CRA vs ISO 27001: How Your ISMS Supports Product Security Compliance

Understanding the relationship between ISO 27001 certification and CRA compliance. Covers gaps, overlaps, and how to leverage your ISMS for product cybersecurity.

Author: CRA Evidence Team
January 12, 2026
Updated February 25, 2026
12 min read
Many manufacturers already have ISO 27001 certification for their information security management system. Does this help with CRA compliance? The short answer: yes, but it's not sufficient. ISO 27001 focuses on organizational security, while CRA focuses on product security. They complement each other but don't substitute.

This guide explains the relationship between ISO 27001 and CRA.

Summary

  • ISO 27001 = organizational/enterprise security management
  • CRA = product cybersecurity requirements
  • ISO 27001 does NOT equal CRA compliance
  • ISO 27001 provides good foundation for secure development processes
  • CRA requires product-specific evidence (SBOM, vulnerability handling, CE marking)
  • Both together = strong overall security posture

Understanding the Different Scopes

What ISO 27001 Covers

ISO 27001 is an information security management system (ISMS) standard covering:

Organization-level controls:

  • Information security policies
  • Asset management
  • Access control (to systems and data)
  • Cryptography use
  • Physical security
  • Operations security
  • Communications security
  • Supplier relationships
  • Incident management
  • Business continuity
  • Compliance management

Focus: Protecting your organization's information assets

What CRA Covers

CRA is a product regulation covering:

Product-level requirements:

  • Security-by-design in products
  • No known exploitable vulnerabilities
  • Secure default configuration
  • Protection from unauthorized access (in product)
  • Data protection (by product)
  • Update capability (of product)
  • Vulnerability handling (for product)
  • SBOM for product components
  • CE marking and conformity assessment

Focus: Ensuring products you sell are secure

The Fundamental Difference

ISO 27001 vs CRA SCOPE

ISO 27001:
"How does your ORGANIZATION manage security?"
┌─────────────────────────────────────────────┐
│ Your Company                                │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐        │
│ │ Systems │ │ Data    │ │ People  │        │
│ └─────────┘ └─────────┘ └─────────┘        │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐        │
│ │ Process │ │ Network │ │ Facilit │        │
│ └─────────┘ └─────────┘ └─────────┘        │
└─────────────────────────────────────────────┘

CRA:
"How secure are the PRODUCTS you sell?"
┌─────────────────────────────────────────────┐
│ Your Products (sold to customers)           │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐        │
│ │Product A│ │Product B│ │Product C│        │
│ └─────────┘ └─────────┘ └─────────┘        │
│                                             │
│ Each product must meet CRA requirements     │
└─────────────────────────────────────────────┘

Detailed Requirements Mapping

Where ISO 27001 Helps CRA

CRA Requirement          ISO 27001 Support                         How It Helps
──────────────────────────────────────────────────────────────────────────────────────
Secure development       A.8.25-28 (Secure development)            Process foundation
Vulnerability handling   A.8.8 (Technical vulnerabilities)         Organizational process
Incident response        A.5.24-26 (Incident management)           Response capability
Supplier management      A.5.19-22 (Supplier relationships)        Supply chain security
Access control           A.5.15-18, A.8.2-5                        Development environment security
Cryptography             A.8.24 (Cryptography)                     Crypto policy foundation
Documentation            A.5.1 (Policies), 7.5 (Documented info)   Documentation culture
Risk assessment          6.1 (Risk assessment)                     Risk methodology

Where ISO 27001 Falls Short

CRA Requirement            ISO 27001 Gap         What's Missing
───────────────────────────────────────────────────────────────────────────────────
SBOM                       Not covered           Product component inventory
CE marking                 Not covered           Conformity assessment process
Product security testing   Limited               Product-specific testing
Secure by default          Not product-focused   Product configuration requirements
Support period             Not covered           Commitment of at least 5 years (or the expected use time, if shorter)
Art. 14 reporting          Not covered           Reporting of actively exploited vulnerabilities and severe incidents via the ENISA single reporting platform
User documentation         Limited               Product security instructions
Technical file             Not covered           CRA documentation format

Gap Analysis Summary

ISO 27001 → CRA GAP ANALYSIS

STRONG FOUNDATION (ISO 27001 helps significantly):
- Security culture and awareness
- Risk management methodology
- Incident response capability
- Supplier security management
- Secure development lifecycle policies
- Access control framework
- Documentation practices

PARTIAL COVERAGE (ISO 27001 helps but not sufficient):
- Vulnerability management (org vs. product focus)
- Cryptography (policy vs. implementation)
- Security testing (enterprise vs. product)
- Change management (IT vs. product)

GAPS (CRA-specific, not in ISO 27001):
- SBOM generation and maintenance
- Product conformity assessment
- CE marking process
- Art. 14 reporting of actively exploited vulnerabilities and severe incidents (via the ENISA single reporting platform)
- Product-specific technical file
- Support period commitment (at least 5 years, or the expected use time if shorter)
- Secure default configuration verification
- Product update mechanism requirements

How to Leverage ISO 27001 for CRA

Use Your ISMS as Foundation

If you're ISO 27001 certified, you have strong foundations to build on:

LEVERAGING ISO 27001 FOR CRA

1. EXTEND EXISTING PROCESSES:

   ISO 27001 Process            CRA Extension
   ─────────────────────────────────────────────
   Risk Assessment (6.1)        Product risk assessment
   Vulnerability Mgmt (A.8.8)   Product vulnerability handling
   Supplier Mgmt (A.5.19-22)    SBOM from suppliers
   Incident Mgmt (A.5.24-26)    ENISA reporting
   Secure Dev (A.8.25-28)       Product security testing

2. ADD CRA-SPECIFIC ELEMENTS:

   New Process                    Purpose
   ─────────────────────────────────────────────
   SBOM generation               Component tracking
   Conformity assessment         CE marking
   Product technical file        Regulatory documentation
   Support period management     5-year commitment
   ENISA reporting               Vulnerability notification

Practical Integration Steps

ISO 27001 + CRA INTEGRATION

STEP 1: SCOPE EXTENSION
- Add "product security" to ISMS scope
- Include product development in risk assessment
- Extend asset inventory to include product components

STEP 2: PROCESS UPDATES
- Update vulnerability procedure for product reporting
- Add SBOM to change management
- Include ENISA in incident response

STEP 3: DOCUMENTATION ADDITIONS
- Product technical files
- SBOM records
- Conformity assessment evidence
- Support period documentation

STEP 4: ROLES AND RESPONSIBILITIES
- Assign product security ownership
- Define ENISA reporting responsibility
- Establish SBOM maintenance ownership

ISO 27001 Annex A Controls and CRA

Most Relevant Controls

A.8.25 Secure development lifecycle

  • ISO 27001: Policies for secure development
  • CRA use: Foundation for product security requirements

A.8.26 Application security requirements

  • ISO 27001: Security requirements in development
  • CRA use: Basis for product essential requirements

A.8.27 Secure system architecture

  • ISO 27001: Secure architecture principles
  • CRA use: Product security architecture

A.8.28 Secure coding

  • ISO 27001: Secure coding practices
  • CRA use: Product code security

A.8.8 Management of technical vulnerabilities

  • ISO 27001: Organizational vulnerability handling
  • CRA use: Extend to product vulnerabilities + ENISA reporting

A.5.19-22 Supplier relationships

  • ISO 27001: Supplier security management
  • CRA use: SBOM collection from suppliers, supply chain security

Control Implementation for CRA

EXTENDING ISO 27001 CONTROLS FOR CRA

A.8.8 VULNERABILITY MANAGEMENT EXTENSION:

ISO 27001 Requirement:
"Information about technical vulnerabilities of
information systems in use shall be obtained..."

CRA Extension:
- Monitor for vulnerabilities in YOUR PRODUCTS
- Maintain process for customer notification
- Report actively exploited vulnerabilities (and severe incidents) through the ENISA single reporting platform: early warning within 24h, notification within 72h, final report no later than 14 days after a corrective or mitigating measure is available
- Track vulnerability status per product
- Generate VEX documents
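
The A.8.8 extension above is easier to operate when the per-product tracking and the VEX output come from the same data. The script below is an added example written for this article (not code from the page or any vendor): it matches a set of advisories against one product's SBOM by exact purl, records the engineering triage as a CycloneDX VEX document, and derives the Article 14 reporting clock for findings that are both actively exploited and still "affected" after triage. The SBOM, advisory IDs (ADV-xxxx, not real CVEs), triage notes and the awareness timestamp are all constructed; only the standard library is used.

```python
"""Product-level vulnerability handling on top of an A.8.8 process:
match advisories against one product's SBOM, record the triage result as a
CycloneDX VEX document, and derive the CRA Article 14 reporting clock.

Added example for this article; not code from the page or any vendor.
SBOM, advisory IDs, triage notes and timestamps are all constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed: minimal CycloneDX 1.5 SBOM for a hypothetical product.
PRODUCT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-gateway",
                               "version": "2.3.0",
                               "bom-ref": "pkg:generic/example-gateway@2.3.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:generic/libfoo@1.4.2", "bom-ref": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0", "bom-ref": "pkg:generic/libbar@0.9.0"},
    ],
}

# Constructed advisories with made-up IDs (not real CVEs). "affected" lists the
# exact package versions the advisory names; "exploited" is the Art. 14 trigger.
ADVISORIES = [
    {"id": "ADV-0001", "affected": ["pkg:generic/libfoo@1.4.2"], "exploited": True},
    {"id": "ADV-0002", "affected": ["pkg:generic/libbar@0.9.0"], "exploited": False},
    {"id": "ADV-0003", "affected": ["pkg:generic/libbaz@2.0.0"], "exploited": True},
]

# Engineering triage per (advisory, component). Anything not listed here is
# treated as affected until someone records a justified "not_affected".
TRIAGE = {
    ("ADV-0002", "pkg:generic/libbar@0.9.0"): {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "detail": "vulnerable parser is compiled out of this product build",
    },
}

# Constructed moment at which the manufacturer became aware of ADV-0001.
AWARE_AT = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)


def match_advisories(sbom, advisories):
    """Return (advisory, component) pairs whose purl is listed as affected.
    Matching is on the exact purl, so a different version is not a hit."""
    by_purl = {c["purl"]: c for c in sbom["components"]}
    return [(adv, by_purl[p]) for adv in advisories
            for p in adv["affected"] if p in by_purl]


def build_vex(sbom, advisories, triage):
    """Build a CycloneDX document whose 'vulnerabilities' array carries the
    VEX analysis for every advisory that touches this product."""
    vulns = []
    for adv, comp in match_advisories(sbom, advisories):
        analysis = triage.get((adv["id"], comp["purl"]),
                              {"state": "affected", "response": ["update"]})
        vulns.append({"id": adv["id"],
                      "affects": [{"ref": comp["bom-ref"]}],
                      "analysis": analysis})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": sbom["metadata"]["component"]},
            "vulnerabilities": vulns}


def cra_reporting_deadlines(aware_at, fix_available_at=None):
    """Art. 14 clock for an actively exploited vulnerability: early warning
    within 24 h and notification within 72 h of awareness; final report no
    later than 14 days after a corrective or mitigating measure is available."""
    deadlines = {"early_warning": aware_at + timedelta(hours=24),
                 "notification": aware_at + timedelta(hours=72)}
    if fix_available_at is not None:
        deadlines["final_report"] = fix_available_at + timedelta(days=14)
    return deadlines


def reporting_obligations(vex, advisories, aware_at):
    """Map advisory id -> deadlines for every finding that is both actively
    exploited and still 'affected' after triage."""
    exploited = {a["id"] for a in advisories if a["exploited"]}
    return {v["id"]: cra_reporting_deadlines(aware_at)
            for v in vex["vulnerabilities"]
            if v["id"] in exploited and v["analysis"]["state"] == "affected"}


if __name__ == "__main__":
    vex = build_vex(PRODUCT_SBOM, ADVISORIES, TRIAGE)
    print(json.dumps(vex, indent=2))
    for vid, due in reporting_obligations(vex, ADVISORIES, AWARE_AT).items():
        print(vid, {k: t.isoformat() for k, t in due.items()})
```

Two design points matter here. The default for an unmatched (advisory, component) pair is "affected", so a missing triage record can only make you over-report, never silently drop a finding. And ADV-0003, although actively exploited, produces no obligation because its purl is not in this product's SBOM, which is exactly why the SBOM has to name the exact versions that shipped.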

A.8.25-28 SECURE DEVELOPMENT EXTENSION:

ISO 27001 Requirement:
"Rules for the development of software and systems
shall be established and applied..."

CRA Extension:
- Include SBOM generation in build process
- Verify "secure by default" configuration
- Test product security requirements
- Document for technical file
- Maintain evidence for conformity assessment
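
The first two items of the A.8.25-28 extension, SBOM generation in the build and verification of the secure-by-default configuration, are the ones that can be turned into a build gate. The following added example (written for this article, not the page's or any project's code) does both: it generates a CycloneDX 1.5 SBOM from a pinned manifest, refusing unpinned ranges because an SBOM must name the exact build inputs, and it checks the product's shipped default configuration against an illustrative policy. The manifest, archive bytes, package names, configuration values and the policy rules are constructed; a real pipeline would feed in the resolved dependency graph and the actual default configuration file.

```python
"""Build-step SBOM generation and a secure-by-default gate (A.8.25-28 extension).
Added example for this article, not code from the page or any project.
Manifest, archive bytes, config values and policy rules are constructed.
"""
import hashlib
import json
import re
import uuid

# Constructed pinned manifest (pip requirements style) and the archives the
# build actually consumed. Hypothetical package names.
MANIFEST = """\
# build inputs, exact pins only
libfoo==1.4.2
libbar==0.9.0
"""
ARTIFACTS = {
    "libfoo-1.4.2.tar.gz": b"constructed libfoo archive bytes",
    "libbar-0.9.0.tar.gz": b"constructed libbar archive bytes",
}

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)\s*$")


def parse_manifest(text):
    """Yield (name, version) for every pinned line. Ranges such as
    'libfoo>=1.0' are rejected: an SBOM must name the exact build input."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PIN.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed dependency: {line.strip()!r}")
        yield m.group(1), m.group(2)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def generate_sbom(product, version, manifest, artifacts, ecosystem="pypi"):
    """Emit a CycloneDX 1.5 SBOM. Each component carries a purl and the SHA-256
    of the archive that went into the build, so the SBOM can be matched against
    advisories later and checked against what actually shipped."""
    components = []
    for name, ver in parse_manifest(manifest):
        purl = f"pkg:{ecosystem}/{name}@{ver}"
        components.append({
            "type": "library", "name": name, "version": ver,
            "purl": purl, "bom-ref": purl,
            "hashes": [{"alg": "SHA-256",
                        "content": sha256_hex(artifacts[f"{name}-{ver}.tar.gz"])}],
        })
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {"component": {"type": "application", "name": product,
                                   "version": version,
                                   "bom-ref": f"pkg:generic/{product}@{version}"}},
        "components": components,
    }


# Illustrative secure-by-default policy: (rule name, predicate, message).
SECURE_DEFAULT_RULES = [
    ("no usable default password",
     lambda c: not c.get("admin_password") and c.get("force_credential_setup") is True,
     "ship with no password set and force credential setup on first use"),
    ("no legacy remote access", lambda c: c.get("telnet_enabled") is False,
     "telnet must be disabled by default"),
    ("TLS floor", lambda c: c.get("tls_min_version") in ("1.2", "1.3"),
     "minimum TLS version must be 1.2 or 1.3"),
    ("debug off", lambda c: c.get("debug_enabled") is False,
     "debug interfaces must be off in shipped defaults"),
    ("updates on", lambda c: c.get("auto_update") is True,
     "security updates must be enabled by default"),
]

# Constructed default-configuration files as the product would ship them.
SHIPPED_DEFAULTS = {"admin_password": "", "force_credential_setup": True,
                    "telnet_enabled": False, "tls_min_version": "1.2",
                    "debug_enabled": False, "auto_update": True}
LEGACY_DEFAULTS = {"admin_password": "admin", "force_credential_setup": False,
                   "telnet_enabled": True, "tls_min_version": "1.0",
                   "debug_enabled": True, "auto_update": False}


def verify_secure_defaults(config):
    """Return (rule, message) for every rule the default config violates;
    an empty list means the build may proceed to packaging."""
    return [(name, msg) for name, ok, msg in SECURE_DEFAULT_RULES if not ok(config)]


if __name__ == "__main__":
    sbom = generate_sbom("example-gateway", "2.3.0", MANIFEST, ARTIFACTS)
    print(json.dumps(sbom, indent=2))
    for rule, msg in verify_secure_defaults(LEGACY_DEFAULTS):
        print(f"FAIL {rule}: {msg}")
```

Both outputs are evidence for the technical file: the SBOM JSON is stored per product release, and the empty failure list from the secure-defaults check (or the CI log showing it) documents that the "secure by default" requirement was verified rather than asserted. The predicates use `is True`/`is False` deliberately so that a missing key fails the rule instead of being read as a permissive default.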

Certification Considerations

ISO 27001 Certification ≠ CRA Compliance

Critical understanding:

  • ISO 27001 certification shows organizational security maturity
  • CRA compliance is per-product regulatory requirement
  • Having ISO 27001 does NOT exempt you from CRA
  • ISO 27001 auditors don't assess CRA compliance

Using ISO 27001 in CRA Context

HOW TO REFERENCE ISO 27001 IN CRA DOCUMENTATION

IN TECHNICAL FILE:
"[Company] maintains an ISO/IEC 27001:2022 certified
Information Security Management System (Certificate
No. XXX, issued by [Certification Body]).

The ISMS provides the organizational foundation for
product security, including:
- Secure development lifecycle (A.8.25-28)
- Vulnerability management process (A.8.8)
- Supplier security requirements (A.5.19-22)

Product-specific CRA compliance is documented in
this technical file, building on these ISMS controls."

WHAT THIS SHOWS:
- Security management maturity
- Process foundation exists
- Not a substitute for product evidence

Audit Synergies

ISO 27001 AND CRA AUDIT ALIGNMENT

ISO 27001 SURVEILLANCE AUDIT:
- Annual assessment of ISMS
- Can include product security scope
- Evidence reusable for CRA

CRA CONFORMITY ASSESSMENT:
- Product-specific evaluation
- References ISMS for process evidence
- Needs additional product evidence

SYNERGY OPPORTUNITIES:
- Align audit schedules
- Reuse evidence where applicable
- Integrated management system approach
- Single documentation repository

Common Scenarios

Scenario 1: ISO 27001 Certified, Starting CRA

SCENARIO: EXISTING ISO 27001, NEW TO CRA

ADVANTAGES:
 Risk methodology exists
 Security culture established
 Documentation practices in place
 Supplier management exists
 Incident response capability

WHAT TO ADD:
[ ] Product classification per CRA
[ ] SBOM generation capability
[ ] ENISA reporting process
[ ] Product technical files
[ ] Conformity assessment process
[ ] Support period management
[ ] Product-specific testing

APPROACH:
1. Gap assessment against CRA requirements
2. Extend ISMS scope to include products
3. Add CRA-specific processes
4. Update documentation
5. Train relevant teams

Scenario 2: No ISO 27001, Approaching CRA

SCENARIO: NO ISO 27001, NEED CRA COMPLIANCE

OPTIONS:

OPTION A: CRA Only
- Implement CRA requirements directly
- Product-focused approach
- May miss organizational security benefits
- Faster to CRA compliance

OPTION B: ISO 27001 + CRA
- Implement both frameworks
- Stronger overall security
- More work upfront
- Better long-term position

RECOMMENDATION:
For product manufacturers, consider:
- Start with CRA requirements: the Article 14 reporting
  obligations apply from 11 September 2026 and the remaining
  obligations from 11 December 2027
- Build toward ISO 27001 over time
- Align approaches from the beginning

Scenario 3: Multiple Products, Central ISMS

SCENARIO: ISMS SUPPORTING MULTIPLE PRODUCTS

APPROACH:

CENTRALIZED (ISMS):
- Risk methodology
- Vulnerability handling process
- Supplier management
- Incident response
- Development standards

PER-PRODUCT (CRA):
- Technical file
- SBOM
- Conformity assessment
- Product documentation
- Support period

BENEFITS:
- Efficient process reuse
- Consistent security approach
- Centralized expertise
- Product-specific compliance

Integration Framework

Governance Model

INTEGRATED GOVERNANCE MODEL

ORGANIZATIONAL LEVEL (ISO 27001):
┌─────────────────────────────────────────────┐
│ Information Security Management System      │
│                                             │
│ - Security policies                         │
│ - Risk management framework                 │
│ - Security organization                     │
│ - Awareness and training                    │
└─────────────────────────────────────────────┘
            │
            ▼
PRODUCT LEVEL (CRA):
┌─────────────────────────────────────────────┐
│ Product Security Compliance                 │
│                                             │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐        │
│ │Product A│ │Product B│ │Product C│        │
│ │- Tech   │ │- Tech   │ │- Tech   │        │
│ │  file   │ │  file   │ │  file   │        │
│ │- SBOM   │ │- SBOM   │ │- SBOM   │        │
│ │- DoC    │ │- DoC    │ │- DoC    │        │
│ └─────────┘ └─────────┘ └─────────┘        │
└─────────────────────────────────────────────┘

Documentation Structure

INTEGRATED DOCUMENTATION

ISMS DOCUMENTATION (ISO 27001):
├── Information Security Policy
├── Risk Assessment Procedure
├── Statement of Applicability
├── Secure Development Policy
├── Vulnerability Management Procedure
├── Incident Response Procedure
└── Supplier Security Policy

CRA DOCUMENTATION (Per Product):
├── Product Technical File
│   ├── Product description
│   ├── Risk assessment
│   ├── Security architecture
│   ├── Test reports
│   └── SBOM
├── EU Declaration of Conformity
├── User Documentation
└── Support Period Statement

CROSS-REFERENCES:
- Technical file references ISMS procedures
- ISMS procedures include CRA requirements
- Single source of truth where possible

Checklist: ISO 27001 Organization Adding CRA

ISO 27001 → CRA COMPLIANCE CHECKLIST

ASSESSMENT:
[ ] Review current ISMS scope
[ ] Identify products with digital elements
[ ] Classify products per CRA categories
[ ] Gap analysis: ISMS vs. CRA requirements

SCOPE EXTENSION:
[ ] Add product security to ISMS scope
[ ] Update risk assessment to include products
[ ] Extend Statement of Applicability

PROCESS ADDITIONS:
[ ] SBOM generation process
[ ] ENISA reporting procedure
[ ] Conformity assessment process
[ ] Support period management
[ ] Product technical file procedure

DOCUMENTATION:
[ ] Technical file templates
[ ] Product risk assessment template
[ ] SBOM format and storage
[ ] Declaration of Conformity template

CONTROL EXTENSIONS:
[ ] A.8.8 - Add product vulnerabilities
[ ] A.8.25-28 - Add product security testing
[ ] A.5.19-22 - Add SBOM from suppliers

ROLES:
[ ] Assign product security owner
[ ] Define ENISA reporting responsibility
[ ] Establish conformity assessment role

TRAINING:
[ ] CRA awareness for development teams
[ ] SBOM tools training
[ ] Conformity assessment training

Key Resources

STANDARDS AND GUIDANCE

ISO 27001:
ISO/IEC 27001:2022 - Information security management
ISO/IEC 27002:2022 - Information security controls

CRA:
Regulation (EU) 2024/2847 - Cyber Resilience Act

INTEGRATION GUIDANCE:
ISO 27001 + Product Development
- Consider ISO/IEC 27034 (Application security)
- Consider IEC 62443 (Industrial security)
- Consider ISO/SAE 21434 (Automotive security)

CERTIFICATION BODIES:
ISO 27001 certification bodies certify the ISMS; they do not
perform CRA conformity assessment. Where the CRA requires a
third party (important or critical products that cannot rely
on self-assessment), that assessment is carried out by a
notified body under the Annex VIII procedures. An ISO 27001
audit can still cover the product-security extension of your
ISMS scope and produce evidence you reuse in the technical file.

Important: ISO 27001 certification does NOT equal CRA compliance. ISO 27001 covers organizational information security; the CRA requires product-specific conformity assessment.

Tip: If you're already ISO 27001 certified, you have strong foundations. Map your existing controls to CRA Annex I requirements to identify gaps.

How CRA Evidence Helps

CRA Evidence complements your ISO 27001 ISMS:

  • Gap analysis: Identify what your ISMS doesn't cover
  • Product focus: Manage per-product CRA compliance
  • SBOM integration: Component tracking your ISMS doesn't provide
  • Technical files: CRA-specific documentation
  • Evidence linking: Reference ISMS controls in CRA documentation

Start your CRA compliance at app.craevidence.com.


This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
