This matrix maps ISO 27001:2022 Annex A controls, SOC 2 Trust Services Criteria, the Australian Privacy Principles (APPs) and Notifiable Data Breaches (NDB) scheme, and PCI DSS (SAQ A / A-EP). For each control area it records the control owner and the evidence an assessor would expect to see.
| Control Area | ISO 27001:2022 | SOC 2 (TSC) | AU APPs / NDB | PCI DSS (SAQ A/A-EP) | Owner | Evidence |
|---|---|---|---|---|---|---|
| Identity & Access Management | A.5.15, A.5.18 | CC6.1, CC6.2 | APP 11 (security) | Req. 7–8 (restrict access) | CTO | Quarterly access review exports (Google Workspace, Git, prod DB), SSO/MFA screenshots |
| Multi-Factor Authentication | A.5.17 | CC6.1 | APP 11 | Req. 8.3 (MFA for admin) | CTO | IdP MFA enforcement settings, MDM compliance logs |
| Password Policy | A.5.17 | CC6.1 | APP 11 | Req. 8.2.3 | CTO | Password policy doc, IdP config screenshot (length, breach check) |
| Endpoint Security (MDM/Encryption) | A.8.9, A.8.10 | CC6.1 | APP 11 | Not directly scoped | CTO | Device inventory, FileVault/BitLocker status reports |
| Backups & Recovery | A.8.13 | CC7.4 | APP 11 | Req. 9.5 (if in scope) | CTO | Backup logs, restore test evidence, Wasabi Object Lock config |
| Logging & Monitoring | A.8.15 | CC7.2, CC7.3 | APP 11 | Req. 10.6, 11.5 | CTO | Wazuh alert reports, Cloudflare log exports, retention policy |
| Vulnerability Mgmt | A.8.8 | CC7.1 | APP 11 | Req. 6.3, 11.2 | CTO | Monthly vuln scan reports, patch tickets closed ≤14 days |
| Change Mgmt (SDLC) | A.8.32, A.8.28 | CC8.1, CC8.2 | APP 11 | Req. 6.4 | CTO | Git PR approvals, CI/CD logs, dependency scan reports |
| Secure Development (OWASP ASVS) | A.8.25 | CC8.1 | APP 11 | Req. 6.5 | CTO | Code review checklists, DAST/SAST reports |
| Incident Response & Breach Notification | A.5.26, A.5.29 | CC7.4 | APP 11, NDB scheme | Req. 12.10 | CTO | IR playbooks, tabletop minutes, notification templates |
| Privacy & Data Protection | A.5.34 | CC1.2 | APPs 1–13, NDB | Not PCI-scoped | CTO | Privacy policy, DPIA template, Article 30(2) RoPA, DPA/BAA records |
| Vendor Risk Mgmt | A.5.19 | CC9.2 | APP 8 (cross-border disclosure) | Req. 12.8 | CTO | Vendor VSAQ results, subprocessor list, DPAs |
| Network Security | A.8.20 | CC6.6 | APP 11 | Req. 1.3, 1.4 | CTO | Firewall rules, bastion/Tailscale config, Cloudflare WAF logs |
| Physical Security (Hosting providers) | A.7.4 | CC6.6 | APP 11 | Req. 9 | Provider | Data centre SOC 2 reports, hosting provider attestations |
| PCI Scope Management | A.5.20 | CC6.6 | – | SAQ A / A-EP scoping | CTO | SAQ A or A-EP self-assessment, Stripe Checkout vs Elements design evidence |
## Usage
- Owner column: currently all CTO, but can be delegated (e.g., Dev Lead for SDLC, Ops Lead for backups).
- Evidence cadence: Access reviews (quarterly), vuln scans (monthly), backups (weekly + annual test), IR tabletop (annual), risk register (annual).
- Client pack: export rows with Owner + Evidence → becomes your “Trust Pack” appendix for assessments.
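The two bullets above describe a small procedure: pull the Owner and Evidence columns out of the matrix into a "Trust Pack" appendix, and track each control's evidence against its stated cadence. The following is an added example (not part of the original matrix or any product) that does both from the table text on this page. The `MATRIX_MD` string carries a subset of the page's own rows; `CADENCE_DAYS` follows the "Evidence cadence" bullet; `LAST_EVIDENCE` and `TODAY` are constructed sample values used to show how an overdue or missing evidence item is reported.

```python
"""Build a Trust Pack appendix and an evidence-cadence check from the control matrix.

Added example; the table rows are copied from the matrix above, the cadence
values follow the "Evidence cadence" bullet, and the evidence dates are
constructed sample data.
"""
from datetime import date
from typing import Dict, List, Optional

# Subset of the matrix rows (page's own content), in the page's markdown layout.
MATRIX_MD = """\
| Control Area | ISO 27001:2022 | SOC 2 (TSC) | AU APPs / NDB | PCI DSS (SAQ A/A-EP) | Owner | Evidence |
|---|---|---|---|---|---|---|
| Identity & Access Management | A.5.15, A.5.18 | CC6.1, CC6.2 | APP 11 (security) | Req. 7–8 (restrict access) | CTO | Quarterly access review exports (Google Workspace, Git, prod DB), SSO/MFA screenshots |
| Backups & Recovery | A.8.13 | CC7.4 | APP 11 | Req. 9.5 (if in scope) | CTO | Backup logs, restore test evidence, Wasabi Object Lock config |
| Vulnerability Mgmt | A.8.8 | CC7.1 | APP 11 | Req. 6.3, 11.2 | CTO | Monthly vuln scan reports, patch tickets closed ≤14 days |
| Incident Response & Breach Notification | A.5.26, A.5.29 | CC7.4 | APP 11, NDB scheme | Req. 12.10 | CTO | IR playbooks, tabletop minutes, notification templates |
| Physical Security (Hosting providers) | A.7.4 | CC6.6 | APP 11 | Req. 9 | Provider | Data centre SOC 2 reports, hosting provider attestations |
| PCI Scope Management | A.5.20 | CC6.6 | – | SAQ A / A-EP scoping | CTO | SAQ A or A-EP self-assessment, Stripe Checkout vs Elements design evidence |
"""

# Maximum age of evidence per control area, from the "Evidence cadence" bullet.
# The annual restore test and annual risk-register review would be tracked as
# separate items; only the recurring evidence is modelled here.
CADENCE_DAYS: Dict[str, int] = {
    "Identity & Access Management": 90,              # access reviews: quarterly
    "Vulnerability Mgmt": 30,                        # vuln scans: monthly
    "Backups & Recovery": 7,                         # backups: weekly
    "Incident Response & Breach Notification": 365,  # IR tabletop: annual
}

# Constructed sample data: date of the most recent evidence artefact per control.
TODAY = date(2024, 6, 30)
LAST_EVIDENCE: Dict[str, date] = {
    "Identity & Access Management": date(2024, 4, 15),  # 76 days old: within 90
    "Vulnerability Mgmt": date(2024, 5, 1),             # 60 days old: 30 days late
    "Backups & Recovery": date(2024, 6, 28),            # 2 days old: fine
    # No entry for Incident Response: the tabletop has never been evidenced.
}


def parse_matrix(md: str) -> List[Dict[str, str]]:
    """Parse a pipe-delimited markdown table into one dict per data row."""
    lines = [ln.strip() for ln in md.strip().splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[2:]:  # skip the header row and the |---| separator row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed row (expected {len(header)} cells): {line}")
        rows.append(dict(zip(header, cells)))
    return rows


def render_trust_pack(rows: List[Dict[str, str]]) -> str:
    """Emit only the Control Area, Owner and Evidence columns as a markdown appendix."""
    out = ["| Control Area | Owner | Evidence |", "|---|---|---|"]
    out += [f"| {r['Control Area']} | {r['Owner']} | {r['Evidence']} |" for r in rows]
    return "\n".join(out)


def overdue_evidence(rows: List[Dict[str, str]], last_evidence: Dict[str, date],
                     today: date) -> Dict[str, Optional[int]]:
    """Map each control with a cadence to how many days its evidence is overdue.

    Controls with fresh evidence are omitted; a control with no evidence at all
    maps to None so it is visibly distinct from a merely late one.
    """
    result: Dict[str, Optional[int]] = {}
    for r in rows:
        area = r["Control Area"]
        if area not in CADENCE_DAYS:
            continue
        last = last_evidence.get(area)
        if last is None:
            result[area] = None
            continue
        age = (today - last).days
        if age > CADENCE_DAYS[area]:
            result[area] = age - CADENCE_DAYS[area]
    return result


if __name__ == "__main__":
    matrix = parse_matrix(MATRIX_MD)
    print(render_trust_pack(matrix))
    print()
    for area, late in overdue_evidence(matrix, LAST_EVIDENCE, TODAY).items():
        print(f"{area}: {'no evidence on file' if late is None else f'{late} days overdue'}")
```

Keeping the cadence in a table next to the evidence dates makes the assessment-readiness check a one-liner to re-run before each client pack export, and the distinction between "late" and "never evidenced" is what an assessor will ask about first.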