ISO 27001 compliance software

ISO 27001 Annex A controls, auto-evaluated. Evidence signed and append-only.

Lumicost evaluates 12 ISO/IEC 27001:2022 Annex A controls (A.5, A.8, A.12, A.13) against your AWS, GCP and Azure infrastructure every day — and writes the result to an append-only audit log with SHA-256 integrity hashes your certification body can verify.

12 controls (ISO 27001:2022 Annex A)
4 themes (Org / People / Physical / Tech)
Append-only (signed evidence integrity)

ISO 27001:2022 certification turns on continuous evidence: did your access controls drift, did logs survive retention, did risks get treated. Lumicost continuously inspects your cloud configuration against 12 pre-mapped Annex A controls — Threat Intelligence (A.5.7), Information Classification (A.5.12), Access Control (A.5.15), ICT Continuity (A.5.30), Asset Inventory (A.8.1), Privileged Access (A.8.2), Monitoring (A.8.16), Change Management (A.12.1.2), Event Logging (A.12.4.1), Vulnerability Management (A.12.6.1), Network Controls (A.13.1.1), Information Transfer (A.13.2.1) — and emits cryptographically signed evidence ready for Stage 1 and Stage 2 audits.

How Lumicost delivers ISO 27001 compliance software

12 Annex A controls auto-evaluated

A.5 Organisational (5.7, 5.12, 5.15, 5.30) · A.8 Technological (8.1, 8.2, 8.16) · A.12 Operations Security (12.1.2, 12.4.1, 12.6.1) · A.13 Communications Security (13.1.1, 13.2.1). Each control gets COMPLIANT / PARTIAL / NON_COMPLIANT with rationale and evidence map.

Append-only signed evidence (SHA-256)

Each generated report is hashed with SHA-256 over the canonical JSON of its controls and stored in a database that disallows UPDATE / DELETE at the row level. Auditors can re-compute the hash to verify integrity — a clean answer for A.12.4.1 Event Logging.

Drift detection between certification audits

Surveillance audits expect proof you stayed in conformance for 12 months. The freshness engine downgrades COMPLIANT → PARTIAL the moment evidence ages past its rolling window, and alerts your compliance channel so you can remediate before the auditor asks.
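The two mechanisms described above (a SHA-256 digest over the canonical JSON of a report, stored in a table that refuses UPDATE and DELETE, and a freshness pass that downgrades COMPLIANT to PARTIAL once evidence ages past its window) are shown below as an added, self-contained example. It is not Lumicost's code: SQLite with BEFORE UPDATE / BEFORE DELETE triggers stands in for the append-only store, the control results and timestamps are constructed sample data, and the 30-day window is an assumed value (the page does not state its rolling window).

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Status vocabulary used in the evaluator output described on the page.
COMPLIANT, PARTIAL, NON_COMPLIANT = "COMPLIANT", "PARTIAL", "NON_COMPLIANT"

# Constructed sample evaluator output (not real data): control code, status,
# rationale, an evidence map, and when the underlying evidence was collected.
SAMPLE_CONTROLS = [
    {"control": "A.5.15", "status": COMPLIANT,
     "rationale": "No IAM principal holds wildcard admin outside the break-glass role",
     "evidence": {"aws": "iam policy inventory snapshot"},
     "evidence_collected_at": "2024-02-20T06:00:00+00:00"},
    {"control": "A.8.16", "status": COMPLIANT,
     "rationale": "Audit log sink active in every region",
     "evidence": {"gcp": "log sink inventory snapshot"},
     "evidence_collected_at": "2024-01-15T06:00:00+00:00"},
    {"control": "A.12.6.1", "status": NON_COMPLIANT,
     "rationale": "Two critical findings open past SLA",
     "evidence": {"azure": "vulnerability assessment export"},
     "evidence_collected_at": "2024-02-28T06:00:00+00:00"},
]
# Assumed "current time" for the sample run so results are reproducible.
SAMPLE_NOW = datetime(2024, 3, 1, 6, 0, tzinfo=timezone.utc)


def canonical_json(obj) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace); a simplified
    form of JSON Canonicalization (RFC 8785) sufficient for string/int/list/dict data."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def report_hash(controls) -> str:
    """SHA-256 hex digest over the canonical JSON of a report's controls."""
    return hashlib.sha256(canonical_json(controls)).hexdigest()


def open_evidence_store(path: str = ":memory:") -> sqlite3.Connection:
    """Evidence table whose triggers abort any UPDATE or DELETE, making rows append-only."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS reports (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            generated_at TEXT NOT NULL,
            controls_json TEXT NOT NULL,
            sha256 TEXT NOT NULL
        );
        CREATE TRIGGER IF NOT EXISTS reports_no_update BEFORE UPDATE ON reports
            BEGIN SELECT RAISE(ABORT, 'reports is append-only'); END;
        CREATE TRIGGER IF NOT EXISTS reports_no_delete BEFORE DELETE ON reports
            BEGIN SELECT RAISE(ABORT, 'reports is append-only'); END;
    """)
    return conn


def append_report(conn: sqlite3.Connection, generated_at: datetime, controls) -> str:
    """Store canonical JSON plus its digest; returns the digest."""
    digest = report_hash(controls)
    conn.execute("INSERT INTO reports (generated_at, controls_json, sha256) VALUES (?, ?, ?)",
                 (generated_at.isoformat(), canonical_json(controls).decode("utf-8"), digest))
    conn.commit()
    return digest


def verify_store(conn: sqlite3.Connection) -> list:
    """Auditor-side check: re-canonicalise each stored report and recompute its SHA-256.
    Returns the ids of rows whose stored digest does not match."""
    bad = []
    for row_id, controls_json, stored in conn.execute(
            "SELECT id, controls_json, sha256 FROM reports"):
        if report_hash(json.loads(controls_json)) != stored:
            bad.append(row_id)
    return bad


def store_rejects_rewrite(conn: sqlite3.Connection) -> bool:
    """Control test: confirm the store refuses to overwrite a stored digest."""
    try:
        conn.execute("UPDATE reports SET sha256 = ?", ("0" * 64,))
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    conn.commit()
    return False


def apply_freshness(controls, now: datetime, window: timedelta) -> list:
    """Downgrade COMPLIANT to PARTIAL when the evidence is older than the rolling window.
    NON_COMPLIANT and PARTIAL results are left unchanged. Does not mutate the input."""
    out = []
    for c in controls:
        c2 = dict(c)
        collected = datetime.fromisoformat(c2["evidence_collected_at"])
        if c2["status"] == COMPLIANT and now - collected > window:
            c2["status"] = PARTIAL
            c2["rationale"] += f" (evidence older than {window.days} days)"
        out.append(c2)
    return out


def demo(window_days: int = 30) -> dict:
    """End-to-end run over the constructed sample; returns results for inspection."""
    conn = open_evidence_store()
    evaluated = apply_freshness(SAMPLE_CONTROLS, SAMPLE_NOW, timedelta(days=window_days))
    digest = append_report(conn, SAMPLE_NOW, evaluated)
    return {
        "statuses": {c["control"]: c["status"] for c in evaluated},
        "digest": digest,
        "rewrite_rejected": store_rejects_rewrite(conn),
        "bad_rows": verify_store(conn),
    }


if __name__ == "__main__":
    result = demo()
    for control, status in result["statuses"].items():
        print(control, status)
    print("report sha256:", result["digest"])
    print("rewrite rejected:", result["rewrite_rejected"])
    print("rows failing recomputation:", result["bad_rows"])
```

In the sample run, A.8.16 was collected 46 days before the assumed "now" and drops to PARTIAL, while A.5.15 (10 days old) stays COMPLIANT. One caveat worth keeping in mind: a digest stored in the same row as the data lets an auditor detect corruption and recompute, but it does not on its own stop someone with write access from replacing both the data and the digest together; the append-only guard is what prevents that on the store itself, and a signature or HMAC under a key the store does not hold would let the auditor verify without trusting the database.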

Stage 1 and Stage 2 export packages

One-click CSV / JSON / PDF exports aligned to the auditor's request list. Same evidence supports SOC 2 (CC6/CC7/CC8) and HIPAA Security Rule — map once, audit many.

Read-only by design (A.5.15 friendly)

All evidence is gathered through read-only credentials (Workload Identity Federation on GCP, an IAM role assumed with an external ID on AWS, an App Registration on Azure). No write paths into your environment, no agent on workloads.

Frequently asked questions

Will Lumicost certify us against ISO 27001?

No tool can. Certification is granted by an accredited certification body after Stage 1 (documentation review) and Stage 2 (operational audit). Lumicost automates the operational evidence — the part the auditor inspects in Stage 2 — for the 12 Annex A controls that map to cloud configuration.

Why only 12 controls? Annex A has 93.

ISO 27001:2022 Annex A contains 93 controls across 4 themes. The majority are organisational, people-related, or physical — evidenced with policies, training records, and contracts. Lumicost evaluates the 12 controls that map directly to cloud telemetry; the rest must live in your ISMS documentation.

Do you support ISO 27001:2013 or only :2022?

Annex A renamed and reorganised controls in the 2022 revision. Our evaluator outputs :2022 codes (A.5.x, A.8.x, A.12.x, A.13.x). If your audit is still on :2013, the underlying evidence is the same — your auditor will accept the cross-mapping.

What about A.5.23 / cloud security controls?

A.5.23 (use of cloud services) is evidenced through your cloud connection inventory and contracts. Lumicost surfaces the inventory automatically; the contractual side (DPA, BAA, regional residency) is documented in our Trust Center and DPA, signed alongside the subscription.

Ready to start saving?

Connect read-only credentials, get your first insights in 24 hours.