ISO/IEC 27001 vs CRA — when to certify both
ISO/IEC 27001:2022 is an organisational ISMS standard; the EU Cyber Resilience Act is a product-level regulation. Where they overlap, where they don't, and why you need both.
By Vladimír Vician
Many hardware teams arrive at compliance planning carrying an ISO/IEC 27001 certificate they earned for enterprise procurement and assume it covers their obligations under the EU Cyber Resilience Act. It does not — at least not on its own. ISO/IEC 27001 is an organisational management-system standard published jointly by ISO and IEC; the CRA is a product-safety regulation in the New Legislative Framework family, sitting alongside the Radio Equipment Directive, EMC, LVD and the Machinery Regulation.
This article walks through the structural differences, the genuine overlap in vulnerability handling, and the practical decision: when to pursue both, when to defer one, and how to make ISMS evidence reusable in a Notified Body assessment.
Two different objects of regulation
The first and most important distinction is structural.
| Dimension | ISO/IEC 27001:2022 | CRA — Regulation (EU) 2024/2847 |
|---|---|---|
| Object certified | The organisation's ISMS | The product with digital elements |
| Legal nature | Voluntary international standard | Binding EU regulation (CE marking) |
| Governing body | ISO + IEC | European Commission + market surveillance |
| Evidence | ISMS scope, risk register, SoA, Annex A controls | Technical file, EU DoC, Annex I conformity |
| Audit cycle | 3-year cycle with annual surveillance | Conformity assessment + ongoing post-market |
| Sanctions | Loss of certificate | Up to €15M or 2.5% of worldwide turnover |
ISO/IEC 27001 is described by ISO as a standard that "specifies requirements for establishing, implementing, maintaining and continually improving an information security management system". Certification is awarded by accredited registrars after a three-stage audit (Stage 1 documentation review, Stage 2 implementation audit, surveillance audits). It says nothing about whether your product meets any specific security property; it says your organisation manages risk to information assets in a systematic way.
The CRA, by contrast, is a product regulation. Article 13 places duties on the manufacturer to ensure products with digital elements "comply with essential cybersecurity requirements" in Annex I, prepare technical documentation, draw up an EU Declaration of Conformity, and affix the CE marking before placing the product on the market.
Inside ISO/IEC 27001:2022 — clauses and Annex A
The 2022 edition restructured Annex A significantly. The previous 2013 version had 114 controls across 14 domains. The current standard consolidates these into 93 controls organised into four themes:
| Theme | Number of controls | Examples |
|---|---|---|
| Organizational | 37 | Information security policy, supplier relationships, threat intelligence |
| People | 8 | Screening, terms of employment, awareness training |
| Physical | 14 | Physical perimeter, secure disposal, equipment maintenance |
| Technological | 34 | Access control, cryptography, secure development, logging |
The management-system requirements themselves sit in Clauses 4 to 10 of the main body: context of the organisation, leadership, planning (including risk assessment), support, operation, performance evaluation, and improvement. These clauses follow the harmonised ISO management-system structure also used by ISO 9001 and ISO 14001 — meaning a Statement of Applicability (SoA) is the bridge between Clause 6 risk treatment and the Annex A controls you actually deploy.
ISO/IEC 27002:2022 provides implementation guidance for each of the 93 controls but is not itself certifiable.
Inside the CRA — Annex I as the conformity target
The CRA's substantive product requirements live in Annex I, split into two parts.
Annex I Part I — Essential cybersecurity requirements (security properties). Products must be "designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks" and "delivered without any known exploitable vulnerabilities". The listed properties include secure default configuration, protection against unauthorised access, confidentiality and integrity of data, data minimisation, availability of essential functions, attack-surface reduction, exploitation mitigation, security monitoring, and a secure update mechanism.
Annex I Part II — Vulnerability handling requirements. Manufacturers must identify and document vulnerabilities and components (including a machine-readable SBOM), remediate without delay, conduct effective security testing, publicly disclose information about fixed vulnerabilities, operate a coordinated disclosure policy, facilitate vulnerability reporting via a single point of contact, distribute updates securely and "without delay and free of charge", and provide accompanying advisories.
Conformity is assessed via the modules in Annex VIII — predominantly Module A (self-assessment) for default products, Module B+C (EU-type examination) or H (full quality assurance) for important and critical products listed in Annex III/IV.
One email at launch · cancel any time
Where the two overlap — and where they don't
The genuine overlap is in vulnerability handling and secure development lifecycle. A mature ISMS audited under ISO/IEC 27001:2022 should already evidence:
- Coordinated vulnerability disclosure (Annex A.5.5, A.5.7) — maps to CRA Annex I Part II §5, §6.
- Information-security incident management (Annex A.5.24–A.5.28) — maps to CRA Article 14 incident reporting and Annex I Part II §3.
- Secure development lifecycle (Annex A.8.25–A.8.31) — supports CRA Annex I Part I "appropriate level of cybersecurity based on the risks".
- Supplier and third-party risk management (Annex A.5.19–A.5.23) — supports the CRA "due diligence" duty on integrated components.
