NSAuditor AI EE 0.12.0 — ISO/IEC 27001:2022 Introduced as Fifth Compliance Framework: Per-Annex-A-Code Evidence at Auditor-Canonical Granularity, Statement of Applicability Discipline, ISMS Clauses 4-10 OOS-by-Design, 11 NEW 2022 Controls, 5-Attribute Taxonomy, 2013-to-2022 Transition Discipline, Cloud-Provider Certificate Inheritance Matrix, Penta-Framework One-Scan Workflow
EE 0.12.0 ships ISO/IEC 27001:2022 as fifth supported framework — per-Annex-A-code mapping (17/14/62 across 93), SoA discipline, ISMS Clauses 4-10 OOS, 11 NEW 2022 controls.
LAS VEGAS, NV — May 24, 2026 — Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.12.0 to npm, the Track 3 fifth-framework cycle. ISO/IEC 27001:2022 (published jointly by ISO and IEC in October 2022; the 2013 edition's transition deadline was October 31, 2025) is introduced as the fifth supported compliance framework alongside SOC 2 (AICPA TSC 2017), HIPAA Security Rule §164.312, NIST Cybersecurity Framework 2.0, and PCI DSS v4.0.1. The release pairs with nsauditor-ai@0.1.74 (Community Edition) and nsauditor-ai-agent-skill@0.1.41 in the company's thirty-first consecutive trio-publish.
Coverage is reported at the auditor-canonical per-Annex-A-control level: the granularity at which a certification-body auditor (accredited under ISO/IEC 17021-1) tests controls in Stage 1 (documentation review) and Stage 2 (implementation and operating-effectiveness sampling). Matrix: 17 covered + 14 partial + 62 OOS = 93 across the complete Annex A universe, organized into four themes (A.5 Organizational 37 · A.6 People 8 · A.7 Physical 14 · A.8 Technological 34).
Statement of Applicability discipline at the schema layer
ISO/IEC 27001:2022 Clause 6.1.3 d) requires every organization seeking certification to produce a Statement of Applicability listing, for each Annex A control, its applicability status, the justification if it is excluded, its implementation status, and references to the policies, procedures, and operational records that evidence it. The SoA is the most-tested artifact in the audit; marking a control "Not Applicable" without a defensible risk-treatment justification is a textbook Major Nonconformity.
EE 0.12.0 enforces SoA discipline at the schema layer. Every Annex A control entry carries a soaApplicability field with exactly three permitted values: always-applicable, risk-based-applicable, and excludable-with-justification. Reports pair each control with its implementation status in SoA layout, pre-filling the columns the Lead Auditor reads first.
ISMS Management-System Clauses 4-10 are out of scope by design
ISO/IEC 27001:2022 is not just Annex A. The standard's Clauses 4 through 10 (Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement) describe the management system itself. Without an ISMS there is no certification, no matter how many Annex A controls are technically implemented; a scanner can evidence technical controls, not the management system around them.
EE 0.12.0 frames Clauses 4-10 as OOS-by-design up front. The report cover page enumerates the seven Major Nonconformity classes that map to these clauses (governance, policy, risk management, incident-response program, awareness and training, management review, internal audit) and recommends per-clause operator-side platform pairings (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard ISMS / OneTrust ISMS / Secureframe ISO 27001) for the governance surface. Stating that boundary honestly is the institutional value proposition.
11 NEW 2022 controls surfaced explicitly
The 2022 edition restructured Annex A from 114 controls in 14 domains (2013 edition) into 93 controls in 4 themes, and added 11 NEW controls that did not exist in 2013. Each has a different degree of cloud evidenceability:
- A.5.7 Threat intelligence — OOS (operator-side Threat Intelligence Platform)
- A.5.23 Information security for use of cloud services — COVERED (cloud-provider AOC inheritance substrate)
- A.5.30 ICT readiness for business continuity — OOS (operator-side BCP testing)
- A.7.4 Physical security monitoring — OOS (cloud-provider physical AOC inheritance)
- A.8.9 Configuration management — COVERED (Config recorder substrate)
- A.8.10 Information deletion — PARTIAL (S3 lifecycle + KMS key-deletion substrate)
- A.8.11 Data masking — OOS (application-tier tokenization)
- A.8.12 Data leakage prevention — PARTIAL (Macie + DLP-config substrate)
- A.8.16 Monitoring activities — COVERED (CloudTrail + GuardDuty substrate)
- A.8.23 Web filtering — OOS (operator-side Secure Web Gateway)
- A.8.28 Secure coding — OOS (operator-side SAST/IAST in CI/CD)
5-attribute taxonomy and the NIST-CSF-look-alike trap
The 2022 edition introduced a 5-attribute taxonomy (defined in ISO/IEC 27002:2022) that classifies every Annex A control across controlType (Preventive / Detective / Corrective), informationSecurityProperties (Confidentiality / Integrity / Availability), cybersecurityConcepts, operationalCapabilities (15 named capabilities), and securityDomains (Governance and Ecosystem / Protection / Defence / Resilience).
A subtle but important distinction: cybersecurityConcepts has five values, Identify, Protect, Detect, Respond, Recover. NIST Cybersecurity Framework 2.0 has six Functions, having added Govern (GV) as a top-level Function in February 2024. The two look alike but are not interchangeable, and a control tagged "govern" in an ISO 27001 schema is an error rather than an extension. The EE 0.12.0 schema explicitly rejects govern in the ISO 27001 cybersecurityConcepts field, and the test suite enforces the boundary.
2013-to-2022 transition fully traceable
Every Annex A entry in EE 0.12.0 carries an iso2013Source field with the migration mapping: 35 controls unchanged (same scope, refined wording), 23 renamed (same scope, new identifier), 57 consolidated into 24 (granular 2013 controls merged), and 11 NEW (iso2013Source: null); 35 + 23 + 24 + 11 = 93. The schema rejects 2013-edition control identifiers (A.9.x through A.18.x) as stale, defending against SoA drift in organizations migrating from the prior edition.
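An added example, not NSAuditor AI's own code, of the three schema rules described above (the soaApplicability enum, the rejection of govern in cybersecurityConcepts, and the rejection of stale 2013 identifiers together with the iso2013Source null-only-for-NEW rule) applied to one Annex A entry. Field names, error strings, and the sample entries are assumptions for illustration. It goes one step beyond the page's own statement: besides A.9.x through A.18.x it also treats any three-segment identifier such as A.5.1.1 as 2013-edition, since every 2022 Annex A code is two-level A.<theme>.<n>.

```javascript
// Added example (not NSAuditor AI EE code). Validates one Annex A control entry
// against the ISO/IEC 27001:2022 schema rules described in the text.
// Field names (controlId, soaApplicability, cybersecurityConcepts, iso2013Source)
// are assumptions; iso2013Source is assumed to be null or an array of 2013 codes.

// ISO/IEC 27001:2022 Annex A: four themes and the number of controls in each.
const THEME_SIZE_2022 = { 5: 37, 6: 8, 7: 14, 8: 34 };

// The 11 controls with no 2013 predecessor: iso2013Source must be null.
const NEW_IN_2022 = new Set([
  "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
  "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
]);

const SOA_APPLICABILITY = new Set([
  "always-applicable", "risk-based-applicable", "excludable-with-justification",
]);

// ISO/IEC 27002:2022 cybersecurity concepts: five values. "govern" belongs to
// NIST CSF 2.0 and is rejected here on purpose.
const CYBERSECURITY_CONCEPTS = new Set(["identify", "protect", "detect", "respond", "recover"]);

// 2022 identifiers are two-level: A.<theme 5-8>.<n>.
const ID_2022 = /^A\.([5-8])\.(\d{1,2})$/;
// 2013 identifiers were three-level A.<domain 5-18>.<objective>.<control>
// (e.g. A.9.2.1); any A.9.x to A.18.x prefix is also 2013-only.
const ID_2013 = /^A\.(5|6|7|8|9|1[0-8])\.\d{1,2}\.\d{1,2}$/;
const STALE_2013_DOMAIN = /^A\.(9|1[0-8])\./;

// Returns a list of human-readable errors; an empty list means the entry is valid.
function validateAnnexAEntry(entry) {
  const errors = [];
  const id = String(entry.controlId ?? "");
  let validId = false;

  if (ID_2013.test(id) || STALE_2013_DOMAIN.test(id)) {
    errors.push(`controlId ${id}: stale ISO/IEC 27001:2013 identifier`);
  } else {
    const m = ID_2022.exec(id);
    const n = m ? Number(m[2]) : 0;
    if (!m || n < 1 || n > THEME_SIZE_2022[m[1]]) {
      errors.push(`controlId ${id}: not a 2022 Annex A control (A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34)`);
    } else {
      validId = true;
    }
  }

  if (!SOA_APPLICABILITY.has(entry.soaApplicability)) {
    errors.push(`soaApplicability must be one of: ${[...SOA_APPLICABILITY].join(", ")}`);
  }

  const concepts = Array.isArray(entry.cybersecurityConcepts) ? entry.cybersecurityConcepts : [];
  for (const c of concepts) {
    const lc = String(c).toLowerCase();
    if (!CYBERSECURITY_CONCEPTS.has(lc)) {
      errors.push(`cybersecurityConcepts: "${c}" is not an ISO/IEC 27002:2022 concept` +
        (lc === "govern" ? " (NIST CSF 2.0 Function; not interchangeable)" : ""));
    }
  }

  // Transition traceability: NEW controls have no source; all others need at
  // least one well-formed 2013 identifier.
  if (validId) {
    const src = entry.iso2013Source;
    if (NEW_IN_2022.has(id)) {
      if (src !== null) errors.push(`iso2013Source must be null for NEW 2022 control ${id}`);
    } else if (!Array.isArray(src) || src.length === 0 || !src.every((s) => ID_2013.test(String(s)))) {
      errors.push(`iso2013Source for ${id} must list one or more 2013 identifiers (e.g. A.12.1.2)`);
    }
  }
  return errors;
}

// Constructed sample entries (not taken from any real SoA).
const SAMPLE_ENTRIES = [
  { controlId: "A.8.16", soaApplicability: "always-applicable",
    cybersecurityConcepts: ["detect", "respond"], iso2013Source: null },          // valid NEW control
  { controlId: "A.5.1", soaApplicability: "always-applicable",
    cybersecurityConcepts: ["identify"], iso2013Source: ["A.5.1.1", "A.5.1.2"] }, // valid merged control
  { controlId: "A.9.2.1", soaApplicability: "risk-based-applicable",
    cybersecurityConcepts: ["protect"], iso2013Source: null },                    // stale 2013 id
  { controlId: "A.8.9", soaApplicability: "n/a",
    cybersecurityConcepts: ["govern"], iso2013Source: ["A.12.1.2"] },             // three violations
];

function validateAll(entries) {
  return entries.map((e) => ({ controlId: e.controlId, errors: validateAnnexAEntry(e) }));
}

for (const r of validateAll(SAMPLE_ENTRIES)) {
  console.log(r.controlId, r.errors.length === 0 ? "OK" : r.errors);
}
```

The point of the iso2013Source rule is symmetric: a NEW control carrying a 2013 source is just as much drift as a carried-over control with none, because either one means the SoA was filled in by pattern-matching old rows instead of by the published transition mapping.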
Cloud-Provider Certificate Inheritance Matrix
Theme A.7 Physical security and substantial portions of A.5 are inheritable from cloud-provider ISO 27001:2022 Certificates. EE 0.12.0 renders a Cloud-Provider Certificate Inheritance Matrix on every ISO 27001 report. For the 16 in-scope ISO controls, the matrix names the specific cloud-provider Certificate currently inheritable across AWS / Azure / GCP, with annual currency-revisit cadence and a footer that explicitly names Theme A.7 inheritance scope.
Penta-framework one-scan workflow
The penta-framework one-scan workflow ships today: nsauditor-ai scan --host aws --plugins all --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001 --out evidence/ produces five complete auditor-ready evidence packs from a single scan. Cross-framework citation isolation is enforced for all ten framework pairs (C(5,2) = 10) with narrow regex defenses across 28 paired assertions: SOC 2 reports cite only CC IDs; HIPAA reports cite only §164.312 specifications; NIST reports cite only Subcategory IDs; PCI reports cite only Req-x.y.z sub-requirements; ISO 27001 reports cite only Annex A codes.
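An added example, not NSAuditor AI's own code, of the citation-isolation check the paired assertions above describe: one narrow citation regex per framework, and a function that reports any other framework's citation format found in a report. The regexes, framework names, and sample report text are assumptions for illustration.

```javascript
// Added example (not NSAuditor AI EE code). Cross-framework citation isolation:
// each framework gets one deliberately narrow citation pattern, so a report for
// framework X is "isolated" when no other framework's pattern matches its text.
// Patterns and framework names are assumptions for illustration.
const CITATION_PATTERNS = {
  "soc2":      /\bCC\d\.\d{1,2}\b/g,                           // CC6.1
  "hipaa":     /§\s?164\.312(?:\([a-z0-9]{1,3}\))*/g,         // §164.312(a)(2)(iv)
  "nist-csf":  /\b(?:GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}\b/g,   // PR.AA-01
  "pci-dss":   /\bReq-\d{1,2}\.\d{1,2}\.\d{1,2}\b/g,          // Req-8.3.6
  "iso-27001": /\bA\.[5-8]\.\d{1,2}\b(?!\.\d)/g,              // A.8.16 (two-level 2022 code only)
};

// Returns { framework: [citations] } for every other framework whose citation
// format appears in reportText. An empty object means the report is isolated.
function foreignCitations(reportText, framework) {
  if (!(framework in CITATION_PATTERNS)) throw new Error(`unknown framework ${framework}`);
  const leaks = {};
  for (const [name, pattern] of Object.entries(CITATION_PATTERNS)) {
    if (name === framework) continue;
    const found = reportText.match(pattern) || [];
    if (found.length > 0) leaks[name] = [...new Set(found)];
  }
  return leaks;
}

function isIsolated(reportText, framework) {
  return Object.keys(foreignCitations(reportText, framework)).length === 0;
}

// All C(5,2) = 10 unordered framework pairs, for exhaustive pairwise assertions.
function frameworkPairs() {
  const names = Object.keys(CITATION_PATTERNS);
  const pairs = [];
  for (let i = 0; i < names.length; i++) {
    for (let j = i + 1; j < names.length; j++) pairs.push([names[i], names[j]]);
  }
  return pairs;
}

// Constructed sample report text (not the output of any real scan).
const ISO_REPORT_CLEAN =
  "A.8.16 Monitoring activities: COVERED (CloudTrail trail multi-region). " +
  "A.8.9 Configuration management: COVERED (Config recorder on).";
const ISO_REPORT_LEAKY =
  ISO_REPORT_CLEAN + " See also CC7.2 and §164.312(b) for the same evidence.";

console.log("pairs:", frameworkPairs().length);
console.log("clean isolated:", isIsolated(ISO_REPORT_CLEAN, "iso-27001"));
console.log("leaky report leaks:", foreignCitations(ISO_REPORT_LEAKY, "iso-27001"));
```

The ISO pattern's trailing negative lookahead is what keeps it narrow: a three-segment 2013 code such as A.9.2.1 or A.5.1.1 is not counted as an Annex A citation, so a stale identifier surfaces through the schema check rather than being silently accepted as an ISO citation.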
Trust posture
Zero data exfiltration remains the architecture. Information assets, ePHI, Cardholder Data, and cloud credentials never leave the customer's infrastructure. No Business Associate Agreement is required: because the vendor never receives ePHI, it does not meet the definition of a business associate in HIPAA §160.103. Air-gapped deployment is supported via the offline NVD JSON 2.0 importer for federal-contractor, DFARS, CMMC, and payment-processing Cardholder Data Environment isolation threat models.
Regression posture
EE 6273/6273 tests across 1026 suites GREEN (+37 net new tests vs the EE 0.11.1 baseline). The 77-session 100% green test streak is preserved and extended. Plugin count UNCHANGED at 24. All four prior framework coverage matrices UNCHANGED. A live AWS penta-framework smoke run passed against test-infra-builder fixtures, with 52 evidence artifacts archived for reproduction.
Install
npm install -g nsauditor-ai@0.1.74 @nsasoft/nsauditor-ai-ee@0.12.0
npm install nsauditor-ai-agent-skill@0.1.41
More: NSAuditor AI Enterprise Edition · ISO/IEC 27001:2022 coverage matrix · SOC 2 coverage · HIPAA §164.312 coverage · NIST CSF 2.0 coverage · PCI DSS v4.0.1 coverage
About Nsasoft US LLC — Nsasoft builds AI-powered network security and data recovery tools. NSAuditor AI is an open-source, zero-data-exfiltration scanner with 51 plugins (27 Community + 24 Enterprise) and air-gapped licensing that runs entirely on your infrastructure.