CRA vs ISO 27001: The Compliance Gaps Your ISMS Won't Cover

Does ISO 27001 cover the Cyber Resilience Act? Not fully. Maps the exact gaps, what your ISMS transfers, and what you still need before the 2027 deadline.

CRA Evidence Team Published January 12, 2026 Updated May 30, 2026
CRA vs ISO 27001: Compliance Gaps Your ISMS Won't Cover
In this article

If your company is ISO 27001 certified, you might assume you are well-positioned for the Cyber Resilience Act (CRA). You are not. At least not without significant additional work.

ISO 27001 protects your organization's information assets. The Cyber Resilience Act (Regulation (EU) 2024/2847) requires that every product with digital elements you place on the EU market is secure by design, ships with a software bill of materials (SBOM), and is supported with security updates for its expected lifetime. These are product-level obligations, not organizational ones. Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover (Art. 64). See the CRA penalties guide.

Article 14 reporting obligations start September 11, 2026. Full compliance is required by December 11, 2027. See the full CRA implementation timeline.

This guide on ISO 27001 vs CRA maps exactly where your ISMS helps, where it falls short, and what you need to add.

Summary

  • ISO 27001 = organizational/enterprise security management
  • CRA = product cybersecurity requirements (Annex I, Regulation (EU) 2024/2847)
  • ISO 27001 does NOT equal CRA compliance
  • ISO 27001 provides a foundation for secure development processes
  • CRA requires product-specific evidence: SBOM, vulnerability handling, CE marking
  • Both together = strong overall security posture
EUR 15M
Maximum fine
or 2.5% of global annual turnover
11 Sep 2026
Article 14 reporting
vulnerability obligations begin
11 Dec 2027
Full CRA application
conformity assessment required
5 years
Minimum support
or expected product lifetime (Art. 13(8))

Source: Regulation (EU) 2024/2847, Articles 13, 14 and 64.

What Does ISO 27001 Cover vs What the CRA Requires?

What ISO 27001 Covers

ISO 27001 is an information security management system (ISMS) standard for organization-level controls.

Organization-level controls
  • Information security policies
  • Asset management
  • Access control to systems and data
  • Cryptography use
  • Physical, operations, and communications security
  • Supplier relationships
  • Incident management
  • Business continuity
  • Compliance management

Focus: protecting your organization's information assets.

What CRA Covers

CRA is a product regulation covering cybersecurity requirements for products with digital elements (Annex I).

Product-level requirements
  • Security-by-design in products
  • No known exploitable vulnerabilities
  • Secure default configuration
  • Protection from unauthorized access in the product
  • Product data protection and update capability
  • Vulnerability handling and ENISA reporting
  • SBOM for product components (Annex I, Part II(1))
  • Coordinated vulnerability disclosure policy (Annex I, Part II(5))
  • Public vulnerability contact (Annex I, Part II(6))
  • CE marking and conformity assessment

Focus: ensuring products you sell are secure.

The CRA classifies products into categories: default, Important Class I, Important Class II, and Critical (Annex III and IV). Each category carries different conformity assessment requirements. An Important Class II product requires mandatory third-party assessment by a notified body, regardless of your ISO 27001 certification status. See the CRA product classification guide.

The Fundamental Difference

ISO 27001 vs CRA: Security Coverage Layers diagram showing three stacked layers: organizational security covered by ISO 27001, shared development processes, and product security required by CRA

ISO 27001 vs CRA SCOPE

ISO 27001:
"How does your ORGANIZATION manage security?"
+---------------------------------------------+
| Your Company                                |
| +---------+ +---------+ +---------+         |
| | Systems | | Data    | | People  |         |
| \---------+ \---------+ \---------+         |
| +---------+ +---------+ +---------+         |
| | Process | | Network | | Facilit |         |
| \---------+ \---------+ \---------+         |
\---------------------------------------------+

CRA:
"How secure are the PRODUCTS you sell?"
+---------------------------------------------+
| Your Products (sold to customers)           |
| +---------+ +---------+ +---------+         |
| |Product A| |Product B| |Product C|         |
| \---------+ \---------+ \---------+         |
|                                             |
| Each product must meet CRA requirements     |
\---------------------------------------------+

