ISO 27001 readiness in Nuxari
How Nuxari supports ISO 27001 ISMS program building, key artifacts required, and Annex A control mapping.
Last updated: June 2026
What ISO 27001 is
ISO/IEC 27001 is an international standard for Information Security Management Systems (ISMS). It defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. Unlike SOC 2, which is primarily a North American framework, ISO 27001 is internationally recognized and is often required for global enterprise relationships, government contracts, and regulated-industry suppliers.
ISO 27001 uses a risk-driven approach. Instead of prescribing specific technical controls, it requires organizations to identify their information security risks and select appropriate controls from Annex A (or justify exclusions in a Statement of Applicability).
Key ISMS artifacts
A complete ISO 27001 program requires the following artifacts. Nuxari supports building and maintaining each of these:
- ISMS scope document. Defines the boundaries of the information security management system — which systems, processes, locations, and data types are covered.
- Risk treatment plan. Documents identified risks, their likelihood and impact, chosen treatment options (mitigate, accept, transfer, avoid), and responsible owners.
- Statement of Applicability (SoA). Lists all Annex A controls, indicates which apply to your organization and which are excluded, with justifications for exclusions.
- Internal audit. A structured review of ISMS implementation conducted by someone other than the control owners, at least annually.
- Management review. A formal review by organizational leadership of ISMS performance, risk posture, and improvement opportunities, documented with decisions and action items.
- Approved information security policies. Documented, approved, and communicated policies covering each relevant area (access control, asset management, cryptography, etc.).
Annex A control categories
ISO 27001:2022 Annex A contains 93 controls organized into four themes. Nuxari maps its built-in controls to these categories:
- Organizational controls (A.5). Policies, roles, responsibilities, threat intelligence, supplier relationships, and information security in projects.
- People controls (A.6). Screening, terms of employment, information security awareness, non-disclosure agreements, and remote working.
- Physical controls (A.7). Physical security perimeters, physical entry controls, securing offices and equipment.
- Technological controls (A.8). User endpoint devices, privileged access rights, access control, authentication, log management, network security, and vulnerability management.
Nuxari's control library provides the greatest coverage for organizational and technological controls, particularly around access control (A.8.2–A.8.5), log management (A.8.15), vulnerability management (A.8.8), and supplier relationships (A.5.19–A.5.22).
Using Nuxari for ISO 27001 readiness
Nuxari helps you operate the ongoing management activities that ISO 27001 requires: continuous access reviews, evidence-backed control assessments, risk register maintenance, policy approval workflows, vendor risk management, and audit log retention. The platform generates evidence automatically as operational actions occur, reducing the manual burden of gathering documentation before an audit.