Purpose: Central library for ISO standard alignment, crosswalks, and evidence mapping across the ICT Governance Framework.
Status: Active — June 2026
Maintainer: Compliance + Architecture
This library supports alignment and audit preparation. It is not a certification claim.
For remediation gates before external assessment, see Improvement Focus Areas.
docs/compliance/ISO/
├── README.md ← You are here
├── ISO-Standards-Reassessment-2026.md ← Latest posture review (June 2026)
├── ICT-Governance-Framework-ISO-Alignment.md ← Master map: entire framework ↔ ISO
├── ISO-Standards-Inventory.md ← Catalog of applicable ISO standards
├── standards/ ← Per-standard library entries
│ ├── ISO-IEC-38500-IT-Governance.md
│ ├── ISO-IEC-27001-Information-Security.md
│ ├── ISO-IEC-27002-Security-Controls.md
│ ├── ISO-31000-Risk-Management.md
│ ├── ISO-22301-Business-Continuity.md
│ ├── ISO-IEC-20000-Service-Management.md
│ ├── ISO-IEC-27017-Cloud-Security.md
│ ├── ISO-IEC-27018-Cloud-Privacy.md
│ ├── ISO-IEC-27701-Privacy-Management.md
│ └── ISO-IEC-42001-AI-Management.md
└── crosswalks/
├── ISO-38500-Framework-Crosswalk.md ← Six principles + EDM cycle
├── ISO-27001-Seven-Pillar-Crosswalk.md ← Annex A ↔ seven pillars
└── ISO-Standards-Implementation-Roadmap.md ← Prioritised remediation
| Role | Start here |
|---|---|
| Governance / board | ISO/IEC 38500 library entry · 38500 crosswalk |
| CISO / security | ISO/IEC 27001 library entry · Seven-pillar crosswalk |
| Risk | ISO 31000 library entry |
| BC / resilience | ISO 22301 library entry |
| Compliance officer | Reassessment 2026 · Implementation roadmap |
| Tenant / MSP delivery | Framework ISO alignment · ADPA iso38500-crosswalk template |
| Document | Relationship |
|---|---|
| ICT Governance Framework | Primary framework — ISO 38500 is foundational |
| ISO/IEC 38500 Governance Standards (regulatory) | Authoritative deep-dive for 38500 (retained in regulatory/) |
| A033 Applicable Regulatory Frameworks | Broader regulatory inventory (48 frameworks) |
| A034 Compliance ↔ Features Mapping | Feature-level mappings — reconciliation in progress (Gate A) |
| NIST CSF 2.0 Compliance Review | Parallel cybersecurity framework assessment |
| Improvement Focus Areas | Remediation gates before attestation |
| Tier | Standards | Framework role |
|---|---|---|
| Tier 1 — Foundational | ISO/IEC 38500, ISO/IEC 27001, ISO 31000, ISO 22301, ISO/IEC 20000-1 | Core governance, security, risk, continuity, service management |
| Tier 2 — Supporting | ISO/IEC 27002, 27017, 27018, 27701, ISO 9001 | Control detail, cloud, privacy extension, quality |
| Tier 3 — Emerging | ISO/IEC 42001, 23053, 30141, ISO 14001 | AI, IoT, sustainability |
See ISO Standards Inventory for the full catalog and Reassessment 2026 for evidence-based posture.
Generated tenant governance packs can include ISO crosswalks via ADPA:
adpa/templates/ict-governance/iso38500-crosswalk.template.mdadpa/coe/compliance-lineage-bridge.json (ISO 27001 control IDs)adpa/tenants/tenant-contoso-health/| Activity | Frequency | Owner |
|---|---|---|
| Reassess posture after major releases | Per release tag | Compliance |
| Update crosswalks when pillars or Annex A mappings change | Per sprint | Architecture |
| Reconcile A034 implementation tags | Until Gate A closed | Compliance + Dev |
| Add new ISO standards to inventory | As scoped | Compliance |
Last updated: June 2026 (v1.0-adaptive-governance)