Compliance Framework

ISO 27001 compliance for AWS — automated gap analysis

Map your AWS security controls to ISO 27001 Annex A requirements. See your compliance rate, identify gaps, and generate evidence for certification — automatically.

Run Free ISO 27001 Gap Analysis

Free tier includes compliance mapping. No credit card required.

ISO 27001 certification on AWS shouldn't take months

Building an ISMS that covers your AWS infrastructure means mapping hundreds of controls to Annex A requirements. Most teams do this manually — spreadsheets, screenshots, and hope. Secure Compass automates the AWS security side so you can focus on the organisational controls.

93 Annex A controls in ISO 27001:2022, many of which map directly to AWS security configurations.

Continuous: ISO 27001 requires ongoing monitoring, not point-in-time snapshots.

Global: an international standard recognised by customers, partners, and regulators worldwide.

Annex A controls mapped to AWS

Secure Compass maps your AWS Security Pillar findings to the ISO 27001:2022 Annex A control categories. Each category shows your compliance rate and specific failing controls.

A.5 Organisational Controls: IAM policies, account governance, security responsibilities, and acceptable use of AWS resources.

A.6 People Controls: IAM user management, access provisioning/deprovisioning, and role-based access control.

A.7 Physical Controls: under the AWS shared responsibility model, AWS handles physical security; you handle logical access controls.

A.8 Technological Controls: encryption, network security, logging, monitoring, vulnerability management, and secure configuration across all AWS services.

How the ISO 27001 gap analysis works

1. Assess: automated security scan. 228 controls run against your AWS account and are automatically mapped to the relevant ISO 27001 Annex A requirements.

2. Map: see your compliance rate. Each Annex A category shows a compliance percentage with the specific passing and failing controls, prioritised by risk rather than alphabetical order.

3. Report: evidence for certification. Export compliance reports as PDF evidence for your certification body. Historical trends demonstrate continuous improvement, which is critical for surveillance audits.

One assessment, multiple frameworks

ISO 27001 shares significant control overlap with other compliance frameworks. Secure Compass maps your assessment to all of them simultaneously — so the work you do for ISO 27001 counts towards SOC 2, PCI-DSS, and more.

SOC 2 (~80% overlap): US-focused audit standard. Most ISO 27001 controls satisfy SOC 2 Trust Services Criteria directly.

NIST CSF (~70% overlap): US government cybersecurity framework. Strong alignment in the Identify, Protect, and Detect functions.

HIPAA (~45% overlap): healthcare data protection. Shared controls around encryption, access management, and audit logging.

80% of ISO 27001 Annex A controls that apply to cloud infrastructure can be verified through automated AWS security checks.

Frequently asked questions

Does Secure Compass certify us for ISO 27001?

No. ISO 27001 certification requires an accredited certification body. Secure Compass provides the automated gap analysis and evidence for the technical controls in your AWS environment — a significant portion of the work required for certification.

Does this cover the full ISMS?

Secure Compass covers the technical AWS controls that map to Annex A. An ISMS also requires organisational policies, risk assessments, management reviews, and human processes that exist outside of AWS. We cover the infrastructure side.

Which version of ISO 27001 do you map to?

ISO 27001:2022, which consolidated the Annex A controls from 114 down to 93 across 4 categories (organisational, people, physical, technological). The technological controls have the most direct AWS mapping.

How does this help with surveillance audits?

ISO 27001 requires annual surveillance audits after initial certification. Secure Compass provides continuous monitoring with historical trends — showing your certification body that your ISMS is actively maintained, not just a point-in-time snapshot.

Do I need a paid plan for ISO 27001 mapping?

The free tier includes the full Security Pillar assessment. ISO 27001 compliance mapping with PDF export is available on paid plans.

We already have SOC 2. How much extra work is ISO 27001?

Approximately 80% of your SOC 2 controls map directly to ISO 27001 requirements. Secure Compass shows you the overlap and highlights the gaps, so you focus only on what is new.

Start your ISO 27001 journey with evidence, not spreadsheets

Automated gap analysis. Annex A control mapping. Exportable evidence. Free.

Run Free Gap Analysis

No credit card required. 5-minute setup.