Where ISO 27001 Helps CRA and Where It Falls Short

Where ISO 27001 Helps CRA

CRA Requirement ISO 27001 Support How It Helps
Secure development A.8.25-28 (Secure development) Process foundation
Vulnerability handling A.8.8 (Technical vulnerabilities) Organizational process
Incident response A.5.24-26 (Incident management) Response capability
Supplier management A.5.19-22 (Supplier relationships) Supply chain security
Access control A.5.15-18, A.8.2-5 Development environment security
Cryptography A.8.24 (Cryptography) Crypto policy foundation
Documentation A.5.1 (Policies), 7.5 (Documented info) Documentation culture
Risk assessment 6.1 (Risk assessment) Risk methodology

Where ISO 27001 Falls Short

CRA Requirement ISO 27001 Gap What's Missing
SBOM Partial: A.8.26/A.8.28 cover component awareness, not machine-readable SBOM format Machine-readable SBOM covering top-level dependencies, e.g. CycloneDX or SPDX (Annex I, Part II(1))
CE marking Not covered Conformity assessment process
Product security testing Limited Product-specific test evidence for technical file
Secure by default Not product-focused Product configuration requirements
Support period Not covered At least 5 years, or expected product lifetime if shorter (Art. 13(8))
ENISA reporting Not covered 24h/72h notification + final report to national CSIRT via Single Reporting Platform (Art. 14)
CVD policy Not covered Documented coordinated vulnerability disclosure policy (Annex I, Part II(5))
Public vulnerability contact Not covered Public contact point for vulnerability reports, e.g., security.txt (Annex I, Part II(6))
User documentation Limited Product security instructions
Technical file Not covered CRA documentation format per Annex VII

Gap Analysis Summary

Strong Foundation (ISO 27001 helps significantly):

  • Security culture and awareness
  • Risk management methodology
  • Incident response capability
  • Supplier security management
  • Secure development lifecycle policies
  • Access control framework
  • Documentation practices

Partial Coverage (ISO 27001 helps but is not sufficient):

  • Vulnerability management (organizational scope vs. product scope)
  • Cryptography (policy vs. product implementation)
  • Security testing (enterprise systems vs. product testing)
  • Change management (IT change vs. product modification)
  • SBOM (component awareness in A.8.26/A.8.28 vs. machine-readable SBOM format)

Gaps (CRA-specific, not covered by ISO 27001):

  • SBOM generation and maintenance in a standardized format
  • Product conformity assessment
  • CE marking process
  • Vulnerability reporting to national CSIRT via Single Reporting Platform (Art. 14)
  • Product-specific technical file (Annex VII)
  • Support period commitment (Art. 13(8))
  • Secure default configuration verification
  • Product update mechanism requirements
  • Coordinated vulnerability disclosure policy (Annex I, Part II(5))
  • Public vulnerability reporting contact (Annex I, Part II(6))

How to Leverage ISO 27001 for CRA

Use Your ISMS as Foundation

If you are ISO 27001 certified, you have strong foundations to build on. The key is extending existing processes toward product obligations rather than starting from scratch.

Extend existing processes:

ISO 27001 Process CRA Extension
Risk Assessment (6.1) Product risk assessment
Vulnerability Mgmt (A.8.8) Product vulnerability handling + CSIRT reporting
Supplier Mgmt (A.5.19-22) SBOM collection from suppliers
Incident Mgmt (A.5.24-26) CSIRT reporting per Art. 14
Secure Dev (A.8.25-28) Product security testing and technical file

New processes to add:

New Process Purpose
SBOM generation Component tracking per Annex I, Part II(1)
Conformity assessment CE marking
Product technical file Regulatory documentation per Annex VII
Support period management Commitment per Art. 13(8)
ENISA reporting procedure Vulnerability notification via national CSIRT
CVD policy Coordinated disclosure per Annex I, Part II(5)

Practical Integration Steps

Step 1: Scope Extension

  • Add product security to your ISMS scope
  • Include product development in risk assessment
  • Extend asset inventory to include product components

Step 2: Process Updates

  • Update vulnerability procedure for product reporting to national CSIRT via the Single Reporting Platform
  • Add SBOM to change management
  • Include the 24h early warning, 72h initial notification, and final report cadence in your incident response process

Step 3: Documentation Additions

  • Product technical files
  • SBOM records
  • Conformity assessment evidence
  • Support period documentation

Step 4: Roles and Responsibilities

  • Assign product security ownership
  • Define CSIRT reporting responsibility
  • Establish SBOM maintenance ownership
  • Assign CVD policy ownership

ISO 27001 Annex A Controls and CRA

Most Relevant Controls

Control ISO 27001 role CRA use
A.8.25 Secure development lifecycle

ISO 27001 rolePolicies for secure development.