- Configuration management and secure-by-default principles (Annex A.8.9, A.8.27).
Where the standards do not overlap:
- ISO/IEC 27001 says nothing about CE marking, the EU Declaration of Conformity, or notified-body involvement.
- ISO/IEC 27001 does not test product-level security properties — your ISMS audit will not verify whether the product is delivered "without any known exploitable vulnerabilities" or whether secure defaults are correctly implemented.
- ISO/IEC 27001 does not impose the CRA's 24-hour and 72-hour ENISA reporting timers for actively exploited vulnerabilities and severe incidents.
- ISO/IEC 27001 imposes no 10-year technical-file retention or 5-year minimum support period.
A Notified Body can accept ISMS evidence as partial substantiation of CRA Annex I Part II conformity — particularly for Modules B/C and H — but cannot waive product-level testing for Annex I Part I.
A practical decision matrix
| Your situation | Recommendation |
|---|---|
| Pre-revenue hardware MVP, no enterprise buyers yet | CRA first. Defer ISO/IEC 27001 until enterprise sales demand it. |
| Selling to public sector, defence, banking, healthcare | Both. ISO/IEC 27001 is often a procurement gate; CRA is mandatory anyway. |
| SaaS-only product no embedded device | CRA still applies to "software products" — verify scope first. ISO/IEC 27001 is the typical commercial signal. |
| Hardware vendor already SOC 2 Type II certified | Map SOC 2 controls to Annex A. CRA work remains separate. |
| Class I/II "important" product under Annex III | CRA Module B+C or H is mandatory. Pre-existing ISO 27001 will materially shorten NB audit time. |
Common mistakes
- Treating an ISO/IEC 27001 certificate as a CRA exemption. It is not. The CRA requires CE marking and an EU DoC against Annex I — independent of any ISMS certificate.
- Confusing ISO/IEC 27001 with ISO/IEC 62443 or EN 18031. Product-level cybersecurity standards (62443 for industrial automation, EN 18031 for radio equipment) are testable against products. ISO/IEC 27001 is not.
- Scoping the ISMS to exclude the product team. If product engineering and the secure-development lifecycle are outside the ISMS scope, you cannot reuse ISMS evidence for CRA conformity.
- Ignoring the SoA. Annex A controls in 27001:2022 are reference controls; the Statement of Applicability is what binds your specific ISMS to them. Notified Bodies will ask to see it.
- Assuming ISO/IEC 27001 covers ENISA reporting timers. It doesn't. The 24-hour early warning and 72-hour notification duties from 11 September 2026 are CRA-specific.
How Cenitia helps
Cenitia is built around the CRA conformity workflow — technical file, EU DoC, Annex I evidence, vulnerability-handling artefacts, ENISA reporting timers and the SBOM lifecycle — for connectable hardware vendors. When a customer also holds (or is pursuing) ISO/IEC 27001, the platform maps the customer's existing Annex A controls and ISMS procedures onto the CRA Annex I Part II vulnerability-handling clauses so the same evidence can be reused in a Notified Body audit without duplication.
We do not issue ISO/IEC 27001 certificates — that remains the role of accredited registrars such as BSI, TÜV, DEKRA or SGS. What we do is reduce the time it takes to demonstrate that a product is CRA-conformant, and surface where your existing ISMS already does the work so you don't pay for it twice.
One email at launch · cancel any time
Frequently asked questions
Does ISO/IEC 27001 certification satisfy the CRA?
No. ISO/IEC 27001:2022 certifies an organisation's Information Security Management System (ISMS). The CRA (Regulation (EU) 2024/2847) regulates products with digital elements placed on the EU market. The CRA requires CE marking, an EU Declaration of Conformity, and conformity assessment against Annex I — none of which ISO/IEC 27001 alone delivers.
How many controls does ISO/IEC 27001:2022 Annex A contain?
The 2022 revision of ISO/IEC 27001 lists 93 controls in Annex A, organised into four themes: Organizational (37), People (8), Physical (14) and Technological (34). The previous 2013 version had 114 controls in 14 domains; the 2022 update consolidated and restructured them.
Where does ISO/IEC 27001 overlap with CRA Annex I Part II?
Annex A.5 (Information security incident management) and the broader operational controls overlap with CRA Annex I Part II vulnerability-handling duties: coordinated disclosure policy, secure-update distribution, SBOM maintenance, and timely remediation. ISO 27001 demonstrates the organisational process; the CRA still requires product-level evidence.
When does the CRA apply?
Regulation (EU) 2024/2847 entered into force on 10 December 2024. Reporting obligations (actively exploited vulnerabilities and severe incidents) apply from 11 September 2026. The main product obligations — including CE marking against Annex I — apply from 11 December 2027.
If I have ISO/IEC 27001, can my Notified Body reuse it for CRA conformity assessment?
Partially. A Notified Body assessing a Class I or Class II 'important' product under the CRA can credit ISMS evidence for vulnerability-handling processes, secure-development lifecycle and incident management. But product-level testing against Annex I Part I (secure defaults, attack surface, update mechanism, etc.) is separate. Confirm scope with your Notified Body before relying on cross-recognition.
