AuditCore
ISO/IEC 27001:2022

ISO 27001 Annex A technical control evidence.

ISO 27001:2022 streamlined Annex A from 114 to 93 controls across 4 themes. 34 of those (the Technological theme, A.8.x) are technical: vulnerability management, secure development, configuration. AuditCore produces audit-ready evidence for that subset so your ISMS internal audit takes hours, not weeks.

TL;DR

ISO 27001 certification has two pillars: (1) the ISMS itself (Clauses 4-10: risk-based management system, leadership, policies) and (2) the Annex A controls you select via the Statement of Applicability. AuditCore doesn't help with the ISMS pillar; that is management-system work. We attack the technical controls in Annex A with automation.

The 2022 revision split Annex A into 4 themes: Organizational, People, Physical, Technological. Of those, Technological (A.8.x, 34 controls) is almost entirely automatable. Several A.5.x organizational controls (vendor risk, threat intelligence) have technical evidence we can produce too.

Requirement → AuditCore scanner coverage

Each requirement of the standard mapped to the AuditCore scanners that contribute evidence. full = automated end-to-end; partial = covers part, manual review for the rest; manual = AuditCore doesn't automate (process / paperwork / org-only).

ID       Requirement                                            Coverage

A.5.23   Information security for use of cloud services         partial
         Misconfigured cloud subdomains, exposed S3-style buckets, takeover candidates.
         Scanners: SubdomainTakeoverScanner, SsrfScanner

A.5.25   Assessment and decision on information security events full
         Continuous scanning produces the event stream your incident-decision process feeds on.
         Scanners: ZapScanner, NucleiScanner

A.8.8    Management of technical vulnerabilities                full
         The heart of A.8.x: continuous vulnerability identification, severity, remediation tracking.
         Scanners: NucleiScanner, TrivyScanner, NiktoScanner, ZapScanner, SqlmapScanner, SemgrepScanner

A.8.9    Configuration management                               full
         Secure-by-default header verification, exposed admin paths, default credentials checks.
         Scanners: HeaderAnalyzer, CookieAnalyzer, CorsChecker, SensitiveFilesScanner, WordPressScanner

A.8.10   Information deletion                                   partial
         Detection of orphaned/leaked data via exposed paths or backup files (.bak, .swp, etc).
         Scanners: SensitiveFilesScanner, WordPressScanner

A.8.12   Data leakage prevention                                full
         Exposed credentials in JS, error messages leaking schema, unauthenticated PII endpoints.
         Scanners: GitleaksScanner, SensitiveFilesScanner, BusinessLogicScanner, AuthReplay

A.8.20   Networks security                                      partial
         Open port discovery, network-layer service fingerprinting.
         Scanners: NmapScanner

A.8.21   Security of network services                           full
         TLS configuration, weak protocols, expired certs, header-based hardening.
         Scanners: SSLyzeScanner, HeaderAnalyzer

A.8.23   Web filtering                                          partial
         Indirectly: exposed redirect endpoints, host header injection, SSRF to internal targets.
         Scanners: OpenRedirectScanner, HostHeaderScanner, SsrfScanner

A.8.24   Use of cryptography                                    partial
         TLS only; code-level crypto review is out of scope.
         Scanners: SSLyzeScanner

A.8.25   Secure development life cycle                          full
         DAST + SAST integrated into CI/CD via GitHub Action; per-PR scan + fail-on threshold.
         Scanners: SemgrepScanner, TrivyScanner, GitleaksScanner

A.8.26   Application security requirements                      full
         OWASP Top 10 + ASVS L1 coverage via DAST + SAST.
         Scanners: ZapScanner, NucleiScanner, XxeScanner, SstiScanner, SqlmapScanner, AuthReplay

A.8.28   Secure coding                                          full
         Static analysis findings (Semgrep), CVE detection in dependencies (Trivy), secret scanning (Gitleaks).
         Scanners: SemgrepScanner, TrivyScanner, GitleaksScanner

A.8.29   Security testing in development and acceptance         full
         Pre-prod environment scanning + acceptance-criteria-driven fail-on-finding gates.
         Scanners: ZapScanner, NucleiScanner
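The per-PR fail-on threshold that the A.8.25 and A.8.29 rows describe, together with the cross-tool deduplication and per-control evidence grouping an auditor wants to see, as an added Python example. This is not AuditCore's code; the finding records are constructed, and their field names (tool, type, location, severity, controls) are assumptions about what a scanner export contains.

```python
"""CI severity gate + Annex A evidence summary (added example, not AuditCore's code)."""
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output: four records from four tools for one scan.
# The first two are the same secret seen by two tools, to exercise dedupe.
SAMPLE_FINDINGS = [
    {"tool": "GitleaksScanner", "type": "aws-access-key", "location": "static/app.js:3",
     "severity": "critical", "controls": ["A.8.12", "A.8.28"]},
    {"tool": "SemgrepScanner", "type": "aws-access-key", "location": "static/app.js:3",
     "severity": "high", "controls": ["A.8.28"]},
    {"tool": "HeaderAnalyzer", "type": "missing-framing-protection",
     "location": "https://app.example/", "severity": "medium", "controls": ["A.8.9"]},
    {"tool": "WordPressScanner", "type": "outdated-core", "location": "https://blog.example/",
     "severity": "high", "controls": ["A.8.8"]},
]

# Constructed "last quarter" scan: the WordPress core is still outdated,
# an open redirect that was present then has since been fixed.
PREVIOUS_SCAN = [
    {"tool": "WordPressScanner", "type": "outdated-core", "location": "https://blog.example/",
     "severity": "high", "controls": ["A.8.8"]},
    {"tool": "OpenRedirectScanner", "type": "open-redirect", "location": "https://app.example/go",
     "severity": "medium", "controls": ["A.8.23"]},
]


def dedupe(findings):
    """Collapse the same issue reported by several tools into one record.
    Key is (type, location); keep the highest severity, the union of control
    IDs, and the list of every tool that saw it (useful as corroboration)."""
    merged = {}
    for f in findings:
        key = (f["type"], f["location"])
        if key in merged:
            m = merged[key]
            m["tools"].append(f["tool"])
            m["controls"] = sorted(set(m["controls"]) | set(f["controls"]))
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
                m["severity"] = f["severity"]
        else:
            merged[key] = {
                "type": f["type"], "location": f["location"],
                "severity": f["severity"], "tools": [f["tool"]],
                "controls": sorted(set(f["controls"])),
            }
    return list(merged.values())


def gate(findings, fail_on="high"):
    """Return (passed, blocking): blocking are deduped findings at or above
    fail_on. Dedupe first so one real issue never counts twice."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in dedupe(findings) if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) == 0, blocking)


def evidence_by_control(findings):
    """Group deduped findings by Annex A control ID, the shape an SoA
    evidence pack needs (one finding can back several controls)."""
    summary = defaultdict(list)
    for f in dedupe(findings):
        for control in f["controls"]:
            summary[control].append(f)
    return dict(summary)


def carried_over(previous, current):
    """Deduped findings present in both a previous scan and this one: the
    answer to 'what happened to last quarter's findings?'."""
    prev_keys = {(f["type"], f["location"]) for f in dedupe(previous)}
    return [f for f in dedupe(current) if (f["type"], f["location"]) in prev_keys]


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_FINDINGS, fail_on="high")
    print("gate:", "PASS" if passed else "FAIL", f"({len(blocking)} blocking)")
    for control, items in sorted(evidence_by_control(SAMPLE_FINDINGS).items()):
        print(control, [f["type"] for f in items])
    print("still open since last scan:", [f["type"] for f in carried_over(PREVIOUS_SCAN, SAMPLE_FINDINGS)])
```

Run it in the PR job and exit non-zero when `gate` fails; the per-control grouping is what you attach to the SoA row, and `carried_over` is the remediation-tracking evidence the auditor asks for.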

Sample findings AuditCore surfaces for this standard

Real finding types our scanners produce. Each maps to one or more of the requirements above.

[critical] Hardcoded AWS access key in JS bundle (A.8.12, A.8.28)

A direct nonconformity against data leakage prevention AND secure coding. Expect the auditor to raise it as a major nonconformity, which has to be closed before certification is granted.

[critical] BOLA on /api/users/{id} allows cross-tenant data access (A.8.26)

Application security requirement breached. In a multi-tenant SaaS this is a customer-facing data breach.

[high] Subdomain pointing to deleted Heroku app (A.5.23, A.5.25)

Takeover-vulnerable. The auditor sees evidence of incomplete cloud asset lifecycle management.

[high] Outdated WordPress version with known CVE (A.8.8)

Direct A.8.8 vulnerability management failure. The simplest finding to remediate before the auditor visit.

[medium] X-Frame-Options + CSP missing (A.8.9)

Configuration management gap. Auditors check headers as quick proof of a secure-by-default mindset.
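The detection logic behind two of the findings above (the hardcoded AWS key and the missing anti-framing headers), plus the HSTS check the A.8.21 row relies on, as an added Python example. This is not AuditCore's scanner code: the JS fragment and header sets are constructed, the key ID is the example value AWS uses in its own documentation, and the 180-day HSTS minimum is an assumed threshold.

```python
"""Detectors for sample findings (added example, not AuditCore's code)."""
import re

# AWS access key IDs are 20 uppercase alphanumerics starting with AKIA
# (long-term) or ASIA (temporary). Real secret scanners also look for the
# matching secret access key nearby; this checks the key ID only.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
HSTS_MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.I)

# Constructed JS bundle fragment; the key ID is AWS's documented example value.
SAMPLE_JS = """// constructed bundle fragment
const cfg = { region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  bucket: "assets" };
const api = "https://api.example/v1";
"""

# Constructed response header sets.
INSECURE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
XFO_ONLY_HEADERS = {"X-Frame-Options": "DENY",
                    "Strict-Transport-Security": "max-age=31536000"}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def find_aws_keys(js_source):
    """Return (line_no, key_id) for every AWS access key ID in a JS bundle (A.8.12, A.8.28)."""
    hits = []
    for n, line in enumerate(js_source.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            hits.append((n, m.group(0)))
    return hits


def check_framing(headers):
    """A.8.9: anti-framing protection. CSP frame-ancestors is the modern
    control; X-Frame-Options alone is legacy but still counts as partial."""
    h = {k.lower(): v for k, v in headers.items()}
    has_fa = "frame-ancestors" in h.get("content-security-policy", "").lower()
    has_xfo = "x-frame-options" in h
    if not has_xfo and not has_fa:
        return {"type": "missing-framing-protection", "severity": "medium",
                "controls": ["A.8.9"],
                "missing": ["X-Frame-Options", "Content-Security-Policy frame-ancestors"]}
    if not has_fa:
        return {"type": "legacy-framing-protection", "severity": "low",
                "controls": ["A.8.9"], "missing": ["Content-Security-Policy frame-ancestors"]}
    return None


def check_hsts(headers, min_max_age=15552000):
    """A.8.21: HSTS present with a max-age of at least min_max_age seconds
    (180 days here; assumed threshold, not a value from the standard)."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return {"type": "missing-hsts", "severity": "medium", "controls": ["A.8.21"]}
    m = HSTS_MAX_AGE_RE.search(value)
    if not m or int(m.group(1)) < min_max_age:
        return {"type": "weak-hsts-max-age", "severity": "low", "controls": ["A.8.21"]}
    return None


def scan_response(headers):
    """Run every header check and return only the findings that fired."""
    return [f for f in (check_framing(headers), check_hsts(headers)) if f]


if __name__ == "__main__":
    print("keys:", find_aws_keys(SAMPLE_JS))
    for name, hdrs in [("insecure", INSECURE_HEADERS), ("xfo-only", XFO_ONLY_HEADERS),
                       ("hardened", HARDENED_HEADERS)]:
        print(name, [(f["type"], f["severity"]) for f in scan_response(hdrs)])
```

Header names are matched case-insensitively because HTTP headers are; the key regex is a first-pass filter and will match any 20-character token of that shape, so treat hits as candidates to verify, not confirmed leaks.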

Recommended tier

Pro ($299)

Pro covers every A.8.x technological control mapped above (vuln management, dev lifecycle, network services). Business adds credentialed scans (for testing internal staff portals against A.8.x) and custom scan profiles to match your Statement of Applicability scope.

What AuditCore doesn't cover

Honest scope — these items are part of the standard but require process, paperwork, or org-level controls outside what a web scanner can verify. Use a manual auditor / compliance consultant for these.

  • ISMS Clauses 4-10 (leadership, policy, risk methodology, internal audit)
  • Statement of Applicability (SoA) production — manual mapping work
  • Risk treatment plan + risk register documentation
  • A.6.x People controls (training, screening, NDAs)
  • A.7.x Physical controls (datacenter, clear desk, equipment)
  • Internal audit + management review processes (Clause 9)
  • Certification body engagement + Stage 1 / Stage 2 audit logistics
  • Third-party / supplier risk assessments (A.5.19) — process work

FAQ

Can AuditCore alone get us ISO 27001 certified?

No. ISO 27001 is a management system standard — Clauses 4-10 require documented policies, risk methodology, leadership commitment, internal audits, and management review. AuditCore produces technical evidence for the Annex A controls in your Statement of Applicability. Pair us with an ISMS consultant (or a tool like Vanta/Drata for the policy/document side) and you'll have the full picture.

What's different in ISO 27001:2022 vs 2013?

Annex A reorganized from 14 domains → 4 themes (Organizational, People, Physical, Technological). 11 new controls added including A.5.23 cloud services, A.8.12 DLP, A.8.28 secure coding. AuditCore's coverage maps to the 2022 control numbers because new certifications must use 2022; transition period for existing certifications ended October 2025.

Will my certification auditor accept AuditCore output as evidence?

Yes for the technological controls. Auditors care about: (1) scope appropriateness — does the scan cover all in-scope systems? (2) frequency — running once a year isn't 'continuous'. (3) remediation tracking — what happened to last quarter's high-severity findings? AuditCore PDF reports include scan scope + date + severity + recommendation. Combine with a remediation tracker (Jira/Linear) and you've got the evidence chain auditors look for.

How does this compare to running OWASP ZAP myself?

ZAP is the engine inside AuditCore for active scanning — so technically you get the same DAST output if you self-host ZAP. The differences: (1) we orchestrate 50+ tools (ZAP, Nuclei, Semgrep, Trivy, sqlmap, gitleaks, BOLA/BFLA replay, AI prompt-injection) so one scan covers what would otherwise be 6+ separate tools; (2) we produce auditor-ready PDFs; (3) we deduplicate findings across tools; (4) we mark known false-positives. If your auditor accepts raw ZAP HTML reports, self-hosting works; most don't.

Do you produce evidence for A.5.7 Threat intelligence?

Indirectly. Our Nuclei templates and CVE detection consume threat intelligence (8000+ templates updated continuously) and our findings include CVE refs + EPSS scores where available. We don't produce a 'threat intelligence subscription report' — that's typically what a managed XDR/MDR partner provides if your auditor demands one.

Can I scope AuditCore to match my Statement of Applicability?

Yes. Custom scan profiles (Business tier) let you select which scanners run per scan — so if your SoA excludes mobile-app testing (because you don't ship a mobile app), turn off the ApkScanners suite. Each scheduled scan can use a different profile.

Start the audit in 60 seconds

Free 1-page audit, no credit card. Upgrade to Pro ($299) when you need the full standard coverage.