ISO 27001:2022 is the international standard for information security management systems. The 2022 revision added 11 new controls to Annex A that have significant relevance for organisations operating AI systems. But even with these additions, applying ISO 27001 to LLMs, RAG pipelines, and AI agents requires deliberate extension — the standard's language is technology-agnostic and needs interpretation in an AI context.
New Annex A Controls Relevant to AI (ISO 27001:2022)
A.5.7 — Threat Intelligence
Requires collection and analysis of information about threats. For AI systems, this extends to monitoring OWASP LLM Top 10 updates, tracking published AI attack research, and maintaining awareness of novel prompt injection and extraction techniques relevant to your model and deployment architecture.
A.5.23 — Information Security for Use of Cloud Services
Directly applicable to organisations using foundation model APIs (OpenAI, Anthropic, Google Vertex AI, AWS Bedrock). Your ISMS must document data handling agreements with model providers, classify what data is sent to external APIs, and assess the security posture of those providers as part of your supplier management program.
A.8.25 — Secure Development Lifecycle
For AI systems, the secure development lifecycle must include: security requirements for AI components (including adversarial robustness requirements), security testing of AI pipelines (prompt injection testing, RAG boundary testing), and security review of prompt templates and system instructions as part of change management.
A.8.16 — Monitoring Activities
Monitoring must extend to AI-specific anomaly detection: unusual query patterns suggesting extraction attacks, anomalous model outputs indicating jailbreak attempts, and API consumption spikes suggesting denial-of-service probing.
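Two of the signals above (API consumption spikes and unusual query patterns) can be expressed as detection logic over gateway logs. The following is an added example, not code from the original post: the log format, client names, prompts and thresholds are constructed assumptions, and the heuristics are illustrative starting points, not a complete detector.

```python
from collections import defaultdict
from statistics import median

BASE_PROMPTS = ("summarise this ticket", "draft a reply", "classify the sentiment")

def build_sample_log():
    """Constructed gateway records (minute, client, prompt); not real data."""
    log = [(m, c, p) for m in range(10)
           for c in ("app-a", "app-b", "app-c") for p in BASE_PROMPTS]
    log += [(7, "app-b", "ping")] * 60            # burst inside one minute
    log += [(n // 5, "app-c", f"label input sample {n}") for n in range(50)]
    return log

def consumption_spikes(log, k=5.0):
    """Flag (client, minute, count) where count exceeds the client's own
    median per-minute volume by more than k * MAD (MAD floored at 1)."""
    per_client = defaultdict(lambda: defaultdict(int))
    for minute, client, _ in log:
        per_client[client][minute] += 1
    alerts = []
    for client, by_minute in sorted(per_client.items()):
        counts = list(by_minute.values())
        med = median(counts)
        mad = max(median(abs(c - med) for c in counts), 1)
        alerts += [(client, m, c) for m, c in sorted(by_minute.items())
                   if c > med + k * mad]
    return alerts

def enumeration_suspects(log, prefix_words=3, min_variants=25):
    """Flag (client, template, variants) where one prompt prefix is reused
    with many distinct endings, a pattern consistent with systematic
    querying for model or data extraction."""
    variants = defaultdict(set)
    for _, client, prompt in log:
        template = " ".join(prompt.split()[:prefix_words])
        variants[(client, template)].add(prompt)
    return sorted((c, t, len(v)) for (c, t), v in variants.items()
                  if len(v) >= min_variants)

if __name__ == "__main__":
    sample = build_sample_log()
    for alert in consumption_spikes(sample):
        print("consumption spike:", alert)
    for alert in enumeration_suspects(sample):
        print("templated enumeration:", alert)
```

Baselining each client against its own history keeps a steadily busy client (app-c here) from raising volume alerts while still surfacing its templated query pattern through the second check.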
Mapping Existing Controls to AI-Specific Risks
A.8.24 — Use of Cryptography
Standard application: Encryption of data in transit and at rest.
AI extension: Encryption of vector embeddings in the database (mitigating embedding inversion attacks). Encryption of fine-tuning datasets. Secure storage of model weights and prompt templates.
A.8.8 — Management of Technical Vulnerabilities
Standard application: Patch management for software components.
AI extension: Version management for model checkpoints and base model updates. Evaluation of security impact when upgrading to new model versions or switching foundation model providers. Tracking of published vulnerabilities in AI frameworks (LangChain, LlamaIndex, Hugging Face Transformers).
A.5.10 — Acceptable Use of Information and Other Associated Assets
Standard application: Acceptable use policy for corporate assets.
AI extension: Policy for acceptable use of AI systems by employees and external users. Prohibited input categories. Data retention policies for conversation logs and retrieval queries.
A.5.29 — Information Security During Disruption
Standard application: Business continuity for critical systems.
AI extension: Fallback procedures when AI components are unavailable or producing anomalous outputs. Human override mechanisms for AI-assisted decisions. Testing of failover to non-AI alternatives for critical workflows.
Conducting an AI Security Gap Analysis
Start your gap analysis by mapping your AI system architecture to the relevant Annex A controls. For each control, answer three questions:
- Does the control as currently implemented address AI-specific risks? (Your A.8.8 patch management process may handle software CVEs but not model version security.)
- Are AI components documented as assets within scope of the ISMS? (LLM APIs, vector databases, prompt templates, and fine-tuning datasets should all be in your asset register.)
- Does your risk assessment include AI-specific threat scenarios? (Prompt injection, RAG exfiltration, agent hijacking, and training data poisoning should appear in your risk register with assessed likelihood and impact.)
Gaps identified in this analysis become implementation work items tied to specific Annex A controls. Document the gap, the planned control implementation, the responsible owner, and the target completion date — the same format your ISO 27001 auditor expects for any open remediation item.
Evidence for AI-Related Controls in Your Stage 2 Audit
Your ISO 27001 Stage 2 auditor will sample evidence for implemented controls. For AI-extended controls, prepare:
- AI system architecture diagrams showing data flows through model APIs, retrieval systems, and agent orchestration.
- AI security penetration test report (covering OWASP LLM Top 10) as evidence for A.8.8 and A.5.7.
- Data processing agreements with foundation model providers as evidence for A.5.23.
- AI incident response playbook and evidence of tabletop exercises.
- Monitoring dashboards showing AI-specific anomaly detection alerts.
Key Takeaways
- This post covers practical, actionable guidance for security and engineering teams.
- All findings and techniques are mapped to recognised frameworks (OWASP, NIST, ISO).
- Contact Vynox Security to test your systems against the vulnerabilities described here.