Free guide · ISO 27001 edition 2026

Your fast path to ISO 27001 for AWS.

  • Which controls AWS already covers for you.
  • Where your real gaps are.
  • What your next step is.

A control-by-control map of ISO 27001:2022 on AWS. All 93 controls, in plain language, aligned to the AWS services your auditor will accept as evidence. One PDF, fifteen minutes.

Get the cheat sheet
93 ISO 27001 controls mapped to AWS services across four Annex A families

The problem

How do you start with ISO 27001 on AWS?

Starting with ISO 27001 on AWS is daunting, and it is hard to know even where to begin. Your developers know about EC2, RDS, S3, and the day-to-day services they ship with. The auditor asks about access control, cryptography, logging, and supplier management. Two languages, one AWS account, and you're stuck in the middle translating in both directions.

  • Every time the auditor asks for evidence, you have to chase your engineers to find out how that part of AWS is actually configured.
  • You don't know how every ISO 27001 Annex A control maps to your AWS infrastructure, so each new control on the spreadsheet kicks off another internal investigation.
  • Your compliance work for ISO 27001 feels detached from the actual changes and configuration your engineers ship in AWS every day.

The gap isn't a missing tool. It's that nobody has written down how each ISO 27001 control is solved in your AWS infrastructure.

Who is this for?

Teams whose AWS keeps moving while ISO 27001 has to hold.

SaaS scale-up

Your first ISO 27001 audit is on the calendar.

An enterprise customer asked for the certificate, or your board did. Now your team is staring at a spreadsheet of 93 controls and an AWS account that nobody has ever mapped against them. You want to walk into the audit knowing what you're already doing right, what's missing, and how long the gap takes to close.

Compliance team

You passed the audit. Keeping it green is the harder problem.

You passed your ISO 27001 audit, but you're struggling with the continuous compliance work. Engineers keep shipping changes in AWS, evidence goes stale between cycles, and you can't tell at a glance which controls still hold. You need a clear view of how each control maps to AWS so you can spot drift before the re-audit catches it.

What you get

All 93 controls, mapped to what you need to do in AWS to satisfy them and build real-time evidence collection.

Per Annex A family: the controls you own, how to solve them in AWS, and the real-time evidence collection your auditor will accept. In plain language. No theory, no boilerplate.

A.5 · 37 controls

Organizational

Policies, roles, supplier management, incident response.

A.6 · 8 controls

People

Screening, awareness, joiner/leaver access.

A.7 · 14 controls

Physical

Inherited through cloud data-center compliance. Includes the exact attestations and reports to cite in your audit.

A.8 · 34 controls

Technological

Encryption, logging, network segmentation, vulnerability management, backups.

Download free

Download the cheat sheet

Fill in your name and email. The PDF downloads right after.

Steffan Norberhuis
Founder, Rocketleap
Why I wrote this

I've walked dozens of teams through their ISO 27001 audit.

I've been through dozens of audits. More than a decade building AWS platforms for SaaS companies, taking teams through certifications, customer security questionnaires, and the quiet stretches in between where drift sets in.

The teams that come out of audits well aren't the ones with the longest control spreadsheet. They're the ones who did the work to actually make their platform more secure, wrote the evidence collection into the platform, and stopped redoing the translation work every quarter.

With Rocketleap I now provide a turnkey platform for SaaS scale-ups with ISO 27001 built in. Logging, encryption, access control, and backups configured the way ISO 27001 expects from day one. This cheat sheet is the mapping we already use internally. No theory, no consultant boilerplate, just what works against the 2022 standard.