Leveraging Wazuh for ISO 27001 Compliance
In the evolving cybersecurity landscape of 2024-2025, organizations implementing Information Security Management Systems (ISMS) need robust tools to validate ISO 27001:2022 controls and present compelling evidence to auditors.
For this, Wazuh has emerged as a powerful ally to demonstrate compliance with the updated standard's controls across four key categories.
Recent Wazuh Enhancements Supporting ISO 27001:2022
Wazuh's recent releases have significantly strengthened its compliance capabilities.
Version 4.8.0 introduced a redesigned Vulnerability Detector module with centralized threat intelligence feeds, while version 4.9.0 added journald log support and AWS Security Hub integration.
The latest 4.12.0 release includes Cyber Threat Intelligence (CTI) references within vulnerability detection results and enhanced File Integrity Monitoring with eBPF support for Linux endpoints.
Mapping Wazuh Capabilities to ISO 27001:2022 Controls
This post explores how Wazuh's features map to key control categories of ISO 27001:2022.
While we will highlight several high-impact examples, please note that this is not an exhaustive list.
The versatility of Wazuh means it can support a much broader range of controls than detailed here, making it a flexible cornerstone for a modern ISMS.
Organisational Controls (A.5)
A.5.7 Threat Intelligence: Wazuh's own CTI platform and its integration with threat intelligence feeds including VirusTotal, AlienVault OTX, and MISP directly support this new control. The platform's integration with the MITRE ATT&CK framework provides comprehensive threat actor intelligence and indicators of compromise.
A.5.16 Identity Management: Wazuh's log analysis capabilities monitor authentication events across diverse systems, providing evidence of identity management effectiveness.
A.5.28 Collection of Evidence: The platform's centralized log collection and forensic capabilities directly address evidence preservation requirements for incident response. Although built-in immutability features would make it ideal, organizations can rely on Wazuh's solid OpenSearch-based indexer to ensure logs are retained durably.
People Controls (A.6)
A.6.8 Information Security Event Reporting: Wazuh's real-time alerting system and customizable dashboards enable organizations to demonstrate proper incident reporting procedures.
Technological Controls (A.8)
A.8.15 Logging and A.8.16 Monitoring Activities: These controls are core Wazuh strengths, with comprehensive log collection, analysis, and real-time monitoring capabilities, even across multiple cloud providers.
Examples
Security Configuration Assessment
Wazuh's Security Configuration Assessment (SCA) module performs automated compliance checking against industry standards.
Organizations can demonstrate compliance with controls like A.8.9 Configuration Management by presenting SCA scan results showing adherence to CIS benchmarks and custom security policies.
For example, SCA rule 28653 validates SSH session timeout configurations on Ubuntu 22.04 endpoints, directly supporting A.8.2 Privileged Access Rights requirements.
Vulnerability Management
Consider implementing A.8.8 Management of Technical Vulnerabilities. Organizations can configure Wazuh's redesigned Vulnerability Detector to scan endpoints against the centralized CTI repository, automatically identifying vulnerabilities from Canonical, Debian, Red Hat, and Microsoft sources. The resulting reports provide auditors with evidence of:
- Systematic vulnerability identification processes
- Risk-based prioritization using CVSS scores
- Remediation tracking and timeline compliance (with a designated tool like Jira)
- Integration with change management processes
Alert IDs, rule IDs and timestamps make it straightforward to build a complete chain linking the initial alert, the rule definition that produced it, and every action taken to resolve it.
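As an added example (not code from this post or from the Wazuh project), the following Python script builds that alert-to-remediation chain from a constructed excerpt of Wazuh's alerts.json: it pairs each "Active" vulnerability alert with the "Solved" alert for the same agent and CVE, carries the alert IDs, rule IDs and timestamps through as the auditor's trace, orders findings by CVSS score and checks time-to-remediate against an SLA table. The alert field layout, the rule IDs, the CVE numbers and the SLA values are all assumptions made for the demo.

```python
import json
from datetime import datetime

# Constructed excerpt of a Wazuh alerts.json file (one JSON object per line).
# The field layout is assumed to follow Wazuh's vulnerability-detector alerts;
# the alert IDs, rule IDs, agent, CVE numbers, scores and timestamps are made up.
SAMPLE_ALERTS = """\
{"id":"1740816000.1001","timestamp":"2025-03-01T08:00:00.000+0000","rule":{"id":"23505","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"web-01"},"data":{"vulnerability":{"cve":"CVE-0000-0001","status":"Active","package":{"name":"openssl"},"cvss":{"cvss3":{"base_score":"8.1"}}}}}
{"id":"1740816001.1002","timestamp":"2025-03-01T08:00:01.000+0000","rule":{"id":"23504","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"web-01"},"data":{"vulnerability":{"cve":"CVE-0000-0002","status":"Active","package":{"name":"curl"},"cvss":{"cvss3":{"base_score":"5.3"}}}}}
{"id":"1741109400.2001","timestamp":"2025-03-04T17:30:00.000+0000","rule":{"id":"23502","groups":["vulnerability-detector"]},"agent":{"id":"001","name":"web-01"},"data":{"vulnerability":{"cve":"CVE-0000-0001","status":"Solved","package":{"name":"openssl"},"cvss":{"cvss3":{"base_score":"8.1"}}}}}
{"id":"1740816002.1003","timestamp":"2025-03-01T08:00:02.000+0000","rule":{"id":"5501","groups":["pam","syslog"]},"agent":{"id":"001","name":"web-01"},"data":{}}
"""
# Example remediation deadlines per CVSS v3 qualitative band (assumed policy).
SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}

def cvss_band(score):
    """CVSS v3.x qualitative severity rating for a numeric base score."""
    return ("Critical" if score >= 9.0 else "High" if score >= 7.0
            else "Medium" if score >= 4.0 else "Low")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def build_evidence(ndjson_text):
    """Pair each 'Active' vulnerability alert with the 'Solved' alert for the same
    agent and CVE, keeping alert IDs, rule IDs and timestamps for traceability."""
    findings = {}
    for line in filter(None, ndjson_text.splitlines()):
        a = json.loads(line)
        if "vulnerability-detector" not in a["rule"].get("groups", []):
            continue  # unrelated alert (e.g. an authentication event)
        v = a["data"]["vulnerability"]
        row = findings.setdefault((a["agent"]["id"], v["cve"]), {
            "agent": a["agent"]["name"], "cve": v["cve"],
            "package": v["package"]["name"],
            "cvss": float(v["cvss"]["cvss3"]["base_score"])})
        slot = "detected" if v["status"] == "Active" else "solved"
        ref = {"alert_id": a["id"], "rule_id": a["rule"]["id"], "timestamp": a["timestamp"]}
        if slot not in row or parse_ts(ref["timestamp"]) < parse_ts(row[slot]["timestamp"]):
            row[slot] = ref  # keep the earliest alert of each kind
    rows = []
    for row in findings.values():
        row["band"] = cvss_band(row["cvss"])
        row["days_to_remediate"] = row["within_sla"] = None  # still open
        if "detected" in row and "solved" in row:
            delta = parse_ts(row["solved"]["timestamp"]) - parse_ts(row["detected"]["timestamp"])
            row["days_to_remediate"] = round(delta.total_seconds() / 86400, 2)
            row["within_sla"] = row["days_to_remediate"] <= SLA_DAYS[row["band"]]
        rows.append(row)
    return sorted(rows, key=lambda r: -r["cvss"])  # risk-based prioritization
```

Each returned row can be exported directly into a ticketing tool such as Jira, with the two alert IDs serving as the immutable link back to the Wazuh record.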
Presenting Evidence to Auditors
When presenting Wazuh evidence to ISO 27001 auditors, organizations should focus on three key evidence types:
- Written Evidence: SCA policy documents, custom rule configurations, and compliance dashboards.
- Activity Evidence: Log analysis reports, incident response records, and configuration change tracking.
- Performance Evidence: Metrics showing control effectiveness over time.
Auditors typically examine the Statement of Applicability (SoA) mapping controls to implemented measures.
Wazuh's compliance dashboards provide real-time visibility into control effectiveness, while its reporting capabilities generate audit trails demonstrating continuous monitoring.
Conclusion
Wazuh's enhancements through 2025 position it as a comprehensive solution for ISO 27001:2022 compliance.
By leveraging its capabilities, organizations can present compelling evidence to auditors while maintaining continuous compliance monitoring.
It could go further still with native mapping of ISO 27001 controls (for example, remapping the integrated NIST 800-53 control references to ISO 27001:2022).
This makes it a foundational component in a functional and continuously improving Information Security Management System (ISMS), enabling organizations to maintain compliance, adapt to evolving threats, and drive security maturity over time.