Should small hardware vendors pursue both?
For most MVP-stage hardware vendors the priority is CRA conformity (mandatory from December 2027). ISO/IEC 27001 is voluntary but increasingly demanded by enterprise customers and public-sector buyers. A pragmatic order: build CRA-compliant processes first, then formalise them under an ISMS once revenue justifies the audit cost (typically €15–40k initial certification plus annual surveillance).
Related from the Library
- CRA Annex I — essential cybersecurity requirements explained — the product-level requirements ISO 27001 does not test.
- CRA vs NIS2 — where they overlap — a parallel comparison for organisations subject to both directives.
- CRA timeline and reporting obligations — the September 2026 and December 2027 dates that determine your runway.
- Conformity assessment modules A to H — how Notified Body involvement is determined.
- SBOM — CycloneDX vs SPDX for hardware — supporting the Annex I Part II SBOM requirement.
Further reading
- Regulation (EU) 2024/2847 — Cyber Resilience Act (EUR-Lex) — the official consolidated text.
- European Commission — Cyber Resilience Act policy page — Commission policy explanation and FAQs.
- ISO/IEC 27001:2022 (ISO Standards catalogue) — the canonical standard page.
- ISO/IEC 27002:2022 — implementation guidance for the 93 Annex A controls.
- ENISA — Cyber Resilience Act resources — single reporting platform guidance.
- CRA Annex I full text mirror — readable cross-reference for Annex I Parts I and II.
- Article 13 of the CRA — manufacturer obligations — the binding duty linking products to Annex I.
Last reviewed: 5 July 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.
FAQ
Frequently asked questions
Does ISO/IEC 27001 certification satisfy the CRA?
No. ISO/IEC 27001:2022 certifies an organisation's Information Security Management System (ISMS). The CRA (Regulation (EU) 2024/2847) regulates products with digital elements placed on the EU market. The CRA requires CE marking, an EU Declaration of Conformity, and conformity assessment against Annex I — none of which ISO/IEC 27001 alone delivers.
How many controls does ISO/IEC 27001:2022 Annex A contain?
The 2022 revision of ISO/IEC 27001 lists 93 controls in Annex A, organised into four themes: Organizational (37), People (8), Physical (14) and Technological (34). The previous 2013 version had 114 controls in 14 domains; the 2022 update consolidated and restructured them.
Where does ISO/IEC 27001 overlap with CRA Annex I Part II?
Annex A.5 (Information security incident management) and the broader operational controls overlap with CRA Annex I Part II vulnerability-handling duties: coordinated disclosure policy, secure-update distribution, SBOM maintenance, and timely remediation. ISO 27001 demonstrates the organisational process; the CRA still requires product-level evidence.
When does the CRA apply?
Regulation (EU) 2024/2847 entered into force on 10 December 2024. Reporting obligations (actively exploited vulnerabilities and severe incidents) apply from 11 September 2026. The main product obligations — including CE marking against Annex I — apply from 11 December 2027.
If I have ISO/IEC 27001, can my Notified Body reuse it for CRA conformity assessment?
Partially. A Notified Body assessing a Class I or Class II 'important' product under the CRA can credit ISMS evidence for vulnerability-handling processes, secure-development lifecycle and incident management. But product-level testing against Annex I Part I (secure defaults, attack surface, update mechanism, etc.) is separate. Confirm scope with your Notified Body before relying on cross-recognition.
Should small hardware vendors pursue both?
For most MVP-stage hardware vendors the priority is CRA conformity (mandatory from December 2027). ISO/IEC 27001 is voluntary but increasingly demanded by enterprise customers and public-sector buyers. A pragmatic order: build CRA-compliant processes first, then formalise them under an ISMS once revenue justifies the audit cost (typically €15–40k initial certification plus annual surveillance).
Continue reading
Related guides
reference
CRA for existing products already on the EU market: the Article 69 transitional rules
CRA Article 69 explained: grandfathering for products placed on the EU market before 11 December 2027, substantial modification test, Article 14 reporting carve-back.
12 min read
tutorial
CRA December 2027 readiness — the 18-month roadmap to full conformity
18-month preparation roadmap to 11 December 2027 CRA full application. Quarterly milestones for Annex I conformity, Technical File, DoC, and Notified Body engagement.
10 min read
tutorial
CRA ENISA 24-hour reporting — the early warning rule in operational detail
Operational walkthrough of CRA Article 14 reporting: the 24-hour early warning content, the ENISA single reporting platform, CSIRT routing, and the three-tier cascade.
9 min read
tutorial
CRA September 2026 reporting checklist — preparation for the 24-hour rule
Practical checklist for manufacturers preparing for 11 September 2026 — when CRA Article 14 reporting to ENISA becomes mandatory. Workflow, accounts, escalation, monitoring.
9 min read
Put this into practice
Free tools & references
- CRA Readiness CheckerScore your product against the Cyber Resilience Act essential requirements.Open tool →
- EU Directive SelectorDescribe your product and find which EU directives and regulations apply.Open tool →
New to the terminology? Browse the compliance glossary — plain-English, citation-backed definitions of every term above.