ISO 27001 website security checklist — Annex A control mapping
ISO/IEC 27001:2022 includes a refreshed Annex A control set (93 controls in four themes: organizational, people, physical, technological). The technological theme has the densest mapping to public-web-facing controls, and Scorifya's scan checks produce automated evidence for the ones that matter most: cryptography in transit, secure development, application security, and vulnerability information. This page maps Scorifya's findings to the specific Annex A 2022 control numbers most relevant to a public web property.
Scope
Scorifya scans the public surface of a hostname. It does not evaluate your ISMS, audit your risk treatment plan, validate internal access controls, or assess physical security. Use it as evidence for the Annex A technological controls that apply to public web infrastructure.
Control mapping
Each control below references the framework requirement and lists the Scorifya scan checks that produce supporting evidence.
A.8.24 — Use of cryptography
Rules for the effective use of cryptography, including cryptographic key management, are defined and implemented.
A.5.33 / A.8.20 — Network security controls
Networks and network devices are secured, managed, and controlled to protect information in systems and applications.
A.8.27 — Secure system architecture and engineering principles
Principles for engineering secure systems are established, documented, maintained, and applied to any information system development activities.
A.8.8 — Management of technical vulnerabilities
Information about technical vulnerabilities of information systems in use is obtained, the organization's exposure to such vulnerabilities is evaluated, and appropriate measures are taken.
A.5.7 — Threat intelligence
Information relating to information security threats is collected and analysed to produce threat intelligence.
A.5.31 — Legal, statutory, regulatory and contractual requirements
Legal, statutory, regulatory and contractual requirements relevant to information security are identified, documented, and kept up to date.
Important caveats
- ISO 27001 certification requires a fully implemented ISMS with a Statement of Applicability, risk treatment plan, internal audits, and management review — none of which a scanner produces.
- An accredited certification body (CB) issues the certificate after a Stage 1 / Stage 2 audit. Scan output is supporting evidence, not a certification.
- Many Annex A controls (people, physical, organizational themes) cannot be evaluated by any external scan.
Run a scan to produce evidence
Submit any URL you're authorized to test. The scan output (TLS posture, header coverage, DNS hygiene) is repeatable and dated, which is the form of evidence auditors expect when assessing both the design and the operating effectiveness of a control.