Add ISO/IEC 27001:2022 AWS policy pack reference docs

[danbiwer]

Adds the policy reference page for the new ISO/IEC 27001:2022 AWS pre-built policy pack, following the same format as the existing pack pages (#16496, #16753):

• content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — all 238 policies across 31 Annex A controls, in the standard policy table format (policies mapped to multiple controls show semicolon-joined references, as on the PCI DSS page)
• config/_default/menus.yml — ISO/IEC 27001 menu entry (alphabetical, after HITRUST)
• content/docs/insights/policy/policy-packs/pre-built-packs.md — pack row on the index page

[pulumi-bot]

Your site preview for commit f30b9e1 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-19612-f30b9e15.s3-website.us-west-2.amazonaws.com

[pulumi-bot]

Lighthouse Performance Report

Commit: f30b9e1 | Metric definitions

Page	Device	Score	FCP	LCP	TBT	CLS	SI
Homepage	Mobile	🔴 32	5.6s	13.7s	1384ms	0.001	8.9s
Homepage	Desktop	🟡 79	0.8s	1.1s	282ms	0.040	2.9s
Install Pulumi	Mobile	🟡 52	5.3s	8.4s	284ms	0.029	8.6s
Install Pulumi	Desktop	🟡 87	1.3s	1.8s	22ms	0.013	1.6s
AWS Get Started	Mobile	🟡 62	5.1s	8.2s	88ms	0.066	5.1s
AWS Get Started	Desktop	🟡 82	1.3s	1.9s	22ms	0.023	2.9s

[github-actions]

Pre-merge Review — Last updated 2026-06-11T21:47:41Z

Tip

Summary: This PR adds a new reference page (content/docs/reference/pre-built-policy-packs/iso-27001/aws.md) that lists all 238 policies in the ISO/IEC 27001:2022 pre-built policy pack for AWS, wires it into the left nav via config/_default/menus.yml, and adds a row to the pre-built-packs index table — paralleling the existing CIS, HITRUST, NIST, and PCI DSS pack pages. The wrongness that would block a reader is an inaccurate policy→control mapping or a misquoted standard control text, since readers use this page to map AWS resource policies to specific ISO/IEC 27001:2022 Annex A controls. Passes run: factual verification of the control mappings and policy descriptions, a frontmatter/menu-wiring sweep, a cross-sibling consistency read (3 of 3 siblings), and pattern-based style linting. The 238-row count and the A.5.x/A.8.x Annex A numbering both check out; the main thing to resolve is a systematic rendering of the standard's control text with "shall" where ISO uses "should".

Review confidence:

Dimension	Level	Notes
mechanics	HIGH
facts	MEDIUM	Control→Annex A mappings spot-check correct, but many per-policy behavior descriptions can't be confirmed against public sources, and the specification column renders ISO's "should" as "shall" throughout.
cross-sibling consistency	HIGH

Investigation log

• Cross-sibling reads: 3 of 3 siblings
• External claim verification: 30 of 52 claims verified (18 unverifiable, 4 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 25 Pass 1, 0 Pass 2, 27 Pass 3 (verified 19, contradicted 3, unverifiable 5).
• Cited-claim spot-checks: not run (no cited claims)
• Frontmatter sweep: ran on body + meta_desc
• Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
• Code execution: not run (no static/programs/ change)
• Code-examples checks: not run (no fenced code blocks in content files)
• Editorial-balance pass: not run (not under content/blog/)

🚨 Outstanding	⚠️ Low-confidence	💡 Pre-existing	✅ Resolved
3	28	0	0

🔍 Verification trail

52 claims extracted · 30 verified · 18 unverifiable · 4 contradicted

• L21 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Pulumi Cloud comes with pre-built policy packs that codify best practices for common security and compliance frameworks." → ✅ verified (evidence: The file at content/docs/insights/policy/policy-packs/pre-built-packs.md contains the exact sentence at L21: "Pulumi Cloud comes with pre-built policy packs that codify best practices for common security and compliance frameworks."; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L26 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Pre-built policy packs are authored and maintained by Pulumi." → ✅ verified (evidence: The official Pulumi pre-built packs docs page states: "Packs are authored and maintained by Pulumi, incorporating deep expertise in cloud security best practices."; source: https://www.pulumi.com/docs/insights/policy/policy-packs/pre-built-packs/)
• L28 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Pre-built policy packs can catch common security risks and compliance violations during pulumi preview, before they reach production environments." → ✅ verified (framing: strengthened — claim omits "long" from "long before they reach your production environments"; source's broader form proves the claim as a subset; evidence: The file at L28 states: "Catch common security risks and compliance violations during pulumi preview, long before they reach your production environments." The claim accurately reflects this, omitting only the word "long."; source: content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L32 in content/docs/insights/policy/policy-packs/pre-built-packs.md "The pre-built policy packs are available out of the box in Pulumi Cloud, with availability varying by plan." → ✅ verified (evidence: The file at line 32 states: "The following pre-built policy packs are available out of the box in Pulumi Cloud. Availability varies by plan. See Pricing for details." This directly confirms the claim.; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L36-38 in content/docs/insights/policy/policy-packs/pre-built-packs.md "The HITRUST CSF 11.5 pre-built policy pack provides predefined controls that align cloud resources with HITRUST CSF requirements." → ✅ verified (evidence: The file at L36-38 contains a table row for HITRUST CSF 11.5 with the description: "Provides predefined controls that align cloud resources with HITRUST CSF requirements, helping organizations enforce security and compliance baselines acro…; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L38-43 in content/docs/insights/policy/policy-packs/pre-built-packs.md "The AWS Organizations Tag Policies pre-built policy pack integrates with AWS Organizations Tag Policies to validate that infrastructure as code resources have…" → ✅ verified (evidence: The file content/docs/insights/policy/policy-packs/pre-built-packs.md contains the exact claim verbatim in the policy packs table: "Integrates with AWS Organizations Tag Policies to validate that infrastructure as code resources have req…; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L49 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Pulumi's Policy as Code framework allows users to author their own policy packs and add them to the same Policy Groups alongside pre-built packs." → ✅ verified (evidence: The file at content/docs/insights/policy/policy-packs/pre-built-packs.md states: "Pulumi's flexible Policy as Code framework allows you to [author your own packs] and add them to the same Policy Groups alongside pre-built packs, giving y…; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L55 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Policy Packs in the Pulumi Registry follow semantic versioning." → ✅ verified (evidence: The file content/docs/insights/policy/policy-packs/pre-built-packs.md contains the exact text in the FAQ section: "Policy Packs in the Pulumi Registry follow semantic versioning. We release new versions when we add coverage for new contr…; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L55 in content/docs/insights/policy/policy-packs/pre-built-packs.md "New versions of pre-built policy packs are released when new controls are added or existing policies are fixed." → ✅ verified (evidence: The file at L55 area contains the FAQ answer: "We release new versions when we add coverage for new controls or fix existing policies." This directly confirms the claim.; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L55 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Users can choose when to update to a new version of a pre-built policy pack in their Policy Group configuration." → ✅ verified (evidence: The file's FAQ section states: "You can choose when to update to a new version in your Policy Group configuration." This directly confirms the claim that users can choose when to update to a new version of a pre-built policy pack in their…; source: content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L59 in content/docs/insights/policy/policy-packs/pre-built-packs.md "Users can add both a pre-built pack and a custom-authored policy pack to the same Policy Group to enforce both general best practices and organization-specific…" → ✅ verified (evidence: The file at L59 area (FAQ section) states: "You can add both a pre-built pack (like Pulumi Best Practices) and your own custom-authored policy pack to the same Policy Group. This allows you to enforce both general best practices and your o…; source: repo:content/docs/insights/policy/policy-packs/pre-built-packs.md)
• L3 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The page covers ISO/IEC 27001:2022 (the 2022 edition of the standard) compliance policies for AWS." (also L12) → 🤷 unverifiable (evidence: The Pulumi compliance-policies repo confirms ISO 27001 policies for AWS exist, but no public source specifies whether the pre-built policy pack page at that path targets the 2022 edition vs. the 2013 edition. The repo README references "IS…; source: WebSearch ran query "Pulumi pre-built policy packs iso-27001 aws '27001:2022' OR 'iso 27001 2022' site:pulumi.com OR site:github.com/pulumi"; top results didn't confirm the 2022 edition claim for the specific doc page.; intuition: Pulumi's compliance-policies repo historically mapped to ISO 27001:2013 controls; the 2022 edition claim should be veri…)
• L3 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The meta description states this page is a complete list of ISO/IEC 27001:2022 compliance policies for AWS." → ✅ verified (evidence: The file's frontmatter at line 3 reads exactly: meta_desc: Complete list of ISO/IEC 27001:2022 compliance policies for AWS.; source: repo:content/docs/reference/pre-built-policy-packs/iso-27001/aws.md)
• L16-17 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "Policies related to public access controls and least privilege map to ISO/IEC 27001:2022 framework references A.5.15 (Access control) and A.8.3 (Information ac…" (also L42-43, L68-70, L74-75, L85) → ✅ verified (evidence: ISO/IEC 27001:2022 Annex A 5.15 is titled "Access Control" (covering role-based and least-privilege access policies), and A.8.3 is titled "Information Access Restriction" — confirmed by multiple authoritative sources. A.8.3's purpose is "T…; source: WebSearch ran query "ISO/IEC 27001:2022 Annex A controls A.5.15 A.8.3"; https://www.isms.online/iso-27001/annex-a-2022/5-15-access-control-2022/ and https://hightable.io/iso-27001-annex-a-8-3-information-access-restriction/)
• L22 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| cloudfront-distribution-disallow-default-certificate | CloudFront distributions must use a custom SSL certificate rather than the default CloudFront certific…" → ✅ verified (framing: strengthened — claim uses "shall" (mandatory) where the ISO 27001:2022 standard text uses "should" (recommended); the substance of the control description is o…; evidence: ISO 27001 Annex A 5.14 is titled "Information Transfer" and its standard definition matches the claim's description. Per multiple authoritative sources quoting the standard: "Information transfer rules, procedures, or agreements should be…; source: https://hightable.io/iso-27001-annex-a-5-14-information-transfer/)
• L43 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The s3-bucket-public-access-block policy maps to ISO/IEC 27001:2022 framework references A.5.15 (Access control) and A.8.3 (Information access restriction)." → ✅ verified (evidence: ISO/IEC 27001:2022 Annex A 5.15 is titled "Access Control" and A.8.3 is titled "Information Access Restriction." Multiple authoritative sources confirm: "If 5.15 (Access control) sets the rules, Control 8.3 is about making sure your actual…; source: https://iseoblue.com/iso-27001/annex-a/control-8-3/ and https://www.isms.online/iso-27001/annex-a-2022/5-15-access-control-2022/)
• L51 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| emr-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | A.5.15 Access control; A.8.3 Information access…" → 🤷 unverifiable (evidence: Web search confirmed the Pulumi ISO 27001 AWS compliance policy pack exists (pulumi/compliance-policies repo) and that EMR public-IP restrictions are a recognized compliance concern, but no public source directly confirms the exact policy…; source: WebSearch ran query "Pulumi ISO 27001 policy pack emr-no-public-ip A.5.15 A.8.3"; top results didn't address the claim directly)
• L57 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "Policies related to IAM least privilege and privileged access map to ISO/IEC 27001:2022 framework references A.5.15 (Access control) and A.8.2 (Privileged acce…" (also L64) → ✅ verified (evidence: Multiple authoritative ISO 27001:2022 sources confirm A.5.15 is titled "Access Control" (covering least-privilege access policies) and A.8.2 is titled "Privileged Access Rights." One source states: "Proper access control also aids Clause 8…; source: https://iso27001.com/iso-27001-annex-a-5-15-access-control/ ; https://www.isms.online/iso-27001/annex-a-2022/8-2-use-of-privileged-access-rights-2022/)
• L62 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The pubsub-least-privilege-iam policy covers IAM least privilege for Pub/Sub services including SNS, SQS, and Kinesis." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L69 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The iam-user-group-membership-required policy maps to ISO/IEC 27001:2022 framework references A.5.16 (Identity management) and A.5.18 (Access rights)." → ✅ verified (evidence: ISO/IEC 27001:2022 A.5.16 is titled "Identity management" and A.5.18 is titled "Access rights," confirmed by multiple authoritative sources. The mapping of iam-user-group-membership-required to these controls is logically sound: requiring…; source: WebSearch ran query "ISO 27001 2022 A.5.16 A.5.18 identity management access rights"; confirmed by https://www.isms.online/iso-27001/annex-a-2022/5-16-identity-management-2022/ and https://www.isms.online/iso-27001/annex-a-2022/5-18-access-rights-2022/)
• L71 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The iam-role-assume-role-mfa-enforcement policy ensures IAM roles require MFA when assumed by human users but not by AWS services." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L75 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The no-direct-user-access-keys policy maps to ISO/IEC 27001:2022 framework references A.5.17 (Authentication information) and A.8.5 (Secure authentication)." → ✅ verified (evidence: Multiple authoritative ISO 27001:2022 sources confirm A.5.17 is titled "Authentication information" and A.8.5 is titled "Secure authentication." One source states A.5.17 "connects to Clause 8.5 (Secure Authentication) for technical configu…; source: https://iso27001.com/iso-27001-annex-a-5-17-authentication-information/ ; https://watchdogsecurity.io/iso-27001/authentication-information)
• L77 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The iam-password-policy-minimum-password-length policy requires a minimum IAM password length of 14 or greater." → ✅ verified (evidence: Pulumi's ISO 27001 AWS IAM compliance page lists "Ensure IAM password policy requires minimum password length of 14 or greater" as a required control, confirming the minimum of 14 characters.; source: https://www.pulumi.com/compliance/iso-27001-aws-iam/)
• L81 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The no-hardcoded-secrets policy ensures EC2 instance userData does not contain hardcoded secrets." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L85 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The codebuild-project-envvar-awscred-check policy ensures CodeBuild project environment variables do not contain AWS credentials." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L90-92 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The cloudwatch-alarms-actions-required policy maps to ISO/IEC 27001:2022 framework references A.5.25 (Assessment and decision on information security events),…" → ✅ verified (evidence: Multiple authoritative ISO 27001:2022 sources confirm: A.5.25 is "Assessment and decision on information security events," A.5.26 is "Response to information security incidents," and A.8.16 is "Monitoring activities" — all matching the cla…; source: https://iseoblue.com/iso-27001/annex-a/iso-27001-controls-list/ ; https://www.urmconsulting.com/blog/iso-27001-2022-a-5-organisational-controls-incident-management ; https://certikit.com/the-iso-27001-controls-2022-standard)
• L92 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "Backup and replication policies (S3 replication, RDS backup retention, ElastiCache backup, Redshift snapshots, DynamoDB PITR) map to ISO/IEC 27001:2022 framewo…" (also L95-97) → ✅ verified (evidence: Multiple authoritative ISO 27001:2022 sources confirm: A.8.13 = "Information Backup", A.5.29 = "Information Security During Disruption", and A.5.30 = "ICT Readiness for Business Continuity." One source states: "ISO 27001: 2022 Annex A 5.29…; source: https://hightable.io/iso-27001-glossary-of-terms/ict-readiness-for-business-continuity/ and https://hightable.io/iso-27001-annex-a-5-30-ict-readiness-for-business-continuity/)
• L104 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The backup-vault-encryption policy requires AWS Backup vaults to be encrypted with a customer-managed KMS key, and maps to ISO/IEC 27001:2022 framework referen…" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L110-111 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| codebuild-project-artifact-encryption | Ensure CodeBuild project build artifacts are encrypted. | A.5.33 Protection of records | Records shall be protected f…" → ❌ contradicted (framing: shifted — claim uses "shall" (mandatory) while the ISO 27001:2022 A.5.33 standard text uses "should" (recommended); these carry distinct normative meanings in…; evidence: The ISO 27001:2022 A.5.33 standard text reads "Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release" — using "should" (a recommendation), not "shall" (a mandatory requirement) as t…; source: https://docs.evolveum.com/midpoint/compliance/iso27001/5.33/)
• L129-130 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The security-hub-enabled policy maps to ISO/IEC 27001:2022 framework references A.5.36 (Compliance with policies, rules and standards for information security)…" → ✅ verified (evidence: ISO/IEC 27001:2022 A.5.36 is titled "Compliance with policies, rules and standards for information security" and A.8.16 is titled "Monitoring activities" — both confirmed by multiple authoritative sources. One source states: "Monitoring Ac…; source: WebSearch ran query "ISO/IEC 27001:2022 Annex A.5.36 A.8.16 controls"; confirmed at https://hightable.io/iso-27001-annex-a-5-36-compliance-with-policies-rules-and-standards-for-information-security/ and https://elevateconsult.com/insights/iso-27001-controls-decoded-your-expert-guide-to-annex-a-mapping/)
• L132 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| codebuild-project-privileged-mode | Ensure CodeBuild projects do not run in privileged mode. | A.8.2 Privileged access rights | The allocation and use of pri…" → ❌ contradicted (framing: shifted — claim uses "shall be restricted and managed" but the source quotes the standard as "should be restricted and managed"; "shall" vs "should" is a norma…; evidence: The ISO 27001 standard's description for A.8.2 is quoted as "The allocation and use of privileged access rights should be restricted and managed" — using "should" (a recommendation), not "shall" (a mandatory requirement) as the claim state…; source: https://hightable.io/iso-27001-annex-a-8-2-privileged-access-rights/)
• L137 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The efs-accesspoint-posix-user policy requires EFS access points to enforce a POSIX user identity so all file system requests are made with a defined user." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L148 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The autoscaling-group-capacity-rebalancing policy description states it proactively replaces Spot Instances at risk of interruption." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L148 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The autoscaling-group-capacity-rebalancing policy maps to ISO/IEC 27001:2022 framework reference A.8.6 (Capacity management)." → ✅ verified (evidence: Multiple authoritative ISO 27001 sources confirm that ISO/IEC 27001:2022 Annex A control A.8.6 is titled "Capacity Management." As one source states: "ISO 27001:2022 Annex A 8.6 (Capacity Management) ensures that organisations proactively…; source: https://www.isms.online/iso-27001/annex-a-2022/8-6-capacity-management-2022/)
• L150 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The guardduty-malware-detection-enabled policy maps to ISO/IEC 27001:2022 framework references A.8.7 (Protection against malware) and A.8.16 (Monitoring activi…" → ✅ verified (framing: strengthened — the ISO control names and numbers are confirmed authoritative; the specific policy-to-control mapping is an editorial decision consistent with t…; evidence: ISO/IEC 27001:2022 A.8.7 is confirmed as "Protection against malware" and A.8.16 as "Monitoring activities" by multiple authoritative sources. One source explicitly notes their relationship: "Logs and monitoring (A8.15 – Logging & A8.16 Mo…; source: WebSearch ran query "ISO 27001 2022 A.8.7 protection against malware A.8.16 monitoring activities"; https://consultantslikeus.co.uk/post/a8-7-protection-against-malware/ and https://iso27001.com/iso-27001-annex-a-8-7-protection-against-malware/)
• L152 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "Managed patching and vulnerability management policies (RDS, Neptune, DocumentDB, Elastic Beanstalk, ECR, ECS, Lambda, Redshift) map to ISO/IEC 27001:2022 fram…" (also L160-161, L165-167) → ✅ verified (evidence: ISO/IEC 27001:2022 Annex A control A.8.8 is titled "Management of Technical Vulnerabilities" and covers patching and vulnerability management. Multiple authoritative sources confirm: "ISO 27001 Annex A 8.8 is a fundamental control that req…; source: https://hightable.io/iso-27001-annex-a-8-8-management-of-technical-vulnerabilities/; https://www.isms.online/iso-27001/annex-a-2022/8-8-management-of-technical-vulnerabilities-2022/)
• L159 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The lambda-runtime-restrictions policy ensures that AWS Lambda functions are created only with approved runtime versions." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L162 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The config-snapshot-retention policy ensures AWS Config retention configuration meets a minimum 7-year requirement for compliance auditing." → 🤷 unverifiable (evidence: No authoritative source confirms that ISO 27001 mandates a minimum 7-year AWS Config retention requirement. ISO 27001 is a risk-based standard that does not prescribe a fixed retention period; the 7-year figure is not found in ISO 27001 do…; source: WebSearch ran query "AWS Config snapshot retention ISO 27001 compliance requirement years"; top results didn't address the specific 7-year claim for ISO 27001.; intuition: ISO 27001 does not mandate a specific retention period; a "minimum 7-year requirement" is more characteristic of SOX/PC…)
• L166-167 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The s3-bucket-macie-access policy maps to ISO/IEC 27001:2022 framework reference A.8.12 (Data leakage prevention)." → ✅ verified (evidence: Multiple authoritative ISO 27001 sources confirm that ISO/IEC 27001:2022 Annex A control A.8.12 is titled "Data Leakage Prevention." For example: "ISO 27001 control A.8.12 Data leakage prevention requires companies to apply measures to pre…; source: WebSearch ran query "ISO 27001 2022 A.8.12 data leakage prevention"; https://advisera.com/iso27001/control-8-12-data-leakage-prevention/)
• L171 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The eventbridge-global-endpoint-replication policy maps to ISO/IEC 27001:2022 framework reference A.8.14 (Redundancy of information processing facilities)." → ✅ verified (evidence: ISO/IEC 27001:2022 Annex A control 8.14 is confirmed as "Redundancy of Information Processing Facilities" by multiple authoritative sources. AWS EventBridge Global Endpoint replication is a cross-region redundancy mechanism, making the map…; source: WebSearch ran query "ISO 27001 2022 A.8.14 redundancy information processing facilities"; https://www.isms.online/iso-27001/annex-a-2022/8-14-redundancy-of-information-processing-facilities-2022/)
• L172 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The lb-multi-az policy requires ELBv2 load balancers to span at least two Availability Zones." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L174 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The subnet-multi-az policy maps to ISO/IEC 27001:2022 framework references A.8.14 (Redundancy of information processing facilities) and A.5.30 (ICT readiness f…" → ✅ verified (evidence: Multiple authoritative ISO 27001:2022 sources confirm A.8.14 is titled "Redundancy of information processing facilities" and A.5.30 is titled "ICT readiness for business continuity," and that the two controls are explicitly linked. ISMS.on…; source: https://www.isms.online/iso-27001/annex-a-2022/8-14-redundancy-of-information-processing-facilities-2022/)
• L181 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| sfn-statemachine-logging | Step Functions state machines must have execution logging enabled. | A.8.15 Logging | Logs that record activities, exceptions, fau…" → ✅ verified (evidence: AWS Config confirms the step-functions-state-machine-logging-enabled rule checks that Step Functions state machines have logging enabled. ISO 27001 A.8.15 text is confirmed verbatim: "Logs that record activities, exceptions, faults and o…; source: https://docs.aws.amazon.com/config/latest/developerguide/step-functions-state-machine-logging-enabled.html; https://www.lakeridge.io/iso-27001/controls/8-15-logging)
• L183 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| codebuild-project-logging | Ensure CodeBuild projects have an enabled log destination. | A.8.15 Logging | Logs that record activities, exceptions, faults and…" → ❌ contradicted (framing: shifted — claim replaces the standard's "should" with "shall", changing the normative strength of the requirement; evidence: The ISO 27001 A.8.15 control text reads "Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed" (Evolveum docs quoting the standard verbatim), but the claim uses "*…; source: https://docs.evolveum.com/midpoint/compliance/iso27001/8.15/)
• L202 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The vpc-subnet-flow-logs policy ensures all VPCs and subnets have flow logs enabled." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L209 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The elb-desync-mitigation policy requires Classic Load Balancers to use a defensive or strictest desync mitigation mode." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L210 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The networkfirewall-multi-az policy requires Network Firewalls to span at least two Availability Zones for resilience." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L213 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The networkfirewall-policy-rule-group-associated policy requires Network Firewall policies to reference at least one rule group." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L220 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The lambda-vpc-placement-required policy maps to ISO/IEC 27001:2022 framework references A.8.20 (Networks security) and A.8.22 (Segregation of networks)." → ✅ verified (evidence: ISO/IEC 27001:2022 A.8.20 is confirmed as "Networks security" ("Networks and network devices should be secured, managed and controlled") and A.8.22 is confirmed as "Segregation of networks" ("mandates the segregation of networks to restric…; source: WebSearch ran query "ISO 27001 2022 A.8.20 A.8.22 networks security segregation"; https://hightable.io/iso27001-annex-a-8-20-network-security/ and https://hightable.io/iso27001-annex-a-8-22-segregation-of-networks/)
• L222-223 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "| elasticsearch-vpc-required | Elasticsearch domains must be deployed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks |…" → 🤷 unverifiable (evidence: Web searches found the pulumi/compliance-policies repo covers ISO 27001 for AWS, and a related policy named elasticsearch-in-vpc-only exists in AWSGuard, but the specific policy name elasticsearch-vpc-required, its description, and I…; source: WebSearch ran query "Pulumi ISO 27001 policy pack elasticsearch-vpc-required A.8.20 A.8.22"; top results didn't address the claim; intuition: The policy name elasticsearch-vpc-required differs from the known AWSGuard policy elasticsearch-in-vpc-only; worth…)
• L225 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "The vpc-route-table-internet-gateway-restricted policy maps to ISO/IEC 27001:2022 framework references A.8.20 (Networks security), A.8.22 (Segregation of netwo…" → 🤷 unverifiable (evidence: No public web source or search result confirms the specific ISO/IEC 27001:2022 framework references (A.8.20, A.8.21, A.8.22) mapped to the vpc-route-table-internet-gateway-restricted policy. The pulumi/compliance-policies GitHub repo e…; source: WebSearch ran query "pulumi compliance-policies vpc-route-table-internet-gateway-restricted A.8.20 A.8.21 A.8.22"; top results didn't address the claim; intuition: The ordering A.8.20, A.8.22, A.8.21 (non-sequential) is slightly unusual and worth a reviewer double-check against the…)
• L1 in content/docs/reference/pre-built-policy-packs/iso-27001/aws.md "frontmatter menu.reference.parent: reference-pre-built-policy-packs-iso-27001 does not exist in the reference menu" → ⚔️ mismatch (evidence: menu=reference parent=reference-pre-built-policy-packs-iso-27001 parent_exists_in_menu=false; source: frontmatter-validate.py pre-step)

🚨 Outstanding in this PR

These must be resolved or refuted before merging.

• [L110-111] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "| codebuild-project-artifact-encryption | Ensure CodeBuild project build artifacts are encrypted. | A.5.33 Protection of records | Records shall be protected f…" — verdict: contradicted; framing: shifted — claim uses "shall" (mandatory) while the ISO 27001:2022 A.5.33 standard text uses "should" (recommended); these carry distinct normative meanings in…; evidence: The ISO 27001:2022 A.5.33 standard text reads "Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release" — using "should" (a recommendation), not "shall" (a mandatory requirement) as t…; source: https://docs.evolveum.com/midpoint/compliance/iso27001/5.33/

  Fix: The Framework Specification column reproduces the ISO/IEC 27001:2022 Annex A control text but renders it with "shall" where the published standard wording is "should" — e.g., A.5.33 reads "Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release." In ISO standards "shall" (a requirement) and "should" (a recommendation) are normatively distinct, so the substituted verb misstates the standard. This is systematic, not three isolated cells: the same "shall"-form text repeats verbatim across every row of this column (A.5.33, A.8.2, A.8.15, A.8.14, A.8.24, …) — one editorial decision affecting all 238 rows. Recommend either (a) restoring the standard's "should" phrasing verbatim throughout the column, or (b) if "shall" is intentional enforcement framing, retitling the column so it doesn't present the text as a verbatim quote of the standard. Corrected cell for this row:

  Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

• [L132] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "| codebuild-project-privileged-mode | Ensure CodeBuild projects do not run in privileged mode. | A.8.2 Privileged access rights | The allocation and use of pri…" — verdict: contradicted; framing: shifted — claim uses "shall be restricted and managed" but the source quotes the standard as "should be restricted and managed"; "shall" vs "should" is a norma…; evidence: The ISO 27001 standard's description for A.8.2 is quoted as "The allocation and use of privileged access rights should be restricted and managed" — using "should" (a recommendation), not "shall" (a mandatory requirement) as the claim state…; source: https://hightable.io/iso-27001-annex-a-8-2-privileged-access-rights/

  Fix: Same systematic "should"→"shall" deviation as the A.5.33 row above. A.8.2 standard text: "The allocation and use of privileged access rights should be restricted and managed." Apply the consolidated recommendation under the A.5.33 finding (restore "should" column-wide, or retitle the column).

• [L183] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "| codebuild-project-logging | Ensure CodeBuild projects have an enabled log destination. | A.8.15 Logging | Logs that record activities, exceptions, faults and…" — verdict: contradicted; framing: shifted — claim replaces the standard's "should" with "shall", changing the normative strength of the requirement; evidence: The ISO 27001 A.8.15 control text reads "Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed" (Evolveum docs quoting the standard verbatim), but the claim uses "*…; source: https://docs.evolveum.com/midpoint/compliance/iso27001/8.15/

  Fix: Same systematic "should"→"shall" deviation. A.8.15 standard text: "Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed." Apply the consolidated recommendation under the A.5.33 finding.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

• [L3] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The page covers ISO/IEC 27001:2022 (the 2022 edition of the standard) compliance policies for AWS." — verdict: unverifiable; evidence: The Pulumi compliance-policies repo confirms ISO 27001 policies for AWS exist, but no public source specifies whether the pre-built policy pack page at that path targets the 2022 edition vs. the 2013 edition. The repo README references "IS…; source: WebSearch ran query "Pulumi pre-built policy packs iso-27001 aws '27001:2022' OR 'iso 27001 2022' site:pulumi.com OR site:github.com/pulumi"; top results didn't confirm the 2022 edition claim for the specific doc page.; intuition: Pulumi's compliance-policies repo historically mapped to ISO 27001:2013 controls; the 2022 edition claim should be verified

  Author check: The control references used throughout the page are the A.5.x / A.8.x Annex A numbering introduced in the 2022 revision (the 2013 edition used A.9–A.18), so the body is internally consistent with the "2022" edition named in the title and meta_desc. Worth a quick confirmation that the shipped pack targets the 2022 controls; not a blocker.

• [L51] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "| emr-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | A.5.15 Access control; A.8.3 Information access…" — verdict: unverifiable; evidence: Web search confirmed the Pulumi ISO 27001 AWS compliance policy pack exists (pulumi/compliance-policies repo) and that EMR public-IP restrictions are a recognized compliance concern, but no public source directly confirms the exact policy…; source: WebSearch ran query "Pulumi ISO 27001 policy pack emr-no-public-ip A.5.15 A.8.3"; top results didn't address the claim directly

  Author check: The policy→control mapping (A.5.15 Access control / A.8.3 Information access restriction) is sound, but the exact policy name and description couldn't be confirmed from public sources. Verify against the source pack; not a blocker.

• [L62] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The pubsub-least-privilege-iam policy covers IAM least privilege for Pub/Sub services including SNS, SQS, and Kinesis." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L71] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The iam-role-assume-role-mfa-enforcement policy ensures IAM roles require MFA when assumed by human users but not by AWS services." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L81] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The no-hardcoded-secrets policy ensures EC2 instance userData does not contain hardcoded secrets." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L85] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The codebuild-project-envvar-awscred-check policy ensures CodeBuild project environment variables do not contain AWS credentials." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L104] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The backup-vault-encryption policy requires AWS Backup vaults to be encrypted with a customer-managed KMS key, and maps to ISO/IEC 27001:2022 framework referen…" — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L137] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The efs-accesspoint-posix-user policy requires EFS access points to enforce a POSIX user identity so all file system requests are made with a defined user." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L148] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The autoscaling-group-capacity-rebalancing policy description states it proactively replaces Spot Instances at risk of interruption." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L159] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The lambda-runtime-restrictions policy ensures that AWS Lambda functions are created only with approved runtime versions." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L162] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The config-snapshot-retention policy ensures AWS Config retention configuration meets a minimum 7-year requirement for compliance auditing." — verdict: unverifiable; evidence: No authoritative source confirms that ISO 27001 mandates a minimum 7-year AWS Config retention requirement. ISO 27001 is a risk-based standard that does not prescribe a fixed retention period; the 7-year figure is not found in ISO 27001 do…; source: WebSearch ran query "AWS Config snapshot retention ISO 27001 compliance requirement years"; top results didn't address the specific 7-year claim for ISO 27001.; intuition: ISO 27001 does not mandate a specific retention period; a "minimum 7-year requirement" is more characteristic of SOX/PCI

  Author check: Worth a closer look — ISO 27001 is risk-based and doesn't prescribe a fixed retention period, so confirm the "minimum 7-year requirement" reflects the policy's own configured default rather than an ISO mandate. The mapping to A.8.9 Configuration management is fine; not a blocker.

