ISO/IEC 27001:2022 — Information Security Management Annex A + Clauses 4-10
ISO/IEC 27001:2022 — Information Security Management Annex A + Clauses 4-10 — 79% covered.
118 requirements · 83 enforced · 6 designed · 29 advisory · 0 deferred.
Source: ISO/IEC 27001:2022 Annex A (93 controls, 4 themes), which mirrors the ISO/IEC 27002:2022 control catalogue. Main-body clauses 4-10 (Context, Leadership, Planning, Support, Operation, Performance evaluation, Improvement) were added 2026-05-29 (Wave-Ralph-B) for regulator-grade, ISMS-level deep mapping.
License: ISO — control text is copyrighted; the KYE registry paraphrases each control's intent and cites the official identifier for mapping purposes only.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| A.5 Organisational controls | 37 | 32 | 1 | 4 | 0 | 91% |
| A.6 People controls | 8 | 3 | 1 | 4 | 0 | 56% |
| A.7 Physical controls | 14 | 2 | 0 | 12 | 0 | 36% |
| A.8 Technological controls | 34 | 26 | 3 | 5 | 0 | 85% |
| Clause 4 Context of the organisation | 4 | 2 | 0 | 2 | 0 | 63% |
| Clause 5 Leadership | 3 | 3 | 0 | 0 | 0 | 100% |
| Clause 6 Planning | 5 | 4 | 0 | 1 | 0 | 85% |
| Clause 7 Support | 5 | 4 | 0 | 1 | 0 | 85% |
| Clause 8 Operation | 3 | 3 | 0 | 0 | 0 | 100% |
| Clause 9 Performance evaluation | 3 | 2 | 1 | 0 | 0 | 83% |
| Clause 10 Improvement | 2 | 2 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| iso-27001.A.5.1 | Policies for information security | enforced | audit_events: kye.signal.tool.compiled.v1 · engines: internal · workers: kye-rules-gateway-worker · constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.2 | Information security roles and responsibilities | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.3 | Segregation of duties | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.4 | Management responsibilities | enforced | audit_events: kye.governedui.approval.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-27001.A.5.5 | Contact with authorities | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.6 | Contact with special interest groups | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.7 | Threat intelligence | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.5.8 | Information security in project management | enforced | audit_events: kye.governedui.approval.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-27001.A.5.9 | Inventory of information and other associated assets | enforced | audit_events: kye.risk.authority_register.v1, kye.evidence.decision_map.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.A.5.10 | Acceptable use of information and other associated assets | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1 · engines: internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.11 | Return of assets | enforced | audit_events: kye.revocation.event.v1, kye.signal.revocation.cascaded.v1 · engines: internal · workers: kye-authority-revocation-orchestrator · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.12 | Classification of information | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.5.13 | Labelling of information | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.5.14 | Information transfer | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.5.15 | Access control | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.16 | Identity management | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.17 | Authentication information | enforced | audit_events: kye.signing.multisig_envelope.v1 · engines: internal, internal, internal · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.5.18 | Access rights | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.5.19 | Information security in supplier relationships | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.5.20 | Addressing information security within supplier agreements | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.5.21 | Managing information security in the ICT supply chain | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.22 | Monitoring, review and change management of supplier services | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.5.23 | Information security for use of cloud services | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.5.24 | Information security incident management planning and preparation | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.5.25 | Assessment and decision on information security events | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.5.26 | Response to information security incidents | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.5.27 | Learning from information security incidents | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.5.28 | Collection of evidence | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.5.29 | Information security during disruption | enforced | audit_events: kye.spof.path_to_full.v1 · constitution_refs: constitution/51-NO-SPOF.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.5.30 | ICT readiness for business continuity | designed | audit_events: kye.spof.path_to_full.v1 · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.5.31 | Legal, statutory, regulatory and contractual requirements | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.32 | Intellectual property rights | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.33 | Protection of records | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.5.34 | Privacy and protection of PII | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.5.35 | Independent review of information security | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.5.36 | Compliance with policies, rules and standards for information security | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.5.37 | Documented operating procedures | enforced | audit_events: kye.risk.authority_register.v1, kye.evidence.decision_map.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.A.6.1 | Screening | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.6.2 | Terms and conditions of employment | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.6.3 | Information security awareness, education and training | designed | audit_events: kye.training.completion.v1 · constitution_refs: constitution/10-PARTNER.md |
