AWS Security Blog

New compliance guide available: ISO/IEC 27001:2022 on AWS

We’re excited to announce the release of our latest compliance guide, ISO/IEC 27001:2022 on AWS, which provides practical guidance for organizations designing and operating an Information Security Management System (ISMS) using AWS services.

As organizations migrate critical workloads to the cloud, aligning with globally recognized standards such as ISO/IEC 27001:2022 becomes an important step toward strengthening governance, risk management, and information security practices. This guide helps cloud architects, security teams, compliance leaders, and DevOps practitioners understand how to implement and operate ISO 27001-aligned controls using AWS services while applying the AWS Shared Responsibility Model.

The guide explains how organizations can integrate AWS services into their ISMS to support the requirements defined in ISO 27001:2022 clauses 4–10 and selected Annex A controls. It also highlights how AWS security, monitoring, and automation capabilities can help customers maintain visibility, improve operational consistency, and prepare audit-ready evidence.

While AWS provides a secure and compliant cloud infrastructure, customers remain responsible for defining their ISMS scope, implementing controls, and demonstrating conformity during certification audits.

Inside the guide:

  • Overview of the ISO/IEC 27001:2022 framework, including ISMS clauses 4–10 and the Annex A control
  • Mapping of selected ISO 27001:2022 Annex A controls to AWS services and architectural capabilities
  • Guidance for implementing complementary customer controls within AWS environments
  • Recommendations for evidence collection, documentation, and audit readiness using AWS native tooling
  • Governance and risk management considerations for organizations establishing an ISMS on AWS
  • Best practices for operationalizing compliance activities through automation and infrastructure-as-code.

By combining ISO 27001 best practices with AWS security services, organizations can build scalable environments that support continuous security improvement, operational visibility, and certification readiness.

Download: ISO/IEC 27001:2022 on AWS Compliance Guide
For further assistance, contact AWS Security Assurance Services

If you have feedback about this post, please submit comments in the Comments section below.

Ted Tanner

Ted Tanner

Ted is a Principal Assurance Consultant and PCI DSS QSA with AWS Security Assurance Services. He has more than 25 years of IT, security, and compliance experience, which he uses to advise customers on building and optimizing their cloud compliance programs. He is co-author of several PCI DSS–related publications at AWS.

Satish Uppalapati

Satish Uppalapati

Satish is an Associate Assurance Consultant with AWS Security Assurance Services and has more than 8 years of experience in IT risk, governance, and regulatory assurance. He works with AWS customers to help align cloud environments with frameworks such as ISO 27001, SOC 2, and FFIEC. Satish also focuses on advancing governance for AI systems, including emerging standards such as ISO/IEC 42001.

Viktor Mu

Viktor Mu

Viktor is a Senior Assurance Consultant with AWS Security Assurance Services and has more than a decade of experience specializing in security and compliance assessments. Viktor holds several industry-recognized audit and security certifications, including PCI QSA, and CISA. Viktor works with partners and customers handling security and compliance frameworks like SOC 2 in key market verticals and regulated industries.

Lola Quadri

Lola Quadri

With more than ten years of experience across Big 4 consulting, financial services, and technology, Lola is a trusted security consultant specializing in risk and compliance. She leverages deep expertise across leading compliance frameworks to guide AWS customers toward sustainable, audit-ready compliance postures. Lola is a CISA, CISM, and AWS Certified Solutions Architect.