Skip to main content

ISO 27001:2022: Vectimus Mapping

ISO 27001:2022 Annex A defines 93 controls across four themes: organisational, people, physical and technological. Vectimus maps to the technological controls (A.8) and one organisational control (A.5.23) where AI agent actions produce enforceable tool calls.

This document maps Vectimus policies to specific Annex A controls. Vectimus is a tool-level enforcement layer. It does not replace an Information Security Management System (ISMS) or the broader organisational and people controls required for certification.

A.8.2: Privileged Access Rights

Coverage: PARTIAL

Vectimus restricts privileged actions that AI agents attempt:

  • Blocks privilege escalation via sudo, su and cloud CLI role assumption
  • Blocks infrastructure mutations (terraform apply/destroy, kubectl delete, cloud resource creation) that require elevated access
  • Blocks chmod 777 and other broad permission changes

Key rules: infrastructure (001-008), destructive-ops (004)

A.8.3: Information Access Restriction

Coverage: HIGH

  • Credential protection: Blocks agent reads of .env files, SSH keys, AWS credentials, npmrc tokens and secrets directories
  • Database access: Blocks direct database CLI access, destructive ORM commands, migration destruction and credential harvesting from database config files
  • MCP input inspection: Blocks MCP tool calls whose inputs reference credential paths or private keys

Key rules: secrets (001-004), database (001-008), infrastructure (005-006), mcp-safety (003-007), file-integrity (006)

A.8.6: Capacity Management

Coverage: PARTIAL

Vectimus prevents resource exhaustion from AI agent actions:

  • Blocks fork bombs and recursive process spawning
  • Blocks agent spawning with excessive turn counts that could exhaust compute

Key rules: destructive-ops (005), agent-governance (003)

A.8.9: Configuration Management

Coverage: HIGH

Vectimus protects configuration integrity across multiple domains:

  • CI/CD: Blocks writes to GitHub Actions workflows, GitLab CI configs, Jenkinsfiles, CircleCI configs
  • Containers: Blocks writes to production Dockerfiles and docker-compose
  • IDE and tool configs: Blocks writes to .vscode, .cursor, .claude settings and hook configurations
  • Governance self-protection: Blocks agents from modifying Vectimus config, running vectimus CLI commands or writing to audit logs
  • MCP server control: Default-deny for all MCP servers with explicit allowlisting

Key rules: file-integrity (001-012), agent-governance (001-005), destructive-ops (001-003), mcp-safety (001-002)

A.8.15: Logging

Coverage: HIGH

Every Vectimus evaluation is logged to structured JSONL:

  • Action attempted (command, file path, tool name)
  • Policy that matched and the decision (allow/deny/escalate)
  • Timestamp, rule ID, description and incident reference
  • Suggested alternative for denied actions

Audit logs are protected by policy: agents cannot write to or delete log files.

Key rules: agent-governance (004-005)

A.8.23: Web Filtering

Coverage: PARTIAL

Vectimus detects dangerous outbound patterns in agent commands:

  • Reverse shell connections to external hosts
  • Download-and-execute chains (curl|sh, wget|bash)
  • Data exfiltration via HTTP, DNS tunnelling and encoded payloads
  • eval/exec patterns that execute remotely-sourced code

Key rules: code-execution (001-005), data-exfiltration (001-003)

A.8.25: Secure Development Lifecycle

Coverage: HIGH

Vectimus protects development artifacts and supply chain integrity:

  • Package lockfiles: Blocks direct modification of lockfiles across npm, yarn, pnpm, pip, poetry, uv, cargo, bundler and composer
  • Registry configuration: Blocks writes to .npmrc, .pypirc, pip.conf and cargo config
  • Git integrity: Blocks force push to protected branches, git reset —hard, git clean -f and writes to .git directory
  • Publishing: Blocks npm publish and other package publishing commands

Key rules: supply-chain (001-008), git-safety (001-003)

A.5.23: Information Security for Cloud Services

Coverage: PARTIAL

Vectimus restricts AI agent interactions with cloud services:

  • Blocks MCP tool calls to unapproved external services
  • Blocks data exfiltration to external endpoints
  • Inspects MCP inputs for credential paths and dangerous parameters

Key rules: mcp-safety (001-007), data-exfiltration (001-003)

Summary

ControlNameCoveragePolicy packs
A.5.23Cloud servicesPARTIALmcp-safety, data-exfiltration
A.8.2Privileged access rightsPARTIALinfrastructure, destructive-ops
A.8.3Information access restrictionHIGHsecrets, database, mcp-safety
A.8.6Capacity managementPARTIALdestructive-ops, agent-governance
A.8.9Configuration managementHIGHfile-integrity, agent-governance, mcp-safety
A.8.15LoggingHIGHAll packs (audit trail)
A.8.23Web filteringPARTIALcode-execution, data-exfiltration
A.8.25Secure development lifecycleHIGHsupply-chain, git-safety

What Vectimus does not cover

ISO 27001 certification requires an ISMS with organisational, people and physical controls that sit outside tool-level enforcement:

  • Organisational controls (A.5): Policies, roles, segregation of duties, threat intelligence, supplier management (except A.5.23 partial coverage)
  • People controls (A.6): Screening, awareness, disciplinary processes
  • Physical controls (A.7): Perimeters, offices, equipment, storage media
  • Technology controls not covered: A.8.1 (user endpoints), A.8.5 (authentication), A.8.7 (malware protection), A.8.12 (data leakage via DLP), A.8.16 (monitoring dashboards), A.8.24 (cryptography)

Organisations should treat Vectimus as one technology control within their broader ISMS, not as a replacement for certification readiness.