Framework — ISO 27002:2022
93 controls, continuously verified
ISO 27002 provides implementation guidance for ISO 27001 Annex A controls. Sudory's scanners map to key controls across all four domains — organisational, people, physical, and technological.
Four domains
The 2022 structure
ISO 27002:2022 reorganised controls into four domains (from 14 clauses in 2013). Each domain has different automation potential — Sudory covers organisational and technological controls most deeply.
Organisational
37 controls · 5.1–5.37
Policies, roles, asset management, access control, supplier relationships, incident management, business continuity, and compliance. Sudory covers supplier controls (5.19–5.23) directly.
People
8 controls · 6.1–6.8
Screening, employment terms, awareness, disciplinary process, responsibilities after termination. Sudory's role policies enforce separation of duties and authorisation requirements.
Physical
14 controls · 7.1–7.14
Security perimeters, physical entry, offices, monitoring, utilities, cabling, equipment maintenance. Outside Sudory's automated scanning scope — tracked as manual controls.
Technological
34 controls · 8.1–8.34
Endpoint devices, access rights, source code, authentication, capacity, malware, logging, network security, cryptography, secure development. Sudory's primary scanning domain.
DNS + header scans
What a single scan covers
One DNS + header scan produces evidence for seven ISO 27002 controls. No credentials needed — works from day one on any domain.
5.14
Information transfer
Policies and procedures for secure information transfer. Sudory verifies email authentication controls — SPF records, DKIM signatures, and DMARC policies.
8.9
Configuration management
Configurations of hardware, software, services, and networks are established, documented, and monitored. Sudory scans DNS and HTTP configurations; CIS benchmarks cover cloud platforms.
8.20
Network security
Networks and network devices are secured. Sudory checks DNSSEC signing, nameserver configuration, IPv6 readiness, and CAA records restricting certificate issuance.
8.21
Security of network services
Security mechanisms and service levels for network services. Sudory evaluates TLS configuration, HSTS enforcement, DANE records, and certificate validity.
8.24
Use of cryptography
Rules for effective use of cryptography. Sudory checks cipher suites, key lengths, algorithm choices, and certificate configurations.
8.25
Secure development lifecycle
Rules for secure development of software and systems. Sudory detects version disclosure in server headers and legacy technology indicators.
8.28
Secure coding
Secure coding principles applied in software development. Sudory checks Content Security Policy, clickjacking protection, cookie security attributes, and CSRF defences.
CIS benchmark mapping
Deeper coverage with integrations
Connected integrations and CIS benchmark results map to additional ISO 27002 controls: access rights, authentication, logging, and more.
CIS Google Workspace
Google Workspace CIS benchmark checks map to access control, configuration management, and authentication controls in ISO 27002.
CIS Slack
Slack installed apps and OAuth scopes map to ICT supply chain controls and configuration management.
CIS AWS Foundations
AWS CIS benchmark covers IAM, S3, networking, encryption, and CloudTrail — mapping to multiple technological controls.
How Sudory helps
From controls to evidence
ISO 27002 tells you what to implement. Sudory tells you whether it's working — with evidence that maps to specific control numbers.
Automated control evidence
Every scan result maps to specific ISO 27002 controls. DNS scans cover 5.14, 8.20, 8.21, 8.24. Header scans cover 8.9, 8.28. CIS benchmarks extend coverage to 8.2, 8.5, 8.15.
Supplier controls coverage
5.19–5.23 are covered by Sudory's vendor directory and continuous scanning. Subprocessor chains, DPA links, certifications, and security posture monitoring — all five controls addressed.
Gap analysis
See which ISO 27002 controls have automated evidence and which require manual processes. Physical controls (domain 7) need manual evidence. Most technological controls are scanned automatically.
Control effectiveness
Sudory doesn't just check presence — it evaluates effectiveness. A DMARC policy of "none" exists but doesn't protect. Sudory distinguishes between implemented and effective controls.
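The implemented-versus-effective distinction above, and the control mapping of the DNS and header checks listed earlier, in an added illustration that is not Sudory's code: constructed DMARC TXT and HSTS header values are assessed and tagged with the control each supports (the 180-day HSTS threshold and the reason strings are assumptions).

```python
# Added illustration, not Sudory's code: classify constructed scan evidence as
# "implemented" vs "effective" and tag it with the ISO 27002:2022 control it supports.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Assessment:
    control: str       # ISO 27002:2022 control number the evidence supports
    implemented: bool  # the mechanism is present at all
    effective: bool    # the mechanism is configured so that it actually protects
    reason: str

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' record (DMARC TXT, HSTS header) into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: Optional[str]) -> Assessment:
    """5.14 Information transfer: DMARC only enforces with p=quarantine or p=reject."""
    if not txt:
        return Assessment("5.14", False, False, "no _dmarc TXT record")
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return Assessment("5.14", False, False, "TXT record is not a DMARC1 record")
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return Assessment("5.14", True, True, f"p={policy} enforces")
    return Assessment("5.14", True, False, f"p={policy or 'missing'} only monitors")

def assess_hsts(header: Optional[str], min_age: int = 15552000) -> Assessment:
    """8.21 Security of network services: HSTS needs a long max-age (assumed 180 days)."""
    if header is None:
        return Assessment("8.21", False, False, "no Strict-Transport-Security header")
    try:
        max_age = int(parse_tags(header).get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age >= min_age:
        return Assessment("8.21", True, True, f"max-age={max_age}")
    return Assessment("8.21", True, False, f"max-age={max_age} is too short")

if __name__ == "__main__":
    # Constructed sample evidence, not real scan output.
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(assess_hsts("max-age=31536000; includeSubDomains; preload"))
```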
Attribute-based filtering
ISO 27002:2022 introduced control attributes — preventive/detective/corrective, confidentiality/integrity/availability. Sudory's framework mapping preserves these attributes for reporting.
Continuous vs periodic
ISO 27002 assumes periodic review. Sudory makes it continuous. Freshness policies ensure controls are scanned regularly. Temporal policies catch stale evidence before auditors do.
For MSPs
ISO 27002 coverage across clients
Deliver control implementation evidence as a managed service. Same controls, same scanning, consistent reporting across your portfolio.
Control coverage across clients
See which ISO 27002 controls are covered by scanning for each client. Identify gaps systematically — not by reading spreadsheets.
Standardised control implementation
Apply the same technological controls across your portfolio. When one client improves their CSP, show others the benchmark they should meet.
Annex A reporting
Generate per-client reports showing Annex A control coverage, evidence freshness, and findings. The deliverable auditors ask for — built from scan data.
See your control coverage
Scan your domain — one scan covers seven ISO 27002 controls with zero credentials. Connect integrations for CIS benchmark coverage. Supplier controls come from the vendor directory.