# Mapping: Nexus SecOps ↔ ISO/IEC 27001:2022
This document maps Nexus SecOps benchmark controls to ISO/IEC 27001:2022 Annex A controls. ISO 27001:2022 reorganized the control set into four themes: Organizational (5), People (6), Physical (7), Technological (8).
## 5 — Organizational Controls
| ISO Control | Title | Nexus SecOps Controls |
|---|---|---|
| 5.1 | Policies for information security | Nexus SecOps-201 |
| 5.2 | Information security roles and responsibilities | Nexus SecOps-205, Nexus SecOps-068 |
| 5.3 | Segregation of duties | Nexus SecOps-205, Nexus SecOps-114 |
| 5.4 | Management responsibilities | Nexus SecOps-201, Nexus SecOps-211 |
| 5.5 | Contact with authorities | Nexus SecOps-069, Nexus SecOps-073 |
| 5.6 | Contact with special interest groups | Nexus SecOps-088 |
| 5.7 | Threat intelligence | Nexus SecOps-081, Nexus SecOps-082, Nexus SecOps-083, Nexus SecOps-084 |
| 5.8 | Information security in project management | Nexus SecOps-202 |
| 5.9 | Inventory of information and other assets | Nexus SecOps-001, Nexus SecOps-027, Nexus SecOps-030 |
| 5.10 | Acceptable use of information and assets | Nexus SecOps-201, Nexus SecOps-215 |
| 5.11 | Return of assets | Nexus SecOps-114, Nexus SecOps-215 |
| 5.12 | Classification of information | Nexus SecOps-030 |
| 5.13 | Labelling of information | Nexus SecOps-030 |
| 5.14 | Information transfer | Nexus SecOps-003, Nexus SecOps-127, Nexus SecOps-215 |
| 5.15 | Access control | Nexus SecOps-111, Nexus SecOps-114 |
| 5.16 | Identity management | Nexus SecOps-111, Nexus SecOps-115 |
| 5.17 | Authentication information | Nexus SecOps-112, Nexus SecOps-113 |
| 5.18 | Access rights | Nexus SecOps-114, Nexus SecOps-116 |
| 5.19 | Information security in supplier relationships | Nexus SecOps-204 |
| 5.20 | Addressing information security within supplier agreements | Nexus SecOps-204 |
| 5.21 | Managing information security in ICT supply chain | Nexus SecOps-204, Nexus SecOps-151 |
| 5.22 | Monitoring, review and change management of supplier services | Nexus SecOps-204, Nexus SecOps-210 |
| 5.23 | Information security for use of cloud services | Nexus SecOps-121, Nexus SecOps-122, Nexus SecOps-008 |
| 5.24 | Information security incident management planning and preparation | Nexus SecOps-066, Nexus SecOps-068 |
| 5.25 | Assessment and decision on information security events | Nexus SecOps-051, Nexus SecOps-067 |
| 5.26 | Response to information security incidents | Nexus SecOps-066, Nexus SecOps-070, Nexus SecOps-096 |
| 5.27 | Learning from information security incidents | Nexus SecOps-072, Nexus SecOps-220 |
| 5.28 | Collection of evidence | Nexus SecOps-071 |
| 5.29 | Information security during disruption | Nexus SecOps-066, Nexus SecOps-080 |
| 5.30 | ICT readiness for business continuity | Nexus SecOps-080, Nexus SecOps-213 |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Nexus SecOps-073, Nexus SecOps-212 |
| 5.32 | Intellectual property rights | Nexus SecOps-212 |
| 5.33 | Protection of records | Nexus SecOps-004, Nexus SecOps-005, Nexus SecOps-029 |
| 5.34 | Privacy and protection of personal identifiable information | Nexus SecOps-214, Nexus SecOps-215 |
| 5.35 | Independent review of information security | Nexus SecOps-207, Nexus SecOps-208 |
| 5.36 | Compliance with policies, rules and standards for information security | Nexus SecOps-212 |
| 5.37 | Documented operating procedures | Nexus SecOps-053, Nexus SecOps-066, Nexus SecOps-097 |
## 6 — People Controls
| ISO Control | Title | Nexus SecOps Controls |
|---|---|---|
| 6.1 | Screening | Nexus SecOps-206 |
| 6.2 | Terms and conditions of employment | Nexus SecOps-206 |
| 6.3 | Information security awareness, education and training | Nexus SecOps-061, Nexus SecOps-206 |
| 6.4 | Disciplinary process | Nexus SecOps-206 |
| 6.5 | Responsibilities after termination or change of employment | Nexus SecOps-114, Nexus SecOps-115 |
| 6.6 | Confidentiality or non-disclosure agreements | Nexus SecOps-204, Nexus SecOps-206 |
| 6.7 | Remote working | Nexus SecOps-113, Nexus SecOps-121, Nexus SecOps-136 |
| 6.8 | Information security event reporting | Nexus SecOps-066, Nexus SecOps-069 |
## 7 — Physical Controls
| ISO Control | Title | Nexus SecOps Controls |
|---|---|---|
| 7.1 | Physical security perimeters | Nexus SecOps-213 |
| 7.2 | Physical entry | Nexus SecOps-213 |
| 7.3 | Securing offices, rooms and facilities | Nexus SecOps-213 |
| 7.4 | Physical security monitoring | Nexus SecOps-213 |
