ISO 27001
What it is — ISO/IEC 27001 is the international standard for information security management systems (ISMS), published by ISO. It provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement. The current version is ISO/IEC 27001:2022, which restructured the Annex A controls.
Appsec relevance — Annex A of ISO 27001:2022 includes controls directly related to vulnerability management (A.8.8), configuration management (A.8.9), secure development (A.8.25–A.8.31), and monitoring (A.8.16). Organizations seeking or maintaining ISO 27001 certification must demonstrate they manage technical vulnerabilities in their web applications and APIs.
How Detectify Supports ISO 27001
| Control | What it requires | Detectify Capability | Coverage |
|---|---|---|---|
| A.8.8 — Technical vulnerability management | Obtain information about technical vulnerabilities of information systems in use, evaluate the organization’s exposure, and take appropriate measures | Application Scanning, API Scanning, Internal Scanning, and Surface Monitoring provide continuous vulnerability identification across multiple CWEs, with CVSS-based prioritization. Covers web application, API, and external infrastructure vulnerabilities | Partial |
| A.8.9 — Configuration management | Establish, document, implement, monitor, and review security configurations across the technology stack | Security misconfiguration detection (CWE-16), default credential testing, HTTP security header validation | Full |
| A.5.9 — Inventory of assets | Identify and maintain an inventory of information and other associated assets, including owners | Surface Monitoring discovers and catalogs internet-facing assets (domains, subdomains, IPs, ports, technologies) | Partial |
| A.8.16 — Monitoring activities | Monitor networks, systems, and applications for anomalous behaviour and take appropriate action | 24/7 Surface Monitoring with change detection and alerting via integrations (Slack, PagerDuty, Teams) | Partial |
| A.8.25 — Secure development lifecycle | Establish and apply rules for the secure development of software and systems | API-triggered scanning in CI/CD pipelines and Internal Scanning for pre-production testing support secure development practices | Partial |
| A.8.28 — Secure coding | Apply secure coding principles to software development | Detects coding-related vulnerabilities (injection, XSS, path traversal) but does not perform static code analysis | Partial |
| A.8.12 — Data leakage prevention | Apply data leakage prevention measures to systems, networks, and devices that process or store sensitive information | Information exposure detection (CWE-200) identifies data leakage in web applications | Partial |
| A.5.23 — Cloud services | Establish processes for acquiring, using, managing, and exiting cloud services in line with security requirements | Surface Monitoring discovers cloud-hosted assets; scanning tests cloud-hosted applications for vulnerabilities | Partial |
| A.5.7 — Threat intelligence | Collect and analyse information about information security threats to produce threat intelligence | Crowdsource network of over 400 ethical hackers provides real-world vulnerability research; Alfred AI generates test modules from public CVE disclosures | Partial |
What Detectify Covers
Detectify provides strong support for the web application and API components of ISO 27001’s technical vulnerability management (A.8.8) and configuration management (A.8.9) controls, which are among the most frequently cited during audits. Note that A.8.8 covers all technical vulnerabilities — OS, database, network device, and infrastructure vulnerabilities require additional scanning tools. Surface Monitoring supports asset inventory (A.5.9) and monitoring (A.8.16) requirements. CI/CD integration supports secure development lifecycle controls (A.8.25).
ISO 27001 is a broad management system standard — the majority of Annex A controls address organizational, people, and physical security measures outside DAST scope. Detectify addresses the application security and vulnerability management components within a broader ISMS implementation.
Complementary Tools You May Need
- Infrastructure vulnerability scanner — For OS, database, and network device vulnerabilities under A.8.8
- GRC platform — For ISMS documentation, risk treatment plans, and audit management
- SAST / SCA — For A.8.28 secure coding verification at the source code level
- Endpoint protection — For A.8.1 user endpoint device controls
- Network security — For A.8.20–A.8.22 network controls
- IAM — For A.8.2–A.8.5 access management controls
- Security awareness training — For A.6.3 training requirements
- Incident response platform — For A.5.24–A.5.28 incident management