ISO 27001 alignment built into the infrastructure.
Annex A controls satisfied by design, not by policy document alone. Our sixteen checks provide the technical evidence your certification auditor needs to see operating.
The ISMS in practice.
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Certification requires demonstrating that you’ve identified information security risks, selected appropriate controls to treat them, and can prove those controls operate effectively over time.
The 2022 revision reorganized the Annex A controls into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). PrismWeb’s infrastructure directly addresses the technological controls and provides evidence for several organizational ones.
What certification auditors look for is a clear line from your risk assessment to your Statement of Applicability to your operating controls. Our sixteen checks create that line for infrastructure security — the risk is identified, the control is selected, and the check proves it’s working.
Surveillance audits (conducted annually after initial certification) focus on evidence of continuous operation. Because our checks run continuously and produce timestamped results, you always have current evidence ready for your auditor’s sampling.
How PrismWeb maps to Annex A controls.
| Check | ISO 27001 Controls | Control Theme |
|---|---|---|
| DNSSEC | A.8.20, A.8.24 | Technological |
| SSL/TLS | A.8.24, A.8.26 | Technological |
| Enhanced HTTPS | A.8.24, A.8.26 | Technological |
| Enhanced TLS | A.8.24, A.8.26 | Technological |
| Certificate Validation | A.8.24 | Technological |
| Security Headers | A.8.9, A.8.20 | Technological |
| SPF | A.8.20, A.8.23 | Technological |
| DKIM | A.8.20, A.8.24 | Technological |
| DMARC | A.8.20, A.8.23 | Technological |
| MTA-STS | A.8.24, A.8.26 | Technological |
| TLS-RPT | A.8.15, A.8.16 | Technological |
| IP Abuse | A.8.16, A.8.20 | Technological |
| WordPress Detection | A.8.8, A.8.9 | Technological |
| Website Scanning | A.8.8, A.8.12 | Technological |
| IPv6 | A.8.20, A.8.22 | Technological |
| RPKI | A.8.20, A.8.22 | Technological |
What we provide for your certification.
Pre-written control descriptions that map our infrastructure checks to your Statement of Applicability (SoA). Each entry includes the control objective, implementation description, and evidence reference.
Timestamped check results demonstrating control operation over time. Satisfies the monitoring, measurement, analysis, and evaluation requirements of Clause 9.
When checks detect degradation, we log the nonconformity, root cause analysis, and corrective action — exactly what Clause 10.2 requires.
Documentation linking each security risk to its treatment (our infrastructure control) and the evidence that the treatment is effective. Supports your risk treatment plan.
Annual evidence packages ready for your surveillance auditor, covering the period since your last audit with all relevant check history and any corrective actions taken.
Certification evidence from your infrastructure.
Your ISMS needs operating controls, not just documented ones. Our infrastructure provides both — the control and the proof that it works.