| iso-27001.A.6.4 | Disciplinary process | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.6.5 | Responsibilities after termination or change of employment | enforced | audit_events: kye.revocation.event.v1, kye.signal.revocation.cascaded.v1 · engines: internal · workers: kye-authority-revocation-orchestrator · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.6.6 | Confidentiality or non-disclosure agreements | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.6.7 | Remote working | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.6.8 | Information security event reporting | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.7.1 | Physical security perimeters | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.2 | Physical entry | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.3 | Securing offices, rooms and facilities | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.4 | Physical security monitoring | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.5 | Protecting against physical and environmental threats | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.6 | Working in secure areas | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.7 | Clear desk and clear screen | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.8 | Equipment siting and protection | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.9 | Security of assets off-premises | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.10 | Storage media | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.7.11 | Supporting utilities | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.12 | Cabling security | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.13 | Equipment maintenance | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.7.14 | Secure disposal or re-use of equipment | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.8.1 | User end point devices | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.8.2 | Privileged access rights | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.8.3 | Information access restriction | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.8.4 | Access to source code | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.A.8.5 | Secure authentication | enforced | audit_events: kye.signing.multisig_envelope.v1 · engines: internal, internal, internal · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.8.6 | Capacity management | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.8.7 | Protection against malware | designed | audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1 · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| iso-27001.A.8.8 | Management of technical vulnerabilities | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.8.9 | Configuration management | enforced | audit_events: kye.signal.drift.detected.v1 · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.10 | Information deletion | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.8.11 | Data masking | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.8.12 | Data leakage prevention | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.8.13 | Information backup | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.A.8.14 | Redundancy of information processing facilities | enforced | audit_events: kye.spof.path_to_full.v1 · constitution_refs: constitution/51-NO-SPOF.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.15 | Logging | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md · rule_packs: kye:rule-pack:public-sector-governance |
| iso-27001.A.8.16 | Monitoring activities | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.A.8.17 | Clock synchronisation | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.8.18 | Use of privileged utility programs | designed | audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1 · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| iso-27001.A.8.19 | Installation of software on operational systems | enforced | audit_events: kye.signal.drift.detected.v1 · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.20 | Networks security | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1 · engines: internal, internal · workers: kye-gateway, kye-edge-arbiter · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| iso-27001.A.8.21 | Security of network services | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1 · engines: internal, internal · workers: kye-gateway, kye-edge-arbiter · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| iso-27001.A.8.22 | Segregation of networks | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1 · engines: internal, internal · workers: kye-gateway, kye-edge-arbiter · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| iso-27001.A.8.23 | Web filtering | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.8.24 | Use of cryptography | enforced | audit_events: kye.signing.multisig_envelope.v1 · engines: internal, internal, internal · constitution_refs: constitution/51-NO-SPOF.md |
| iso-27001.A.8.25 | Secure development life cycle | enforced | audit_events: kye.ci.failure.classified.v1 · constitution_refs: constitution/00-INDEX.md, constitution/42-CONSTITUTION-KIT.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.26 | Application security requirements | enforced | audit_events: kye.ci.failure.classified.v1 · constitution_refs: constitution/00-INDEX.md, constitution/42-CONSTITUTION-KIT.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.27 | Secure system architecture and engineering principles | enforced | audit_events: kye.ci.failure.classified.v1 · constitution_refs: constitution/00-INDEX.md, constitution/42-CONSTITUTION-KIT.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.28 | Secure coding | designed | audit_events: kye.ci.failure.classified.v1 · constitution_refs: constitution/00-INDEX.md, constitution/42-CONSTITUTION-KIT.md |
| iso-27001.A.8.29 | Security testing in development and acceptance | enforced | audit_events: kye.ci.failure.classified.v1 · constitution_refs: constitution/00-INDEX.md, constitution/42-CONSTITUTION-KIT.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.30 | Outsourced development | advisory | constitution_refs: constitution/00-INDEX.md |
| iso-27001.A.8.31 | Separation of development, test and production environments | enforced | audit_events: kye.ci.failure.classified.v1 · constitution_refs: constitution/00-INDEX.md, constitution/42-CONSTITUTION-KIT.md · engines: internal, internal · workers: kye-gateway |
| iso-27001.A.8.32 | Change management | enforced | audit_events: kye.governedui.approval.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-27001.A.8.33 | Test information | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| iso-27001.A.8.34 | Protection of information systems during audit testing | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| iso-27001.cl-4.1 | Understanding the organisation and its context — determine external and internal issues relevant to the ISMS purpose that affect its ability to achieve the intended outcomes. | advisory | audit_events: kye.risk.authority_register.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-4.2 | Understanding the needs and expectations of interested parties — determine relevant interested parties and their requirements that relate to information security. | advisory | audit_events: kye.compliance.attestation.v1, kye.subprocessor.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-27001.cl-4.3 | Determining the scope of the information security management system — determine the boundaries and applicability of the ISMS taking the context, interested parties and interfaces into account. | enforced | audit_events: kye.compliance.attestation.v1 · registries: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-4.4 | Information security management system — establish, implement, maintain and continually improve an ISMS, including the processes needed and their interactions, in accordance with the requirements of this document. | enforced | audit_events: kye.compliance.attestation.v1, kye.reconciliation.verdict.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md, constitution/34-RECONCILIATION-ENGINE.md |
