ISO 27001 Security Robots: Annex A Mapping for ISOs
ISO 27001 security robots: full Annex A mapping with A.5, A.7 and A.8 controls, Statement of Applicability and audit evidence for ISMS owners.
ISO 27001 security robots: why the mapping becomes mandatory
ISO/IEC 27001:2022 is the governing standard for information security management systems. It contains the binding Annex A with 93 controls across four themes: organizational, people, physical, technological (ISO 27001:2022). Block A.7 lists 14 physical controls (A.7.1 to A.7.14) that auditors examine in detail at every recertification audit. A gap here triggers a major non-conformity.
Patrol robots produce continuous, tamper-resistant telemetry. Track logs, sensor events and movement paths are documented reproducibly. A human guard does not deliver this data quality. Guard books are handwritten, incomplete and often back-filled.
ISMS owners require a 1:1 mapping from control number to technical measure. Without that mapping every robot deployment remains an audit risk, because the auditor cannot attribute effectiveness. Quarero delivers the mapping as an appendix to the Service Description Document, not as a marketing handout. The table is part of the contract.
The mapping is the precondition for crediting the robot in the Statement of Applicability (SoA). Without an SoA entry the measure does not exist from the ISMS perspective.
Annex A.7 physical controls: the hard mapping
A.7.1 Physical security perimeters: QR-2 and QR-3 patrol the defined perimeter with GPS tracking. Every round is stored as a track log; timestamp and waypoint deviation are visible in the report.
A.7.2 Physical entry: thermal camera and person detection identify intruders at the fence and gate. The event reaches the control room within 8 seconds, including image attachment and coordinates.
A.7.4 Physical security monitoring: 24/7 live stream and event-based recording. Retention is 90 days and every access is logged. Each streaming request is documented in the audit log with the requesting user ID.
A.7.5 Protecting against physical and environmental threats: the robot detects smoke, temperature anomalies and water levels. The QR-3 variant for KRITIS sites, equipped with LiDAR and drone detection, additionally performs volume scans that capture changes to building geometry and stock levels.
A.7.6 Working in secure areas: the robot replaces the human walk-through in high-security zones. No personnel risk in restricted areas, no four-eyes problem on night shifts.
What is not covered here: A.7.7 Clear desk and A.7.9 Security of assets off-premises. These controls remain the customer's responsibility. The robot does not replace the entire A.7 block.
A.8 technological controls: the digital side of the robot
A.8.1 User endpoint devices: every robot is listed as an ISMS asset in the inventory. MAC address, serial number, firmware version, location and owner are documented.
A.8.5 Secure authentication: operator access via MFA. No shared accounts, session logs retained for 12 months. Privileged access runs through a separate account with a second factor.
A.8.9 Configuration management: one golden image per model, changes only via the Change Advisory Board. OTA updates are signed, and the hash of each update is verified before installation.
A.8.15 Logging: all movements, detections and commands are written to an immutable log. Entries are hash-chained per 24-hour block, so any tampering becomes visible immediately when the chain is verified.
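The following is an added illustration of the hash-chaining principle described for A.8.15; it is not Quarero's code and makes no claim about the product's actual log format. Each entry commits to the previous entry's SHA-256 hash, so editing or deleting any earlier record breaks every later link. The record fields and the robot ID "QR2-EXAMPLE" are constructed sample data.

```python
"""Hash-chained audit log: each entry commits to the previous entry's hash,
so altering or deleting any earlier record breaks every later link.
Added example; record layout and values are constructed, not a real log."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry of a 24-hour block


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    # regardless of how the record dict was built.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(chain: list, record: dict) -> dict:
    """Append a record, linking it to the hash of the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev_hash, "record": record,
             "hash": _entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first broken entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != expected_prev:
            return i  # link to the predecessor is broken (deletion/reordering)
        if _entry_hash(entry["prev_hash"], entry["record"]) != entry["hash"]:
            return i  # the record itself no longer matches its stored hash
        expected_prev = entry["hash"]
    return -1


def build_sample_chain() -> list:
    """Build a small chain from constructed telemetry records (not real robot data)."""
    records = [
        {"ts": "2024-05-01T22:00:00Z", "robot": "QR2-EXAMPLE", "event": "patrol_start", "waypoint": 1},
        {"ts": "2024-05-01T22:04:30Z", "robot": "QR2-EXAMPLE", "event": "person_detected", "waypoint": 7},
        {"ts": "2024-05-01T22:05:10Z", "robot": "QR2-EXAMPLE", "event": "command", "cmd": "stream_start", "user": "op-17"},
        {"ts": "2024-05-01T22:30:00Z", "robot": "QR2-EXAMPLE", "event": "patrol_end", "waypoint": 1},
    ]
    chain = []
    for record in records:
        append_entry(chain, record)
    return chain


def demo_tamper() -> tuple:
    """Return (intact, edited, deleted) verification results.

    intact  -> -1, the untouched chain verifies
    edited  -> 1, record 1 was changed in place, its stored hash no longer matches
    deleted -> 1, record 1 was removed, record 2's prev_hash no longer links
    """
    chain = build_sample_chain()
    intact = verify_chain(chain)
    edited = [dict(e) for e in chain]
    edited[1] = dict(edited[1], record=dict(edited[1]["record"], event="no_detection"))
    deleted = chain[:1] + chain[2:]
    return intact, verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(demo_tamper())
```

One caveat an auditor will ask about: a hash chain only proves integrity relative to its head. Someone with write access to the whole block could rewrite a record and recompute every later hash. The chain therefore needs an external anchor, for example the head hash of each 24-hour block exported to the SIEM or a write-once store at block close, and verification compares against that exported value rather than only walking the chain internally.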
A.8.16 Monitoring activities: SOC connection via syslog or SIEM connector. Anomalies (robot offline longer than 5 minutes, atypical movement pattern, authentication errors) trigger an incident ticket.
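As an added example of the A.8.16 rules, not part of the page or the vendor's product, the block below runs two of the named anomaly checks over constructed telemetry lines: a heartbeat gap longer than 5 minutes and repeated authentication failures. The line format, the threshold of three failures within ten minutes and the robot and user IDs are assumptions made for the example.

```python
"""Detection logic for two A.8.16 anomaly rules over constructed telemetry lines:
(1) robot offline longer than 5 minutes, (2) a burst of authentication failures.
Added example; the "ts robot kind key=value" line format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

OFFLINE_THRESHOLD = timedelta(minutes=5)   # from the page: offline > 5 minutes
AUTH_FAIL_THRESHOLD = 3                    # assumed: failures per user in the window
AUTH_FAIL_WINDOW = timedelta(minutes=10)   # assumed sliding window

# Constructed sample lines (not real robot output). Heartbeats at 22:01 and 22:09:30
# leave an 8.5-minute gap; op-17 then fails authentication three times in a row.
SAMPLE_LINES = """\
2024-05-01T22:00:00Z QR2-EXAMPLE heartbeat battery=91
2024-05-01T22:01:00Z QR2-EXAMPLE heartbeat battery=90
2024-05-01T22:09:30Z QR2-EXAMPLE heartbeat battery=88
2024-05-01T22:10:30Z QR2-EXAMPLE heartbeat battery=88
2024-05-01T22:11:00Z QR2-EXAMPLE auth_fail user=op-17 src=10.0.0.5
2024-05-01T22:11:20Z QR2-EXAMPLE auth_fail user=op-17 src=10.0.0.5
2024-05-01T22:12:05Z QR2-EXAMPLE auth_fail user=op-17 src=10.0.0.5
2024-05-01T22:12:40Z QR2-EXAMPLE auth_ok user=op-17 src=10.0.0.5
"""


def parse_line(line: str):
    """Split one telemetry line into (timestamp, robot, kind, attrs)."""
    ts_str, robot, kind, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    attrs = dict(f.split("=", 1) for f in fields)
    return ts, robot, kind, attrs


def detect_anomalies(text: str, now=None) -> list:
    """Return incident tickets as dicts with keys rule, robot, ts, detail.

    `now` (naive UTC datetime) enables the end-of-stream check for a robot that
    went silent and never sent another heartbeat; without it a gap can only be
    seen once the next heartbeat arrives.
    """
    tickets = []
    last_heartbeat = {}
    auth_failures = defaultdict(list)

    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, robot, kind, attrs = parse_line(raw)
        if kind == "heartbeat":
            prev = last_heartbeat.get(robot)
            if prev is not None and ts - prev > OFFLINE_THRESHOLD:
                gap_min = int((ts - prev).total_seconds() // 60)
                tickets.append({"rule": "robot_offline", "robot": robot,
                                "ts": ts.isoformat(),
                                "detail": f"no heartbeat for {gap_min} min"})
            last_heartbeat[robot] = ts
        elif kind == "auth_fail":
            user = attrs.get("user", "?")
            window = auth_failures[(robot, user)]
            window.append(ts)
            # keep only failures inside the sliding window
            window[:] = [t for t in window if ts - t <= AUTH_FAIL_WINDOW]
            if len(window) >= AUTH_FAIL_THRESHOLD:
                tickets.append({"rule": "auth_failures", "robot": robot,
                                "ts": ts.isoformat(),
                                "detail": f"{len(window)} failures for {user} "
                                          f"from {attrs.get('src', '?')}"})
                window.clear()  # one ticket per burst

    if now is not None:
        for robot, last in last_heartbeat.items():
            if now - last > OFFLINE_THRESHOLD:
                gap_min = int((now - last).total_seconds() // 60)
                tickets.append({"rule": "robot_offline", "robot": robot,
                                "ts": now.isoformat(),
                                "detail": f"silent for {gap_min} min"})
    return tickets


if __name__ == "__main__":
    for ticket in detect_anomalies(SAMPLE_LINES, now=datetime(2024, 5, 1, 22, 20)):
        print(ticket)
```

The end-of-stream check matters for the "offline longer than 5 minutes" rule: a robot that is jammed, powered off or disconnected produces no further lines, so a purely event-driven rule would never fire. In a SIEM this is the scheduled "absence of events" search; the `now` parameter stands in for that scheduler here.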
A.8.24 Use of cryptography: TLS 1.3 for communication, AES-256 for storage. Key rotation every 90 days, documented in the crypto concept.
What remains unsolved in the A.8 block: A.8.28 Secure coding sits with the manufacturer. The customer receives penetration test reports but has no direct view into the source code. This gap must be documented in the residual risk.
Statement of Applicability: how the robot lands there
Per control the measure is documented. Sample SoA text: "A.7.4 Physical security monitoring: implemented through Quarero QR-2 patrol, 4 rounds per hour, service ID QR2-2024-0117, owner site security manager, evidence in the telemetry portal."
The Service Description Document contains version number, sensor specification, data flow diagram and supplier certificates (ISO 27001 of the supplier, C5 attestation of the hosting provider). This document is provided to the auditor before the start of the Stage 2 audit.
Residual risk is quantified: blind spots caused by topography, weather-related outage in storms above 80 km/h, battery change time (12 minutes with autonomous docking). These figures are not whitewashed. Hiding them costs credibility at the first audit.
Effectiveness measurement via KPIs: Mean Time to Detect (MTTD) below 15 seconds, false-positive rate documented per quarter. Both values are exportable from the system and form part of the management review input.
The auditor receives read-only access to the telemetry portal during the audit. Not on request and not via email screenshots. Direct access shortens sample testing by hours.
Supplier security: A.5.19 to A.5.23
Quarero is a supplier in the sense of A.5.19. The contract contains security clauses, a DPA under Art. 28 GDPR and a disclosed subcontractor list with country of seat and processing purpose.
A.5.20 Addressing information security within supplier agreements: SLA with 99.5 percent availability, response time 4 hours for critical incidents, penalty clause for repeated breach.
A.5.21 Managing information security in the ICT supply chain: SBOM (Software Bill of Materials) for the robot firmware on request. Third-party components are listed with version and license. CVE monitoring by the manufacturer.
A.5.22 Monitoring, review and change management of supplier services: quarterly service review with the customer's ISO, minutes mandatory. Topics: SLA compliance, incidents, patch status, planned changes.
A.5.23 Information security for use of cloud services: hosting in data centers in Germany and Switzerland with C5 attestation. No data export outside EU/EEA. Contract clause prohibits subprocessor changes without 30 days' prior notice.
For KRITIS operators the supply chain documentation is not optional. The KritisV defines the thresholds and sectors for which physical and IT protection measures are mandatory. The BBK is the competent federal authority for registration and advice.
Incident management: A.5.24 to A.5.28
Robot detections are classified as security events. Escalation tiers are set in the runbook: information, warning, alarm, critical. Each tier has a defined response.
A.5.25 Assessment of and decision on information security events: the control room operator classifies within 60 seconds. The decision tree is documented and available at the workstation. Dual classification at alarm tier and above.
A.5.26 Response to information security incidents: defined actions per event type (drone, person intrusion, fire, technical failure) including police notification and internal escalation chain.
A.5.27 Learning from information security incidents: monthly lessons-learned meeting. Patrol route and detection thresholds are adjusted when an incident exposes a gap. Changes are traceable in the change log.
A.5.28 Collection of evidence: video and sensor raw data are forensically preserved, chain of custody documented. Hash values of the original files are recorded in the handover protocol when handed to law enforcement.
A concrete example from the field, perimeter protection in the industrial park, shows how a drone detection by QR-3 became a documented incident with police handover.
Audit preparation: what the ISO concretely needs
Mapping table in Excel or the ISMS tool with the following columns: control number, original title, concrete measure, owner, evidence path, review frequency, last review date. This table is the entry point for the auditor.
Three sample incidents from the last quarter with full documentation. The auditor pulls samples. A team that prepares only one incident looks selective.
Access log on the telemetry portal for the last 12 months, filtered for administrative actions: create user, change role, change configuration, export data.
Firmware version history with change tickets. Patch SLA is documented: critical CVE below 14 days, high CVE below 30 days. Deviations with justification in the risk register.
Penetration test report of the robot backend, annual, by an external provider. Findings with severity, measure, implementation date and verification date.
Risk analysis per ISO 27005 with the robot as asset. Threat catalog (physical tampering, GPS spoofing, radio jamming, cyberattack on backend) and residual risk assessment by damage level and likelihood.
A team that prepares these six points passes the Stage 2 audit without a major non-conformity on the robot deployment.
Economic effect: ISMS maturity rises, guard costs drop
A 24/7 guard post costs 15,000 to 25,000 euros per month, depending on pay grade, allowances and region. The personnel cost structure is documented in the BDSW industry statistics. A QR-2 in the RaaS model is around 3,500 euros per month.
Audit effort drops: machine-generated evidence replaces handwritten guard books. The ISO saves an estimated 8 to 12 person-days per recertification. Samples are exportable digitally instead of being pieced together from paper folders.
Insurance premiums for cyber and property cover are negotiable when ISO 27001 plus robot monitoring is evidenced. The concrete discount rates depend on the insurer and sit between 5 and 12 percent.
KRITIS operators meet NIS-2 Art. 21 requirements in parallel. The directive obliges essential and important entities to take technical, operational and organizational measures to protect their network and information systems. Basis: NIS-2 Directive 2022/2555. Dual benefit per euro of RaaS fee: ISO 27001 Annex A.7/A.8 and NIS-2 Article 21 requirements are covered by the same measure.
ROI threshold: the deployment pays for itself once the second of three guard posts is replaced. Hard numbers come from the TCO comparison with classical guard service. Replacing only one post means paying extra. Replacing two or three posts funds the robot solution from the personnel cost saving. The Robotics-as-a-Service model without CapEx shifts the spend from investment to operating cost, which eases the balance sheet metrics.
Concrete next step for the ISO: request the Service Description Document and the Annex A mapping table for the QR-2 outdoor patrol with thermal camera. Both documents are delivered before contract signing and form part of the annex to the main agreement.