FAQs: ISO 27001: requirements, evidence, and common scenarios

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Controls and Annex A

What are the main areas of overlap between ISO 27001:2022 controls and ISAE 3402 controls?

  • ISO 27001 and ISAE 3402 cover many of the same core control areas related to security, governance, and operational reliability. The main areas of overlap include:

    Governance and risk management – security policies, management oversight, risk assessment, and internal control monitoring.

    Access control and identity management – user provisioning and removal, least-privilege access, authentication, and privileged account controls.

    Change management and system development – controlled system changes, approvals, testing, and separation of environments.

    Operations and monitoring – logging, monitoring, incident detection, escalation, and response procedures.

    Data protection and confidentiality – data classification, secure handling, encryption, and protection of sensitive information.

    Physical and environmental security – restricted facility access, data center controls, and protection of infrastructure.

    Business continuity and disaster recovery – backups, recovery procedures, availability controls, and continuity planning.

    Vendor and third-party management – oversight of outsourced providers, security requirements in contracts, and monitoring of subservice organizations.

    In practice, many IT general controls used for ISAE 3402 can be supported by controls already implemented under an ISO 27001 Information Security Management System, although ISAE 3402 focuses more narrowly on controls relevant to service delivery and financial reporting.

What does the 'Website support page' test relate to in ISO 27001 or ISO 42001, and why is it included if the mapped controls (e.g., COM-05, COM-02-2) don’t mention a support page?

  • The 'Website support page' test in Secureframe is designed to help confirm that your organization publicly provides contact information for reporting security concerns or AI-related issues, especially for users or external stakeholders.

    While controls like COM-05 (Communications) or COM-02-2 (Responsibilities for communicating with external parties) may not explicitly mention a “support page,” they imply the need for clear, accessible communication channels for external inquiries.

    This test helps meet the intent of those controls by checking whether there is:

    A visible and accessible page where customers or the public can reach out regarding security, privacy, or AI-related issues

    A dedicated email or contact form for responsible disclosure or incident reporting

    This is especially relevant for ISO 42001, which adds emphasis on transparency around AI systems and accountability to external stakeholders.

    If you provide this info elsewhere (e.g., a Trust Center or legal page), that can still fulfill the requirement — the goal is simply to ensure the contact path exists and is discoverable.
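The two things the answer says the test looks for (a public contact path for security, privacy or AI concerns, and a dedicated email or form for disclosure or incident reporting) can be checked mechanically against a page's HTML. The following is an added example written for this article, not Secureframe's own test implementation: it parses a constructed HTML snippet with the standard library and reports which contact paths it finds. The keyword list and the sample page are assumptions made for the example.

```python
"""Detect a discoverable security/privacy/AI contact path in a web page.

Added example, not Secureframe's test code. The sample page and the
keyword list are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# Words that signal a security, privacy or AI-related contact path (assumption).
CONTACT_PATTERN = re.compile(
    r"\b(security|privacy|disclosure|vulnerability|incident|ai)\b", re.IGNORECASE
)

# Constructed sample page: one general link, one security mailto, one AI form.
SAMPLE_PAGE = """<html><body>
<h1>Contact us</h1>
<a href="/support">General support</a>
<a href="mailto:security@example.com">Report a security issue</a>
<form action="/ai-concerns" method="post"><input name="msg"></form>
</body></html>"""


class ContactPathParser(HTMLParser):
    """Collect mailto links, ordinary links and form actions with their link text."""

    def __init__(self):
        super().__init__()
        self.mailto = []   # (address, link text)
        self.links = []    # (href, link text)
        self.forms = []    # form action URLs
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if self._href.lower().startswith("mailto:"):
                self.mailto.append((self._href[len("mailto:"):], text))
            else:
                self.links.append((self._href, text))
            self._href = None


def find_contact_paths(html):
    """Return [(kind, target)] for every contact path that matches CONTACT_PATTERN.

    kind is "email" for a mailto address, "page_or_form" for a link or form.
    An empty list means the page gives no discoverable reporting channel.
    """
    parser = ContactPathParser()
    parser.feed(html)
    hits = []
    for addr, text in parser.mailto:
        if CONTACT_PATTERN.search(addr + " " + text):
            hits.append(("email", addr))
    for href, text in parser.links + [(f, "") for f in parser.forms]:
        if CONTACT_PATTERN.search(href + " " + text):
            hits.append(("page_or_form", href))
    return hits


def has_reporting_channel(html):
    """True when at least one dedicated email or page/form for reporting exists."""
    return bool(find_contact_paths(html))


if __name__ == "__main__":
    for kind, target in find_contact_paths(SAMPLE_PAGE):
        print(f"{kind}: {target}")
```

Run it against the HTML of your contact, Trust Center or legal page; a result of no hits is the signal that the contact path either does not exist or is not discoverable, which is exactly the gap the test is meant to surface.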

ISO 27001 program and evidence

Am I right in thinking that for ISO 27001, 'Annual Performance Reviews' can be any kind of notes from 1:1s, feedback sessions, etc.?

  • Yes, you're right in principle! ISO 27001 doesn't prescribe exactly how Annual Performance Reviews should be conducted—it’s more about demonstrating that you have a process in place to ensure employee performance is reviewed regularly and appropriately in the context of information security.

    So yes, notes from 1:1s, documented feedback sessions, or even informal performance evaluations can qualify—as long as:

    They’re documented.

    They include relevant content to show performance is being monitored and aligned with information security goals.

    The process is consistent and repeatable (i.e., not ad hoc).

    It's good practice to reference these in your HR or ISMS documentation and show how they tie into broader goals like competency, awareness, and continual improvement.

Are the ISO 27001 mappings for ORG-14 and GOV-07 correct, and can they be adjusted if needed?

  • ORG-14 is appropriately mapped to ISO 27001. For GOV-07, mapping to Clause 10.2 (Nonconformity and corrective action) is more accurate, as the control focuses on documenting, tracking, and remediating nonconformities. While adjustments may be evaluated internally, customers currently cannot modify backend control mappings. If a customer disagrees with a mapping, they may choose to disable the control within their environment.

Can I get a summary of the ISO 27001:2022 requirements?

  • Here is a high-level list. To see the full list of requirements, controls, tests and other associated data, go to the Frameworks section of your Secureframe platform.

    Clauses
    5. General (ISO 27701)
    4. Context of the organization
    6. Planning
    6.1 Actions to address risks and opportunities
    Controls
    A.5 Information security policies
    A.5.1 Management direction for information security
    A.6 Organization of information security
    A.6.1 Internal organization
    A.6.2 Mobile devices and teleworking
    A.7 Human resource security
    A.7.2 During employment
    A.8 Asset management
    A.8.2 Information classification
    A.8.3 Media handling
    A.9 Access control
    A.9.2 User access management
    A.9.4 System and application access control
    A.10 Cryptography
    A.10.1 Cryptographic Controls
    A.11 Physical and environmental security
    A.11.2 Equipment
    A.12 Operations security
    A.12.3 Backup
    A.12.4 Logging and monitoring
    A.13 Communications security
    A.13.2 Information Transfer
    A.14 System acquisition, development and maintenance
    A.14.1 Security Requirements of Information Systems
    A.14.2 Security in Development and Support Processes
    A.14.3 Test Data
    A.15 Supplier relationships
    A.15.1 Information Security In Supplier Relationships
    A.16 Information security incident management
    A.16.1 Management of information security incidents and improvements
    A.18 Compliance
    A.18.1 Compliance with legal and contractual requirements
    A.18.2 Information security reviews
    Annex A Data Controller (ISO 27701)
    A.7.2 Conditions for collection and processing (ISO 27701)
    A.7.3 Obligations to PII principals (ISO 27701)
    A.7.4 Privacy by design and privacy by default (ISO 27701)
    A.7.5 PII sharing, transfer, and disclosure (ISO 27701)
    Annex B Data Processor (ISO 27701)
    B.8.2 Conditions for collection and processing (ISO 27701)
    B.8.3 Obligations to PII principals (ISO 27701)
    B.8.4 Privacy by design and privacy by default (ISO 27701)
    B.8.5 PII sharing, transfer, and disclosure (ISO 27701)

Can we ignore the “Elastic Block Store (EBS) volume encryption at rest (AWS)” test for ISO 27001 if our EBS volumes are not encrypted?

  • Generally, no. If EBS volumes are in scope and store in-scope data, encryption at rest is an expected control under ISO 27001 and the test should not simply be ignored.
    That said, there is practical leeway for situations where enabling encryption immediately is not feasible, such as when a legacy database cannot be restarted without risking data loss.
    Practical paths forward:
    Enable EBS encryption at rest (recommended long-term): This is the cleanest approach, but note that encryption cannot be switched on for an existing EBS volume; the volume has to be taken down and replaced with a newly created encrypted one. For legacy systems, this is not always a simple one-time fix and may need to be phased.
    Phase the remediation with a risk register entry: If immediate encryption is not possible due to legacy constraints, document the unencrypted volumes in your risk register with a remediation plan and target timeline. Auditors generally respond better to a documented, time-bound plan than to an unaddressed gap.
    Demonstrate EBS is out of scope: If the volumes do not store any in-scope data, document this clearly in your Statement of Applicability (SoA) and scoping documentation.
    Formally accept the risk: Risk acceptance is an option, but carries audit risk and may be challenged by the auditor.
    Bottom line: If EBS is in scope and stores in-scope data, encryption at rest is required. For legacy systems where immediate remediation is not feasible, the recommended approach is to add it to the risk register with a phased remediation plan. Discuss this approach with your auditor upfront so expectations are aligned.
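The decision tree in this answer (encrypt, phase with a risk-register entry, document as out of scope, or treat as in scope until classified) can be run against an inventory of volumes so that the risk register is generated from evidence rather than written by hand. The block below is an added example written for this article, not Secureframe's test logic or AWS code. It works on the field shape returned by the AWS DescribeVolumes API (VolumeId, Encrypted, Tags) but uses a constructed in-memory sample so it runs offline; in practice the list would come from boto3's ec2.describe_volumes()["Volumes"]. The DataScope and Legacy tag names, their values, and the 90-day remediation window are assumptions for the example.

```python
"""Classify EBS volumes for encryption at rest and draft risk-register rows.

Added example, not Secureframe's or AWS's code. Input mirrors the shape of
DescribeVolumes output; the sample below is constructed (not real IDs).
The DataScope/Legacy tags and the phase window are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample modelled on DescribeVolumes output.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "Tags": [{"Key": "DataScope", "Value": "isms"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Tags": [{"Key": "DataScope", "Value": "isms"},
              {"Key": "Legacy", "Value": "true"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False,
     "Tags": [{"Key": "DataScope", "Value": "none"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": False, "Tags": []},
]


@dataclass
class Finding:
    volume_id: str
    # one of: remediate | phased | out_of_scope | unknown_scope
    disposition: str
    detail: str
    target_date: Optional[date] = None


def _tags(volume):
    return {t["Key"]: t["Value"] for t in volume.get("Tags", [])}


def audit_ebs_encryption(volumes, today, phase_days=90) -> List[Finding]:
    """Apply the answer's decision tree to each unencrypted volume.

    encrypted                         -> no finding
    unencrypted, DataScope=none       -> document as out of scope in the SoA
    unencrypted, no DataScope tag     -> cannot be excused; treat as in scope
    unencrypted, in scope, Legacy     -> phased remediation with a target date
    unencrypted, in scope             -> enable encryption at rest
    """
    findings = []
    for v in volumes:
        if v["Encrypted"]:
            continue
        tags = _tags(v)
        scope = tags.get("DataScope")
        if scope == "none":
            findings.append(Finding(v["VolumeId"], "out_of_scope",
                "Holds no in-scope data; record the exclusion in SoA scoping notes"))
        elif scope is None:
            findings.append(Finding(v["VolumeId"], "unknown_scope",
                "No DataScope tag; treat as in scope until classified"))
        elif tags.get("Legacy") == "true":
            findings.append(Finding(v["VolumeId"], "phased",
                "Legacy system; add to risk register with a time-bound plan",
                target_date=today + timedelta(days=phase_days)))
        else:
            findings.append(Finding(v["VolumeId"], "remediate",
                "In-scope data on an unencrypted volume; enable encryption at rest"))
    return findings


def risk_register_rows(findings):
    """Rows for the register: everything except documented out-of-scope volumes."""
    return [
        {
            "volume": f.volume_id,
            "control": "Encryption at rest (EBS)",
            "status": f.disposition,
            "target_date": f.target_date.isoformat() if f.target_date else "",
        }
        for f in findings
        if f.disposition != "out_of_scope"
    ]


if __name__ == "__main__":
    found = audit_ebs_encryption(SAMPLE_VOLUMES, date(2025, 7, 7))
    for f in found:
        print(f"{f.volume_id}: {f.disposition} - {f.detail}")
    for row in risk_register_rows(found):
        print(row)
```

The untagged volume is deliberately not excused: an auditor will not accept "we never classified it" as an out-of-scope argument, so the function escalates it rather than silently dropping it.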

Can you share your ISO 27001 standard or SOC 2 report with us?

  • Yes. SOC and ISO reports and certifications can be requested directly from our Trust Center at [https://trust.secureframe.com/](https://trust.secureframe.com/)

    Scroll down to the Compliance section, where you can request access to SOC, ISO, TX-RAMP and more.

    Please also note that if you are a Secureframe customer we offer a free version of our Trust Center for all customers and we recommend you set up yours today.

For ISO 27001, how do we determine which vendors are in scope? Is it similar to SOC 2?

  • Yes — vendor scoping for ISO 27001 is very similar to SOC 2. A vendor is considered in scope if they have access to, store, transmit, or process information covered by your Information Security Management System (ISMS).

For ISO 27001, what's expected around DR/BCP configuration and documentation — and is regional redundancy within the same AWS region sufficient?

  • The key is that your implemented controls need to match what your policies say — documented intent alone isn't enough. For evidence, a tabletop exercise covering your BC/DR scenarios is typically what auditors look for. On regional redundancy: yes, staying within the same geographic region is generally sufficient as long as it's risk-assessed and documented.

For our current frameworks (SOC 2, ISO 27001, GDPR, CCPA), does Secureframe provide BSA, AML, or OFAC-related policies, procedures, or documents?

  • No. BSA (Bank Secrecy Act), AML (Anti-Money Laundering), and OFAC (Office of Foreign Assets Control) are banking and financial regulatory requirements. Secureframe focuses on security, privacy, and compliance frameworks such as SOC 2, ISO 27001, GDPR, CCPA, HIPAA, and PCI DSS. These frameworks do not include BSA, AML, or OFAC requirements, so Secureframe does not provide related policies or documentation within the platform.

For vulnerability management, do all High severity findings need to be remediated before ISO 27001 certification?

  • Not necessarily. The expectation is that Highs are actively being prioritized and worked toward remediation — not that everything is resolved before certification. For findings that take longer, auditors will generally accept a clear explanation of why and a plan to address them. Tracking and remediation workflows (e.g., ticketing records) are sufficient evidence of a structured, risk-based approach.

How can I integrate ISO 27001 and ISO 27701 Statements of Applicability (SoA)?

  • The Statement of Applicability (SoA) is a required document for both ISO 27001 (information security) and ISO 27701 (privacy information management). To integrate them, you can align both frameworks in Secureframe and export a combined or cross-referenced SoA.

    How to pass this Statement of Applicability test:

    1 - Go to the Frameworks page on the left navigation panel
    2 - Go to the relevant ISO framework (e.g., ISO 27001:2022) and select View details
    3 - On the top right corner, select Export
    4 - Check the Statement of Applicability option
    5 - Select Export
    6 - Open the SOA exported document
    7 - Fill out the Date/version/reviewer fields
    8 - Review the SOA document to ensure it aligns with both ISO requirements and your organization’s objectives
    9 - If changes in applicability need to be made (e.g., marking Annex requirements as not applicable), first make the changes directly in the framework page (refer to step #2), and then re-export the SOA to reflect the changes (repeat steps #1–#7)
    10 - Upload the exported SOA document to this test

How can one gain access to the Trust Center to download specific compliance reports such as SOC 2 Type 2 and ISO 27001?

  • If the organization has a Secureframe Trust Center, you can access their compliance documents by requesting them directly through the Resources section.

How do I exclude physical security from ISO 27001 scope?

  • If your physical locations do not store/process sensitive data, disable controls under the 'Physical Controls' section.

How do I mark my Azure tests as only in scope for ISO 27001 and not for SOC2?

  • Currently, Secureframe does not allow you to mark individual tests as in-scope for one framework and out-of-scope for another when those tests are authored and mapped by Secureframe. If a test is linked to multiple frameworks (e.g., ISO 27001 and SOC 2), that mapping is maintained platform-wide and cannot be modified or unlinked.

    If you need more granular control, you can create and manage your own custom controls and tests. With custom content, you're able to map or unmap frameworks as needed to fit your specific compliance needs.

How do I scope ISO 27017 in Secureframe?

  • Identify if you're a cloud service provider, customer, or both. Provide evidence from the appropriate perspective and ensure internal audits cover both ISO 27001 and 27017 controls.

How does Secureframe help meet ISO 27001 clause 7.5.2 requirements for policy documentation?

  • Secureframe’s Policies tab provides visibility into required ISO 27001 documentation metadata, including:

    Policy title and description

    Version history and publication date

    Document owner and approvers (if provided)

    Revision history (shown via edit history or attached metadata)

    If using custom-uploaded policies or templates, make sure key details like Document ID, Owner, and Revision History are included within the document itself or manually entered before publishing.

How often does ISO 27001 need to be renewed?

  • ISO 27001 certification is renewed every 3 years, with surveillance audits conducted in between.

Is ISO 27001 certification recognized for compliance in Mexico?

  • Yes — ISO 27001 is an internationally recognized information security standard and is generally accepted in Mexico for organizations seeking to demonstrate strong security controls and risk management. It is often used in place of country-specific frameworks in regions where no direct equivalent to SOC 2 exists.

Is it mandatory to link assets to personnel for ISO27001 compliance?

  • While ISO 27001 does not specifically say "you must link assets to personnel," doing so is the most effective way to meet the intent of the standard — especially when assigning ownership, managing risk, and revoking access. Most auditors will expect to see this linkage in practice during a certification audit.

    This can be done in Secureframe by assigning personnel/owners to assets/resources.

Is there an official NYDFS certification report like SOC 2 or ISO 27001?

  • No. NYDFS requires an annual self-certification submitted to the regulator, but it does not provide a formal report. To meet vendor due diligence requests, many organizations compile an internal compliance package with their policies, risk assessments, and security testing results. Some also obtain a third-party attestation letter for additional assurance.

ISO 27001, ISO 27017, and ISO 27018—are these interlinked/subsets, or are they totally different?

  • ISO 27017 (cloud security controls) and ISO 27018 (PII controls) complement and enhance ISO 27001 requirements.

One question, in terms of our Audit Start and End dates. We started ISO 27001 Stage 1 audit back in March and now are starting Stage 2 today, 7/7/25 which will end on 7/10/25. Based on this would our audit start date be March or today?

  • In this case, we would recommend using the March Stage 1 date as the audit start date.

We are a company that is fully on-prem, with no cloud subscriptions or infrastructure at all (we build and run on-prem data centers). What constraints would this place on us in using Secureframe for ISO27001_2022, and how would it work in terms of integrations, tests, etc.?

  • You can still use Secureframe to become ISO 27001:2022 compliant even without cloud infrastructure.

    Here's how it would work:

    Custom Data Platform (CDP): You can use Secureframe’s Custom Data Platform to provide evidence from on-prem or legacy systems. This allows you to ingest data from non-cloud environments, including:

    Configuration files, logs, or system outputs

    CSV or JSON data exports from internal tools

    Scripts that push data to Secureframe via API

    Manual Upload Tests: If you prefer not to use CDP or need a simpler setup, we can enable standard upload-based tests. You’ll manually upload required evidence for controls instead of using automated integrations.

    While you won’t benefit from out-of-the-box integrations designed for cloud platforms, you can still fully meet compliance requirements through manual uploads or by connecting your systems via CDP.

    https://support.secureframe.com/hc/en-us/articles/40263351779731-Create-Custom-Integrations-using-our-Custom-Data-Platform-CDP

We need to get both SOC 2 and ISO 27001 in the near future. Is it best practice to select an auditor that can do both (or at minimum SOC2 Type 1 and ISO Stage 1)? Are these done simultaneously?

  • For SOC 2 and ISO 27001, it is best to discuss auditor selection with your team. Many audit firms can handle both, and whether the audits are done simultaneously or consecutively depends on the auditor's process.

What are the most significant differences between ISO 27001 and ISO 42001?

  • Use ISO 27001 if you're managing sensitive information and want to ensure information security across your organization.

    Use ISO 42001 if you're building or using AI systems and want to ensure they are safe, ethical, explainable, and compliant.

    Area                    ISO 27001                            ISO 42001
    Scope                   General information security         AI systems and their governance
    Risk focus              Data protection and system security  Ethical AI, bias, accountability, societal risks
    Control frameworks      Annex A / ISO 27002                  Domain-specific AI controls (still maturing)
    Ethical considerations  Minimal                              Core component
    Use case                Protecting information               Managing AI safely and responsibly

What is the ISMS and how does it relate to ISO 27001?

  • ISO 27001 provides guidance on developing the ISMS, which is a systematic approach to managing and protecting a company’s information. The ISMS encompasses policies, procedures, and controls that define an organization's information security rules.

What is the overlap between ISO 27001 2013 and 2022 versions? Also, are there any policy updates for 2022?

  • The 2013 and 2022 versions largely overlap, with minor differences. Customers pursuing 2022 can filter tests by Framework > ISO 27001 2022. Policies remain the same as in 2013, and no updates are required for 2022.

What is the transition grace period to ISO 27001 2022 version?

  • New ISO clients can still get certified on ISO 27001:2013 until April 30, 2024. Existing ISO 27001:2013 certification holders have until October 31, 2025, to transition to ISO 27001:2022 unless it is a recertification audit year.

What makes a contractor in scope for ISO 27001?

  • Contractors who can push code to production or those who support the ISMS are in scope for ISO 27001 compliance.

What needs to be done for year 2 of the ISO 27001 audit?

  • Year 2 requires a surveillance audit. Not all requirements may be tested, but customers should be prepared for everything to be tested. Internal audits will also be required.

What should I review when scoping ISO 27001 compliance?

  • When scoping for ISO 27001, determine who will conduct your internal audit—internal team or third-party. Identify if you perform penetration tests or external vulnerability scans. Review if physical security is in scope (e.g., office handling sensitive data), and whether you outsource development, which may trigger vendor oversight controls.

What’s needed for ISO 27001 scoping?

  • Define how you're handling the internal audit, physical security applicability, vulnerability scans, and whether development is outsourced.

When is a good time to start the internal audit process for ISO 27001? At what passing percentage do we recommend?

  • Start when the ISMS is implemented, prior to the external audit. We recommend targeting as close to 100% as possible to capture non-obvious findings. If in a time crunch, 80% is acceptable.

Where to get started on ISO 27001 so that you can eventually show leadership priority milestones or meaningful results?

  • Start with completing the risk assessment process and present the risk register. You can attach monetary estimates to the risks. Another immediate metric is policy review and training completion. Once internal readiness assessments are complete, you can show a gap assessment without additional costs.

Why does ISO 27001:2022 have so many fewer requirements than 2013?

  • The 2022 version lists requirements more concisely. The 2013 version broke them down into sub-requirements, leading to a higher count.

Additional customer questions

For ISO Privacy counsel, 2a. “Is the document we uploaded sufficient?”

  • Yes — the uploaded document is acceptable for ISO 27001 requirements.

When enabling ISO/IEC 27701 in Secureframe, what policies are added?

  • ISO/IEC 27701 introduces privacy-specific requirements on top of ISO/IEC 27001/27002.

    In Secureframe, enabling this framework adds the PIMS Scope Document (Privacy Information Management System) and the Privacy and Data Protection Policy.

    These are the two dedicated policies required for ISO 27701. Other existing ISO 27001/27002 policies already cover the additional controls, so no new policies beyond these two are introduced.

TISAX automotive information security

How do I scope TISAX?

  • Identify your assessment objective and level. TISAX scoping depends on your automotive partner’s requirements.

What are the TISAX audit requirements?

  • An external audit is required every 3 years to achieve and maintain certification. Independent internal reviews also need to be conducted regularly within those 3 years.
