ISO 27001 Annex A: How cloak.business Addresses the 14 Control Domains

A practical guide to ISO 27001:2022 compliance for PII protection.

February 28, 2026 · 10 min read

Why ISO 27001 Matters for PII Protection

ISO 27001:2022 is the international standard for information security management systems (ISMS). While GDPR and HIPAA mandate what data to protect, ISO 27001 provides the framework for how to protect it systematically.

Annex A defines 14 control domains covering everything from access control and cryptography to incident management and compliance. Organizations seeking certification must demonstrate implementation of applicable controls through a Statement of Applicability (SoA).

This guide maps each Annex A domain to specific cloak.business features and infrastructure, showing how a PII protection platform can serve as a key component of your ISMS.

Annex A Control Domain Mapping

A.5 Information Security Policies

Management direction and support for information security in accordance with business requirements and relevant laws.

cloak.business maintains documented security policies covering data classification, access control, and incident response, published in our compliance documentation.

A.6 Organization of Information Security

Internal organization, roles, responsibilities, and management of mobile devices and teleworking.

Security roles defined across the development and operations team. Security responsibilities are documented with awareness of PII handling and incident reporting obligations.

A.7 Human Resource Security

Security aspects for employees joining, during employment, and when leaving the organization.

Access to production systems is restricted to authorized personnel. Security awareness covers PII handling, incident reporting, and compliance obligations.

A.8 Asset Management

Identification of information assets and definition of appropriate protection responsibilities.

The entity library covers ~320 entity types across 70+ countries, each classified by sensitivity level, region, and applicable regulations. Assets are inventoried and tagged for appropriate handling.

A.9 Access Control

Business requirements for access control, user access management, and system and application access control.

Role-based access control with mandatory 2FA (TOTP). Zero-knowledge login option for maximum privacy. Session management with configurable timeouts. Complete login audit logging tracks all authentication attempts.

A.10 Cryptography

Cryptographic controls to protect the confidentiality, authenticity, and integrity of information.

AES-256-GCM for reversible encryption, XChaCha20-Poly1305 for the desktop vault, Argon2id for key derivation. All data encrypted at rest and in transit (TLS 1.3). Client-side encryption available via SDK.

A.11 Physical and Environmental Security

Prevention of unauthorized physical access, damage, and interference to facilities and equipment.

Infrastructure hosted at Hetzner's ISO 27001-certified data center in Falkenstein, Germany. Hetzner provides physical access controls, surveillance, redundant power, and environmental protections as part of their certification.

A.12 Operations Security

Operational procedures, protection from malware, backup, logging, and monitoring.

Automated health checks every 5 minutes with auto-restart. Systemd service isolation with memory limits (MemoryHigh/MemoryMax per service). Comprehensive audit logging for all API operations.

A.13 Communications Security

Network security management and information transfer security.

All external communications over TLS 1.3. Internal service communication on localhost only. UFW firewall with deny-by-default policy. Rate limiting on all public endpoints. All PII processing occurs on German infrastructure.

A.14 System Acquisition, Development, and Maintenance

Security requirements for information systems, secure development, and test data.

317 custom pattern recognizers with checksum validation and format verification. CI/CD pipelines with automated testing. Dependency scanning and version pinning. Separate development, staging, and production environments.

A.15 Supplier Relationships

Information security in supplier relationships and service delivery management.

Minimal third-party dependencies by design. Infrastructure provider (Hetzner) is ISO 27001 certified. No data shared with third parties for processing: all PII detection and anonymization happens on our own infrastructure.

A.16 Information Security Incident Management

Management of information security incidents, including reporting and response.

Login audit logging tracks all authentication attempts with IP, user agent, device type, and failure reasons. Suspicious IP detection with configurable thresholds. 90-day log retention with automated cleanup.

A.17 Business Continuity Management

Information security continuity and redundancies for availability.

Systemd auto-restart on failure with a 10-second delay. Memory-aware language model loading prevents OOM. 4GB swap as a safety net. Health monitoring with automated recovery.

A.18 Compliance

Compliance with legal and contractual requirements, and information security reviews.

GDPR compliant with German data residency. Data Processing Agreement (DPA) available for enterprise customers. Statement of Applicability (SoA) documented and available.
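The systemd controls named under A.12 (per-service MemoryHigh/MemoryMax isolation) and A.17 (restart on failure with a 10-second delay) can be expressed in a single unit file. The fragment below is an added illustration, not cloak.business's own configuration; the service name, user, binary path and the 3G/4G limit values are assumptions, while the directives are the standard systemd ones the page refers to.

```ini
# Illustrative unit for a PII processing service (example, not the project's real unit).
# Service name, user, path and limit values are assumed; directives are standard systemd.
[Unit]
Description=PII detection API (example)
After=network.target

[Service]
Type=simple
User=pii-api
# Assumed path to the service binary.
ExecStart=/opt/pii-api/bin/server

# A.17: restart only on an error exit or signal, after a 10-second delay,
# so a crashed worker comes back without a human in the loop.
Restart=on-failure
RestartSec=10

# A.12: cgroup memory isolation per service. When usage crosses MemoryHigh the
# kernel throttles and reclaims this unit's memory; MemoryMax is the hard ceiling
# at which the OOM killer acts on this unit alone, not on neighbouring services.
MemoryHigh=3G
MemoryMax=4G

# Least-privilege hardening usually paired with the limits above.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl show <unit> -p MemoryHigh -p MemoryMax -p Restart -p RestartSec` confirms the effective values, and `systemctl status <unit>` shows restart counts and the current cgroup memory usage.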

Key Implementation Highlights

Cryptography (A.10)

Three encryption algorithms cover different use cases: AES-256-GCM for reversible PII encryption, XChaCha20-Poly1305 for local vault storage, and Argon2id for key derivation. All data encrypted at rest and in transit.

Access Control (A.9)

Mandatory 2FA with TOTP, zero-knowledge login option, and complete login audit logging. Every authentication attempt is recorded with IP, user agent, device type, and failure reason.

Asset Management (A.8)

~320 entity types across 70+ countries, each classified by sensitivity level and applicable regulations. The entity library serves as a comprehensive data asset inventory for PII.

Incident Management (A.16)

Login audit logging with suspicious IP detection, automated health monitoring every 5 minutes, and 90-day log retention with automated cleanup.

ISO 27001:2022 Updates

The 2022 revision restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes: Organizational, People, Physical, and Technological. The original domain concepts (A.5–A.18) were reorganized into this new structure, though the underlying security objectives carry forward.

New controls particularly relevant to PII protection include:

  • A.5.7 Threat intelligence — Monitoring for new PII attack vectors and data breach patterns
  • A.8.11 Data masking — Core functionality of cloak.business with 5 anonymization methods
  • A.8.12 Data leakage prevention — Chrome extension and Office Add-in intercept PII before it leaves the organization
  • A.8.24 Use of cryptography — AES-256-GCM, XChaCha20-Poly1305, and Argon2id implementations

Key Takeaways

  • ISO 27001 provides the "how" — While GDPR says what to protect, ISO 27001 provides the systematic framework
  • All 14 domains are addressed — From policies and access control to cryptography and compliance
  • PII protection is central to ISMS — A dedicated PII tool covers data masking, encryption, access control, and audit logging
  • German infrastructure supports compliance — ISO 27001-certified data center, EU data residency, no third-party data sharing
