# ISO/IEC 27001:2022

> **Note**: This page maps LinuxGuard against **ISO/IEC 27001:2022** (published 2022-10-25). Last verified against the framework on 2026-05-31. Canonical framework document: [ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements](https://www.iso.org/standard/27001). For the vocabulary contract used here, see [Audit & Comply](/audit-and-comply/audit-comply.md).

> **Important — :2013 to :2022 transition**: ISO/IEC 27001:2013 (114 controls organized in 14 domains across Annex A.5–A.18) was replaced by ISO/IEC 27001:2022 (93 controls reorganized into 4 themes: Organizational, People, Physical, Technological). The IAF transition period required certification bodies to migrate active certifications to the :2022 standard by **2025-10-31** — certifications still on :2013 after that date are not recognized. This mapping references :2022 Annex A control IDs only. Customers maintaining historical :2013 mappings should use the ISO/IEC 27001:2022 Annex B mapping table (in the standard itself) for crosswalking — A.12.4.1 (Event logging) maps to A.8.15 (Logging), A.9.4.2 (Secure log-on procedures) maps to A.8.5 (Secure authentication), and so on. The control count reduction reflects consolidation, not removed coverage — :2022 introduces 11 new controls (most notably A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.8.9 Configuration management, A.8.10 Information deletion, A.8.16 Monitoring activities, A.8.28 Secure coding).

## Scope

This page maps LinuxGuard's agent and console capabilities against ISO/IEC 27001:2022. The mapping is scoped to Annex A Technological controls (theme A.8 — 37 controls covering technology-level security) that LinuxGuard's telemetry, baselines, drift detection, and audit features address. Controls in the Organizational theme (A.5 — 37 controls covering policies, roles, ISMS administration, supplier and asset management programs), the People theme (A.6 — 8 controls covering screening, training, and HR practices), the Physical theme (A.7 — 14 controls covering physical access, equipment security, and clear desk/screen practices), and the broader Information Security Management System (ISMS) requirements in clauses 4–10 of the standard's main body are out of scope for this product and are listed in the mapping table as `Out of scope` rather than omitted. This mapping is informational and not a substitute for an independent audit by a qualified ISO/IEC 27001 lead auditor or certification body.

Customers remain responsible for the ISMS itself — context establishment, leadership commitment, planning (including the risk assessment and risk treatment plan that drives Statement of Applicability), support resources, operational planning and control, performance evaluation, and continual improvement under clauses 4–10. The mapping below addresses Annex A technological controls only and is not a substitute for the customer's ISMS scope definition, Statement of Applicability, or certification audit.

## Shared responsibility

> LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.

The shared-responsibility framing for ISO/IEC 27001:2022:

* **LinuxGuard responsibility.** Produce continuous telemetry, configuration baselines, drift detection, authentication event capture, file integrity monitoring, behavioral signals, and audit trails on Linux systems that map to specific Annex A Technological controls. Maintain the framework version pin and per-control evidence pointers.
* **Customer responsibility.** Establish and operate the ISMS per clauses 4–10 of ISO/IEC 27001:2022, conduct the risk assessment and risk treatment plan, draft and maintain the Statement of Applicability (SoA) declaring which Annex A controls apply and how they are addressed, implement Annex A Organizational, People, and Physical theme controls, engage a qualified certification body for the certification audit, and complete the surveillance and recertification cycles.
* **Out-of-scope domains for this framework.** ISMS administration (clauses 4–10), Annex A Organizational theme (A.5 — 37 controls), Annex A People theme (A.6 — 8 controls), Annex A Physical theme (A.7 — 14 controls), and the certification body engagement workflow.

## Control mapping

The Tier column uses one of three labels and only those three: `Satisfies`, `Supports`, `Out of scope`. The Evidence column points to a row of the canonical [Evidence Location](/concepts/concepts/console/compliance-expansion.md#evidence-location) table or to a specific console page. See [Audit & Comply](/audit-and-comply/audit-comply.md) for the three-tier vocabulary contract. Annex A control IDs reference ISO/IEC 27001:2022 numbering.

| Control ID | Description                                                                                                                                                                                                                              | Tier           | Evidence                                                                                                                                                                      | Notes                                                                                                                                                                                                                                                                                                                               |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `A.5`      | Organizational theme (37 controls — policies, ISMS administration, supplier and asset management)                                                                                                                                        | `Out of scope` | n/a                                                                                                                                                                           | Organizational controls (information security policies, roles, segregation of duties, contact with authorities, threat intelligence program, asset register, classification, supplier security programs, ISMS administration) are not addressed by LinuxGuard.                                                                      |
| `A.6`      | People theme (8 controls — screening, training, awareness, disciplinary, remote working, NDA)                                                                                                                                            | `Out of scope` | n/a                                                                                                                                                                           | People controls are HR and program responsibilities not addressed by LinuxGuard.                                                                                                                                                                                                                                                    |
| `A.7`      | Physical theme (14 controls — physical security perimeters, entry controls, equipment security, clear desk/screen, secure disposal)                                                                                                      | `Out of scope` | n/a                                                                                                                                                                           | Physical controls are not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                  |
| `A.8.2`    | Privileged access rights — the allocation and use of privileged access rights are restricted and managed                                                                                                                                 | `Supports`     | Console Baselines → SUDO rules, SUDO aliases, SUDO defaults; Console Audit pillar → Authorizations audit; Agent log (raw events) with `loginUID` attribute                    | SUDO rule baselines, SUDO defaults baseline, SUDO aliases baseline, authorization audit, and `loginUID` capture surviving privilege escalation produce evidence of privileged access posture. Customer responsible for the privileged access policy, role definition, and access review workflow.                                   |
| `A.8.3`    | Information access restriction — access to information and other associated assets is restricted in accordance with the established topic-specific policy on access control                                                              | `Supports`     | Console Baselines → SSH config, SSHD config, accounts, groups; Console Audit pillar → Authorizations audit                                                                    | SSH/SSHD baselines, account/group inventories, and authorization audit surface OS-layer access-restriction evidence. Customer responsible for the access control policy, application-layer access restriction, and IAM platform.                                                                                                    |
| `A.8.5`    | Secure authentication — secure authentication technologies and procedures are implemented based on information access restrictions and topic-specific policy on access control                                                           | `Supports`     | Agent log (raw events) with `auth.event` attribute; Console Identity Intelligence                                                                                             | Authentication event capture records every login (success and failure) with user, source IP, method (password, publickey, keyboard-interactive), and outcome. Customer responsible for MFA enforcement at the IdP or PAM layer, password policy administration, and the broader authentication architecture.                        |
| `A.8.7`    | Protection against malware — protection against malware is implemented and supported by appropriate user awareness                                                                                                                       | `Out of scope` | n/a                                                                                                                                                                           | Anti-malware deployment, signature management, and user awareness programs are not addressed by LinuxGuard. LinuxGuard is not an anti-malware product.                                                                                                                                                                              |
| `A.8.8`    | Management of technical vulnerabilities — information about technical vulnerabilities of information systems in use is obtained, the organization's exposure to such vulnerabilities is evaluated, and appropriate measures are taken    | `Supports`     | `linuxguard-agent probe` command; Console Compliance Expansion → History                                                                                                      | The probe command tests kernel, BPF, fanotify, netlink, audit, and capability prerequisites at deployment time. Compliance history surfaces posture trends. Customer responsible for the vulnerability management program, scanning cadence, and remediation tracking.                                                              |
| `A.8.9`    | Configuration management — configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed                                              | `Satisfies`    | Console Baselines → SSH config, SSHD config, SUDO aliases, SUDO defaults, SUDO rules, accounts, groups; Console Zero Trust Enforcement → Config Drift; Agent log (raw events) | Baselines capture the expected configuration state for SSH client, SSHD daemon, SUDO aliases, SUDO defaults, SUDO rules, accounts, and groups; drift detection surfaces deviations on each scan cycle. See [Baselines](/concepts/concepts/console/baselines.md). This is the load-bearing control for LinuxGuard's baseline pillar. |
| `A.8.10`   | Information deletion — information stored in information systems, devices or in any other storage media is deleted when no longer required                                                                                               | `Out of scope` | n/a                                                                                                                                                                           | Information deletion policies and execution are not addressed by LinuxGuard.                                                                                                                                                                                                                                                        |
| `A.8.11`   | Data masking — data masking is used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration | `Out of scope` | n/a                                                                                                                                                                           | Data masking is an application-layer or database-layer responsibility not addressed by LinuxGuard.                                                                                                                                                                                                                                  |
| `A.8.12`   | Data leakage prevention — data leakage prevention measures are applied to systems, networks and any other devices that process, store or transmit sensitive information                                                                  | `Out of scope` | n/a                                                                                                                                                                           | DLP enforcement is not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                     |
| `A.8.13`   | Information backup — backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific policy on backup                                                                | `Out of scope` | n/a                                                                                                                                                                           | Backup management and testing are not addressed by LinuxGuard.                                                                                                                                                                                                                                                                      |
| `A.8.15`   | Logging — logs that record activities, exceptions, faults and other relevant events are produced, stored, protected and analysed                                                                                                         | `Satisfies`    | Agent log (raw events) at `/var/log/linuxguard/agent.log`; Support bundle; Console Compliance Expansion → History                                                             | The LinuxGuard agent generates structured audit logs continuously on every enrolled host with timestamps, event categories, and identity attribution. Default retention: 50 MB per file, 14-day retention, 5 backups, gzip compression. See [Log Management](/operate/operate/log-management.md).                                   |
| `A.8.16`   | Monitoring activities — networks, systems and applications are monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents                                                      | `Satisfies`    | Agent log (raw events); Console Zero Trust Enforcement → Signals; Console Zero Trust Enforcement → Config Drift                                                               | Continuous agent telemetry, behavioral signal records, and drift detection produce continuous monitoring of enrolled hosts. See [Security Architecture](/concepts/concepts/security-architecture.md).                                                                                                                               |
| `A.8.17`   | Clock synchronization — the clocks of information processing systems used by the organization are synchronized to approved time sources                                                                                                  | `Out of scope` | n/a                                                                                                                                                                           | Clock synchronization (NTP / chronyd) is an OS-administration responsibility not addressed by LinuxGuard. LinuxGuard reads the system clock for event timestamps but does not enforce time-sync configuration.                                                                                                                      |
| `A.8.20`   | Networks security — networks and network devices are secured, managed and controlled to protect information in systems and applications                                                                                                  | `Out of scope` | n/a                                                                                                                                                                           | Network device security is not addressed by LinuxGuard.                                                                                                                                                                                                                                                                             |
| `A.8.21`   | Security of network services — security mechanisms, service levels and service requirements of network services are identified, implemented and monitored                                                                                | `Out of scope` | n/a                                                                                                                                                                           | Network service security architecture is not addressed by LinuxGuard.                                                                                                                                                                                                                                                               |
| `A.8.22`   | Segregation of networks — groups of information services, users and information systems are segregated in the organization's networks                                                                                                    | `Out of scope` | n/a                                                                                                                                                                           | Network segmentation is not addressed by LinuxGuard.                                                                                                                                                                                                                                                                                |
| `A.8.24`   | Use of cryptography — rules for the effective use of cryptography, including cryptographic key management, are defined and implemented                                                                                                   | `Out of scope` | n/a                                                                                                                                                                           | Cryptography policy and key management are not addressed by LinuxGuard at the framework-mapping layer. LinuxGuard uses TLS in transit to the console — the customer's cryptography program covers application-layer encryption choices.                                                                                             |
| `A.8.25`   | Secure development life cycle — rules for the secure development of software and systems are established and applied                                                                                                                     | `Out of scope` | n/a                                                                                                                                                                           | Secure development lifecycle policies are not addressed by LinuxGuard.                                                                                                                                                                                                                                                              |
| `A.8.28`   | Secure coding — secure coding principles are applied to software development                                                                                                                                                             | `Out of scope` | n/a                                                                                                                                                                           | Secure coding practices are a development-program responsibility not addressed by LinuxGuard.                                                                                                                                                                                                                                       |
| `A.8.32`   | Change management — changes to information processing facilities and information systems are subject to change management procedures                                                                                                     | `Supports`     | Console Zero Trust Enforcement → Config Drift; Console Baselines                                                                                                              | Drift detection surfaces unauthorized or out-of-band changes to OS-layer configuration. Customer responsible for the change management procedure, approval workflow, and change advisory board process.                                                                                                                             |
| `A.8.34`   | Protection of information systems during audit testing — audit tests and other assurance activities involving assessment of operational systems are planned and agreed between the tester and appropriate management                     | `Out of scope` | n/a                                                                                                                                                                           | Audit planning and coordination are an organizational responsibility not addressed by LinuxGuard.                                                                                                                                                                                                                                   |

> **Important**: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why — silence is interpreted as an implicit Satisfies claim.

## Statement of Applicability considerations

ISO/IEC 27001:2022 clause 6.1.3 requires the customer to produce a Statement of Applicability (SoA) declaring which Annex A controls apply, how they are implemented, and the justification for any exclusions. The SoA is the load-bearing document for an :2022 certification audit and is the place where the mapping above feeds the customer's broader documentation.

Practical SoA implications of this mapping:

* **Annex A.8.9, A.8.15, and A.8.16 are the three Satisfies rows.** Customers documenting LinuxGuard in their SoA list these three controls with LinuxGuard as the implementation surface, and reference this page as the supporting evidence pointer.
* **Annex A.8.2, A.8.3, A.8.5, A.8.8, and A.8.32 are the Supports rows.** Customers documenting LinuxGuard in their SoA list these controls with LinuxGuard as one input and the customer-side control (IAM platform, vulnerability management program, change management procedure) as the complementary surface.
* **Out-of-scope rows.** The SoA may include or exclude these controls based on the customer's ISMS scope; if included, LinuxGuard is not part of the implementation surface for them.

The SoA template itself is the customer's responsibility — LinuxGuard does not produce or maintain an SoA artifact. The console's [Compliance Expansion](/concepts/concepts/console/compliance-expansion.md) reports provide the per-control evidence the SoA references.

## Annex A theme summary

ISO/IEC 27001:2022 reorganizes Annex A into four themes. The summary below restates LinuxGuard coverage per theme.

| Theme              | Controls | LinuxGuard coverage                                                                                                                       |
| ------------------ | -------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| A.5 Organizational | 37       | Out of scope — policies, ISMS administration, supplier and asset management programs.                                                     |
| A.6 People         | 8        | Out of scope — HR practices, training, awareness, NDA.                                                                                    |
| A.7 Physical       | 14       | Out of scope — physical security, equipment security, clear desk/screen.                                                                  |
| A.8 Technological  | 37       | Substantial — Satisfies A.8.9, A.8.15, A.8.16; Supports A.8.2, A.8.3, A.8.5, A.8.8, A.8.32; balance Out of scope at the LinuxGuard layer. |

The theme summary is descriptive; the per-control mapping table above is the authoritative content.

## How to share with an auditor

Three export paths are available, depending on the certification body's or internal auditor's evidence preference:

* **Console Compliance Expansion reports.** Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per [Compliance Expansion](/concepts/concepts/console/compliance-expansion.md#reports). Each report includes the framework version (ISO/IEC 27001:2022), last-verified date, per-control coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
* **Support bundles for host-level evidence.** `support-bundle collect` on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see [Support Bundles](/operate/operate/support-bundles.md). Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
* **Console CSV / JSON export per control.** Compliance Expansion → ISO/IEC 27001:2022 → control detail → Evidence tab exports per-control evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.
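The report manifest's SHA-256 entries are only useful if the recipient actually checks them on arrival. The following is an added example, not LinuxGuard's own tooling: it assumes a `sha256sum`-style manifest (`<hex digest>  <relative path>` per line, a layout this page does not specify) and verifies an unpacked evidence package against it, reporting files that are missing, altered, or present but unlisted. The package it builds is constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed manifest layout for this example: one "<sha256 hex>  <relative path>"
# line per file, the format sha256sum emits. The real report manifest format
# is not described on this page.

def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large PDF/CSV exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Map relative path -> expected digest; reject malformed lines instead of skipping them."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[parts[1].strip()] = parts[0].lower()
    return entries

def verify_manifest(root, manifest_text, manifest_name="manifest.sha256"):
    """Return {relative path: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    results = {}
    for rel, digest in expected.items():
        target = root / rel
        if not target.is_file():
            results[rel] = "missing"
        elif sha256_of_file(target) != digest:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    # Files shipped in the package but absent from the manifest deserve a look too.
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in results and rel != manifest_name:
                results[rel] = "unlisted"
    return results

def build_demo_package():
    """Construct a throwaway evidence package, then tamper with it after 'signing'."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    files = {
        "controls.csv": b"control,tier\nA.8.9,Satisfies\nA.8.15,Satisfies\n",
        "summary.json": b'{"framework":"ISO/IEC 27001:2022"}\n',
        "servers/web-01.json": b'{"host":"web-01","pass":12,"fail":1}\n',
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    manifest = "".join(f"{sha256_of_file(root / rel)}  {rel}\n" for rel in files)
    (root / "manifest.sha256").write_text(manifest)
    # Simulate a post-export edit of one file and a stray file added later.
    (root / "controls.csv").write_bytes(b"control,tier\nA.8.9,Satisfies\nA.8.15,Supports\n")
    (root / "notes.txt").write_bytes(b"added after signing\n")
    return root, manifest

if __name__ == "__main__":
    root, manifest = build_demo_package()
    for rel, status in sorted(verify_manifest(root, manifest).items()):
        print(f"{status:9} {rel}")
```

An `unlisted` result is not necessarily tampering, but a package whose file set differs from its manifest should be questioned before any of its contents are treated as evidence.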

> **Security Note**: Support bundles include the raw `agent.log` and rotated segments. Attribute-key redaction (`api_key` / `*_token` / `*_secret`) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Review every evidence package before sharing externally. See [Support Bundles](/operate/operate/support-bundles.md) for the per-file redaction status table.
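To make the gap described in this note concrete, the following added example (not LinuxGuard code) applies the documented attribute-key rule (`api_key`, `*_token`, `*_secret`) to a few constructed log lines and then lists what still remains for a human to review before the bundle leaves the organization. The JSON-lines layout, the key names other than `auth.event` and `loginUID`, and every value are assumptions made for the example; only the redaction rule itself comes from this page.

```python
import ipaddress
import json

# Constructed sample of agent.log lines in an assumed JSON-lines layout.
# The attribute names auth.event and loginUID come from the mapping table
# above; every other key and every value is made up for this example.
SAMPLE_LOG_LINES = [
    '{"ts":"2026-05-31T08:12:07Z","auth.event":"login","user":"alice",'
    '"src_ip":"203.0.113.42","method":"publickey","outcome":"success",'
    '"host":"web-01.example.internal","api_key":"AKIA-EXAMPLE-0001"}',
    '{"ts":"2026-05-31T08:13:40Z","auth.event":"login","user":"bob",'
    '"src_ip":"198.51.100.7","method":"password","outcome":"failure",'
    '"host":"web-01.example.internal","session_token":"tok-EXAMPLE"}',
    '{"ts":"2026-05-31T08:15:02Z","event":"sudo.exec","loginUID":1001,'
    '"cmd":"/usr/bin/systemctl restart sshd","path":"/etc/ssh/sshd_config",'
    '"vault":{"db_secret":"s3cr3t-EXAMPLE"}}',
]

REDACTED = "[REDACTED]"
# Keys that carry the PII classes the note says are NOT redacted; the names
# are assumed for this example, not taken from the agent's schema.
PII_KEYS = {"host", "hostname", "src_ip", "user", "username", "path", "cmd", "args"}

def is_redacted_key(key):
    """Mirror the documented attribute-key rule: api_key, *_token, *_secret."""
    k = key.lower()
    return k == "api_key" or k.endswith("_token") or k.endswith("_secret")

def redact_attribute_keys(obj):
    """Return a copy with matching keys blanked, descending into nested objects."""
    if isinstance(obj, dict):
        return {k: (REDACTED if is_redacted_key(k) else redact_attribute_keys(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_attribute_keys(v) for v in obj]
    return obj

def looks_like_ip(value):
    """True for any IPv4/IPv6 literal, so IPs hidden under unexpected keys are still caught."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def find_residual_pii(obj, prefix=""):
    """List (dotted key, value) pairs that survive key redaction and look like PII."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            name = f"{prefix}{k}"
            if isinstance(v, (dict, list)):
                found.extend(find_residual_pii(v, name + "."))
            elif k.lower() in PII_KEYS or (isinstance(v, str) and looks_like_ip(v)):
                found.append((name, v))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_residual_pii(v, f"{prefix}{i}."))
    return found

def review_log_lines(lines):
    """Apply the key redaction, then report what still needs a manual decision."""
    events, residual = [], []
    for line in lines:
        event = redact_attribute_keys(json.loads(line))
        events.append(event)
        residual.extend(find_residual_pii(event))
    return {"events": events, "residual_pii": residual}

if __name__ == "__main__":
    report = review_log_lines(SAMPLE_LOG_LINES)
    for key, value in report["residual_pii"]:
        print(f"still present after redaction: {key} = {value!r}")
```

Secret-bearing keys are blanked exactly as the note describes, while the usernames, source IPs, hostnames, paths, and command arguments are all still present in the output; that residual list is what the reviewer has to decide about before an external share.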

## Cross-references

* [**Audit & Comply**](/audit-and-comply/audit-comply.md) — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
* [**Compliance Expansion**](/concepts/concepts/console/compliance-expansion.md) — console pillar; canonical Evidence Location pointer set.
* [**Audit**](/concepts/concepts/console/audit.md) — authorizations and SUDO execution audit feeding compliance evidence.
* [**Baselines**](/concepts/concepts/console/baselines.md) — configuration baselines and drift detection that A.8.9 satisfies.
* [**Support Bundles**](/operate/operate/support-bundles.md) — per-file redaction status table; pre-share PII warning.
* [**Log Management**](/operate/operate/log-management.md) — log retention and rotation relevant to A.8.15 logging.
* [**Glossary**](/reference/reference/glossary.md) — framework acronyms and compliance vocabulary definitions.

***

*Last reviewed: 2026-05-31 against ISO/IEC 27001:2022 published 2022-10-25.*
