ISO 27001 requires a managed information security program, risk assessment, controls, ownership, evidence and continual improvement. The hard part is not writing policies; it is proving that security work actually happens.
| Requirement | Why it matters | Evidence | Tools that help | Common miss | Shielda |
|---|---|---|---|---|---|
| Asset inventory | You can't protect what you don't know. | Live asset list with owner. | Wazuh, Defender, MDM | Cloud + SaaS + endpoint reconciled. | Implemented |
| Vulnerability management | Unpatched vulns are the top breach vector. | Scan reports + remediation tickets. | CrowdStrike, Wiz, Snyk | Cross-tool prioritization. | Implemented |
| Patch and remediation tracking | Find ≠ fix. | Closed tickets with owner + date. | Jira, ITSM | Owners and SLA enforcement. | Implemented |
| Endpoint protection | Endpoints remain a top entry point. | EDR coverage and detections. | CrowdStrike, SentinelOne, Defender, ESET, Bitdefender | Coverage gaps on contractors. | Partial |
| Identity and access review | Stale access is a common audit finding. | Quarterly access review records. | Entra, Okta | Reviews for SaaS sprawl. | Via integration |
| MFA evidence | MFA is universally expected. | MFA enrollment + enforcement reports. | Entra, Okta, Google | Coverage for admin and break-glass. | Via integration |
| Email/domain security | Phishing remains the most common initial access vector. | SPF/DKIM/DMARC + filtering reports. | Defender, Google | DMARC enforcement (p=reject, not just monitoring). | Via integration |
| Cloud / SaaS posture | Misconfigs cause most cloud breaches. | CSPM reports + remediation. | Wiz, native CSPM | SaaS coverage beyond cloud. | Implemented |
| Code and dependency security | Vulnerable libs ship to prod. | SCA/SAST reports tied to fixes. | Snyk, Semgrep | Triage discipline. | Implemented |
| Backup and recovery testing | Backups that never restore are not backups. | Restore test reports. | Acronis, native cloud backup | Documented restore proofs. | Via integration |
| Incident response workflow | Speed and clarity reduce damage. | Playbooks + drill reports. | MDR providers | Tabletop exercises evidence. | Implemented |
| Logging and monitoring | Detection requires telemetry. | Log retention + review records. | Wazuh, SIEMs | Review documentation. | Via integration |
| Supplier / vendor risk | Your vendors are your attack surface. | Vendor register + due diligence. | OneTrust, Vanta, Drata | Continuous re-review. | Implemented |
| Contract / SLA evidence | Required by NIS2 / DORA. | Contract clauses mapped to controls. | Legal + GRC | Gap analysis at scale. | Implemented |
| Security awareness evidence | People are the perimeter. | Training completion + phishing tests. | KnowBe4, Hoxhunt | Evidence centralization. | Via integration |
| Executive / board reporting | Mandated by NIS2 / DORA / NYDFS. | Board minutes + dashboards. | GRC platforms | Translating tech to business risk. | Implemented |
| Audit-ready evidence pack | Audits live or die on evidence. | Standard-mapped evidence repository. | Vanta, Drata | Mapping to multiple standards. | Implemented |