GraphWarden and ISO 27001: how the proxy supports your Annex A controls
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Clauses 4-10 define the management-system requirements, and Annex A enumerates 93 reference controls organized into four themes: organizational (A.5), people (A.6), physical (A.7), and technological (A.8). For organizations running Microsoft 365 with Graph-integrated applications, several Annex A controls land on the API access surface. GraphWarden helps address those controls by centralizing access to Graph, producing structured audit events, and keeping credentials inside your own Azure Key Vault. This document maps the most relevant Annex A controls to GraphWarden's capabilities, with explicit limits on the parts of ISO 27001 that remain your responsibility.
Who this document is for
ISO 27001 context
ISO/IEC 27001 was first published in 2005 and most recently revised in 2022. The 2022 revision updated the Annex A control catalogue from the 2013 edition (114 controls across 14 categories) to 93 controls organized under four themes (A.5 organizational, A.6 people, A.7 physical, A.8 technological). Certification is issued by accredited certification bodies after a three-stage surveillance cycle: Stage 1 (documentation review), Stage 2 (on-site audit of operating effectiveness), and ongoing surveillance audits until recertification at year three.
The main body of ISO 27001 consists of Clauses 4 through 10, which define the management-system obligations: context of the organization (Cl. 4), leadership (Cl. 5), planning (Cl. 6), support (Cl. 7), operation (Cl. 8), performance evaluation (Cl. 9), and improvement (Cl. 10). Annex A is a reference catalogue of controls; organizations select applicable controls based on their risk assessment and document the selection in a Statement of Applicability (SoA). The companion standard ISO/IEC 27002 provides implementation guidance for each Annex A control. GraphWarden maps most directly to controls in A.5 (organizational), A.8 (technological), and A.12.4 (logging), with supporting relevance to A.9 and A.18.
ISO 27001 mapping to GraphWarden capabilities
| Annex A control | GraphWarden capability | Status | Technical proof |
|---|---|---|---|
| A.5.15 — Access Control | Ruleset YAML as access-control policy artifact | Aligned | Each ruleset is a versioned policy document mapping App Identities to Graph endpoints. |
| A.8.2 — Information Classification | Response Filter transforms enforce field-level classification | Supported | Fields classified sensitive can be filtered or transformed per ruleset. |
| A.8.3 — Information Access Restriction | Ruleset denies unauthorized endpoints | Aligned | 403 response for any call not explicitly permitted by the App Identity ruleset. |
| A.9.2 — User Access Management | App Identity lifecycle tied to Key Vault credential rotation | Supported | Credential rotation documented; revocation invalidates all future calls for that identity. |
| A.12.4 — Logging and Monitoring | HMAC audit events delivered to your SIEM | Aligned | All proxied calls produce structured audit events suitable for ISO 27001-compliant log retention. |
| A.18.1.3 — Protection of Records | Immutable-by-default audit export | Supported | Audit records can be exported to WORM storage via the HMAC audit endpoint. |
Concrete scenario
An organization pursuing ISO 27001:2022 certification needs to evidence its access-control policy (A.5.15), information access restrictions (A.8.3), and logging and monitoring (A.12.4) for Graph-integrated applications. It operates 11 integrated systems on a Microsoft 365 tenant. The Stage 2 auditor asks for documented access-control decisions and for evidence that the decisions are enforced. The organization produces the 11 App Identity rulesets (access-control artifacts) and a 6-month audit-log export (operating effectiveness evidence). The SoA cites the GraphWarden rulesets as the technical implementation of A.5.15 and A.8.3, and the HMAC audit export as the implementation of A.12.4.
