Framework — ISO 27001
Your ISMS, always current
ISO 27001 is the global standard for information security management. Sudory maps your operational reality to Annex A controls continuously — not just before the audit.
Key clauses
The ISMS lifecycle
ISO 27001 follows Plan-Do-Check-Act. Sudory automates the Check and supports the Act — so your ISMS improves continuously, not just at recertification.
Clause 6.1
Risk assessment
Identify risks to information security, analyse likelihood and impact, and evaluate against risk criteria. Sudory's risk register automates this with ISO 27005-aligned 5×5 matrices.
Clause 8.1
Operational planning and control
Implement the plans to address risks. Sudory's policy-as-code engine enforces your controls continuously — balance policies, freshness checks, and flow controls.
Clause 9.1
Monitoring and measurement
Monitor the effectiveness of controls. Sudory scans continuously and maps results to Annex A controls — so your ISMS stays current, not just audit-day current.
Clause 10.1
Continual improvement
Improve the ISMS based on findings. Sudory's compliance ledger tracks posture over time — see trends, regressions, and the impact of remediation efforts.
Annex A — Supplier relationships
A.5.19–5.23: Supply chain controls
ISO 27001:2022 dedicates five controls to supplier relationships. These are the controls that drive vendor due diligence — and where Sudory's vendor directory provides direct evidence.
A.5.19
Information security in supplier relationships
Establish and document policies for managing risks from suppliers. Sudory's vendor directory provides the data you need — certifications, subprocessors, data regions.
A.5.20
Addressing security within supplier agreements
Include security requirements in supplier contracts. Sudory tracks DPA availability and compliance certifications for every vendor in the directory.
A.5.21
Managing security in the ICT supply chain
Address risks from the ICT product and services supply chain. Sudory maps subprocessor chains — see who your vendor shares data with, and which subprocessors those subprocessors use in turn.
A.5.22
Monitoring, review and change management of supplier services
Monitor and review supplier security practices. Sudory scans vendor infrastructure continuously — when posture degrades, you know before the next audit.
A.5.23
Information security for use of cloud services
Manage risks from cloud service providers. Sudory's CIS benchmark scanning evaluates cloud configurations against industry standards automatically.
Annex A — Technological controls
What a single scan covers
One DNS + header scan produces evidence for six Annex A technological controls. Add CIS benchmark scans and the coverage deepens further.
A.5.14
Information transfer
Email authentication controls that protect information in transit.
A.8.9
Configuration management
Secure configuration of systems, networks, and applications.
A.8.20
Network security
Security of networks and network services.
A.8.21
Security of network services
Security mechanisms and service levels for network services.
A.8.24
Use of cryptography
Effective use and management of cryptography.
A.8.28
Secure coding
Secure coding principles applied to software development.
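To make the "one DNS + header scan covers six controls" idea concrete, here is an added example (not Sudory's code) that evaluates a constructed set of DNS TXT records and HTTPS response headers for a domain and groups the pass/fail findings under the six Annex A identifiers listed above. The check thresholds (HSTS max-age of one year, enforcing DMARC policies) and the check-to-control mapping are assumptions chosen for the illustration, not an official mapping.

```python
"""Map a DNS + HTTP-header check to ISO 27001:2022 Annex A controls.
Added illustration, not Sudory's code; the thresholds and the check-to-control
mapping below are assumptions for the example."""
import re

# Constructed sample inputs (no live lookup): TXT records for the apex and the
# _dmarc subdomain, and the headers of one HTTPS response, keys lower-cased.
SAMPLE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "server": "nginx",
}

def spf_policy(records):
    """Qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'); None if no SPF record.
    A record with no 'all' mechanism evaluates to neutral, so '?' is returned."""
    for txt in records:
        low = txt.lower()
        if low.startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", low)
            if not m:
                return "?"
            return m.group(1) or "+"
    return None

def dmarc_policy(records):
    """Value of the DMARC p= tag ('none', 'quarantine', 'reject'); None if absent."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    k, v = part.strip().split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p") or None
    return None

def hsts_max_age(headers):
    """HSTS max-age in seconds; 0 if the header lacks max-age; None if absent."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def run_checks(domain, dns_txt, headers):
    """Return (check name, passed, evidence detail, controls evidenced) tuples.
    The control identifiers attached to each check are an assumed mapping."""
    spf = spf_policy(dns_txt.get(domain, []))
    dmarc = dmarc_policy(dns_txt.get(f"_dmarc.{domain}", []))
    hsts = hsts_max_age(headers)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    return [
        ("SPF record ends in -all or ~all", spf in ("-", "~"),
         f"spf all qualifier={spf}", ["A.5.14", "A.8.20"]),
        ("DMARC policy is quarantine or reject", dmarc in ("quarantine", "reject"),
         f"dmarc p={dmarc}", ["A.5.14", "A.8.21"]),
        ("HSTS max-age >= 31536000", hsts is not None and hsts >= 31536000,
         f"hsts max-age={hsts}", ["A.8.24"]),
        ("Content-Security-Policy present", "content-security-policy" in headers,
         f"csp={headers.get('content-security-policy')}", ["A.8.9", "A.8.28"]),
        ("X-Content-Type-Options nosniff", nosniff,
         f"x-content-type-options={headers.get('x-content-type-options')}", ["A.8.9"]),
    ]

def control_evidence(domain, dns_txt, headers):
    """Group findings by Annex A control: {control: {'passed': bool, 'findings': [...]}}.
    A control passes only when every check mapped to it passes."""
    evidence = {}
    for name, ok, detail, controls in run_checks(domain, dns_txt, headers):
        for control in controls:
            entry = evidence.setdefault(control, {"passed": True, "findings": []})
            entry["findings"].append((name, ok, detail))
            entry["passed"] = entry["passed"] and ok
    return dict(sorted(evidence.items()))

if __name__ == "__main__":
    for control, entry in control_evidence("example.com", SAMPLE_DNS_TXT, SAMPLE_HEADERS).items():
        status = "PASS" if entry["passed"] else "FAIL"
        print(f"{control}: {status}")
        for name, ok, detail in entry["findings"]:
            print(f"    [{'ok' if ok else 'x'}] {name} ({detail})")
```

A failing check marks its control as not evidenced rather than silently dropping it, which is what an auditor-facing report needs: the absent HSTS header or a `p=none` DMARC policy shows up as a finding against A.8.24 or A.5.14 with the observed value attached as evidence.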
How Sudory helps
From scans to certification evidence
Sudory doesn't replace your auditor. It gives your auditor what they need — continuous evidence mapped to Annex A controls, risk assessments linked to policies, and a timestamped compliance ledger.
Continuous ISMS monitoring
Sudory scans your infrastructure continuously, mapping results to Annex A controls. Your ISMS reflects operational reality — not a point-in-time snapshot.
Statement of Applicability
Generate your SoA from scan results. Every applicable control links to evidence. Exceptions are tracked as waivers with time-bound expiry and review requirements.
Risk-based approach
Link ISO 27001 risks to policies and controls in Sudory's risk register. Residual risk updates automatically as your posture changes — likelihood × impact with 4 treatment strategies.
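The Clause 6.1 and risk-based-approach passages describe a 5×5 likelihood × impact register whose residual risk follows the current control posture. The following added example (not Sudory's code) implements that: each risk carries a treatment and links to Annex A controls, and residual risk is recomputed whenever the pass/fail status of those controls changes, so a control regression surfaces as a residual-risk increase. The rating bands, the likelihood points each control removes, and the four treatment names (mitigate, accept, avoid, transfer, corresponding to ISO 27005's modification, retention, avoidance and sharing) are assumptions for the illustration.

```python
"""Risk register on a 5x5 likelihood x impact matrix with residual risk derived
from current control status. Added illustration, not Sudory's code; the bands,
reduction points and treatment names are assumptions for the example."""
from dataclasses import dataclass, field

LEVELS = range(1, 6)  # 5x5 matrix: likelihood and impact each scored 1..5

def rating(score):
    """Band for a likelihood x impact score (0..25); thresholds are assumed."""
    if score == 0:
        return "eliminated"
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 14:
        return "high"
    return "critical"

@dataclass
class Risk:
    risk_id: str
    likelihood: int
    impact: int
    treatment: str  # mitigate | accept | avoid | transfer
    # mitigate: control id -> likelihood points it removes while it passes (assumed values)
    controls: dict = field(default_factory=dict)
    # transfer: impact points shifted to a third party (insurance, contract)
    impact_transferred: int = 0

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self, control_status):
        """Residual score given {control id: passed?} from the latest scan."""
        if self.treatment == "avoid":
            return 0  # activity ceased, risk no longer applies
        if self.treatment == "accept":
            return self.inherent()
        if self.treatment == "transfer":
            return self.likelihood * max(1, self.impact - self.impact_transferred)
        if self.treatment == "mitigate":
            removed = sum(pts for cid, pts in self.controls.items()
                          if control_status.get(cid, False))
            return max(1, self.likelihood - removed) * self.impact
        raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

def register_report(risks, control_status):
    """One row per risk with inherent and residual scores and their bands."""
    rows = []
    for r in risks:
        res = r.residual(control_status)
        rows.append({"id": r.risk_id, "treatment": r.treatment,
                     "inherent": r.inherent(), "inherent_band": rating(r.inherent()),
                     "residual": res, "residual_band": rating(res)})
    return rows

def regressions(risks, before, after):
    """Ids of risks whose residual score rose between two control snapshots."""
    return [r.risk_id for r in risks if r.residual(after) > r.residual(before)]

# Constructed sample register; control ids are the Annex A controls named on the page.
SAMPLE_RISKS = [
    Risk("R-1", 4, 4, "mitigate", controls={"A.5.14": 2}),   # spoofed mail / credential phishing
    Risk("R-2", 3, 5, "mitigate", controls={"A.8.9": 2}),    # cloud misconfiguration exposing data
    Risk("R-3", 2, 4, "transfer", impact_transferred=2),     # supplier breach covered by contract
    Risk("R-4", 5, 3, "avoid"),                              # legacy service decommissioned
]
STATUS_BEFORE = {"A.5.14": True, "A.8.9": True}   # both controls passing
STATUS_AFTER = {"A.5.14": True, "A.8.9": False}   # CIS benchmark check regressed

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, STATUS_AFTER):
        print(f"{row['id']}: inherent {row['inherent']} ({row['inherent_band']}), "
              f"residual {row['residual']} ({row['residual_band']}), {row['treatment']}")
    print("regressed:", regressions(SAMPLE_RISKS, STATUS_BEFORE, STATUS_AFTER))
```

The point of keeping control status as an input rather than a stored attribute is that a failed scan re-rates the affected risks immediately: here R-2 moves from residual 5 (medium) to 15 (critical) when the A.8.9 check fails, which is the "regression" a compliance ledger should flag.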
Supplier management
A.5.19–5.23 covered. Vendor directory with subprocessor chains, certifications, and DPA links. Continuous scanning monitors supplier posture. CIS benchmarks evaluate cloud configurations.
Audit preparation
Point-in-time compliance snapshots with full evidence trails. Give auditors what they need without the scramble — every scan, every finding, every remediation timestamped.
Cross-framework mapping
ISO 27001 controls map to NIS2, DORA, SOC 2, and CIS Benchmarks. Already ISO 27001 certified? Your evidence covers multiple frameworks automatically.
For MSPs
ISO 27001 across your client portfolio
Your clients want ISO 27001 certification but lack the team to run an ISMS. Deliver continuous compliance monitoring as a managed service.
ISMS as a service
Your clients need ISO 27001 but lack the team to run an ISMS. Sudory provides continuous monitoring, risk assessment, and evidence collection — you deliver the expertise.
Audit readiness across clients
Generate SoA exports and evidence packages for each client. Compare Annex A coverage across your portfolio — spot systemic gaps before auditors do.
Supplier assessment at scale
A.5.19–5.23 applies to every client. Sudory's vendor directory and scanning engine assess shared suppliers across your portfolio — one directory, all clients.
Start building your evidence base
Scan your domain for Annex A coverage. Assess your suppliers in the vendor directory. Connect integrations for CIS benchmark evidence. Certification prep starts here.