ARCS / ISO/IEC 27001:2022 and ISO/IEC 27002:2022 Crosswalk
Source-element links point to official public source materials where stable public URLs are available. For standards or criteria that do not expose freely accessible clause-level text, links point to the official product, browsing, or reference page. The mapping remains informative.
ISO/IEC 27001 clause links use the ISO Online Browsing Platform where available. ISO/IEC 27002 references use the official ISO product page. ARCS does not reproduce ISO requirement text.
Overview
ISO/IEC 27001:2022 specifies requirements for an information security management system. ISO/IEC 27002:2022 provides guidance for information security controls.
ARCS is a separate lifecycle-governance standard for records created during AI system use. This crosswalk identifies where ARCS supports ISMS evidence discipline for AI interaction records.
Interpretive status
This instrument is an informative crosswalk. It is intended for governance alignment and implementation planning. It is not an ISO/IEC 27001 implementation guide, not an ISO/IEC 27002 control guide, and not a certification or conformity assessment instrument.
Framework scope
ISO/IEC 27001 addresses management-system requirements for information security. ISO/IEC 27002 provides control guidance. Together they address broad information security governance, risk treatment, documented information, operational control, performance evaluation, and improvement.
ARCS relevance
ARCS addresses the narrower record layer created by AI systems: interaction records, governance records, agent records, delegation records, custody surfaces, publish-boundary events, preservation state, and verification evidence.
Selected mappings
Table A maps selected ISO/IEC 27001 and ISO/IEC 27002 themes to ARCS control families. The mapping is directional and explanatory, not a clause-by-clause equivalence claim.
| ISO/IEC theme | Reference | ARCS families | Crosswalk note |
|---|---|---|---|
| ISMS context and scope (Clause 4) | ISO/IEC 27001:2022 Clauses 4.1, 4.2, 4.3, 4.4 | ARCS-OPB, ARCS-CUS, ARCS-TAX | ISO/IEC 27001 requires the organization to define the context and scope of its information security management system. ARCS contributes a record-surface view of that scope by identifying operator boundaries, custody surfaces, and interaction-record taxonomies that may otherwise be hidden inside AI-enabled services. |
| Leadership, policy, and responsibility (Clause 5) | ISO/IEC 27001:2022 Clause 5; ISO/IEC 27002:2022 organizational controls | ARCS-OPB, ARCS-LIF, ARCS-VER | ISO/IEC 27001 and ISO/IEC 27002 emphasize policies, roles, and responsibilities. ARCS supplies record-lifecycle responsibilities for retained AI interaction records, including who controls, verifies, preserves, deletes, or exports those records. |
| Information security risk assessment (Clause 6.1.2) | ISO/IEC 27001:2022 Clause 6.1.2 | ARCS-CUS, ARCS-TAX, ARCS-PUB, ARCS-PV | ARCS supports risk assessment by making retained interaction records visible as assets, evidence, and exposure surfaces. The mapping helps identify risks associated with vendor custody, downstream publication, preservation duties, and regulated or sensitive record classes. |
| Information security risk treatment and Statement of Applicability (Clause 6.1.3) | ISO/IEC 27001:2022 Clause 6.1.3 and Annex A | ARCS-LIF, ARCS-NCR, ARCS-VER, ARCS-DEL | Where an organization selects information security controls, ARCS can help express whether record creation, retention, deletion, non-creation, delegation, and verification controls are applicable to AI interaction-record surfaces. |
| Documented information (Clause 7) | ISO/IEC 27001:2022 Clauses 7.2, 7.3, 7.4, 7.5 | ARCS-LIF, ARCS-TAX, ARCS-VER | Documented information is central to management-system operation. ARCS provides classification and lifecycle structure for the records that document AI governance decisions, custody posture, attestation, and verification activity. |
| Operational planning and control (Clause 8) | ISO/IEC 27001:2022 Clause 8 | ARCS-LIF, ARCS-AGT, ARCS-DEL, ARCS-CUS | Operational control of information security processes increasingly includes AI systems, agents, tool use, and delegated workflows. ARCS identifies the records those operations create and the custody controls needed to manage them across operators and vendors. |
| Performance evaluation, monitoring, and internal audit (Clause 9) | ISO/IEC 27001:2022 Clause 9 | ARCS-VER, ARCS-PV, ARCS-LIF | ISO/IEC 27001 requires monitoring, measurement, analysis, evaluation, and internal audit of the ISMS. ARCS supports that activity by making interaction-record lifecycle state, preservation posture, and verification evidence auditable. |
| Improvement and corrective action (Clause 10) | ISO/IEC 27001:2022 Clause 10 | ARCS-VER, ARCS-LIF, ARCS-PUB | When nonconformities or improvement actions involve AI records, ARCS supplies a way to track record-state changes, correction, withdrawal, export, publication, and lifecycle adjustment without confusing those actions with the underlying AI system behavior. |
| ISO/IEC 27002 implementation guidance | ISO/IEC 27002:2022 information security controls | ARCS-OPB, ARCS-CUS, ARCS-PV, ARCS-VER | ISO/IEC 27002 provides implementation guidance for information security controls. ARCS complements that guidance by focusing on AI interaction-record custody, preservation, verification, and boundary documentation rather than general information security control design. |
Outside scope
ARCS governs several record-lifecycle domains that remain distinct from ISO/IEC 27001 certification and ISO/IEC 27002 control guidance:
ISMS certification
ARCS Section 16; ARCS-VER
ARCS conformance does not establish ISO/IEC 27001 certification, readiness, control effectiveness, or audit outcome. Certification remains a separate conformity assessment process.
General information security controls
ARCS does not replace enterprise information security controls, cybersecurity risk management, or ISO/IEC 27002 implementation guidance. It addresses the narrower lifecycle and custody layer for AI interaction records.
Information assets outside the interaction-record layer
ARCS does not classify or govern every organizational information asset. It applies where automated interaction records, governance records, agent records, delegation records, or related custody surfaces are created or retained.
References
ISO/IEC 27001:2022, Information security management systems - Requirements
ISO/IEC 27002:2022, Information security controls
Vega Commons Project, Automated Record Custody Standard (ARCS)