Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This crosswalk separates the same ISMS material into three views:
- implementer view: what to build;
- auditor view: what to verify;
- ISO/IEC 27005 view: what risk logic supports the decision.
Core mapping
| ISMS topic | Implementer guide | Auditor guide | ISO 27005 risk view |
|---|---|---|---|
| ISMS context and scope | Define boundaries, interested parties, requirements | Verify scope is justified and reflected in processes | Establish risk context |
| Policy and governance | Create approved policies and ownership | Verify approval, communication, review, and use | Communicate expectations and assign accountability |
| Risk assessment | Define method, criteria, owners, register | Verify method is applied consistently | Identify, analyze, and evaluate risks |
| Risk treatment | Select controls and actions | Verify decisions are justified and implemented | Choose treatment options and residual risk |
| Statement of Applicability | Record applicability, justification, implementation status | Verify SoA matches risks, controls, and reality | Document treatment rationale |
| Annex A controls | Implement selected controls | Test design, operation, evidence, awareness | Risk modification and monitoring |
| Evidence | Define records during implementation | Test evidence quality and consistency | Support monitoring and review |
| Internal audit | Prepare audit-ready processes | Perform independent verification | Monitor control effectiveness |
| Management review | Review performance, risks, resources, actions | Verify review inputs/outputs and decisions | Review risk status and residual risk |
| Corrective action | Fix root causes and update controls | Verify correction and effectiveness | Feed risk reassessment and improvement |
ISO 27002 relationship
| ISO 27001 requirement/control view | ISO 27002 guidance view | ISO 27005 risk view |
|---|---|---|
| Annex A selected control | Purpose, implementation guidance, attributes, examples | Risk treatment rationale |
| Control implementation status in SoA | Practical control operation and review | Residual risk and effectiveness |
| Audit evidence for a control | Evidence expectations and control attributes | Monitoring and risk review |
| Control gaps or nonconformities | Weak implementation or missing operation | Increased residual risk or failed treatment |
Annex A section maps
| Annex A section | Implementer lens | Auditor lens | ISO 27005 risk lens |
|---|---|---|---|
| A.5 Organizational Controls MOC | Governance, roles, policies, suppliers, incidents, compliance, and operating procedures | Test governance design, operating evidence, review, awareness, and corrective action | Organizational risk treatment and control-effectiveness monitoring |
| A.6 People Controls MOC | Personnel trust, screening, contracts, security responsibilities, and role-change triggers | Test HR/procurement/legal records, timing before access, role proportionality, and privacy handling | Personnel risk, insider risk, contractual ambiguity, and privacy exposure |
| A.7 Physical Controls MOC | Physical zones, entry controls, visitor handling, delivery controls, and facility security evidence | Test site walkthroughs, physical access records, visitor logs, delivery controls, and perimeter completeness | Unauthorized physical access, theft, tampering, exposure, and environmental dependency risk |
| A.8 Technological Controls MOC | Endpoint controls, privileged access, technical enforcement, logging, and system protection evidence | Test technical configuration, access records, logs, compliance reports, and exception handling | Endpoint compromise, privilege misuse, technical vulnerability, monitoring failure, and control-bypass risk |
Practical use
When adding a new control or topic, create or update:
- the detailed control/topic note;
- implementer guidance or workbook entry;
- audit evidence pack/checklist;
- ISO/IEC 27005 risk mapping if the topic affects risk assessment, treatment, acceptance, monitoring, or review;
- MOCs and crosswalks.
Related notes
- ISO 27001 Implementer Guide MOC
- ISO 27001 Auditor Guide MOC
- ISO 27002 Knowledge Base MOC
- ISO 27005 Risk Management Guide MOC
- A.5 Controls Implementation Audit Risk Mapping
- A.6 People Controls Implementation Audit Risk Mapping
- A.7 Physical Controls Implementation Audit Risk Mapping
- A.8 Technological Controls Implementation Audit Risk Mapping
- Iso27001
- Iso27005
- Mapping
- Implementer guide
- Auditor guide
Note Metadata
Aliases: ISO 27001 27005 Crosswalk
Source: 08 Crosswalks/ISO 27001 Implementer Auditor ISO 27005 Mapping.md
Related Notes
- ISO27001 ISMS KB - Start Here
- A.5 Organizational Controls MOC
- A.6 People Controls MOC
- A.7 Physical Controls MOC
- A.8 Technological Controls MOC
- A.6 People Controls Implementation Guide
- A.7 Physical Controls Implementation Guide
- A.8 Technological Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO 27001 Implementer Guide
- ISO 27001 Auditor Guide
- ISO 27005 Risk Management Guide
- A.5 Controls Implementation Audit Risk Mapping
- A.6 People Controls Implementation Audit Risk Mapping
- A.7 Physical Controls Implementation Audit Risk Mapping
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27001 Knowledge Base
- ISO 27002 Control Attributes Evidence Map
- ISO 27002 Knowledge Base
- GRC Knowledge Model
- Audit Evidence Index
- ISO 27001 Overview
- Templates MOC