Cyber Resilience Act vs. ISO 27001

Legal obligation and international standard working together

Binding EU Product Regulation

Legal obligation: Defines cybersecurity requirements for products — regardless of whether the manufacturer operates an ISMS

Voluntary Management System Standard

Certifiable standard: Defines how an organization systematically manages information security — says nothing about product security

ISO 27001 is not a substitute for the CRA. A certified ISMS demonstrates organizational maturity but does not fulfill a single CRA product requirement from Annex I.

Coverage summary: 0 covered, 3 partial, 6 not covered

You have ISO 27001 — what else do you need for CRA?

An ISO 27001 certification gives you a strong methodological foundation. But the CRA imposes product-specific requirements that go beyond an ISMS. This gap analysis shows where your existing certification helps — and where you need to do additional work.

CRA requirement | Coverage by ISO/IEC 27001 (Annex A references below use the ISO/IEC 27001:2013 control numbering)
Security awareness & training
Partial

ISO 27001 Clauses 7.2/7.3 and control A.7.2.2 (control 6.3 in the 2022 edition) establish competence and awareness programs. The CRA presupposes specific knowledge of product security, secure development, and vulnerability handling in the teams that build and maintain the product, not just general organizational awareness.

Risk assessment methodology
Partial

ISO 27001 Section 6.1 provides a proven risk methodology. The CRA requires a product-specific cyber risk assessment (Art. 13(2)) — your existing methodology must be extended with product threat scenarios.

Documentation discipline
Partial

ISO 27001 Section 7.5 establishes systematic documentation. The CRA requires extensive technical product documentation (Annex VII) — your documentation culture is an advantage, but the content must be extended to product specifics.

Product security requirements (vs. organizational)
Not covered

ISO 27001 secures the organization. CRA Annex I requires concrete technical security properties in the product itself: protection against unauthorized access, data integrity, secure default configuration.

SBOM obligation
Not covered

ISO 27001 has no requirement for Software Bills of Materials. The CRA requires a software bill of materials in a commonly used, machine-readable format for every product, covering at least its top-level dependencies (Annex I Part II point (1) in conjunction with Art. 13).

ENISA vulnerability reporting (24h/72h)
Not covered

ISO 27001 A.16 governs internal incident management. The CRA (Art. 14) requires that actively exploited vulnerabilities be reported to the designated CSIRT and ENISA via the single reporting platform: an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report once a corrective measure is available. This is an entirely new external reporting process with hard deadlines.

CE marking & EU Declaration of Conformity
Not covered

ISO 27001 has no equivalent to CE marking. The CRA requires a formal conformity assessment (Annex VIII) and an EU Declaration of Conformity as a market access prerequisite.

Product support period
Not covered

ISO 27001 has no product support obligation. The CRA obliges manufacturers to define a support period of at least five years, or the expected period of use if that is shorter (Art. 13(8)), and to provide security updates free of charge throughout it.

Product-specific vulnerability handling
Not covered

ISO 27001 A.12.6 governs patch management for own systems. The CRA requires vulnerability handling for distributed products throughout their entire lifecycle.

01 Product Security vs. Management System

The CRA asks: what security properties does the product itself have? ISO 27001 asks: how does the organization manage information security? An ISMS can look excellent on paper without a single product being secure.

  • CRA (Annex I): Technical and measurable — access control, data integrity, availability, secure defaults, attack surface minimization
  • ISO 27001: Organizational — policies, roles, risk assessment, PDCA improvement cycle
  • CRA closes the gap: Security must be embedded in the product itself, not just in management processes

02 ISO 27001 as a Basis for Harmonized CRA Standards

CEN, CENELEC, and ETSI are developing harmonized CRA standards expected to build on the ISO 27000 family. ISO 27001-certified companies have a favorable starting position — but existing processes alone are not sufficient.

  • Foundation: ISO 27001 (ISMS), ISO 27002 (controls), ISO 27036 (supply chain) as basis for CRA hENs
  • Reusable: Risk management, access control, incident management as starting points
  • Additionally required: SBOM creation, vulnerability handling across the product lifecycle, security updates
Risk management (ISO 27001 Clause 6.1.2 → CRA Art. 13(2)): The ISO 27001 risk assessment methodology can serve as a foundation for the CRA cybersecurity risk assessment. However, the assessment must be extended with product-specific considerations such as intended purpose, deployment environment, and attack surface.

Access control (ISO 27001 A.9 → CRA Annex I Part I point (2)(d)): ISO 27001 access controls address organizational systems. The CRA requires access control mechanisms in the product itself, including authentication and identity or access management, so that the product is protected against unauthorized access out of the box.

Incident management (ISO 27001 A.16 → CRA Art. 14): ISO 27001 requires processes for security incidents. The CRA goes further and mandates reporting of actively exploited vulnerabilities, with an early warning within 24 hours and a vulnerability notification within 72 hours of becoming aware.

03 Gap Analysis: What ISO 27001 Does Not Cover

The CRA demands concrete technical product properties that go beyond management processes. Several CRA obligations have no equivalent in ISO 27001.

  • SBOM (Annex I Part II): Machine-readable Software Bill of Materials for every product — not part of an ISMS
  • Vulnerability handling (Art. 13(6)): Documented policy and security updates throughout the entire support period
  • Conformity assessment (Annex VIII): Modules A, B+C, and H — CRA-specific procedures with no ISO 27001 equivalent
  • CE marking and Annex II information: Regulatory product marking far beyond ISMS scope
Software Bill of Materials (SBOM): The CRA requires a machine-readable SBOM in a commonly used format that covers at least the top-level dependencies of the product (Annex I Part II point (1)). ISO 27001 contains no comparable requirement for software transparency.

Security updates across the lifecycle: Manufacturers must provide security updates without undue delay and free of charge for the entire support period, which must be at least five years unless the product is expected to be in use for a shorter time (Art. 13(8)). ISO 27001 governs patch management of the organization's own systems, not of distributed products.

Conformity assessment and CE marking: The CRA conformity assessment (Annex VIII) and the resulting CE marking are regulatory procedures with no equivalent in ISO 27001.

04 Strategic Positioning: ISO 27001 + CRA

ISO 27001 certification is a valuable building block, but not a substitute for CRA compliance. The optimal strategy: purposefully extend the existing ISMS with CRA-specific processes.

  • SBOM management — integrate into the software development lifecycle
  • Risk management — extend to product-related cyber risks
  • Vulnerability handling — establish CRA-compliant processes (Art. 13(6))
  • ENISA reporting — integrate into incident response processes

Synergies Between the CRA and ISO 27001

Companies with existing ISO 27001 certification can reuse numerous processes and structures for CRA compliance.

Risk Management Methodology

The risk-based methodology per ISO 27001 Clause 6.1 provides a proven framework for the CRA cybersecurity risk assessment pursuant to Art. 13(2). The methodology can be kept; what must be added are product-specific threat scenarios, and the result must be documented for each product (Annex VII) rather than for the organization as a whole.

Documentation Culture

ISO 27001 establishes a systematic documentation culture (Section 7.5). The CRA requires extensive technical documentation (Art. 31, Annex VII). Existing documentation processes significantly accelerate CRA compliance.

Internal Audits and Management Review

The ISO 27001 audit structures (Sections 9.2/9.3) can be extended to integrate CRA conformity checks. This creates a unified assurance framework.

Supplier Evaluation

ISO 27001 Annex A.15 addresses information security in supplier relationships. This complements the CRA requirement for due diligence regarding third-party components (Art. 13(5)) and can serve as a process foundation.

Your Next Steps

1. High priority

Shift focus from organization to product

Extend your ISMS with product-specific security requirements. Define CRA Annex I requirements for each product and integrate them into your development process.

2. High priority

Implement SBOM processes

Integrate automated SBOM generation into your CI/CD pipeline. Use CycloneDX or SPDX and establish continuous dependency monitoring.
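The following is an added example, not code from the original page or from Kunnus. It shows the shape of a CI gate for the step above: parse a pinned dependency list, emit a CycloneDX 1.5 JSON BOM with package URLs, reject components that cannot be matched against advisories, and run a version-range match against an advisory table. The lock file content, the product name, and the advisory entries are constructed for illustration; they are not real packages' advisories. In a real pipeline you would generate the BOM with a dedicated tool (for example cyclonedx-py or syft) and match against a live vulnerability feed, but the checks shown here are the ones worth enforcing whatever tool produces the document.

```python
"""Minimal CycloneDX 1.5 SBOM builder plus the two checks a CI gate should run.

Added example for illustration (not the page's or Kunnus's code). Assumes a
pip-style 'name==version' lock file as input. LOCK_TEXT and ADVISORIES below
are constructed sample data, not real advisories.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed lock file (pip freeze style); not a real project.
LOCK_TEXT = """\
requests==2.31.0
urllib3==1.26.18
PyYAML==6.0.1
# comments and blank lines are ignored

cryptography==41.0.7
"""

# Constructed advisory table: affected range is [introduced, fixed).
# Hypothetical identifiers, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "urllib3", "introduced": "1.0", "fixed": "2.0.7"},
    {"id": "ADV-EXAMPLE-2", "name": "pyyaml", "introduced": "5.0", "fixed": "6.0.1"},
]

_LOCK_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize_pypi_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock(text: str) -> list[tuple[str, str]]:
    """Return (normalized_name, version) pairs for every pinned 'name==version' line."""
    pins = []
    for line in text.splitlines():
        m = _LOCK_LINE.match(line)
        if m:
            pins.append((normalize_pypi_name(m.group(1)), m.group(2)))
    return pins


def build_sbom(pins, product_name: str, product_version: str) -> dict:
    """Assemble a CycloneDX 1.5 JSON BOM. metadata.component is the product;
    components are its top-level dependencies, each identified by a PyPI purl."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
        for n, v in pins
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": product_name, "version": product_version},
        },
        "components": components,
    }


def version_key(v: str) -> tuple:
    """Numeric tuple for dotted release versions; sufficient for pinned releases."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_sbom(sbom: dict) -> list[str]:
    """Structural gate: a component without a version or a purl cannot be matched
    against advisories later, so it must fail the build."""
    problems = []
    for c in sbom.get("components", []):
        if not c.get("version"):
            problems.append(f"{c.get('name')}: missing version")
        if not c.get("purl", "").startswith("pkg:"):
            problems.append(f"{c.get('name')}: missing or malformed purl")
    return problems


def match_advisories(sbom: dict, advisories) -> list[tuple[str, str]]:
    """Return (advisory id, purl) for each component whose version lies in an
    affected range; the fixed version itself is not affected."""
    hits = []
    for c in sbom["components"]:
        v = version_key(c["version"])
        for adv in advisories:
            if adv["name"] == c["name"] and version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                hits.append((adv["id"], c["purl"]))
    return hits


if __name__ == "__main__":
    bom = build_sbom(parse_lock(LOCK_TEXT), "example-product", "1.0.0")
    print(json.dumps(bom, indent=2))
    print("structural problems:", check_sbom(bom))
    print("affected components:", match_advisories(bom, ADVISORIES))
```

On the constructed input, urllib3 1.26.18 falls inside the hypothetical affected range and is flagged, while PyYAML 6.0.1 equals the hypothetical fixed version and is not. Re-running the match on every build, not only at release time, is what turns a one-off SBOM into the continuous dependency monitoring the step above calls for.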

3. High priority

Set up ENISA reporting process

Extend your existing incident response process with the CRA-specific reporting channel to the designated CSIRT and ENISA via the single reporting platform (Art. 14 and 16). Define trigger criteria (what counts as an actively exploited vulnerability or a severe incident), responsibilities, and the 24-hour and 72-hour deadlines, and rehearse the process so the early warning can be filed on time.

4. Medium priority

Prepare conformity assessment

Leverage your existing audit experience and documentation culture to prepare the CRA conformity assessment per Annex VIII.

Frequently Asked Questions

Does ISO 27001 certification replace CRA compliance?
No. ISO 27001 is a voluntary international standard for the information security management system. The CRA is a binding EU regulation with concrete technical requirements for products. An ISO 27001 certification confirms that the organization systematically manages information security — but it says nothing about whether the products meet the CRA requirements from Annex I. An ISMS can function excellently on paper without a single product meeting the CRA security requirements.
Can ISO 27001 facilitate CRA compliance?
Yes, significantly. Companies with ISO 27001 certification already have established processes for risk management, access control, incident handling, and documentation. These processes form a solid foundation on which CRA-specific requirements can be built. In particular, the risk management methodology, documentation culture, and audit structures can be directly leveraged for CRA compliance. However, significant gaps remain — particularly SBOM management, vulnerability handling across the product lifecycle, and the conformity assessment.
Will ISO 27001 be referenced in harmonized CRA standards?
It is expected that the harmonized standards for the CRA, currently being developed by CEN, CENELEC, and ETSI, will build on the ISO 27000 family. In particular, ISO 27002 (controls catalog), ISO 27034 (application security), and ISO 27036 (supply chain security) are being discussed as relevant foundations. Compliance with harmonized standards will establish a presumption of conformity with the corresponding CRA requirements. For ISO 27001-certified companies, this could facilitate demonstrating CRA conformity, provided the harmonized standards are indeed based on ISO standards.
What are the biggest gaps between ISO 27001 and the CRA?
The main gaps lie in three areas: First, the SBOM obligation — ISO 27001 has no requirement for Software Bills of Materials, while the CRA requires a machine-readable SBOM for each product (Annex I Part II in conjunction with Art. 13). Second, product-related vulnerability handling — ISO 27001 governs patch management of the organization's own IT systems, the CRA requires vulnerability handling for distributed products throughout the entire support period. Third, conformity assessment and CE marking — these are EU-specific regulatory procedures with no equivalent in the ISO standards world.
How should ISO 27001-certified companies approach CRA compliance?
The recommended strategy is a targeted extension of the existing ISMS with CRA-specific processes: 1) Conduct a gap analysis mapping existing ISO 27001 controls to CRA requirements. 2) Integrate SBOM management into the software development process. 3) Extend vulnerability handling from the organization to the product. 4) Integrate CRA-specific reporting obligations into the incident response process. 5) Plan and implement conformity assessment procedures. Kunnus supports each of these steps with automated requirements capture and actionable recommendations.
Is ISO 27001 the better choice for non-CRA-obligated companies?
This is not an either-or question. ISO 27001 addresses organizational information security and is valuable for any company processing sensitive data or operating in regulated industries. The CRA, in contrast, is only relevant for companies placing products with digital elements on the EU market; manufacturers carry the bulk of the obligations, while importers and distributors have narrower verification duties. A pure service provider without its own software products does not need CRA compliance but benefits from ISO 27001. A manufacturer, however, needs CRA compliance mandatorily, with ISO 27001 as a complementary management system.
What is the current status of harmonized standards for the CRA?
As of March 2026, the harmonized European standards for the CRA are still under development. CEN/CENELEC and ETSI have been mandated to develop them. Until publication in the Official Journal of the EU, existing standards such as ISO/IEC 27001 can support conformity but do not establish a presumption of conformity.
Which products are exempt from the CRA?
Not all products with digital elements fall under the CRA. Explicitly excluded are products already covered by sector-specific rules: medical devices and in vitro diagnostic devices (MDR/IVDR), motor vehicles subject to type-approval (Regulation (EU) 2019/2144, which incorporates UN R155/R156), civil aviation products (Regulation (EU) 2018/1139), marine equipment (Directive 2014/90/EU), and products developed or modified exclusively for national security or defence purposes. Free and open-source software that is not made available on the market in the course of a commercial activity is also out of scope. If your product falls under one of these exclusions, the respective sector-specific cybersecurity requirements apply instead of the CRA.

From ISO 27001 to CRA Compliance — systematic and efficient

Kunnus helps you bridge the gap between your existing ISMS and CRA requirements. Start with a free gap analysis.
