
ISO/IEC 27001:2022 · ISMS · Amendment 1:2024

ISO 27001:2022 on AWS — ISMS to Certification in 6 Months

ISO 27001:2022 transition closed in October 2025 — every certificate is now on the 2022 baseline with the 2024 climate amendment. We build the ISMS, deploy AWS-native controls for Annex A.5–A.8, and prepare the notified-body audit package.

Framework
ISO/IEC 27001 — Information Security Management Systems
Version
ISO/IEC 27001:2022 with Amendment 1:2024 (climate change considerations) — IAF transition closed October 2025
Regulator
International Organization for Standardization (ISO) — certified by accredited certification bodies (notified bodies in EU)
Assessor type
Accredited certification body (ANAB, UKAS, IAF members). Certification audit is two-stage: Stage 1 (documentation review) + Stage 2 (implementation audit). Surveillance audits annually; recertification every 3 years.

Scope: Any organization seeking objective signal of information security maturity — common for enterprise SaaS expanding to EU/APAC, B2B vendors, and platforms in regulated supply chains.

Part of the AWS Security & Compliance hub.

Who needs this

Teams that typically engage on ISO 27001:2022 on AWS

Enterprise SaaS expanding into EU and APAC where ISO 27001 is the dominant procurement signal

B2B platforms in regulated supply chains (defense, finance, healthcare partners)

Companies layering ISO 27001 on top of an existing SOC 2 — most controls overlap

EU operators preparing for NIS2 or DORA where ISO 27001 is the baseline expectation

Shared Responsibility

AWS Shared Responsibility for ISO 27001:2022 on AWS

What AWS does, what you do, and where the line moves under this specific framework.

AWS owns

  • AWS holds ISO 27001:2022, ISO 27017:2015 (cloud-specific controls), and ISO 27018:2019 (PII in public clouds) certifications — current attestations on AWS Artifact
  • AWS infrastructure controls inherit into your ISMS via the Statement of Applicability
  • AWS publishes the ISO 27001:2022 → AWS Service Catalog mapping for Annex A controls

Joint

  • A.6 People controls (awareness, training, screening) — AWS provides the training platform options; you operate the program
  • A.8 Technological controls implementation — AWS provides the services; you configure them
  • Internal audit and management review — your responsibility, but AWS Config and Security Hub generate the inputs

You own

  • Clauses 4–10: ISMS scope, leadership, planning, support, operation, performance evaluation, improvement
  • A.5 Organizational controls (37 controls) — policies, roles, threat intelligence, vendor management
  • A.6 People controls (8 controls) — screening, awareness, disciplinary process, NDA
  • A.7 Physical controls (14 controls) — mostly inherited from AWS for cloud workloads
  • A.8 Technological controls (34 controls) — IAM, encryption, logging, change management, capacity management
  • Risk treatment plan, Statement of Applicability (SoA), internal audit program

Control-by-control AWS implementation

Each control mapped to the AWS service that satisfies it

Excerpts from the full control matrix we deliver in the engagement. Not exhaustive — your audit scope drives the final mapping.

Annex A.5 — Organizational Controls

A.5 is the largest control category in ISO 27001:2022 (37 controls). Most are policy and process — but each requires a technical signal that proves it operates.

A.5.7 — Threat intelligence
AWS services: GuardDuty (threat detection feed), AWS Shield Threat Intelligence, Inspector v2 + KEV catalog

Threat intelligence integrated into vulnerability prioritization; documented in the ISMS as the threat intelligence source.

A.5.15 — Access control
AWS services: IAM Identity Center, IAM Access Analyzer, Service Control Policies

Centralized access control via Identity Center; Access Analyzer findings feed the access review cadence.

A.5.23 — Information security for use of cloud services
AWS services: AWS Config, Security Hub, AWS Control Tower

Cloud security baseline enforced via Control Tower; drift detection via Config.

A.5.30 — ICT readiness for business continuity
AWS services: AWS Backup, AWS Elastic Disaster Recovery, Multi-AZ + Multi-Region patterns

Documented recovery procedures; quarterly DR tests with results in the ISMS.

Annex A.8 — Technological Controls

A.8 (34 controls) is the heaviest mapping to AWS-native services — most controls have a 1:1 service correspondence.

A.8.2 — Privileged access rights
AWS services: IAM Identity Center break-glass roles, AWS Organizations SCPs, CloudTrail privileged action alerting

Break-glass procedure documented; privileged action alerts sent to security team within 5 minutes.
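The alerting half of A.8.2 is easy to claim and hard to evidence. The following is an added example (not the page's or AWS's own code) showing how a detection step can flag privileged CloudTrail events, including assumption of a break-glass role, and record the detection lag against the 5-minute budget so that the SLA itself becomes auditable. The watchlist of event names, the `-BreakGlass` role naming convention, the fixed "now" and the sample records are all constructed assumptions for illustration.

```python
"""Privileged-action alerting over CloudTrail records (A.8.2).

Added example, not the page's or AWS's own code. The records below are
constructed CloudTrail-style events; the privileged-event watchlist, the
break-glass role naming convention and the 5-minute alert budget are
assumptions taken from the control description above.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed watchlist: (eventSource, eventName) pairs that change who can do
# what, or that blind the monitoring itself. Tune per environment.
PRIVILEGED_EVENTS = {
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "PutRolePolicy"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("organizations.amazonaws.com", "UpdatePolicy"),   # SCP edits
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
}
BREAK_GLASS_SUFFIX = "-BreakGlass"      # assumed role naming convention
ALERT_BUDGET = timedelta(minutes=5)     # "within 5 minutes" from the control text

# Constructed sample records (not real account data).
SAMPLE_RECORDS = json.loads("""
[
 {"eventID": "e1", "eventTime": "2025-11-03T10:02:30Z",
  "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_SecOps/alice"},
  "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Prod-BreakGlass"}},
 {"eventID": "e2", "eventTime": "2025-11-03T09:58:00Z",
  "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"name": "org-trail"}},
 {"eventID": "e3", "eventTime": "2025-11-03T10:04:00Z",
  "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/task"},
  "requestParameters": {"bucketName": "reports", "key": "q3.pdf"}}
]
""")
# Fixed "now" so the example is reproducible; a real pipeline uses the wall clock.
NOW = datetime(2025, 11, 3, 10, 5, 0, tzinfo=timezone.utc)


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record):
    """Return why a record counts as privileged, or None if it does not."""
    if (record.get("eventSource"), record.get("eventName")) in PRIVILEGED_EVENTS:
        return "privileged API call " + record["eventName"]
    if record.get("eventName") == "AssumeRole":
        role_arn = record.get("requestParameters", {}).get("roleArn", "")
        if role_arn.endswith(BREAK_GLASS_SUFFIX):
            return "break-glass role assumed"
    return None


def detect(records, now=NOW):
    """Produce one alert per privileged record and measure detection lag
    against the 5-minute budget, so the SLA itself becomes auditable evidence."""
    alerts = []
    for record in records:
        reason = classify(record)
        if reason is None:
            continue
        lag = now - parse_event_time(record["eventTime"])
        identity = record.get("userIdentity", {})
        alerts.append({
            "eventID": record["eventID"],
            "eventName": record["eventName"],
            "actor": identity.get("arn", identity.get("principalId", "unknown")),
            "reason": reason,
            "lag_seconds": int(lag.total_seconds()),
            "within_budget": lag <= ALERT_BUDGET,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

On the sample data the break-glass assumption is caught 150 seconds after the event, while the `StopLogging` call surfaces 420 seconds late and is marked as outside the budget; a real pipeline would feed the `within_budget` flag into the evidence store rather than only alerting.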

A.8.10 — Information deletion
AWS services: S3 Lifecycle policies, AWS Backup retention rules, KMS key deletion

Data retention policy mapped to S3 lifecycle; cryptographic erasure via KMS key deletion for sensitive workloads.

A.8.16 — Monitoring activities
AWS services: CloudWatch, Security Hub, GuardDuty, Detective

Continuous monitoring across security and operational events; documented runbooks for response.

A.8.24 — Use of cryptography
AWS services: KMS CMK, CloudHSM, ACM Private CA, AWS Signer

Cryptographic policy documented; key inventory maintained; ML-KEM hybrid TLS for long-lived data flows.

A.8.28 — Secure coding
AWS services: CodeGuru Reviewer, Inspector v2 code scanning, CodePipeline approval gates

Secure SDLC enforced via pipeline; static analysis and dependency scanning on every PR.

Evidence pipeline

How ISO 27001:2022 on AWS evidence flows continuously

Audit Manager closed to new customers on 30 April 2026. Our pipeline is what we now ship.

AWS Config conformance pack — ISO 27001

AWS-published Operational Best Practices for ISO 27001 conformance pack, mapped to Annex A controls.

Security Hub Essentials

Continuous standards checks; findings tagged to Annex A control IDs feed the SoA.
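The step from "findings tagged to Annex A control IDs" to an SoA implementation status is where most evidence pipelines stay vague. The following is an added example (not the page's, AWS's or any GRC vendor's code) that rolls Security Hub findings up to a per-control status, ignores archived findings, and reports Security Hub control IDs that have no Annex A mapping yet. The Security Hub to Annex A mapping, the status thresholds and the findings themselves are constructed assumptions for illustration; only the ASFF field names (`Compliance.SecurityControlId`, `Compliance.Status`, `RecordState`) are taken from the real finding format.

```python
"""Roll Security Hub findings up to Annex A implementation status for the SoA.

Added example, not the page's, AWS's or any GRC vendor's code. The
Security Hub -> Annex A mapping is an assumption for illustration, the
status thresholds are assumed, and the findings are constructed in ASFF
shape (Compliance.SecurityControlId, Compliance.Status, RecordState).
"""

# Assumed mapping of Security Hub control IDs to the Annex A control they evidence.
ANNEX_A_MAP = {
    "IAM.4": "A.8.2",          # root access keys -> privileged access rights
    "CloudTrail.1": "A.8.15",  # multi-region trail -> logging
    "S3.1": "A.8.3",           # block public access -> information access restriction
    "KMS.4": "A.8.24",         # key rotation -> use of cryptography
}

# Constructed findings, trimmed to the ASFF fields this roll-up uses.
SAMPLE_FINDINGS = [
    {"Id": "f1", "RecordState": "ACTIVE",
     "Compliance": {"SecurityControlId": "IAM.4", "Status": "PASSED"},
     "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    {"Id": "f2", "RecordState": "ACTIVE",
     "Compliance": {"SecurityControlId": "CloudTrail.1", "Status": "PASSED"},
     "Resources": [{"Id": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/org-trail"}]},
    {"Id": "f3", "RecordState": "ACTIVE",
     "Compliance": {"SecurityControlId": "S3.1", "Status": "PASSED"},
     "Resources": [{"Id": "arn:aws:s3:::reports"}]},
    {"Id": "f4", "RecordState": "ACTIVE",
     "Compliance": {"SecurityControlId": "S3.1", "Status": "FAILED"},
     "Resources": [{"Id": "arn:aws:s3:::public-assets"}]},
    {"Id": "f5", "RecordState": "ARCHIVED",   # resolved earlier; must not count
     "Compliance": {"SecurityControlId": "S3.1", "Status": "FAILED"},
     "Resources": [{"Id": "arn:aws:s3:::old-bucket"}]},
    {"Id": "f6", "RecordState": "ACTIVE",
     "Compliance": {"SecurityControlId": "KMS.4", "Status": "FAILED"},
     "Resources": [{"Id": "arn:aws:kms:eu-west-1:111122223333:key/abcd-1234"}]},
    {"Id": "f7", "RecordState": "ACTIVE",     # no Annex A mapping yet
     "Compliance": {"SecurityControlId": "EC2.19", "Status": "FAILED"},
     "Resources": [{"Id": "arn:aws:ec2:eu-west-1:111122223333:security-group/sg-1"}]},
]

# SoA controls in scope for this example; A.5.7 has no automated check feeding it.
SOA_CONTROLS = ["A.5.7", "A.8.2", "A.8.3", "A.8.15", "A.8.24"]


def rollup(findings, soa_controls, mapping=ANNEX_A_MAP):
    """Return (status per Annex A control, unmapped Security Hub control IDs).

    Status rule (assumed): every active check passed -> Implemented; a mix ->
    Partially implemented; none passed -> Not implemented; no check at all ->
    No technical evidence, so the SoA author knows to supply manual evidence.
    """
    counts = {c: {"passed": 0, "failed": 0, "failing_resources": []} for c in soa_controls}
    unmapped = set()
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue
        control_id = f["Compliance"]["SecurityControlId"]
        annex = mapping.get(control_id)
        if annex is None:
            unmapped.add(control_id)
            continue
        entry = counts.setdefault(annex, {"passed": 0, "failed": 0, "failing_resources": []})
        if f["Compliance"]["Status"] == "PASSED":
            entry["passed"] += 1
        else:   # FAILED, WARNING and NOT_AVAILABLE all count against the control
            entry["failed"] += 1
            entry["failing_resources"].append(f["Resources"][0]["Id"])
    for entry in counts.values():
        total = entry["passed"] + entry["failed"]
        if total == 0:
            entry["status"] = "No technical evidence"
        elif entry["failed"] == 0:
            entry["status"] = "Implemented"
        elif entry["passed"] == 0:
            entry["status"] = "Not implemented"
        else:
            entry["status"] = "Partially implemented"
    return counts, sorted(unmapped)


if __name__ == "__main__":
    status, gaps = rollup(SAMPLE_FINDINGS, SOA_CONTROLS)
    for control in SOA_CONTROLS:
        print(control, status[control]["status"], status[control]["failing_resources"])
    print("unmapped Security Hub controls:", gaps)
```

Two design choices matter for an auditor: archived findings are excluded so a remediated bucket does not keep a control "Partially implemented", and the unmapped list is returned rather than silently dropped, because an unmapped failing check is exactly the kind of gap a Stage 2 auditor will ask about.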

ISMS document repository

Policies, procedures, SoA, risk treatment plan, internal audit reports — owned by your team, structured for the certification body.

GRC tool integration

Vanta, Drata, Secureframe, or Tugboat Logic with the ISO 27001:2022 framework template — control inventory and evidence dashboard.

Engagement timeline

What you get, week by week

Date-bound engagement, not an open-ended retainer. Deliverables are itemised in the SOW.

1. Weeks 1–4 — ISMS Foundation
  • ISMS scope statement (clause 4.3) — what is in, what is out
  • Risk assessment methodology (clause 6.1) and risk treatment plan
  • Statement of Applicability (SoA) — every Annex A control with applicability and implementation status
  • Information security policy and supporting topic-specific policies (clause 5.2)
2. Weeks 5–12 — Control Implementation
  • A.8 Technological controls deployed (IAM, encryption, logging, monitoring, change management)
  • A.5 Organizational controls documented and operating (vendor management, threat intelligence, business continuity)
  • A.6 People controls (awareness training, role-based screening, NDAs) operationalized
  • Internal audit program established (clause 9.2) — first audit completed
3. Months 4–6 — Operating Period (4–6 months)
  • Continuous control operation — minimum 3 months for the certification body to assess effectiveness
  • Management review (clause 9.3) — first review completed
  • Corrective actions for findings from internal audit (clause 10.1)
4. Stage 1 + Stage 2 Audit (6–10 weeks)
  • Stage 1 — documentation review (typically 1 week of fieldwork)
  • 4–6 weeks remediation window for any Stage 1 findings
  • Stage 2 — implementation audit (typically 2 weeks of fieldwork)
  • Certification decision and ISO 27001:2022 certificate issued (valid 3 years)

FAQ

Frequently asked questions about ISO 27001:2022 on AWS

The questions buyers ask before signing — assessor type, timeline, cost, and AWS-specific scope.

Did ISO 27001:2022 actually change again in 2024?
Yes — Amendment 1:2024 was published February 2024 and added climate-change considerations to clauses 4.1 (understanding the organization and its context) and 4.2 (understanding the needs and expectations of interested parties). The amendment is non-substantive in technical terms but auditors will check that your context-of-the-organization assessment includes climate-related risks (data-center power, regional flooding, supply chain disruption from extreme weather). The IAF transition window from ISO 27001:2013 to ISO 27001:2022 closed in October 2025 — every accredited certificate is now on the 2022 baseline with the 2024 amendment.
How much does ISO 27001 overlap with SOC 2?
High — typically 70–80% of controls overlap. ISO 27001:2022 has 93 Annex A controls; SOC 2 has the Common Criteria CC1–CC9 plus optional categories. Most platforms with SOC 2 Type II already operate the technical controls ISO 27001 expects. The gap is usually in the formal ISMS structure: ISO requires a documented Statement of Applicability, a risk treatment plan with residual risk acceptance, an internal audit program, and a management review cycle — all of which SOC 2 does not formally require. Layering ISO 27001 on top of SOC 2 is typically a 4–6 month effort, not a fresh build.
Do we need ISO 27017 and ISO 27018 too?
Depends on your customers. ISO 27017:2015 adds cloud-specific guidance (relationship between cloud service customer and provider, virtual machine isolation, customer monitoring). ISO 27018:2019 adds PII protection in public clouds. AWS holds both certifications, so the inherited controls flow through. For your own certification: most B2B SaaS only needs 27001 — but enterprise customers in EU and APAC increasingly ask for 27017 and 27018 in the SoA. We recommend including both as scope items in the initial certification rather than adding them as a separate engagement later.
Notified body vs certification body — what is the difference?
For ISO 27001 in non-EU jurisdictions, the term is "accredited certification body" — accredited by an IAF member (ANAB in US, UKAS in UK, JIPDEC in Japan, etc.). In EU regulatory contexts (e.g., NIS2), the term "notified body" may apply to specific certification schemes. For an ISO 27001:2022 certificate, the certification body must be IAF-accredited. Common choices: BSI, TÜV SÜD, DNV, Schellman, A-LIGN, Bureau Veritas. Pick a certification body whose accreditation matches your customer geography — a UKAS-accredited certificate carries weight in UK and EU; an ANAB-accredited certificate carries weight in US.
How long does first ISO 27001 certification take on AWS?
Realistic timeline: 6–9 months from start to certificate. Breakdown: 4 weeks ISMS foundation (scope, risk assessment, SoA, policies), 8 weeks control implementation, 3–4 months operating period (the certification body needs to see the ISMS operating, not just designed), 1 week Stage 1 audit, 4–6 weeks remediation, 2 weeks Stage 2 audit, 2–4 weeks certification decision. Renewals run on a 3-year cycle with annual surveillance audits. Companies with mature SOC 2 Type II tend to land at 4–5 months; companies starting from scratch land at 9–12 months.
Can we use Vanta or Drata for ISO 27001?
Yes — Vanta, Drata, Secureframe, and Tugboat Logic all ship ISO 27001:2022 framework templates with the 93 Annex A controls pre-mapped. The GRC tool serves the same role as in SOC 2: control inventory, evidence collection, and an auditor-facing dashboard. Your certification body will spend less time in fieldwork if the GRC tool is wired to AWS Config and Security Hub for live evidence. Note: GRC tools do not write your Statement of Applicability or risk treatment plan — those are bespoke documents that require human judgement on residual risk acceptance.

Book a Free ISO 27001 Readiness Assessment

2-week read-only assessment. We map your AWS environment to the 93 Annex A controls, gauge ISMS maturity, and quote the realistic certification timeline. No retainer commitment.