Hosting and data residency
Hosted tier: the proxy runtime is in Azure Canada Central; the control plane runs in Canada East (OVHCloud). On-premise tier (Windows Service or Docker) inside your own infrastructure: processing remains entirely under your control — relevant to the control-of-processing and supplier-relationship considerations your SoA captures. For the Hosted tier, document the tier in the supplier-relationship controls (A.5.19 through A.5.23 in ISO 27001:2022); geography itself is not material to Annex A, but documenting the deployment target is. Graph credentials (client secrets, certificates) never leave your Azure Key Vault: GraphWarden holds only their SHA-256 fingerprint to authenticate calls from your applications.
Limits
GraphWarden helps address several Annex A controls but does not cover the full ISO 27001 regime. The following items remain your responsibility.
- GraphWarden does NOT cover Clauses 4-10 of the main body — the management-system requirements (context, leadership, planning, support, operation, evaluation, improvement) are entirely the ISMS's responsibility.
- GraphWarden does NOT cover A.6 people controls — recruitment, training, awareness, disciplinary processes, and role definitions are administrative controls.
- GraphWarden does NOT cover A.7 physical controls — facility access, perimeter protection, and physical media handling are physical controls.
- GraphWarden does NOT cover A.17 business continuity beyond the proxy's availability — business continuity planning at the organizational level is your architecture and process responsibility.
- GraphWarden does NOT carry an ISO 27001 attestation — the standard is issued to an ISMS, not to a product. Page-level status is
aligned, not a formal attestation. - GraphWarden does NOT manage supplier relationships on your behalf (A.5.19 to A.5.23 in 2022 / A.15 in 2013) — your DPA process, supplier assessment, and contractual controls remain your responsibility.
Prepare your ISO 27001 brief with an AI assistant
Prepare an ISO 27001 compliance brief
Prepare an ISO 27001 Annex A compliance brief for A.5, A.8, A.9, A.12, A.18 using GraphWarden as a control on M365 Graph access.
I need to deliver to my ISMS lead:
1. Which Annex A controls GraphWarden helps meet (control-by-control mapping)
2. Which controls and clauses remain under my responsibility (out of scope — Clauses 4-10, A.6 people, A.7 physical, A.17 continuity, supplier relationships)
3. The technical artifacts I can attach to my Statement of Applicability (YAML rulesets, audit log export, App Identity inventory)
Reference documentation: https://graphwarden.com/llms.txt
Ask me:
- Whether I am on the ISO 27001:2022 or 2013 control catalogue
- The stage I am at (internal gap assessment, Stage 1, Stage 2, surveillance)
- How many Graph-integrated applications are in the scope of my ISMS
Reference: llms.txt
Troubleshooting
- My auditor asks for evidence of access-control decisions under A.5.15. Export each ruleset YAML and cite it in the SoA as the technical policy artifact; see Rulesets and Rules.
- My auditor asks for log retention evidence under A.12.4. Configure the HMAC audit export to forward to your SIEM and apply the retention tier matching your ISMS policy (90 days, 1 year, 7 years); see Agent API.
- The auditor asks how I handle a supplier whose access I revoked. Revoke the App Identity in GraphWarden; the revocation invalidates all future calls and is captured in the audit log for the evidence trail.
- My SoA states we apply A.8.3 at the field level. Walk through a Response Filter on a representative ruleset; the ruleset is the control's technical artifact.
- How do I demonstrate that my logging is protected against tampering (A.12.4.2)? Export audit records to WORM storage via the HMAC endpoint; the append-only target enforces the tamper-evidence requirement.
Resources
- For deployment, see On-Premise Windows Installation.
- For app identities, see App Identities.
- For the proxy trust model, see Trust Model.
- Data Processing Agreement (DPA) template — coming in a later phase .
Next steps
For a demo tailored to your ISO 27001 deployment, contact the GraphWarden team. Review the use cases to see how other organizations have mapped GraphWarden capabilities to their Annex A controls. Bring to the session: your control-catalogue version (2022 or 2013), your current ISMS stage, your list of Graph-integrated applications, and the desired audit retention tier (90 days, 1 year, or 7 years).
Last reviewed: