Cenitia launchesLaunching September 2026 — first 250 founders get the launch price locked for life.

Reserve your spot →
Cenitia
How it worksLibraryGlossaryRegulationsToolsAbout
Reserve your spot
How it worksLibraryGlossaryRegulationsToolsAbout

On this page

  • Two different objects of regulation
  • Inside ISO/IEC 27001:2022 — clauses and Annex A
  • Inside the CRA — Annex I as the conformity target
  • Where the two overlap — and where they don't
  • A practical decision matrix
  • Common mistakes
  • How Cenitia helps
  • Frequently asked questions
  • Related from the Library
  • Further reading
← Library
comparison·ISO27001, CRA·8 min read

ISO/IEC 27001 vs CRA — when to certify both

ISO/IEC 27001:2022 is an organisational ISMS standard; the EU Cyber Resilience Act is a product-level regulation. Where they overlap, where they don't, and why you need both.

By Vladimír Vician · 29 June 2026

TL;DR

ISO/IEC 27001:2022 certifies how your organisation manages information security; the EU Cyber Resilience Act (Regulation (EU) 2024/2847) regulates the cybersecurity of products you place on the EU market. Annex A of 27001 (93 controls in four themes) overlaps with CRA Annex I Part II vulnerability-handling duties but does not substitute for CE marking, the EU Declaration of Conformity, or conformity assessment. If you ship connectable products into the EU after 11 December 2027, you need CRA conformity regardless of any ISO certificate you hold.

Many hardware teams arrive at compliance planning carrying an ISO/IEC 27001 certificate they earned for enterprise procurement and assume it covers their obligations under the EU Cyber Resilience Act. It does not — at least not on its own. ISO/IEC 27001 is an organisational management-system standard published jointly by ISO and IEC; the CRA is a product-safety regulation in the New Legislative Framework family, sitting alongside the Radio Equipment Directive, EMC, LVD and the Machinery Regulation.

This article walks through the structural differences, the genuine overlap in vulnerability handling, and the practical decision: when to pursue both, when to defer one, and how to make ISMS evidence reusable in a Notified Body assessment.

Who this is for

Hardware and IoT vendors deciding whether ISO/IEC 27001 certification, CRA conformity, or both belongs on their 2026–2027 roadmap. This article is not legal advice — for binding interpretation of CRA Annex I or ISO/IEC 27001 audit scope, consult a Notified Body, an ISO-accredited certification body, or qualified counsel.

Two different objects of regulation

The first and most important distinction is structural.

DimensionISO/IEC 27001:2022CRA — Regulation (EU) 2024/2847
Object certifiedThe organisation's ISMSThe product with digital elements
Legal natureVoluntary international standardBinding EU regulation (CE marking)
Governing bodyISO + IECEuropean Commission + market surveillance
EvidenceISMS scope, risk register, SoA, Annex A controlsTechnical file, EU DoC, Annex I conformity
Audit cycle3-year cycle with annual surveillanceConformity assessment + ongoing post-market
SanctionsLoss of certificateUp to €15M or 2.5% of worldwide turnover

ISO/IEC 27001 is described by ISO as a standard that "specifies requirements for establishing, implementing, maintaining and continually improving an information security management system". Certification is awarded by accredited registrars after a three-stage audit (Stage 1 documentation review, Stage 2 implementation audit, surveillance audits). It says nothing about whether your product meets any specific security property; it says your organisation manages risk to information assets in a systematic way.

The CRA, by contrast, is a product regulation. Article 13 places duties on the manufacturer to ensure products with digital elements "comply with essential cybersecurity requirements" in Annex I, prepare technical documentation, draw up an EU Declaration of Conformity, and affix the CE marking before placing the product on the market.

Inside ISO/IEC 27001:2022 — clauses and Annex A

The 2022 edition restructured Annex A significantly. The previous 2013 version had 114 controls across 14 domains. The current standard consolidates these into 93 controls organised into four themes:

ThemeNumber of controlsExamples
Organizational37Information security policy, supplier relationships, threat intelligence
People8Screening, terms of employment, awareness training
Physical14Physical perimeter, secure disposal, equipment maintenance
Technological34Access control, cryptography, secure development, logging

The management-system requirements themselves sit in Clauses 4 to 10 of the main body: context of the organisation, leadership, planning (including risk assessment), support, operation, performance evaluation, and improvement. These clauses follow the harmonised ISO management-system structure also used by ISO 9001 and ISO 14001 — meaning a Statement of Applicability (SoA) is the bridge between Clause 6 risk treatment and the Annex A controls you actually deploy.

ISO/IEC 27002:2022 provides implementation guidance for each of the 93 controls but is not itself certifiable.

Inside the CRA — Annex I as the conformity target

The CRA's substantive product requirements live in Annex I, split into two parts.

Annex I Part I — Essential cybersecurity requirements (security properties). Products must be "designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks" and "delivered without any known exploitable vulnerabilities". The listed properties include secure default configuration, protection against unauthorised access, confidentiality and integrity of data, data minimisation, availability of essential functions, attack-surface reduction, exploitation mitigation, security monitoring, and a secure update mechanism.

Annex I Part II — Vulnerability handling requirements. Manufacturers must identify and document vulnerabilities and components (including a machine-readable SBOM), remediate without delay, conduct effective security testing, publicly disclose information about fixed vulnerabilities, operate a coordinated disclosure policy, facilitate vulnerability reporting via a single point of contact, distribute updates securely and "without delay and free of charge", and provide accompanying advisories.

Conformity is assessed via the modules in Annex VIII — predominantly Module A (self-assessment) for default products, Module B+C (EU-type examination) or H (full quality assurance) for important and critical products listed in Annex III/IV.

Reserve your spot — Cenitia launches September 2026

One email at launch · cancel any time

Where the two overlap — and where they don't

The genuine overlap is in vulnerability handling and secure development lifecycle. A mature ISMS audited under ISO/IEC 27001:2022 should already evidence:

  • Coordinated vulnerability disclosure (Annex A.5.5, A.5.7) — maps to CRA Annex I Part II §5, §6.
  • Information-security incident management (Annex A.5.24–A.5.28) — maps to CRA Article 14 incident reporting and Annex I Part II §3.
  • Secure development lifecycle (Annex A.8.25–A.8.31) — supports CRA Annex I Part I "appropriate level of cybersecurity based on the risks".
  • Supplier and third-party risk management (Annex A.5.19–A.5.23) — supports the CRA "due diligence" duty on integrated components.
  • Configuration management and secure-by-default principles (Annex A.8.9, A.8.27).

Where the standards do not overlap:

  • ISO/IEC 27001 says nothing about CE marking, the EU Declaration of Conformity, or notified-body involvement.
  • ISO/IEC 27001 does not test product-level security properties — your ISMS audit will not verify whether the product is delivered "without any known exploitable vulnerabilities" or whether secure defaults are correctly implemented.
  • ISO/IEC 27001 does not impose the CRA's 24-hour and 72-hour ENISA reporting timers for actively exploited vulnerabilities and severe incidents.
  • ISO/IEC 27001 imposes no 10-year technical-file retention or 5-year minimum support period.

A Notified Body can accept ISMS evidence as partial substantiation of CRA Annex I Part II conformity — particularly for Modules B/C and H — but cannot waive product-level testing for Annex I Part I.

A practical decision matrix

Your situationRecommendation
Pre-revenue hardware MVP, no enterprise buyers yetCRA first. Defer ISO/IEC 27001 until enterprise sales demand it.
Selling to public sector, defence, banking, healthcareBoth. ISO/IEC 27001 is often a procurement gate; CRA is mandatory anyway.
SaaS-only product no embedded deviceCRA still applies to "software products" — verify scope first. ISO/IEC 27001 is the typical commercial signal.
Hardware vendor already SOC 2 Type II certifiedMap SOC 2 controls to Annex A. CRA work remains separate.
Class I/II "important" product under Annex IIICRA Module B+C or H is mandatory. Pre-existing ISO 27001 will materially shorten NB audit time.

Common mistakes

  • Treating an ISO/IEC 27001 certificate as a CRA exemption. It is not. The CRA requires CE marking and an EU DoC against Annex I — independent of any ISMS certificate.
  • Confusing ISO/IEC 27001 with ISO/IEC 62443 or EN 18031. Product-level cybersecurity standards (62443 for industrial automation, EN 18031 for radio equipment) are testable against products. ISO/IEC 27001 is not.
  • Scoping the ISMS to exclude the product team. If product engineering and the secure-development lifecycle are outside the ISMS scope, you cannot reuse ISMS evidence for CRA conformity.
  • Ignoring the SoA. Annex A controls in 27001:2022 are reference controls; the Statement of Applicability is what binds your specific ISMS to them. Notified Bodies will ask to see it.
  • Assuming ISO/IEC 27001 covers ENISA reporting timers. It doesn't. The 24-hour early warning and 72-hour notification duties from 11 September 2026 are CRA-specific.

