ISO/IEC 27001

Information security management systems - Requirements

Organization: ISO/IEC
Category: Information Security Management

Related Articles: 6
Articles with Obligations: 19
Key Sections: 11
Coverage Areas: 8

Overview

Specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Provides a systematic approach to managing sensitive company information.

Applicability

Organizational security management and governance

Relevance to Cyber Resilience Act (CRA)

Foundation for organizational security practices supporting CRA compliance

Key Coverage Areas

1. Information security management system (ISMS)
2. Risk assessment and treatment
3. Security policies and procedures
4. Access control
5. Asset management
6. Incident management
7. Business continuity
8. Supplier relationships

Standard Sections & Chapters

A.5: Organizational controls
A.6: People controls
A.7: Physical controls
A.8: Technological controls
A.5.1: Policies for information security
A.5.7: Threat intelligence
A.5.23: Information security for use of cloud services
A.8.1: User endpoint devices
A.8.2: Privileged access rights
A.8.3: Information access restriction
A.8.8: Management of technical vulnerabilities

Related Cyber Resilience Act (CRA) Articles

Article 14: Reporting obligations of manufacturers

Sections: A.5.1, A.8.8

Information security policies and vulnerability management

Implementation Guidance:

Establish ISMS with policies for security and vulnerability management

Mapped Obligations:

  • Report severe security incidents within 24 hours
  • Submit incident notification within 72 hours with nature and impact assessment
  • Provide final incident report within 1 month
  • Inform affected users about vulnerabilities and incidents with mitigation guidance

Article 15: Voluntary reporting

Sections: A.5.1

Documentation of security policies and procedures

Implementation Guidance:

Maintain documented information for security management

Mapped Obligations:

  • CSIRTs must inform manufacturers when others report actively exploited vulnerabilities or severe incidents about their products

Article 16: Establishment of a single reporting platform

Sections: A.5.7, A.8.8

Threat intelligence and vulnerability management

Implementation Guidance:

Integrate vulnerability management into overall security management system

Mapped Obligations:

  • ENISA must establish and maintain a single reporting platform for vulnerability and incident notifications
  • CSIRTs must notify market surveillance authorities of actively exploited vulnerabilities and severe incidents
  • ENISA must implement security measures to protect the platform and notify any security incidents

Article 18: Authorised representatives

Sections: A.5.7, A.6.8

Incident reporting and information security event management

Implementation Guidance:

Implement incident detection, assessment, and reporting procedures

Mapped Obligations:

  • Keep EU declaration of conformity and technical documentation available for at least 10 years after product launch or throughout support period (whichever is longer)
  • Provide all necessary information and documentation to authorities when requested to prove product compliance

Article 21: Cases in which obligations of manufacturers apply to importers and distributors

Sections: A.5.19, A.5.20, A.5.21

Supplier relationships and supply chain security

Implementation Guidance:

Address security in supplier agreements and monitor supplier security

Article 24: Obligations of open-source software stewards

Sections: A.5, A.8

Risk assessment and organizational controls

Implementation Guidance:

Conduct risk assessments and implement appropriate security controls

Mapped Obligations:

  • Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form

Quick Information

Organization: ISO/IEC
Category: Information Security Management
Certification: Available