CRA useFoundation for product security requirements (Annex I, Part I).

A.8.26 Application security requirements

ISO 27001 roleSecurity requirements in development.

CRA useBasis for product essential requirements; partial foundation for SBOM component inventory.

A.8.27 Secure system architecture

ISO 27001 roleSecure architecture principles.

CRA useProduct security architecture.

A.8.28 Secure coding

ISO 27001 roleSecure coding practices, including dependency tracking.

CRA useProduct code security; partial foundation for SBOM component awareness.

A.8.8 Management of technical vulnerabilities

ISO 27001 roleOrganizational vulnerability handling.

CRA useExtend to product vulnerabilities and reporting to the national CSIRT via the Single Reporting Platform (Art. 14).

A.5.19-22 Supplier relationships

ISO 27001 roleSupplier security management.

CRA useSBOM collection from suppliers and supply chain security.

Control Implementation for CRA

EXTENDING ISO 27001 CONTROLS FOR CRA

A.8.8 VULNERABILITY MANAGEMENT EXTENSION:

ISO 27001 Requirement:
"Information about technical vulnerabilities of
information systems in use shall be obtained..."

CRA Extension (Art. 14):
- Monitor for vulnerabilities in YOUR PRODUCTS
- Maintain process for customer notification
- Report to national CSIRT via Single Reporting Platform:
  24h early warning, 72h initial notification,
  14-day final report (active exploit) or
  1-month final report (severe incident)
- Track vulnerability status per product
- Optionally produce VEX or an equivalent applicability record

A.8.25-28 SECURE DEVELOPMENT EXTENSION:

ISO 27001 Requirement:
"Rules for the development of software and systems
shall be established and applied..."

CRA Extension:
- Include SBOM generation in build process (Annex I, Part II(1))
- Verify "secure by default" configuration
- Test product security requirements
- Document for technical file (Annex VII)
- Maintain evidence for conformity assessment

Does ISO 27001 Certification Count Toward CRA Conformity Assessment?

Does ISO 27001 Certification Cover CRA Compliance?

Critical understanding:

  • ISO 27001 certification shows organizational security maturity
  • CRA compliance is a per-product regulatory requirement
  • Having ISO 27001 does not exempt you from CRA
  • ISO 27001 auditors do not assess CRA compliance

Article 14 reporting obligations start September 11, 2026. Full compliance is required by December 11, 2027. Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover (Art. 64).

Using ISO 27001 in CRA Context

HOW TO REFERENCE ISO 27001 IN CRA DOCUMENTATION

IN TECHNICAL FILE:
"[Company] maintains an ISO/IEC 27001:2022 certified
Information Security Management System (Certificate
No. XXX, issued by [Certification Body]).

The ISMS provides the organizational foundation for
product security, including:
- Secure development lifecycle (A.8.25-28)
- Vulnerability management process (A.8.8)
- Supplier security requirements (A.5.19-22)

Product-specific CRA compliance is documented in
this technical file, building on these ISMS controls."

WHAT THIS SHOWS:
- Security management maturity
- Process foundation exists
- Not a substitute for product evidence

Audit Synergies

ISO 27001 surveillance audit:

  • Annual assessment of ISMS
  • Can include product security scope
  • Evidence reusable for CRA

CRA conformity assessment:

  • Product-specific evaluation
  • References ISMS for process evidence
  • Needs additional product evidence

Synergy opportunities:

  • Align audit schedules
  • Reuse evidence where applicable
  • Integrated management system approach
  • Single documentation repository

Three Common ISO 27001 + CRA Scenarios

Scenario 1 ISO 27001 certified, starting CRA

Use the ISMS as process evidence. Do not treat the certificate as product conformity evidence.

Use from ISO 27001

Risk methodology, supplier management, incident response, secure development governance.

CRA-specific evidence

Product classification, SBOM generation, Article 14 reporting, Annex VII technical files.

Decision rule: reuse ISMS controls only where they create product-level evidence.

Scenario 2 No ISO 27001, approaching CRA

Prioritize the regulation with the fixed deadline. Build ISO 27001 discipline around it instead of delaying product work.

