UnixTime

Research Note

ISO 27001 Implementer Auditor ISO 27005 Mapping

1. implementer view: what to build; 2. auditor view: what to verify; 3. ISO/IEC 27005 view: what risk logic supports the decision.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This crosswalk separates the same ISMS material into three views:

  1. implementer view: what to build;
  2. auditor view: what to verify;
  3. ISO/IEC 27005 view: what risk logic supports the decision.

Core mapping

ISMS topic Implementer guide Auditor guide ISO 27005 risk view
ISMS context and scope Define boundaries, interested parties, requirements Verify scope is justified and reflected in processes Establish risk context
Policy and governance Create approved policies and ownership Verify approval, communication, review, and use Communicate expectations and assign accountability
Risk assessment Define method, criteria, owners, register Verify method is applied consistently Identify, analyze, and evaluate risks
Risk treatment Select controls and actions Verify decisions are justified and implemented Choose treatment options and residual risk
Statement of Applicability Record applicability, justification, implementation status Verify SoA matches risks, controls, and reality Document treatment rationale
Annex A controls Implement selected controls Test design, operation, evidence, awareness Risk modification and monitoring
Evidence Define records during implementation Test evidence quality and consistency Support monitoring and review
Internal audit Prepare audit-ready processes Perform independent verification Monitor control effectiveness
Management review Review performance, risks, resources, actions Verify review inputs/outputs and decisions Review risk status and residual risk
Corrective action Fix root causes and update controls Verify correction and effectiveness Feed risk reassessment and improvement

ISO 27002 relationship

ISO 27001 requirement/control view ISO 27002 guidance view ISO 27005 risk view
Annex A selected control Purpose, implementation guidance, attributes, examples Risk treatment rationale
Control implementation status in SoA Practical control operation and review Residual risk and effectiveness
Audit evidence for a control Evidence expectations and control attributes Monitoring and risk review
Control gaps or nonconformities Weak implementation or missing operation Increased residual risk or failed treatment

Annex A section maps

Annex A section Implementer lens Auditor lens ISO 27005 risk lens
A.5 Organizational Controls MOC Governance, roles, policies, suppliers, incidents, compliance, and operating procedures Test governance design, operating evidence, review, awareness, and corrective action Organizational risk treatment and control-effectiveness monitoring
A.6 People Controls MOC Personnel trust, screening, contracts, security responsibilities, and role-change triggers Test HR/procurement/legal records, timing before access, role proportionality, and privacy handling Personnel risk, insider risk, contractual ambiguity, and privacy exposure
A.7 Physical Controls MOC Physical zones, entry controls, visitor handling, delivery controls, and facility security evidence Test site walkthroughs, physical access records, visitor logs, delivery controls, and perimeter completeness Unauthorized physical access, theft, tampering, exposure, and environmental dependency risk
A.8 Technological Controls MOC Endpoint controls, privileged access, technical enforcement, logging, and system protection evidence Test technical configuration, access records, logs, compliance reports, and exception handling Endpoint compromise, privilege misuse, technical vulnerability, monitoring failure, and control-bypass risk

Practical use

When adding a new control or topic, create or update:

  • the detailed control/topic note;
  • implementer guidance or workbook entry;
  • audit evidence pack/checklist;
  • ISO/IEC 27005 risk mapping if the topic affects risk assessment, treatment, acceptance, monitoring, or review;
  • MOCs and crosswalks.