| iso-27001.cl-5.1 | Leadership and commitment — top management demonstrates leadership and commitment with respect to the ISMS. | enforced | audit_events: kye.governedui.approval.v1, kye.compliance.attestation.v1 · governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.approval_queue.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-27001.cl-5.2 | Policy — top management establishes an information security policy appropriate to the purpose of the organisation, including objectives or a framework for setting objectives, a commitment to satisfy applicable requirements, and a commitment to continual improvement. | enforced | audit_events: kye.compliance.attestation.v1 · registries: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-5.3 | Organisational roles, responsibilities and authorities — top management assigns and communicates roles and authorities relevant to information security. | enforced | audit_events: kye.authority.grant.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| iso-27001.cl-6.1.1 | Actions to address risks and opportunities — general — plan actions to address risks and opportunities to ensure the ISMS can achieve its intended outcomes and to achieve continual improvement. | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1, kye.risk_assessment.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.cl-6.1.2 | Information security risk assessment — define and apply an information security risk-assessment process that establishes and maintains risk criteria, ensures repeatability of results, identifies risks, and analyses and evaluates them. | enforced | audit_events: kye.risk_assessment.v1, kye.risk.score.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.cl-6.1.3 | Information security risk treatment — define and apply an information security risk-treatment process to select appropriate options, determine controls, compare them to Annex A, produce a Statement of Applicability, and obtain risk-owner approval. | enforced | audit_events: kye.compliance.attestation.v1, kye.governedui.approval.v1 · engines: internal, internal · constitution_refs: constitution/36-GOVERNEDUI.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-6.2 | Information security objectives and planning to achieve them — establish information security objectives at relevant functions and levels, consistent with the policy and measurable. | advisory | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-6.3 | Planning of changes — when the organisation determines the need for changes to the ISMS, the changes shall be carried out in a planned manner. | enforced | audit_events: kye.change_calendar.v1, kye.governedui.approval.v1, kye.reconciliation.verdict.v1 · engines: internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/53-COHESION-CASCADE.md |
| iso-27001.cl-7.1 | Resources — determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS. | advisory | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-7.2 | Competence — determine the necessary competence of persons doing work under the organisation's control that affects the ISMS performance, ensure competence on the basis of education, training or experience, and retain documented information as evidence of competence. | enforced | audit_events: kye.training.completion.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/10-PARTNER.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| iso-27001.cl-7.3 | Awareness — persons doing work under the organisation's control are aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming. | enforced | audit_events: kye.training.completion.v1, kye.comms.dispatch.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md, constitution/39-LEARN-RAIL.md |
| iso-27001.cl-7.4 | Communication — determine the need for internal and external communications relevant to the ISMS, including what, when, with whom, and how to communicate. | enforced | audit_events: kye.comms.dispatch.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| iso-27001.cl-7.5 | Documented information — the ISMS shall include documented information required by this document and documented information determined by the organisation as being necessary; documented information shall be controlled regarding distribution, access, retrieval, use, storage, preservation, change control and disposition. | enforced | audit_events: kye.audit_retention_policy.v1, kye.audit.event.v1 · engines: internal, internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
| iso-27001.cl-8.1 | Operational planning and control — plan, implement and control the processes needed to meet requirements and to implement the actions to address risks and opportunities; control planned changes and review unintended changes. | enforced | audit_events: kye.evidence.decision_map.v1, kye.reconciliation.verdict.v1, kye.signal.drift.detected.v1 · engines: internal, internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md |
| iso-27001.cl-8.2 | Information security risk assessment — perform information security risk assessments at planned intervals or when significant changes are proposed or occur, retaining documented information of the results. | enforced | audit_events: kye.risk_assessment.v1, kye.signal.scenario_run.completed.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| iso-27001.cl-8.3 | Information security risk treatment — implement the information security risk-treatment plan and retain documented information of the results. | enforced | audit_events: kye.compliance.attestation.v1, kye.reconciliation.verdict.v1 · engines: internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| iso-27001.cl-9.1 | Monitoring, measurement, analysis and evaluation — evaluate the information security performance and the effectiveness of the ISMS; determine what to monitor, the methods, when, by whom, and when results are analysed. | enforced | audit_events: kye.audit.event.v1, kye.signal.drift.detected.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |
| iso-27001.cl-9.2 | Internal audit — conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the requirements and is effectively implemented and maintained. | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| iso-27001.cl-9.3 | Management review — top management shall review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. | designed | audit_events: kye.governedui.approval.v1, kye.compliance.attestation.v1 · governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.evidence_timeline.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| iso-27001.cl-10.1 | Continual improvement — continually improve the suitability, adequacy and effectiveness of the ISMS. | enforced | audit_events: kye.reconciliation.verdict.v1, kye.signal.drift.detected.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/53-COHESION-CASCADE.md |
| iso-27001.cl-10.2 | Nonconformity and corrective action — when a nonconformity occurs, the organisation shall react, evaluate the need for action to eliminate the causes, implement the action, review its effectiveness, and retain documented information. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.ci.failure.classified.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/41-ERROR-HORIZONS.md |