Compliance
Your trusted partner in security and compliance.
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 is the internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The 2022 update reinforces requirements around risk-based security controls, identity-centric access for both human and machine identities, strong credential governance, and continuous monitoring of privileged activity.
The revised standard introduces heightened expectations for managing ephemeral or short-lived credentials, enforcing consistent identity and access governance, securing privileged accounts, and ensuring unified, traceable auditability across hybrid and cloud-based infrastructures. These changes increase the need for modern solutions that can support dynamic, distributed IT environments.
This mapping summarizes where and how Devolutions products can help organizations address the technical aspects of ISO/IEC 27001:2022 controls—particularly those related to secure remote access, privileged credential management, identity governance, and comprehensive auditability. It is not a replacement for implementing a full ISMS, but it provides guidance on how Devolutions tools can support your compliance efforts.
5. Organizational Controls
ISO27001 Controls
Devolutions Feature
Associated products
5.3 Segregation of duties
“Conflicting duties and conflicting areas of responsibility shall be segregated.”
Role segregation, RBAC
5.9 Inventory of information and other associated assets
“An inventory of information and other associated assets, including owners, shall be developed and maintained.”
Inventory of access, identities, and sessions
5.15 Access control
“Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.”
Logical access control, PAM, fine-grained permissions
5.16 Identity management
“The full life cycle of identities shall be managed.”
Integration with AD, Azure AD, SCIM, SSO
5.17 Authentication information
“Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.”
Encrypted vault, password rotation, MFA
5.18 Access rights
“Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.”
Access lifecycle management
5.23 Information security for use of cloud services
“Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.”
Cloud access management, secrets management, secure tunneling
5.24 Information security incident management planning and preparation
“The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.”
Audit trail, logging, incident readiness
5.25 Assessment and decision on information security events
“The organization shall assess information security events and decide if they are to be categorized as information security incidents.”
Detection/analysis via logs
5.26 Response to information security incidents
“Information security incidents shall be responded to in accordance with the documented procedures.”
Remediation actions (secret rotation), incident management
5.27 Learning from information security incidents
“Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.”
Audit history to drive improvements
5.28 Collection of evidence
“The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.”
Session recording, timestamped logs
6. People Controls
ISO27001 Controls
Devolutions Feature
Associated products
6.7 Remote working
“Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.”
Secure remote access, MFA, secure tunnels
7. Physical Controls
ISO27001 Controls
Devolutions Feature
Associated products
7.10 Storage media
“Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.”
Replace local storage with an encrypted central vault
8. Technological controls
ISO27001 Controls
Devolutions Feature
Associated products
8.1 User end point devices
“Information stored on, processed by or accessible via user end point devices shall be protected.”
No local secrets; credential injection
8.2 Privileged access rights
“The allocation and use of privileged access rights shall be restricted and managed.”
Full PAM, session recording
8.3 Information access restriction
“Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.”
RBAC, segmentation
8.4 Access to source code
“Read and write access to source code, development tools and software libraries shall be appropriately managed.”
Secure storage of DevOps and CI/CD secrets
8.5 Secure authentication
“Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.”
MFA, FIDO2, OTP, push
8.7 Protection against malware
“Protection against malware shall be implemented and supported by appropriate user awareness.”
Reduced phishing via credential injection
8.9 Configuration management
“Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.”
Standardization of connections and access
8.11 Data masking
“Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.”
Credential injection (secret never revealed), RBAC
8.12 Data leakage prevention
“Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.”
Vault + session proxy, RBAC
8.13 Information backup
“Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.”
Encrypted DVLS/Hub backups
8.15 Logging
“Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.”
Full audit trail
8.16 Monitoring activities
“Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.”
Monitoring + session recording
8.18 Use of privileged utility programs
“The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.”
PAM, admin tool restrictions
8.22 Segregation of networks
“Groups of information services, users and information systems shall be segregated in the organization’s networks.”
Segmentation via Gateway
8.24 Use of cryptography
“Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.”
AES-256 encryption, TLS 1.2+
8.25 Secure development life cycle
“Rules for the secure development of software and systems shall be established and applied.”
Dev/test/prod secrets management
8.29 Security testing in development and acceptance
“Security testing processes shall be defined and implemented in the development life cycle.”
Secured test secrets
8.31 Separation of development, test and production environments
“Development, testing and production environments shall be separated and secured.”
Logical separation via vaults / RBAC
8.32 Change management
“Changes to information processing facilities and information systems shall be subject to change management procedures.”
Audit and change traceability
8.33 Test information
“Test information shall be appropriately selected, protected and managed.”
Protection of test secrets
Resources
Explore more insights and tools to help you stay on top of your IT security game.
Understanding CVEs: A key element in protecting your organization
Read now
Closing IT security gaps with IT-led PAM
Watch on demand
Join our Newsletter
Join our mailing lists to receive industry news, product updates, quick tips, special offers, and more.