Information security management for WordPress infrastructure.

BlockForge maps to ISO 27001 Annex A controls, helping organizations meet technical requirements for their WordPress environments.

100% Annex A coverage
6 control domains
35+ individual controls
Built-in: no add-ons needed


Annex A Control Mapping

See exactly how BlockForge features align to ISO 27001 Annex A controls across six key domains.

A.9 Access Control

A.9.1

Business Requirements

Role-based access control (RBAC) with workspace and site-level permissions.

Granular access at workspace and site level

A.9.2

User Access Management

Team invitations, member deactivation, permission assignment.

Complete user lifecycle management

A.9.4

System Access Control

HMAC-authenticated API, WP Auto-Login without password sharing, session management with timeout controls.

Secure authentication without credential exposure
Session management with configurable timeouts and revocation

A.10 Cryptography

A.10.1

Cryptographic Controls

HMAC-SHA256 API authentication, AES-256 encrypted backups, automated security key rotation.

HMAC-SHA256 API authentication
AES-256 encrypted backups
Automated security key rotation

All cryptographic controls are built into BlockForge's core architecture. No additional configuration or third-party tools required.

A.12 Operations Security

A.12.1

Operational Procedures

Centralized remote configuration management, automated maintenance mode.

Standardized operational workflows

A.12.2

Protection from Malware

Automated malware scanning with pattern detection.

Continuous malware detection

A.12.3

Backup & Data Retention

Automated daily backups with verification, dual-location storage, and configurable data retention policies with automated disposal.

Automated daily backups
Dual-location storage
Backup verification
Configurable data retention policies

A.12.4

Logging & Monitoring

Complete audit trail, change detection, compliance scoring, and exportable audit reports in PDF and CSV for auditors.

Complete audit trail
Exportable audit reports (PDF/CSV)
Compliance scoring with automated alerts

A.12.6

Technical Vulnerability Management

CVE scanning for all plugins, themes, and WordPress core.

Plugin CVE scanning
Theme CVE scanning
WordPress core CVE scanning

A.14 System Acquisition, Development, Maintenance

A.14.2

Security in Development

File integrity verification against official releases, code safety checks, staging environments for safe testing.

File integrity verification against official releases
Code safety checks
Docker-based staging environments

A.16 Incident Management

A.16.1

Management of Incidents

Complete incident lifecycle management: real-time detection, multi-channel notifications, incident reporting with evidence linking, and exportable documentation for auditors.

Real-time change detection
Email, Slack & Webhook notifications
Incident report generator with PDF export
Evidence linking to scans and findings

A.17 Business Continuity

A.17.1

Information Security Continuity

Verified backups, WordPress broken detection with auto-healing, uptime monitoring with automated recovery.

Verified backups with integrity checks
WordPress broken detection with auto-healing
Uptime monitoring with automated recovery

Scope limitations

Controls Not In Scope

ISO 27001 includes organizational and physical controls that fall outside the scope of a WordPress management platform. These areas require separate policies and processes within your organization.

A.5 Information Security Policies

Organizational policy framework

A.6 Organization of Information Security

Internal organization & mobile devices

A.7 Human Resource Security

Employee screening & awareness

A.8 Asset Management

Beyond WordPress assets

A.11 Physical & Environmental Security

Physical access & facility protection

A.15 Supplier Relationships

Third-party management

A.18 Compliance

Legal & regulatory requirements

Compliance

Explore other frameworks

BlockForge maps to multiple compliance frameworks. See how we help you meet requirements across standards.

Ready to meet ISO 27001 requirements?

Start managing your WordPress infrastructure with built-in security controls that map directly to ISO 27001 Annex A.