SBCMSP maps your external vulnerability scans, internal agent checks, and M365 assessments directly to ISO 27001:2022 Annex A controls, generating audit-ready evidence packages for every client, automatically.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). The 2022 revision restructured 114 controls in 14 domains into 93 controls in 4 themes, reflecting how modern security risks have shifted toward cloud, identity, and supply chain.
For MSP clients, ISO 27001 certification demonstrates to customers, partners, and regulators that security is managed systematically rather than reactively. It's increasingly required for SaaS companies, financial services firms, and businesses handling sensitive healthcare or government data.
For MSPs, ISO 27001 is both a service opportunity and a compliance requirement: many MSPs are being asked by clients to demonstrate their own ISO 27001 alignment as part of vendor security questionnaires.
The SBCMSP ISO 27001 assessment is not a certification; that requires a formal audit by an accredited certification body. It is a technical controls assessment that gives you and your clients a defensible baseline of which Annex A controls are passing, which are failing, and what evidence exists to support each one.
93 controls across 4 themes. Here are the technical controls our scanner maps to directly:
Anti-malware configured and active. Maps to SBCMSP Agent endpoint protection checks.
Vulnerability scanning, patch management, and remediation tracking. Core SBCMSP capability: 673 external + 200 internal checks.
Secure system configurations, hardening baselines, and change detection. Maps to CIS benchmark checks in the SBCMSP Agent.
Network controls, firewall configuration, port exposure, and segmentation. Maps to external port scanning and internal network checks.
Secure TLS configuration, encryption in transit, certificate validity. Maps to TLS/SSL checks including protocol versions and cipher suites.
Security headers, content security policy, and web application protection. Maps to 14 HTTP header checks.
Encryption at rest and in transit, certificate management, TLS versions. Maps to encryption checks and SSL/TLS controls.
Secure coding practices, injection prevention, and application security testing. Maps to injection and API security checks.
Secure email transmission policies (SPF, DMARC, DKIM), encryption, and data loss controls. Maps to 10-check DNS intelligence.
MFA enforcement, conditional access, password policies, and privileged access. Maps to M365 assessment and AD security checks.
Admin account management, service account security, and privileged user monitoring. Maps to Active Directory and login anomaly checks.
Continuous monitoring, audit logging, and change detection. Maps to uptime monitoring, DNS change detection, and internal change detection module.
Every finding produced by SBCMSP's scanner, internal agent, and M365 assessment is pre-mapped to its relevant ISO 27001:2022 Annex A controls. When you generate a compliance report, the mapping is applied automatically; no manual crosswalk is required.
| ISO 27001 Control | Finding Examples | Source |
|---|---|---|
| A.8.21 Security of Network Services | TLS 1.0/1.1 enabled, HSTS missing, weak cipher suite, self-signed certificate, certificate expiry | External |
| A.8.23 Web Filtering | Content-Security-Policy missing, X-Frame-Options absent, HSTS not configured, Permissions-Policy missing | External |
| A.5.14 Information Transfer | DMARC not enforced (p=none or missing), SPF missing, DKIM absent, MTA-STS not configured, BIMI absent | External |
| A.8.8 Management of Technical Vulnerabilities | Open admin interfaces (phpMyAdmin, Kibana), exposed databases, default credentials, missing patches | External, Internal |
| A.8.5 Secure Authentication | MFA not enforced in M365, legacy authentication not blocked, global admin count excessive | M365, Internal |
| A.8.2 Privileged Access Rights | Excessive local administrators, stale admin accounts, service accounts with excessive permissions | Internal |
| A.8.24 Use of Cryptography | BitLocker not enabled, unencrypted sensitive data paths, weak encryption algorithms | Internal |
| A.8.9 Configuration Management | CIS benchmark failures, PowerShell logging not enabled, AppLocker not configured, NTLMv1 enabled | Internal |
All 673 external checks, 200 internal checks, and 100 M365 checks are mapped to ISO 27001:2022 Annex A controls with zero gaps. The compliance report PDF includes the full control mapping table with pass/fail status per control.
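As an added example (not SBCMSP's own code), the following Python evaluates constructed DNS and TLS scan evidence for one client domain against two of the controls in the table above, A.5.14 and A.8.21, and emits the per-control pass/fail status the mapping describes. The evidence dictionaries, the sample records, and the finding strings are assumptions modelled on the table's examples.

```python
# Added example, not SBCMSP code: score constructed scan evidence against
# two Annex A controls from the mapping table above.
A_5_14 = "A.5.14 Information Transfer"
A_8_21 = "A.8.21 Security of Network Services"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if absent/invalid."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def check_information_transfer(dns):
    """A.5.14 evidence: SPF present and DMARC at quarantine/reject."""
    findings = []
    if not dns.get("spf"):
        findings.append("SPF missing")
    dmarc = parse_dmarc(dns.get("dmarc"))
    if dmarc is None or dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC not enforced (p=none or missing)")
    return A_5_14, findings

def check_network_services(tls):
    """A.8.21 evidence: no legacy TLS, HSTS set, trusted certificate."""
    findings = [f"{p} enabled" for p in ("TLSv1.0", "TLSv1.1")
                if p in tls["protocols"]]
    if not tls.get("hsts"):
        findings.append("HSTS missing")
    if tls.get("self_signed"):
        findings.append("self-signed certificate")
    return A_8_21, findings

def assess(evidence):
    """Return {control: (PASS|FAIL, findings)} for one client's evidence."""
    checks = (check_information_transfer(evidence["dns"]),
              check_network_services(evidence["tls"]))
    return {c: ("FAIL" if f else "PASS", f) for c, f in checks}

# Constructed sample evidence for a hypothetical client domain.
SAMPLE = {
    "dns": {"spf": "v=spf1 include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"},
    "tls": {"protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"], "hsts": False},
}
if __name__ == "__main__":
    for control, (status, findings) in assess(SAMPLE).items():
        print(status, control, "; ".join(findings) or "no findings")
```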
ISO 27001 auditors need evidence. SBCMSP generates timestamped artifacts that document your clients' security posture at a point in time.
White-labeled PDF with executive summary, Annex A control mapping, finding detail by severity, and remediation roadmap.
Each scan result is stored with an exact UTC timestamp. Auditors can see the security posture at any point in history.
One-click export of all compliance evidence for a client (scan reports, findings history, remediation records) as a ZIP archive for auditors.
Compliance workflow tracks client acknowledgment of findings with named signature and timestamp, creating an audit trail of remediation approvals.
No. ISO 27001 certification requires a formal audit by an ISO/IEC 17021-1 accredited certification body, a process that typically takes several months and costs thousands. SBCMSP provides a technical controls assessment that helps you prepare for certification, demonstrate posture to clients and auditors, and maintain evidence between formal audit cycles.
ISO 27001 includes organizational and people controls (HR security, asset management policies, security awareness) that can't be assessed by a technical scanner. SBCMSP's report clearly distinguishes between controls with technical evidence and those requiring management attestation, so you know exactly what documentation to collect separately.
The 2022 revision restructured controls from 114 in 14 domains to 93 controls in 4 themes, added 11 new controls, and updated 24 controls to reflect cloud, supply chain, and threat intelligence realities. Organizations certified to the 2013 standard had a transition deadline of October 31, 2025. SBCMSP maps to the 2022 Annex A structure exclusively.
SBCMSP generates reports per domain/client on demand or on a scheduled basis. You can set up weekly or monthly scheduled report delivery to automatically send ISO 27001 PDFs to each client. Bulk generation across all domains in a workspace is available on Business and Enterprise plans.
SBCMSP includes 10 frameworks: CIS Controls v8, SOC 2 Type II, NIST CSF 1.1, NIST CSF 2.0, ISO 27001:2022, HIPAA Security Rule, PCI DSS v4.0, CMMC 2.0 Level 2, Cyber Essentials (UK), and FTC Safeguards Rule. All 673 external checks, 200 internal checks, and 100 M365 checks are mapped to all 10 frameworks with zero gaps.
Run a scan, generate the compliance report, and see exactly which Annex A controls are passing, failing, and need evidence. No setup fee. No consultant required.
Start Free Trial (no credit card). 14-day trial · All 10 compliance frameworks · Cancel anytime