ISO 27001 Website Security Checklist: Annex A Controls Mapped

ISO 27001 is the gold standard for information security management. While the standard covers the entire organization, your website is often the most visible and attacked component of your information security posture.

This guide maps the most relevant ISO 27001:2022 Annex A controls to specific, actionable website security checks you can implement and verify today.

ISO 27001 Overview for Websites

ISO 27001:2022 Annex A contains 93 controls in 4 themes. For websites, the most critical are:

• A.8.24 Use of cryptography — TLS/SSL, encryption at rest
• A.8.3-8.5 Access control — authentication, authorization, privilege management
• A.8.20-8.22 Network security — firewalls, segmentation, web filtering
• A.8.25-8.31 Secure development — secure coding, testing, change management
• A.8.15-8.16 Logging and monitoring — audit trails, event detection
• A.8.8 Vulnerability management — scanning, patching, remediation
• A.5.23 Cloud security — cloud service provider controls

A.8.24: Cryptography CRITICAL

"A policy on the use of cryptographic controls, including key management, shall be developed and implemented."

Website Requirements

• TLS 1.2 or higher — TLS 1.0 and 1.1 are deprecated and non-compliant
• Strong cipher suites — AES-256-GCM, ChaCha20-Poly1305; no RC4, DES, or 3DES
• Valid SSL certificate — not expired, correct domain, trusted CA
• HSTS header — prevents protocol downgrade attacks
• Encryption at rest — database encryption for personal and sensitive data
• Key management — documented key rotation procedures

# Verify TLS configuration
# Apache — enforce TLS 1.2+
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305

# Nginx — enforce TLS 1.2+
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;

# HSTS header
Strict-Transport-Security: max-age=31536000; includeSubDomains

A.8.3-8.5: Access Control CRITICAL

"Access to information and systems shall be restricted in accordance with the access control policy."

Website Requirements

• Strong authentication — enforce password complexity, check against breached databases
• Multi-factor authentication — required for admin accounts, recommended for all users
• Session management — secure cookies (HttpOnly, Secure, SameSite), session timeouts
• Principle of least privilege — role-based access control (RBAC)
• Account lockout — after repeated failed login attempts
• Admin panel protection — restrict access by IP, use non-default URLs

# Secure session cookies
Set-Cookie: session=token; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age=1800

# Rate limit login attempts (Nginx)
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /login {
    limit_req zone=login burst=3 nodelay;
}

A.8.20-8.22: Network Security HIGH

"Networks and network services shall be secured and segregated."

Website Requirements

• Firewall configuration — only required ports open (80, 443, SSH)
• Database isolation — database ports not accessible from internet
• WAF (Web Application Firewall) — protection against OWASP Top 10 attacks
• DDoS protection — rate limiting, CDN-based protection
• Network segmentation — separate web, application, and database tiers

See our Firewall Hardening Guide for detailed configuration.

A.8.25-8.31: Secure Development HIGH

"Rules for the secure development of software and systems shall be established and applied."

Website Requirements

• Security headers — CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• Input validation — server-side validation of all user input
• Output encoding — prevent XSS through proper encoding
• Parameterized queries — prevent SQL injection
• CSRF protection — anti-CSRF tokens on all state-changing forms
• Dependency management — regular updates, vulnerability scanning of libraries
• Secure configuration — no debug mode, no default credentials, no exposed .env files

See our Security Headers Guide and OWASP Top 10 Explained for implementation details.

A.8.15-8.16: Logging & Monitoring HIGH

"Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed."

Website Requirements

• Access logs — record all HTTP requests with timestamps, IPs, and user agents
• Authentication logs — record login attempts (successful and failed)
• Error logs — capture application errors without exposing them to users
• Audit trails — record administrative actions and data modifications
• Log protection — logs should be tamper-proof and access-restricted
• Log retention — define and enforce retention periods (typically 90 days to 1 year)
• Alerting — automated alerts for suspicious patterns

A.8.8: Vulnerability Management CRITICAL

"Information about technical vulnerabilities shall be obtained, exposure evaluated, and appropriate measures taken."

• Regular vulnerability scanning — automated scans at least monthly
• Patch management — critical patches applied within 48 hours
• Penetration testing — annual or after significant changes
• Remediation tracking — documented process for fixing findings
• Risk assessment — prioritize by severity and business impact

Use AI QA Monkey's Compliance Scanner for automated vulnerability scanning mapped to ISO 27001 controls.

A.5.23: Cloud Security HIGH

"Processes for acquisition, use, management and exit from cloud services shall be established."

• Cloud provider assessment — verify provider's own ISO 27001 certification
• Data residency — know where your data is stored geographically
• Shared responsibility — understand what you vs. the provider are responsible for
• Backup and recovery — test restore procedures regularly
• Exit strategy — documented plan for migrating away from the provider

Complete Website Checklist

Cryptography (A.8.24)

• ☐ TLS 1.2+ enforced, TLS 1.0/1.1 disabled
• ☐ Valid SSL certificate from trusted CA
• ☐ HSTS header with max-age ≥ 31536000
• ☐ Strong cipher suites only
• ☐ Database encryption at rest

Access Control (A.8.3-8.5)

• ☐ Strong password policy enforced
• ☐ MFA enabled for admin accounts
• ☐ Secure session cookies (HttpOnly, Secure, SameSite)
• ☐ Account lockout after failed attempts
• ☐ Admin panel access restricted

Network Security (A.8.20-8.22)

• ☐ Only ports 80/443/SSH open externally
• ☐ Database ports blocked from internet
• ☐ WAF configured and active
• ☐ Rate limiting on sensitive endpoints

Secure Development (A.8.25-8.31)

• ☐ All security headers configured
• ☐ No exposed .env or configuration files
• ☐ Debug mode disabled in production
• ☐ Dependencies up to date
• ☐ CSRF protection on all forms

Logging (A.8.15-8.16)

• ☐ Access and error logs enabled
• ☐ Authentication events logged
• ☐ Log retention policy defined
• ☐ Alerting on suspicious patterns

Vulnerability Management (A.8.8)

• ☐ Regular automated scanning
• ☐ Patch management process documented
• ☐ Remediation tracking in place

Frequently Asked Questions

What is ISO 27001 and does my website need to comply?

ISO 27001 is the international standard for Information Security Management Systems. While not legally required, it's increasingly demanded by enterprise clients, government contracts, and cyber insurance providers.

What are ISO 27001 Annex A controls?

Annex A contains 93 controls in the 2022 version, organized into Organizational, People, Physical, and Technological themes. For websites, the most relevant are cryptography, access control, secure development, network security, and logging.

How do I prepare my website for ISO 27001 audit?

Start with a gap analysis using AI QA Monkey's compliance scanner, document your current controls, identify gaps, and create a remediation plan with timelines.

What is the difference between ISO 27001:2013 and ISO 27001:2022?

The 2022 version restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes, and added 11 new controls including cloud security and secure coding.