ISO 27001:2022
Feature row 36 — Sprint COMP-3
ISO 27001 mapping is included on the Enterprise plan.
Scope
Behavry's ISO 27001:2022 module maps 8 of the Annex A controls that are directly affected by AI agent activity. It's a continuous evidence layer on top of your existing ISMS — not a replacement for one.
Source: backend/behavry/compliance/iso27001.py. UI: Compliance → ISO 27001.
Covered controls
| Annex A | Control | Behavry answer |
|---|---|---|
| A.5.15 | Access control | Agent Identity, Requester Identity Propagation |
| A.5.17 | Authentication information | Workflow tokens, credential encryption in SIEM destinations |
| A.8.3 | Information access restriction | Policy Engine, Context Gate, Blast Radius Limits |
| A.8.9 | Configuration management | Policy Writer version history, Change Requests |
| A.8.12 | Data leakage prevention | DLP Scanner, Cross-session DLP correlation |
| A.8.15 | Logging | Decision Trace, SIEM Connectors |
| A.8.16 | Monitoring activities | Behavioral Monitor, Intent Drift, Alerts |
| A.8.23 | Web filtering (for agents) | Inbound Rules domain matcher, Blast Radius URL limits |
Continuous status
Each control shows:
- Current status (green / amber / red) based on the last 30 days of evidence
- The query used to compute it
- A link to supporting audit events
- Trend over 90 days
Export
```
GET /api/v1/compliance/iso27001/export?format=pdf|csv|json
```
What's included in the PDF
- Cover page with tenant name, reporting period, logo
- Executive summary (overall posture, red-flag list)
- Per-control evidence sections with sample events
- Appendix with the methodology and the query definitions