Deadline facts

Article 14 reporting starts on 11 September 2026. Full CRA application starts on 11 December 2027.

CRA-first work

Classification, SBOM, technical file, CVD policy, public contact, and reporting workflow.

Decision rule: start with the regulatory product duties, then mature the operating model toward ISO 27001. See the CRA startups guide.

Scenario 3 Multiple products, central ISMS

Centralize common controls, but keep conformity evidence separate for each product family.

Centralize

Risk method, vulnerability handling, supplier requirements, and development standards.

Keep per product

Technical file, SBOM, conformity route, support period, and release evidence.

Decision rule: one shared product-security procedure, one evidence register per product family.

How to Integrate CRA Into Your Existing ISMS

Governance Model

INTEGRATED GOVERNANCE MODEL

ORGANIZATIONAL LEVEL (ISO 27001):
+---------------------------------------------+
| Information Security Management System      |
|                                             |
| - Security policies                         |
| - Risk management framework                 |
| - Security organization                     |
| - Awareness and training                    |
\---------------------------------------------+
            |
            ▼
PRODUCT LEVEL (CRA):
+---------------------------------------------+
| Product Security Compliance                 |
|                                             |
| +---------+ +---------+ +---------+         |
| |Product A| |Product B| |Product C|         |
| |- Tech   | |- Tech   | |- Tech   |         |
| |  file   | |  file   | |  file   |         |
| |- SBOM   | |- SBOM   | |- SBOM   |         |
| |- DoC    | |- DoC    | |- DoC    |         |
| \---------+ \---------+ \---------+         |
\---------------------------------------------+

Documentation Structure

INTEGRATED DOCUMENTATION

ISMS DOCUMENTATION (ISO 27001):
+-- Information Security Policy
+-- Risk Assessment Procedure
+-- Statement of Applicability
+-- Secure Development Policy
+-- Vulnerability Management Procedure
+-- Incident Response Procedure
\-- Supplier Security Policy

CRA DOCUMENTATION (Per Product):
+-- Product Technical File (Annex VII)
|   +-- Product description
|   +-- Risk assessment
|   +-- Security architecture
|   +-- Test reports
|   \-- SBOM
+-- EU Declaration of Conformity
+-- User Documentation
\-- Support Period Statement

CROSS-REFERENCES:
- Technical file references ISMS procedures
- ISMS procedures include CRA requirements
- Records retained for 10 years or support period,
  whichever is longer (Art. 23(2))

ISO 27001 to CRA Integration Workstreams

Product scope and classification

Goal

Decide which products are in CRA scope and which tier applies.

Output

Classification record per product family.

Evidence

Annex III/IV rationale and conformity route.

Product security risk model

Goal

Extend the ISMS risk method to product abuse cases and lifecycle risk.

Output

Product risk assessment.

Evidence

CRA Annex I requirement mapping.

SBOM and supplier evidence

Goal

Make component visibility repeatable for every product release.

Output

SBOM process and supplier intake requirements.

Evidence

Annex I, Part II(1), Article 13(5), A.5.19-22, and release-linked SBOM records.

Vulnerability handling and reporting

Goal

Connect ISO vulnerability management to CRA product reporting.

Output

CVD policy, public contact, and CSIRT reporting runbook.

Evidence

Annex I, Part II(5) and (6), Article 14 ownership, and notification timelines.

Technical file and conformity route

Goal

Convert process maturity into product-specific conformity evidence.

Output

Annex VII technical file, EU Declaration of Conformity, and module decision.

Evidence

Security architecture, test reports, support period, and conformity assessment record.

Ownership and training

Goal

Make product compliance operational, not a one-off project.

Output

Named owners and team training.

Evidence

Ownership table, training records, and internal audit cadence.

Frequently Asked Questions

Does ISO 27001 certification exempt a company from CRA conformity assessment?

No. ISO 27001 certification demonstrates organisational information security maturity but does not constitute CRA conformity assessment. CRA requires per-product evidence: SBOM, technical file, Declaration of Conformity, and where applicable, a Notified Body assessment. A certifier auditing your ISMS is not assessing CRA compliance. See CRA conformity assessment routes.

Which ISO 27001 Annex A controls are most directly relevant to CRA Annex I?