How Cenitia helps

Cenitia is built around the CRA conformity workflow — technical file, EU DoC, Annex I evidence, vulnerability-handling artefacts, ENISA reporting timers and the SBOM lifecycle — for connectable hardware vendors. When a customer also holds (or is pursuing) ISO/IEC 27001, the platform maps the customer's existing Annex A controls and ISMS procedures onto the CRA Annex I Part II vulnerability-handling clauses so the same evidence can be reused in a Notified Body audit without duplication.

We do not issue ISO/IEC 27001 certificates — that remains the role of accredited registrars such as BSI, TÜV, DEKRA or SGS. What we do is reduce the time it takes to demonstrate that a product is CRA-conformant, and surface where your existing ISMS already does the work so you don't pay for it twice.

Reserve your spot — Cenitia launches September 2026

One email at launch · cancel any time

Frequently asked questions

Does ISO/IEC 27001 certification satisfy the CRA?

No. ISO/IEC 27001:2022 certifies an organisation's Information Security Management System (ISMS). The CRA (Regulation (EU) 2024/2847) regulates products with digital elements placed on the EU market. The CRA requires CE marking, an EU Declaration of Conformity, and conformity assessment against Annex I — none of which ISO/IEC 27001 alone delivers.

How many controls does ISO/IEC 27001:2022 Annex A contain?

The 2022 revision of ISO/IEC 27001 lists 93 controls in Annex A, organised into four themes: Organizational (37), People (8), Physical (14) and Technological (34). The previous 2013 version had 114 controls in 14 domains; the 2022 update consolidated and restructured them.

Where does ISO/IEC 27001 overlap with CRA Annex I Part II?

Annex A.5 (Information security incident management) and the broader operational controls overlap with CRA Annex I Part II vulnerability-handling duties: coordinated disclosure policy, secure-update distribution, SBOM maintenance, and timely remediation. ISO 27001 demonstrates the organisational process; the CRA still requires product-level evidence.

When does the CRA apply?

Regulation (EU) 2024/2847 entered into force on 10 December 2024. Reporting obligations (actively exploited vulnerabilities and severe incidents) apply from 11 September 2026. The main product obligations — including CE marking against Annex I — apply from 11 December 2027.

If I have ISO/IEC 27001, can my Notified Body reuse it for CRA conformity assessment?

Partially. A Notified Body assessing a Class I or Class II 'important' product under the CRA can credit ISMS evidence for vulnerability-handling processes, secure-development lifecycle and incident management. But product-level testing against Annex I Part I (secure defaults, attack surface, update mechanism, etc.) is separate. Confirm scope with your Notified Body before relying on cross-recognition.

Should small hardware vendors pursue both?

For most MVP-stage hardware vendors the priority is CRA conformity (mandatory from December 2027). ISO/IEC 27001 is voluntary but increasingly demanded by enterprise customers and public-sector buyers. A pragmatic order: build CRA-compliant processes first, then formalise them under an ISMS once revenue justifies the audit cost (typically €15–40k initial certification plus annual surveillance).

Related from the Library

  • CRA Annex I — essential cybersecurity requirements explained — the product-level requirements ISO 27001 does not test.
  • CRA vs NIS2 — where they overlap — a parallel comparison for organisations subject to both directives.
  • CRA timeline and reporting obligations — the September 2026 and December 2027 dates that determine your runway.
  • Conformity assessment modules A to H — how Notified Body involvement is determined.
  • SBOM — CycloneDX vs SPDX for hardware — supporting the Annex I Part II SBOM requirement.

Further reading

  • Regulation (EU) 2024/2847 — Cyber Resilience Act (EUR-Lex) — the official consolidated text.
  • European Commission — Cyber Resilience Act policy page — Commission policy explanation and FAQs.
  • ISO/IEC 27001:2022 (ISO Standards catalogue) — the canonical standard page.
  • ISO/IEC 27002:2022 — implementation guidance for the 93 Annex A controls.
  • ENISA — Cyber Resilience Act resources — single reporting platform guidance.
  • CRA Annex I full text mirror — readable cross-reference for Annex I Parts I and II.
  • Article 13 of the CRA — manufacturer obligations — the binding duty linking products to Annex I.

Last reviewed: 5 July 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.

FAQ

Frequently asked questions

  • Does ISO/IEC 27001 certification satisfy the CRA?+

    No. ISO/IEC 27001:2022 certifies an organisation's Information Security Management System (ISMS). The CRA (Regulation (EU) 2024/2847) regulates products with digital elements placed on the EU market. The CRA requires CE marking, an EU Declaration of Conformity, and conformity assessment against Annex I — none of which ISO/IEC 27001 alone delivers.

