ISO 27001 Control Mapping
How InnerWarden supports 13 ISO/IEC 27001:2022 Annex A controls, with a live compliance dashboard and a tamper-evident, hash-chained audit trail.
ISO 27001 Mapping
For: compliance buyers and auditors checking InnerWarden against ISO/IEC 27001:2022.
If you have to show an auditor which controls a tool helps you satisfy, this page is the map. InnerWarden covers 13 Annex A controls through its detection, response, and audit features. The mapping is not a static claim: the agent computes it live from your running configuration and shows it in the dashboard's Compliance tab. Turn a capability on, and the matching control flips to met, with no code change.
This page owns the control mapping and the audit-trail mechanics. It does not repeat the data-retention schedule or the data-subject-rights commands: those have one canonical home in Privacy and GDPR. Where this page needs a retention number or an export command, it links there.
Two things to set expectations before the table:
- This is a self-assessed mapping of where a control is supported by a feature. It is not a certification, and it does not replace your ISMS. See Customer Security Pack for the wider readiness picture.
- Whether a control reads "met" depends on your config. An auditor should check the running config (via the API or the Compliance tab) rather than trusting any static document, including this one.
The 13 controls
| Control | Name | InnerWarden feature | Reads "met" when | Where to see the evidence |
|---|---|---|---|---|
| A.5.1 | Information security policies | Your automated-response policy is defined in the responder config | The agent is running | Responder config, plus the decisions audit trail |
| A.6.1 | Organization of information security | AI-driven triage via your chosen provider (local Warden model, or an external one) | AI triage is enabled | Decision entries naming the provider, model, and confidence |
| A.8.1 | Asset management | The sensor inventories the host across its collectors (logs, eBPF, native network capture, firmware and kernel integrity, containers, and more) | Always | The sensors API and the dashboard Sensors view. Full list in What It Detects |
| A.9.1 | Access control | The sudo-abuse detector watches privilege-escalation attempts via eBPF | Sudo protection is enabled | Incidents from the sudo detector |
| A.10.1 | Cryptography | A SHA-256 hash chain over the decision audit trail; each entry links to the one before it | At least one decision has been recorded | The decisions file and the hash-chain verification on the Compliance API |
| A.12.1 | Operations security | Automated response (block IP, suspend user, kill process, block container, honeypot) | The responder is enabled | Decision entries with the action and its result |
| A.12.4 | Logging and monitoring | Continuous collection feeding 82 stateful detectors and the eBPF kernel programs | Always | The events and incidents files; the sensors API |
| A.12.6 | Technical vulnerability management | The execution guard analyses shell commands for exploit payloads before they run | The execution guard is enabled | Incidents from the execution guard; the loopback command-check endpoint |
| A.13.1 | Network security management | IP blocking at multiple layers: wire-speed XDP, host firewalls (iptables, ufw, nftables, pf, firewalld), and optional Cloudflare edge | The responder is enabled and out of dry-run | Block-IP decision entries; the XDP blocklist |
| A.13.2 | Information transfer | Container-drift detection and io_uring monitoring catch data movement that tries to bypass normal syscalls | Always | Incidents from the container-drift and io_uring detectors |
| A.16.1 | Incident management | The full pipeline: detect, correlate across layers, triage, respond, notify | Always | Incidents and decisions files; notification logs |
| A.18.1 | Compliance | A retained, tamper-evident audit trail with a configurable retention period | Decisions are kept at least 90 days | The retention config; see Privacy and GDPR for the schedule |
| A.18.2 | Information security reviews | A daily automated security report with aggregated telemetry | Always | The daily report files and the report API |
The counts above (82 detectors, the eBPF programs, the cross-layer correlation rules) are the canonical figures for the current release. Their authoritative source and the full detector list live in What It Detects.
The audit trail (the evidence an auditor cares about)
Hash-chained decisions
Every automated decision is appended to a daily decisions file. Each entry holds the SHA-256 digest of the previous entry, so the records form a tamper-evident chain: change or delete any historical entry and the chain breaks from that point forward.
The Compliance API verifies the chain on every call, reading the current day's file and checking that each linked hash matches the computed hash of the previous entry. It reports:
- whether the chain is intact
- the number of entries in the chain
- the hash of the most recent entry
Hash-chained admin actions
Administrative actions (enable, disable, configure, block, allowlist, mesh operations, and data erasures) are recorded in their own daily file with the same hash-chain structure. Each entry names the operator and the operation. GDPR erasure operations recompute the chain after removing records so the trail stays intact (see Privacy and GDPR).
Dashboard session controls
The dashboard supports session-based authentication alongside Basic Auth: log in to receive a Bearer token, log out to invalidate it, and list active sessions without exposing the tokens. Session timeout and the maximum number of concurrent sessions are configurable; the keys live in Configuration. Expired sessions are swept automatically. Login and logout are written to the admin-actions trail.
Hardening on the dashboard itself: login rate-limiting with IP lockout after repeated failures, refusal to perform actions over insecure HTTP when auth is configured on a non-localhost bind, standard security response headers, a cap on concurrent live-event streams, and constant-time credential comparison. Detail on these and the auth model is in Dashboard and Notifications and Trust and Safety Invariants.
The Compliance tab
The dashboard's Compliance tab is the single screen an auditor can sit in front of. It loads live and shows:
- Four KPI cards: active sessions, admin actions recorded today, the ISO 27001 score in
N / 13form, and the hash-chain status (intact or broken). - Audit Trail Hash Chain: chain length, last hash, and the verification result.
- Data Retention Policy: the configured retention period for each data type (the schedule itself is owned by Privacy and GDPR).
- ISO 27001 Control Mapping: the 13 controls with met / not-met status and, for each not-met control, the specific action that would satisfy it.
- Admin Actions: today's entries from the admin-actions trail.
- Trusted Advisor Cache and Active Sessions: current advisory recommendations and the authenticated sessions (tokens never shown).
The same data is available from the Compliance API endpoint, which returns the hash-chain status, the retention settings, the control list with per-control met/reason, the met/total counts, and the running version. It requires dashboard authentication when auth is configured.
Notes for auditors
- Control status is dynamic. The 13 controls reflect the current agent configuration. Verify against the running config via the Compliance API or the dashboard tab, not against this page.
- Chain verification is automated. The Compliance endpoint cryptographically verifies the decision trail on every call. An intact result that flips to broken indicates possible tampering and should be investigated.
- Retention enforcement is automatic. The agent deletes data past its configured retention with no manual step. The schedule and how to change it are in Privacy and GDPR.
- GDPR operations produce audit records. Both export and erase are logged, and erase recomputes the affected hash chains. The commands themselves live in Privacy and GDPR.
- Evidence files sit in the agent's data directory: the hash-chained decisions, the hash-chained admin actions, the incidents, the raw events, and the daily reports. The exact file shapes are in Data Formats.
Related
- Privacy and GDPR: the canonical data-retention schedule and the data-subject-rights commands.
- Trust and Safety Invariants: the runtime guarantees behind these controls.
- Customer Security Pack: the wider self-assessed readiness against ISO, SOC 2, SLSA, and more.
- Data Formats: the on-disk shapes of the evidence files.
- Configuration: the config keys an auditor will ask you to confirm.
- Dashboard and Notifications: the Compliance tab and dashboard auth in context.