| 7.5 | Protecting against physical and environmental threats | Nexus SecOps-213 |
| 7.6 | Working in secure areas | Nexus SecOps-213 |
| 7.7 | Clear desk and screen | Nexus SecOps-136 |
| 7.8 | Equipment siting and protection | Nexus SecOps-213 |
| 7.9 | Security of assets off-premises | Nexus SecOps-136, Nexus SecOps-215 |
| 7.10 | Storage media | Nexus SecOps-136, Nexus SecOps-215 |
| 7.11 | Supporting utilities | Nexus SecOps-213 |
| 7.12 | Cabling security | Nexus SecOps-213 |
| 7.13 | Equipment maintenance | Nexus SecOps-213 |
| 7.14 | Secure disposal or re-use of equipment | Nexus SecOps-215 |
## 8 — Technological Controls
| ISO Control | Title | Nexus SecOps Controls |
|---|---|---|
| 8.1 | User endpoint devices | Nexus SecOps-136, Nexus SecOps-137, Nexus SecOps-138 |
| 8.2 | Privileged access rights | Nexus SecOps-114, Nexus SecOps-116 |
| 8.3 | Information access restriction | Nexus SecOps-114, Nexus SecOps-215 |
| 8.4 | Access to source code | Nexus SecOps-114 |
| 8.5 | Secure authentication | Nexus SecOps-111, Nexus SecOps-112, Nexus SecOps-113 |
| 8.6 | Capacity management | Nexus SecOps-015, Nexus SecOps-210 |
| 8.7 | Protection against malware | Nexus SecOps-140, Nexus SecOps-141 |
| 8.8 | Management of technical vulnerabilities | Nexus SecOps-151, Nexus SecOps-152, Nexus SecOps-153 |
| 8.9 | Configuration management | Nexus SecOps-136, Nexus SecOps-137, Nexus SecOps-202 |
| 8.10 | Information deletion | Nexus SecOps-029, Nexus SecOps-215 |
| 8.11 | Data masking | Nexus SecOps-214, Nexus SecOps-186 |
| 8.12 | Data leakage prevention | Nexus SecOps-049, Nexus SecOps-127 |
| 8.13 | Information backup | Nexus SecOps-080 |
| 8.14 | Redundancy of information processing facilities | Nexus SecOps-080, Nexus SecOps-213 |
| 8.15 | Logging | Nexus SecOps-001, Nexus SecOps-002, Nexus SecOps-004, Nexus SecOps-010 |
| 8.16 | Monitoring activities | Nexus SecOps-031, Nexus SecOps-044, Nexus SecOps-007 |
| 8.17 | Clock synchronization | Nexus SecOps-017 |
| 8.18 | Use of privileged utility programs | Nexus SecOps-114, Nexus SecOps-116 |
| 8.19 | Installation of software on operational systems | Nexus SecOps-136, Nexus SecOps-141, Nexus SecOps-202 |
| 8.20 | Networks security | Nexus SecOps-121, Nexus SecOps-122 |
| 8.21 | Security of network services | Nexus SecOps-003, Nexus SecOps-121, Nexus SecOps-204 |
| 8.22 | Segregation of networks | Nexus SecOps-121, Nexus SecOps-122 |
| 8.23 | Web filtering | Nexus SecOps-121 |
| 8.24 | Use of cryptography | Nexus SecOps-003, Nexus SecOps-005, Nexus SecOps-215 |
| 8.25 | Secure development life cycle | Nexus SecOps-202 |
| 8.26 | Application security requirements | Nexus SecOps-155, Nexus SecOps-202 |
| 8.27 | Secure system architecture and engineering principles | Nexus SecOps-121, Nexus SecOps-136, Nexus SecOps-202 |
| 8.28 | Secure coding | Nexus SecOps-202 |
| 8.29 | Security testing in development and acceptance | Nexus SecOps-034, Nexus SecOps-155 |
| 8.30 | Outsourced development | Nexus SecOps-204 |
| 8.31 | Separation of development, test and production environments | Nexus SecOps-202 |
| 8.32 | Change management | Nexus SecOps-202, Nexus SecOps-203 |
| 8.33 | Test information | Nexus SecOps-202 |
| 8.34 | Protection of information systems during audit testing | Nexus SecOps-207 |
## Annex A Controls Unique to AI Operations (Emerging)
ISO/IEC 42001 (AI Management System) is complementary to 27001. Key Nexus SecOps AI controls align to:
| ISO/IEC 42001 Area | Nexus SecOps Controls |
|---|---|
| AI risk assessment | Nexus SecOps-161, Nexus SecOps-181, Nexus SecOps-207 |
| AI impact assessment | Nexus SecOps-161, Nexus SecOps-180 |
| AI transparency | Nexus SecOps-177, Nexus SecOps-179 |
| AI human oversight | Nexus SecOps-178, Nexus SecOps-191 |
| AI data governance | Nexus SecOps-186, Nexus SecOps-214 |
## Coverage Summary
| ISO 27001 Theme | Controls | Nexus SecOps Alignment |
|---|---|---|
| Organizational (5.x) | 37 controls | High — GOV, INC, CTI, IAM domains |
| People (6.x) | 8 controls | Medium — Nexus SecOps-061, 114, 115, 206 |
| Physical (7.x) | 14 controls | Moderate — Nexus SecOps-213 (out of SOC scope) |
| Technological (8.x) | 34 controls | High — TEL, DET, TRI, END, CLD domains |
Nexus SecOps controls address approximately 87% of ISO 27001:2022 Annex A controls directly relevant to security operations. Physical controls (7.x) are partially out of SOC scope.
See Controls Catalog for Nexus SecOps control details.