  • How many controls does ISO/IEC 27001:2022 Annex A contain?+

    The 2022 revision of ISO/IEC 27001 lists 93 controls in Annex A, organised into four themes: Organizational (37), People (8), Physical (14) and Technological (34). The previous 2013 version had 114 controls in 14 domains; the 2022 update consolidated and restructured them.

  • Where does ISO/IEC 27001 overlap with CRA Annex I Part II?+

    Annex A.5 (Information security incident management) and the broader operational controls overlap with CRA Annex I Part II vulnerability-handling duties: coordinated disclosure policy, secure-update distribution, SBOM maintenance, and timely remediation. ISO 27001 demonstrates the organisational process; the CRA still requires product-level evidence.

  • When does the CRA apply?+

    Regulation (EU) 2024/2847 entered into force on 10 December 2024. Reporting obligations (actively exploited vulnerabilities and severe incidents) apply from 11 September 2026. The main product obligations — including CE marking against Annex I — apply from 11 December 2027.

  • If I have ISO/IEC 27001, can my Notified Body reuse it for CRA conformity assessment?+

    Partially. A Notified Body assessing a Class I or Class II 'important' product under the CRA can credit ISMS evidence for vulnerability-handling processes, secure-development lifecycle and incident management. But product-level testing against Annex I Part I (secure defaults, attack surface, update mechanism, etc.) is separate. Confirm scope with your Notified Body before relying on cross-recognition.

  • Should small hardware vendors pursue both?+

    For most MVP-stage hardware vendors the priority is CRA conformity (mandatory from December 2027). ISO/IEC 27001 is voluntary but increasingly demanded by enterprise customers and public-sector buyers. A pragmatic order: build CRA-compliant processes first, then formalise them under an ISMS once revenue justifies the audit cost (typically €15–40k initial certification plus annual surveillance).

Portrait of Vladimír Vician

Written by

Vladimír Vician

Founder, Cenitia · Founder & Managing Director, Inovasense s.r.o.

Founded Inovasense in Bratislava in 2016. Specialises in EU-sovereign hardware — FPGA and embedded systems design, embedded security, and regulatory compliance under the CRA, RED (EN 18031), and the harmonised standards each cites. Named signatory on every Declaration of Conformity Inovasense ships.

Best reached on LinkedIn. For longer enquiries, the Inovasense contact form.

Inovasense profile · More about Cenitia

Continue reading

Related guides

  • reference

    CRA for existing products already on the EU market: the Article 69 transitional rules

    CRA Article 69 explained: grandfathering for products placed on the EU market before 11 December 2027, substantial modification test, Article 14 reporting carve-back.

    12 min read

  • tutorial

    CRA December 2027 readiness — the 18-month roadmap to full conformity

    18-month preparation roadmap to 11 December 2027 CRA full application. Quarterly milestones for Annex I conformity, Technical File, DoC, and Notified Body engagement.

    10 min read

  • tutorial

    CRA ENISA 24-hour reporting — the early warning rule in operational detail

    Operational walkthrough of CRA Article 14 reporting: the 24-hour early warning content, the ENISA single reporting platform, CSIRT routing, and the three-tier cascade.

    9 min read

  • tutorial

    CRA September 2026 reporting checklist — preparation for the 24-hour rule

    Practical checklist for manufacturers preparing for 11 September 2026 — when CRA Article 14 reporting to ENISA becomes mandatory. Workflow, accounts, escalation, monitoring.

    9 min read

Put this into practice

Free tools & references

  • CRA Readiness CheckerScore your product against the Cyber Resilience Act essential requirements.Open tool →
  • EU Directive SelectorDescribe your product and find which EU directives and regulations apply.Open tool →

New to the terminology? Browse the compliance glossary — plain-English, citation-backed definitions of every term above.

Reserve your spot — launching September 2026

One email at launch · cancel any time

← Back to Library

Cenitia

The EU compliance engine for hardware manufacturers. Cited drafts, electronic signing, regulation watching — all in one place.

A product of Inovasense s.r.o., Bratislava, Slovakia · Data hosted in Stockholm, EU

Site

  • How it works
  • Library
  • Glossary
  • Regulations
  • By product type
  • Tools
  • About

Legal

  • Imprint
  • Privacy
  • Terms

© 2026 Inovasense s.r.o. · cenitia.com

EU sovereign · EU data residency by design · Customer data never trains models