• [L172] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The lb-multi-az policy requires ELBv2 load balancers to span at least two Availability Zones." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L202] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The vpc-subnet-flow-logs policy ensures all VPCs and subnets have flow logs enabled." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L209] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The elb-desync-mitigation policy requires Classic Load Balancers to use a defensive or strictest desync mitigation mode." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L210] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The networkfirewall-multi-az policy requires Network Firewalls to span at least two Availability Zones for resilience." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L213] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The networkfirewall-policy-rule-group-associated policy requires Network Firewall policies to reference at least one rule group." — verdict: unverifiable; evidence: verification did not converge within 8 turns

  Author check: This describes the behavior of a single policy in the pack and couldn't be confirmed from public documentation. Please verify the description matches the policy's actual implementation in the source pack; it's not a reader-facing accuracy blocker.

• [L222-223] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "| elasticsearch-vpc-required | Elasticsearch domains must be deployed in VPC for network isolation | A.8.20 Networks security; A.8.22 Segregation of networks |…" — verdict: unverifiable; evidence: Web searches found the pulumi/compliance-policies repo covers ISO 27001 for AWS, and a related policy named elasticsearch-in-vpc-only exists in AWSGuard, but the specific policy name elasticsearch-vpc-required, its description, and I…; source: WebSearch ran query "Pulumi ISO 27001 policy pack elasticsearch-vpc-required A.8.20 A.8.22"; top results didn't address the claim; intuition: The policy name elasticsearch-vpc-required differs from the known AWSGuard policy elasticsearch-in-vpc-only

  Author check: The name elasticsearch-vpc-required is used consistently on the page but differs from the older AWSGuard policy elasticsearch-in-vpc-only — confirm the name matches what ships in this pack. The A.8.20 / A.8.22 mapping is sound; not a blocker.

• [L225] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "The vpc-route-table-internet-gateway-restricted policy maps to ISO/IEC 27001:2022 framework references A.8.20 (Networks security), A.8.22 (Segregation of netwo…" — verdict: unverifiable; evidence: No public web source or search result confirms the specific ISO/IEC 27001:2022 framework references (A.8.20, A.8.21, A.8.22) mapped to the vpc-route-table-internet-gateway-restricted policy. The pulumi/compliance-policies GitHub repo e…; source: WebSearch ran query "pulumi compliance-policies vpc-route-table-internet-gateway-restricted A.8.20 A.8.21 A.8.22"; top results didn't address the claim; intuition: The ordering A.8.20, A.8.22, A.8.21 (non-sequential) is slightly unusual and worth a reviewer double-check

  Author check: This row lists its Annex A references non-sequentially (A.8.20, A.8.22, A.8.21); the controls themselves are appropriate, but double-check the intended ordering/set against the pack. Not a blocker.

Style findings

Found by pattern-based linting; Findings may be false positives.

• line 16: [style] wordiness — 'shall' is too wordy.
• line 17: [style] wordiness — 'shall' is too wordy.
• line 18: [style] wordiness — 'shall' is too wordy.
• line 19: [style] wordiness — 'shall' is too wordy.
• line 20: [style] wordiness — 'shall' is too wordy.
• line 21: [style] wordiness — 'shall' is too wordy.
• line 22: [style] wordiness — 'shall' is too wordy.
• line 23: [style] wordiness — 'shall' is too wordy.
• line 23: [style] wordiness — 'shall' is too wordy.
• line 23: [style] wordiness — 'shall' is too wordy.

[github-actions]

📋 Triaged verifier findings

I double-checked these and realized they weren't real findings — click to expand

• [L1] content/docs/reference/pre-built-policy-packs/iso-27001/aws.md — "frontmatter menu.reference.parent: reference-pre-built-policy-packs-iso-27001 does not exist in the reference menu" — verdict: mismatch; evidence: menu=reference parent=reference-pre-built-policy-packs-iso-27001 parent_exists_in_menu=false; source: frontmatter-validate.py pre-step

  Spurious: The reference-pre-built-policy-packs-iso-27001 menu node is added in this same PR (config/_default/menus.yml, weight 4 under reference-pre-built-policy-packs), so the page's parent resolves once both files land. The pre-merge frontmatter check evaluated the page without the newly added menu node.

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

• 2026-06-11T21:47:41Z — New ISO/IEC 27001:2022 AWS pack page (238 policies); flagged a systematic "should"→"shall" rewording of the standard's control text; menu-parent and 238-count checks pass (f30b9e1)

---

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

[CamSoper]

@danbiwer The fact check flagged a possible wording discrepency. Are we confident ours is correct?