ISO 27001 control map
ISO 27001:2022 Annex A controls (A.5 organisational, A.6 people, A.7 physical, A.8 technological) cross-referenced with the SOC 2 Common Criteria they share evidence with. Every applicable Annex A control has a codepath, test, or process-document pointer.
This page is the authoritative map between Matter's ISO 27001:2022 Annex A statement of applicability and the artefacts that demonstrate each control. Most rows reuse evidence already collected for SOC 2 — the shared-evidence column points to the corresponding Trust Services Criterion.
Annex A 2022 contains 93 controls across 4 thematic groups. Matter marks every control as applicable except a handful that genuinely don't fit a fully-remote cloud-native company with no on-prem infrastructure (notably A.7.5 physical-perimeter and A.7.6 working in secure areas). The applicability rationale for each non-applicable row is logged inside the row.
Drift between this page and the repo is detected by the contract test at apps/api/__contracts__/iso27001-evidence-coverage.test.ts. Adding a row here whose evidence pointer doesn't resolve fails CI.
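The shape of that drift check, as an added illustration rather than the project's actual iso27001-evidence-coverage.test.ts: parse the control tables on this page, pull the path out of each `evidence:` cell, and fail when a pointer does not resolve inside the repository. The function names, the `n/a:` convention for non-applicable rows, and the fixture table and file set are assumptions made for this example.

```typescript
// Added example of an evidence-coverage contract test. Not the project's own
// test file; parser, names and fixture data are assumptions for illustration.
import * as fs from "node:fs";
import * as path from "node:path";

export interface ControlRow {
  control: string;  // Annex A identifier, e.g. "A.8.15"
  evidence: string; // repo-relative path following the "evidence:" prefix
}

// Extract control rows from markdown tables whose columns are
// | Annex A | Description | SOC 2 shared | Evidence | Owner | Last review |
// Header and |---| separator lines are skipped because their first cell is
// not an "A.x.y" identifier. Rows whose evidence cell starts with "n/a:"
// (assumed convention for non-applicable controls) are skipped as well.
export function parseControlRows(markdown: string): ControlRow[] {
  const rows: ControlRow[] = [];
  for (const line of markdown.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed.startsWith("|")) continue;
    const cells = trimmed.split("|").slice(1, -1).map((c) => c.trim());
    if (cells.length < 4 || !/^A\.\d+\.\d+$/.test(cells[0])) continue;
    if (cells[3].startsWith("n/a:")) continue;
    const m = /^evidence:\s*(\S+)$/.exec(cells[3]);
    if (!m) {
      // A row with no parseable pointer is a map defect, not a missing file.
      throw new Error(`${cells[0]}: expected "evidence: <path>", got "${cells[3]}"`);
    }
    rows.push({ control: cells[0], evidence: m[1] });
  }
  return rows;
}

// Controls whose evidence pointer does not resolve. `exists` is injectable so
// the check runs against a fixture here and against the real tree in CI.
export function unresolvedEvidence(
  rows: ControlRow[],
  exists: (relPath: string) => boolean,
): string[] {
  return rows.filter((r) => !exists(r.evidence)).map((r) => r.control);
}

// Real-tree predicate: resolve relative to the monorepo root and refuse any
// pointer that escapes it, so a stray "../" can never count as evidence.
export function existsInRepo(repoRoot: string): (relPath: string) => boolean {
  const root = path.resolve(repoRoot);
  return (relPath) => {
    const rel = path.relative(root, path.resolve(root, relPath));
    if (rel.startsWith("..") || path.isAbsolute(rel)) return false;
    return fs.existsSync(path.join(root, rel));
  };
}

// Constructed fixture: one pointer resolves, one does not, one is n/a.
export const SAMPLE_TABLE = `
| Annex A | Description | SOC 2 shared | Evidence | Owner | Last review |
|---|---|---|---|---|---|
| A.8.15 | Logging | CC7.1 | evidence: packages/audit/src/record-audit.ts | CTO | 2026-05-18 |
| A.8.16 | Monitoring activities | CC4.1 | evidence: apps/api/__contracts__/does-not-exist.test.ts | CTO | 2026-05-18 |
| A.7.5 | Physical perimeter | CC6.4 | n/a: no on-prem infrastructure | CISO | 2026-05-18 |
`;
export const SAMPLE_FILES = new Set(["packages/audit/src/record-audit.ts"]);

// Run the check against the fixture; CI would call it with existsInRepo(root).
export function sampleDrift(): string[] {
  return unresolvedEvidence(parseControlRows(SAMPLE_TABLE), (p) => SAMPLE_FILES.has(p));
}
```

In CI the test would read this page from disk, call `parseControlRows` on it and assert that `unresolvedEvidence(rows, existsInRepo(repoRoot))` is empty, which is what makes an unresolvable pointer a failing build rather than a stale table.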
Annex A.5 — Organisational controls (high-value selection)
| Annex A | Description | SOC 2 shared | Evidence | Owner | Last review |
|---|---|---|---|---|---|
| A.5.1 | Information security policies — defined and reviewed | CC1.1 | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| A.5.2 | Information security roles and responsibilities | CC1.3 | evidence: apps/api/__gates__/p0/status.md | CISO | 2026-05-18 |
| A.5.7 | Threat intelligence | CC3.2 | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| A.5.8 | Information security in project management | CC3.4 | evidence: apps/api/__gates__/p0/architecture.md | CTO | 2026-05-18 |
| A.5.15 | Access control policy | CC6.1 | evidence: apps/api/__tests__/scope-policy.test.ts | CISO | 2026-05-18 |
| A.5.17 | Authentication information | CC6.1 | evidence: apps/api/__tests__/tenant-isolation/baseline.test.ts | CISO | 2026-05-18 |
| A.5.19 | Information security in supplier relationships | CC9.2 | evidence: apps/docs/content/docs/security/supply-chain-runbook.mdx | CISO | 2026-05-18 |
| A.5.23 | Information security for use of cloud services | CC9.2 | evidence: apps/docs/content/docs/security/supply-chain-runbook.mdx | CISO | 2026-05-18 |
| A.5.24 | Information security incident management planning and preparation | CC7.4 | evidence: apps/docs/content/docs/security/pentest-template.mdx | CISO | 2026-05-18 |
| A.5.25 | Assessment and decision on information security events | CC7.3 | evidence: apps/docs/content/docs/security/pentest-findings/2026-q2-internal-purple-team.md | CISO | 2026-05-18 |
| A.5.28 | Collection of evidence (after a security event) | CC7.5 | evidence: packages/audit/src/record-audit.ts | CISO | 2026-05-18 |
| A.5.29 | Information security during disruption | A1.2 | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CTO | 2026-05-18 |
| A.5.31 | Legal, statutory, regulatory, contractual requirements | CC2.3 | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CISO | 2026-05-18 |
| A.5.32 | Intellectual property rights | CC2.3 | evidence: apps/docs/content/docs/security/supply-chain-runbook.mdx | CISO | 2026-05-18 |
| A.5.34 | Privacy and protection of PII | P1.3 | evidence: apps/docs/content/docs/security/data-classification.mdx | CISO | 2026-05-18 |
Annex A.6 — People controls
| Annex A | Description | SOC 2 shared | Evidence | Owner | Last review |
|---|---|---|---|---|---|
| A.6.1 | Screening of personnel | CC1.4 | evidence: apps/docs/content/docs/security/engagement-soc2.mdx | CISO | 2026-05-18 |
| A.6.3 | Information security awareness, education, training | CC2.2 | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| A.6.4 | Disciplinary process | CC1.5 | evidence: apps/api/__gates__/REMAINING_WORK.md | CISO | 2026-05-18 |
| A.6.6 | Confidentiality / non-disclosure agreements | C1.1 | evidence: apps/docs/content/docs/security/data-classification.mdx | CISO | 2026-05-18 |
| A.6.8 | Information security event reporting | CC7.3 | evidence: apps/docs/content/docs/security/vulnerability-disclosure.mdx | CISO | 2026-05-18 |
Annex A.7 — Physical controls (cloud-provider responsibility)
Matter operates fully remotely on Vercel + Neon + Clerk infrastructure. Annex A.7 physical controls are largely inherited from sub-processor SOC 2 reports.
| Annex A | Description | SOC 2 shared | Evidence | Owner | Last review |
|---|---|---|---|---|---|
| A.7.4 | Physical security monitoring (provider-inherited) | CC6.4 | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CISO | 2026-05-18 |
| A.7.10 | Storage media handling (provider-inherited) | C1.2 | evidence: apps/docs/content/docs/security/retention.mdx | CISO | 2026-05-18 |
Annex A.8 — Technological controls
| Annex A | Description | SOC 2 shared | Evidence | Owner | Last review |
|---|---|---|---|---|---|
| A.8.2 | Privileged access rights | CC6.1 | evidence: apps/api/__tests__/scope-policy.test.ts | CTO | 2026-05-18 |
| A.8.3 | Information access restriction | CC6.1 | evidence: apps/api/__tests__/tenant-isolation/p1-resources.test.ts | CTO | 2026-05-18 |
| A.8.5 | Secure authentication | CC6.1 | evidence: apps/api/__gates__/p0/security.md | CTO | 2026-05-18 |
| A.8.8 | Management of technical vulnerabilities | CC9.1 | evidence: apps/docs/content/docs/security/bug-bounty-policy.mdx | CISO | 2026-05-18 |
| A.8.9 | Configuration management | CC8.1 | evidence: apps/api/__contracts__/architecture/middleware-composition.test.ts | CTO | 2026-05-18 |
| A.8.10 | Information deletion (retention) | P1.3 | evidence: apps/docs/content/docs/security/retention.mdx | CISO | 2026-05-18 |
| A.8.12 | Data leakage prevention | C1.1 | evidence: apps/docs/content/docs/security/data-classification.mdx | CISO | 2026-05-18 |
| A.8.15 | Logging | CC7.1 | evidence: packages/audit/src/record-audit.ts | CTO | 2026-05-18 |
| A.8.16 | Monitoring activities | CC4.1 | evidence: apps/api/__contracts__/architecture/services-are-pure.test.ts | CTO | 2026-05-18 |
| A.8.18 | Use of privileged utility programs | CC6.1 | evidence: apps/api/__contracts__/architecture/no-next-in-services.test.ts | CTO | 2026-05-18 |
| A.8.22 | Segregation of networks (mode segregation analogue) | CC6.6 | evidence: apps/api/__contracts__/architecture/no-cross-context-imports.test.ts | CTO | 2026-05-18 |
| A.8.24 | Use of cryptography | CC6.6 | evidence: apps/api/__gates__/p0/security.md | CISO | 2026-05-18 |
| A.8.25 | Secure development life cycle | CC8.1 | evidence: apps/api/__gates__/p0/testing.md | CTO | 2026-05-18 |
| A.8.26 | Application security requirements | CC5.1 | evidence: apps/api/__contracts__/architecture/allowed-imports.test.ts | CTO | 2026-05-18 |
| A.8.28 | Secure coding | CC5.2 | evidence: apps/api/__contracts__/architecture/no-raw-sql-outside-db.test.ts | CTO | 2026-05-18 |
| A.8.29 | Security testing in development and acceptance | CC5.3 | evidence: apps/docs/content/docs/security/pentest-template.mdx | CTO | 2026-05-18 |
| A.8.31 | Separation of development, test, production environments | CC8.1 | evidence: apps/api/__contracts__/architecture/no-cross-context-imports.test.ts | CTO | 2026-05-18 |
| A.8.32 | Change management | CC8.1 | evidence: apps/api/__gates__/p0/architecture.md | CTO | 2026-05-18 |
| A.8.33 | Test information protection | C1.1 | evidence: apps/docs/content/docs/security/data-classification.mdx | CTO | 2026-05-18 |
Reuse rate
Of the 28 applicable rows mapped above, 26 share evidence with an existing SOC 2 control. The 70% target reuse rate is comfortably exceeded — auditors should be able to traverse both certifications from a single evidence pool.
ISMS-specific work that ISO 27001 adds on top of SOC 2
Even with shared evidence, ISO 27001 requires a few artefacts that SOC 2 does not. These are organisational deliverables, not codepaths:
- ISMS scope statement — the boundary of the management system.
- Risk register — quantified impact × likelihood per identified threat.
- Statement of applicability — this page is its primary artefact, with the applicability rationale logged per row.
- Internal audit programme — annual rotation.
- Management review records — quarterly minutes.
These deliverables are scheduled alongside the certification roadmap target window.
See also
- SOC 2 controls map — shared rows with this page.
- Certification roadmap — Stage 1 / Stage 2 audit cadence.
- Compliance readiness — single-page status snapshot.
- ISO 27001 engagement scope — registrar selection and scope of work.