The highest-overlap controls are A.8.25-28 (secure development lifecycle), A.8.8 (technical vulnerability management), and A.5.19-22 (supplier relationships). These map to CRA's secure-by-design requirement, vulnerability handling obligation, and SBOM supply chain provisions. A.8.8 needs extension to cover product vulnerability reporting to the national CSIRT via the ENISA Single Reporting Platform (Article 14).

Can ISO 27001 audit evidence be reused in a CRA technical file?

Yes, selectively. Evidence from your ISMS covering secure development (A.8.25-28), vulnerability management (A.8.8), and supplier controls (A.5.19-22) can be referenced in the CRA technical file. However, the technical file also requires product-specific evidence, including security architecture, test reports, SBOM, and support period documentation, that ISO 27001 audits do not generate.

Is ISO 27001:2022 better aligned with CRA than ISO 27001:2013?

Yes. ISO 27001:2022 added controls more relevant to CRA, particularly A.8.25-28 (secure development lifecycle, application security requirements, secure architecture, secure coding). The 2013 version had weaker coverage of these areas. If you are using 2013, a gap analysis against the 2022 controls is worth running specifically for CRA purposes.

Does ISO 27001 cover the CRA SBOM requirement?

Partially. A.8.26 (application security requirements) and A.8.28 (secure coding) include component awareness and dependency tracking concepts. However, ISO 27001 does not require a machine-readable SBOM covering at least the top-level dependencies, which is what the CRA requires (Annex I, Part II(1)). The CRA names no specific format; CycloneDX and SPDX are common, practical choices, and Article 13(24) lets the Commission specify the format and elements later. The organisational awareness is a foundation, not a substitute.

Can CRA compliance work be integrated with an ongoing ISO 27001 programme?

Yes, and it is the recommended approach for companies already certified. Extend the ISMS scope to include product security, add product-specific procedures for SBOM and CSIRT reporting, and reference ISMS evidence in your CRA technical files. The key is to add rather than duplicate: CRA evidence lives in technical files, not in the ISMS statement of applicability.

Next Steps

What to do in the next quarter

  1. Run a gap analysis of your ISMS Annex A controls against CRA Annex I. Start with A.8.8, A.8.25-28, and A.5.19-22. These carry most of the weight.
  2. Classify each product under Annex III and IV. The conformity assessment route depends on this, not on your ISO 27001 certification status.
  3. Extend your ISMS scope statement to include product security. Update the Statement of Applicability so product obligations are visible to auditors.
  4. Add SBOM generation (Annex I, Part II(1)) to your change management process. CycloneDX or SPDX, machine-readable, tied to each release.
  5. Create or update the CSIRT reporting procedure for Article 14: 24h early warning, 72h initial notification, final report within 14 days or 1 month depending on incident type. See the Single Reporting Platform guide.
  6. Assign a product security owner and a CVD policy owner (Annex I, Part II(5) and (6)). These cannot be the same ambiguous "security team" slot.
  7. Schedule a combined internal audit covering both ISO 27001 surveillance and CRA technical file readiness. Reuse evidence where it applies.

This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.

CRA Security Standards Compliance
Share

Related Articles

Back to all articles

Does the CRA apply to your product?

Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.

Check Now

Ready to achieve CRA compliance?

Start managing your SBOMs and compliance documentation with CRA Evidence.

Start 14-Day Free Trial

Deep dive into CRA topics

Evergreen guides covering the specific requirements, processes, and roles defined by the Cyber Resilience Act.

EU Declaration of Conformity

What the Declaration of Conformity must contain, who signs it, and when it is required.

Read guide →
Conformity Assessment

How conformity assessment works under the CRA and when a notified body is required.

Read guide →
Technical Documentation

What CRA technical documentation must contain (Annex VII section by section) and how manufacturers should structure it.

Read guide →
Products

How the CRA classifies products by risk level, with product-specific classification guides.

Read guide →
SBOM Requirements

What the CRA requires for SBOMs and how BSI TR-03183 defines quality criteria.

Read guide →
Vulnerability Reporting

How the 24-hour ENISA notification requirement works and what counts as an actively exploited vulnerability.

Read guide →
Importer Obligations

What Article 19 requires of importers and how to verify manufacturer compliance.

Read guide →
Support Period Planning

What the CRA support period obligation means for security updates and end-of-life planning.

Read guide →
View full CRA compliance guide