs), the People theme (A.6 — 8 controls covering screening, training, and HR practices), the Physical theme (A.7 — 14 controls covering physical access, equipment security, and clear desk/screen practices), and the broader Information Security Management System (ISMS) requirements in clauses 4–10 of the standard's main body are out of scope for this product and are listed in the mapping table as Out of scope rather than omitted. This mapping is informational and not a substitute for an independent audit by a qualified ISO/IEC 27001 lead auditor or certification body.
Customers remain responsible for the ISMS itself — context establishment, leadership commitment, planning (including the risk assessment and risk treatment plan that drives Statement of Applicability), support resources, operational planning and control, performance evaluation, and continual improvement under clauses 4–10. The mapping below addresses Annex A technological controls only and is not a substitute for the customer's ISMS scope definition, Statement of Applicability, or certification audit.
Shared responsibility
LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.
The shared-responsibility framing for ISO/IEC 27001:2022:
LinuxGuard responsibility. Produce continuous telemetry, configuration baselines, drift detection, authentication event capture, file integrity monitoring, behavioral signals, and audit trails on Linux systems that map to specific Annex A Technological controls. Maintain the framework version pin and per-control evidence pointers.
Customer responsibility. Establish and operate the ISMS per clauses 4–10 of ISO/IEC 27001:2022, conduct the risk assessment and risk treatment plan, draft and maintain the Statement of Applicability (SoA) declaring which Annex A controls apply and how they are addressed, implement Annex A Organizational, People, and Physical theme controls, engage a qualified certification body for the certification audit, and complete the surveillance and recertification cycles.
Out-of-scope domains for this framework. ISMS administration (clauses 4–10), Annex A Organizational theme (A.5 — 37 controls), Annex A People theme (A.6 — 8 controls), Annex A Physical theme (A.7 — 14 controls), and the certification body engagement workflow.
Control mapping
The Tier column uses one of three labels and only those three: Satisfies, Supports, Out of scope. The Evidence column points to a row of the canonical Evidence Location table or to a specific console page. See Audit & Comply for the three-tier vocabulary contract. Annex A control IDs reference ISO/IEC 27001:2022 numbering.
A.5 Organizational theme (37 controls — policies, ISMS administration, supplier and asset management)
Tier: Out of scope
Evidence: n/a
Notes: Organizational controls (information security policies, roles, segregation of duties, contact with authorities, threat intelligence program, asset register, classification, supplier security programs, ISMS administration) are not addressed by LinuxGuard.

A.6 People theme (8 controls — screening, training, awareness, disciplinary, remote working, NDA)
Tier: Out of scope
Evidence: n/a
Notes: People controls are HR and program responsibilities not addressed by LinuxGuard.

A.7 Physical theme (14 controls — physical security perimeters, entry controls, equipment security, clear desk/screen, secure disposal)
Tier: Out of scope
Evidence: n/a
Notes: Physical controls are not addressed by LinuxGuard.

A.8.2 Privileged access rights — the allocation and use of privileged access rights are restricted and managed
Tier: Supports
Evidence: Console Baselines → SUDO rules, SUDO aliases, SUDO defaults; Console Audit pillar → Authorizations audit; Agent log (raw events) with loginUID attribute
Notes: SUDO rule baselines, SUDO defaults baseline, SUDO aliases baseline, authorization audit, and loginUID capture surviving privilege escalation produce evidence of privileged access posture. Customer responsible for the privileged access policy, role definition, and access review workflow.

A.8.3 Information access restriction — access to information and other associated assets is restricted in accordance with the established topic-specific policy on access control
Tier: Supports
Evidence: Console Baselines → SSH config, SSHD config, accounts, groups; Console Audit pillar → Authorizations audit
Notes: SSH/SSHD baselines, account/group inventories, and authorization audit surface OS-layer access-restriction evidence. Customer responsible for the access control policy, application-layer access restriction, and IAM platform.

A.8.5 Secure authentication — secure authentication technologies and procedures are implemented based on information access restrictions and topic-specific policy on access control
Tier: Supports
Evidence: Agent log (raw events) with auth.event attribute; Console Identity Intelligence
Notes: Authentication event capture records every login (success and failure) with user, source IP, method (password, publickey, keyboard-interactive), and outcome. Customer responsible for MFA enforcement at the IdP or PAM layer, password policy administration, and the broader authentication architecture.

A.8.7 Protection against malware — protection against malware is implemented and supported by appropriate user awareness
Tier: Out of scope
Evidence: n/a
Notes: Anti-malware deployment, signature management, and user awareness programs are not addressed by LinuxGuard. LinuxGuard is not an anti-malware product.

A.8.8 Management of technical vulnerabilities — information about technical vulnerabilities of information systems in use is obtained, the organization's exposure to such vulnerabilities is evaluated, and appropriate measures are taken
Tier: Supports
Evidence: linuxguard-agent probe command; Console Compliance Expansion → History
Notes: The probe command tests kernel, BPF, fanotify, netlink, audit, and capability prerequisites at deployment time. Compliance history surfaces posture trends. Customer responsible for the vulnerability management program, scanning cadence, and remediation tracking.

A.8.9 Configuration management — configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed
Tier: Satisfies
Evidence: Console Baselines → SSH config, SSHD config, SUDO aliases, SUDO defaults, SUDO rules, accounts, groups; Console Zero Trust Enforcement → Config Drift; Agent log (raw events)
Notes: Baselines capture the expected configuration state for SSH client, SSHD daemon, SUDO aliases, SUDO defaults, SUDO rules, accounts, and groups; drift detection surfaces deviations on each scan cycle. See Baselines. This is the load-bearing control for LinuxGuard's baseline pillar.

A.8.10 Information deletion — information stored in information systems, devices or in any other storage media is deleted when no longer required
Tier: Out of scope
Evidence: n/a
Notes: Information deletion policies and execution are not addressed by LinuxGuard.

A.8.11 Data masking — data masking is used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration
Tier: Out of scope
Evidence: n/a
Notes: Data masking is an application-layer or database-layer responsibility not addressed by LinuxGuard.

A.8.12 Data leakage prevention — data leakage prevention measures are applied to systems, networks and any other devices that process, store or transmit sensitive information
Tier: Out of scope
Evidence: n/a
Notes: DLP enforcement is not addressed by LinuxGuard.

A.8.13 Information backup — backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific policy on backup
Tier: Out of scope
Evidence: n/a
Notes: Backup management and testing are not addressed by LinuxGuard.

A.8.15 Logging — logs that record activities, exceptions, faults and other relevant events are produced, stored, protected and analysed
Tier: Satisfies
Evidence: Agent log (raw events) at /var/log/linuxguard/agent.log; Support bundle; Console Compliance Expansion → History
Notes: The LinuxGuard agent generates structured audit logs continuously on every enrolled host with timestamps, event categories, and identity attribution. Default retention: 50 MB per file, 14-day retention, 5 backups, gzip compression. See Log Management.

A.8.16 Monitoring activities — networks, systems and applications are monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents
Tier: Satisfies
Evidence: Agent log (raw events); Console Zero Trust Enforcement → Signals; Console Zero Trust Enforcement → Config Drift
Notes: Continuous agent telemetry, behavioral signal records, and drift detection produce continuous monitoring of enrolled hosts. See Security Architecture.

A.8.17 Clock synchronization — the clocks of information processing systems used by the organization are synchronized to approved time sources
Tier: Out of scope
Evidence: n/a
Notes: Clock synchronization (NTP / chronyd) is an OS-administration responsibility not addressed by LinuxGuard. LinuxGuard reads the system clock for event timestamps but does not enforce time-sync configuration.

A.8.20 Networks security — networks and network devices are secured, managed and controlled to protect information in systems and applications
Tier: Out of scope
Evidence: n/a
Notes: Network device security is not addressed by LinuxGuard.

A.8.21 Security of network services — security mechanisms, service levels and service requirements of network services are identified, implemented and monitored
Tier: Out of scope
Evidence: n/a
Notes: Network service security architecture is not addressed by LinuxGuard.

A.8.22 Segregation of networks — groups of information services, users and information systems are segregated in the organization's networks
Tier: Out of scope
Evidence: n/a
Notes: Network segmentation is not addressed by LinuxGuard.

A.8.24 Use of cryptography — rules for the effective use of cryptography, including cryptographic key management, are defined and implemented
Tier: Out of scope
Evidence: n/a
Notes: Cryptography policy and key management are not addressed by LinuxGuard at the framework-mapping layer. LinuxGuard uses TLS in transit to the console — the customer's cryptography program covers application-layer encryption choices.

A.8.25 Secure development life cycle — rules for the secure development of software and systems are established and applied
Tier: Out of scope
Evidence: n/a
Notes: Secure development lifecycle policies are not addressed by LinuxGuard.

A.8.28 Secure coding — secure coding principles are applied to software development
Tier: Out of scope
Evidence: n/a
Notes: Secure coding practices are a development-program responsibility not addressed by LinuxGuard.

A.8.32 Change management — changes to information processing facilities and information systems are subject to change management procedures
Tier: Supports
Evidence: Console Zero Trust Enforcement → Config Drift; Console Baselines
Notes: Drift detection surfaces unauthorized or out-of-band changes to OS-layer configuration. Customer responsible for the change management procedure, approval workflow, and change advisory board process.

A.8.34 Protection of information systems during audit testing — audit tests and other assurance activities involving assessment of operational systems are planned and agreed between the tester and appropriate management
Tier: Out of scope
Evidence: n/a
Notes: Audit planning and coordination are an organizational responsibility not addressed by LinuxGuard.
Important: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why — silence is interpreted as an implicit Satisfies claim.
Statement of Applicability considerations
ISO/IEC 27001:2022 clause 6.1.3 requires the customer to produce a Statement of Applicability (SoA) declaring which Annex A controls apply, how they are implemented, and the justification for any exclusions. The SoA is the load-bearing document for a :2022 certification audit and is the place where the mapping above feeds the customer's broader documentation.
Practical SoA implications of this mapping:
Annex A.8.9, A.8.15, and A.8.16 are the three Satisfies rows. Customers documenting LinuxGuard in their SoA list these three controls with LinuxGuard as the implementation surface, and reference this page as the supporting evidence pointer.
Annex A.8.2, A.8.3, A.8.5, A.8.8, and A.8.32 are the Supports rows. Customers documenting LinuxGuard in their SoA list these controls with LinuxGuard as one input and the customer-side control (IAM platform, vulnerability management program, change management procedure) as the complementary surface.
Out-of-scope rows. The SoA may include or exclude these controls based on the customer's ISMS scope; if included, LinuxGuard is not part of the implementation surface for them.
The SoA template itself is the customer's responsibility — LinuxGuard does not produce or maintain an SoA artifact. The console's Compliance Expansion reports provide the per-control evidence the SoA references.
Annex A theme summary
ISO/IEC 27001:2022 reorganizes Annex A into four themes. The summary below restates LinuxGuard coverage per theme.
A.5 Organizational (37 controls): Out of scope — policies, ISMS administration, supplier and asset management programs.
A.6 People (8 controls): Out of scope — HR practices, training, awareness, NDA.
A.7 Physical (14 controls): Out of scope — physical security, equipment security, clear desk/screen.
A.8 Technological (34 controls): Substantial — Satisfies A.8.9, A.8.15, A.8.16; Supports A.8.2, A.8.3, A.8.5, A.8.8, A.8.32; balance Out of scope at the LinuxGuard layer.
The theme summary is descriptive; the per-control mapping table above is the authoritative content.
How to share with an auditor
Three export paths are available, depending on the certification body's or internal auditor's evidence preference:
Console Compliance Expansion reports. Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON); see Compliance Expansion. Each report includes the framework version (ISO/IEC 27001:2022), last-verified date, per-control coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
Support bundles for host-level evidence. Running support-bundle collect on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see Support Bundles. Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
Console CSV / JSON export per control. Compliance Expansion → ISO/IEC 27001:2022 → control detail → Evidence tab exports per-control evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.
Security Note: Support bundles include the raw agent.log and rotated segments. Attribute-key redaction (api_key / *_token / *_secret) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Review every evidence package before sharing externally. See Support Bundles for the per-file redaction status table.
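The pre-share review the security note calls for can be partly automated. The script below is an added example, not LinuxGuard code: it assumes a space-separated key=value log line layout, a small set of PII-bearing key names, and a literal [REDACTED] marker, none of which are taken from the product's actual agent.log format. It flags any attribute whose key matches the api_key / *_token / *_secret patterns but still carries a live value, and counts the PII fields that a reviewer has to judge by hand before the bundle leaves the organization.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log excerpt. The key=value layout, key names and the
# [REDACTED] marker are assumptions for this example, not LinuxGuard's format.
SAMPLE_LOG = """\
2026-05-31T10:00:01Z auth.event user=alice src_ip=10.0.0.5 method=publickey outcome=success host=web-01
2026-05-31T10:00:02Z config.drift host=web-01 path=/etc/ssh/sshd_config api_key=[REDACTED]
2026-05-31T10:00:03Z exec.sudo user=bob host=db-01 cmd=/usr/bin/cat args=/etc/shadow
2026-05-31T10:00:04Z app.event host=db-01 session_token=eyJhbGciOi_example
2026-05-31T10:00:05Z app.event host=db-01 db_secret=hunter2 user=carol
"""

# Key patterns the page says are redacted by the bundle collector.
SECRET_KEY_RE = re.compile(r"^(api_key|.*_token|.*_secret)$")
# Values that count as already redacted (assumed markers).
REDACTED_MARKERS = {"[REDACTED]", "<redacted>", "***"}
# Keys that carry PII the page says is NOT redacted (assumed key names).
PII_KEYS = {"host", "hostname", "src_ip", "ip", "user", "username", "path", "cmd", "args"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_attributes(line: str) -> Dict[str, str]:
    """Extract key=value attributes from a single log line."""
    return {key: value for key, value in KV_RE.findall(line)}


def find_unredacted_secrets(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for secret-pattern keys whose value was not redacted."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for key, value in parse_attributes(line).items():
            if SECRET_KEY_RE.match(key) and value not in REDACTED_MARKERS:
                findings.append((number, key))
    return findings


def find_pii_fields(log_text: str) -> Dict[str, int]:
    """Count PII-bearing keys so the reviewer knows what the bundle exposes."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        for key in parse_attributes(line):
            if key in PII_KEYS:
                counts[key] = counts.get(key, 0) + 1
    return counts


def bundle_is_safe_to_share(log_text: str) -> bool:
    """True only when no live secret value survived redaction; PII still needs a human check."""
    return not find_unredacted_secrets(log_text)


if __name__ == "__main__":
    for number, key in find_unredacted_secrets(SAMPLE_LOG):
        print(f"line {number}: unredacted secret attribute '{key}'")
    for key, count in sorted(find_pii_fields(SAMPLE_LOG).items()):
        print(f"PII field '{key}' appears {count} time(s); review before sharing")
    print("safe to share:", bundle_is_safe_to_share(SAMPLE_LOG))
```

On the constructed sample the redacted api_key on line 2 passes, while the session_token on line 4 and db_secret on line 5 are reported as live values; the PII count shows that host, user, src_ip, path, cmd and args all appear and remain in the clear, which is exactly what the note says the collector does not strip.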
Cross-references
Audit & Comply — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
Compliance Expansion — console pillar; canonical Evidence Location pointer set.
Audit — authorizations and SUDO execution audit feeding compliance evidence.
Baselines — configuration baselines and drift detection that A.8.9 satisfies.
Support Bundles — per-file redaction status table; pre-share PII warning.
Log Management — log retention and rotation relevant to A.8.15 logging.
Glossary — framework acronyms and compliance vocabulary definitions.
Last reviewed: 2026-05-31 against ISO/IEC 27001:2022 published 2022-10-25.