


ISO/IEC 27001:2022 Compliance

ISO/IEC 27001:2022 is the international standard for an information security management system. Learn how ImmuniWeb helps you evidence its Annex A application-security controls.

Reading time: 8 min. Updated: 8 July 2025
Talk to a Specialist about
ISO 27001 Compliance

  • Start your free trial of ImmuniWeb products
  • Receive customized pricing
  • Talk with our technical experts
Gartner Cool Vendor
SC Media
IDC Innovator

ISO 27001 Compliance

What Is ISO/IEC 27001?

ISO/IEC 27001 specifies how to establish, implement, maintain and continually improve an ISMS. Its main clauses (4-10) cover organizational context, leadership, planning, support, operation, performance evaluation and improvement, driven by risk assessment and treatment.

Annex A provides a catalogue of controls that organizations select via a Statement of Applicability. The 2022 edition reorganized these into 93 controls across four themes, including a modern set of technological controls covering secure development and vulnerability management. Certification is achieved through an external audit.

Learn how ImmuniWeb helps you evidence compliance with the ISO 27001 Annex A controls for secure development and security testing of your applications (A.8.25, A.8.26, A.8.28, A.8.29 and A.8.8). Request a demo, or start a free Community Edition test.

Who Must Comply with ISO 27001?

ISO/IEC 27001 is voluntary but widely expected:

  • Organizations seeking certification to demonstrate information security maturity.
  • Suppliers and vendors required by enterprise customers or tenders to be certified.
  • Any sector and size - the standard is technology- and industry-neutral.
  • Where the ISMS scope includes software development or internet-facing applications, the Annex A application-security controls apply.

Key ISO 27001 Controls for Application Security

Several Annex A (2022) controls drive application-security work:

  • A.8.25 - Secure development life cycle: establish and apply rules for the secure development of software and systems.
  • A.8.26 - Application security requirements: identify and apply security requirements when developing or acquiring applications.
  • A.8.28 - Secure coding: apply secure coding principles to software development.
  • A.8.29 - Security testing in development and acceptance: define and perform security testing across the development life cycle.
  • A.8.8 - Management of technical vulnerabilities: obtain information about and address technical vulnerabilities in a timely way.

ISO 27001 Application-Security Controls in Depth

A.8.29 - Security Testing in Development and Acceptance

This control expects security testing to be defined and performed during development and before acceptance. Penetration testing and vulnerability scanning of web and mobile applications provide exactly this evidence, and re-testing after changes shows the control operates over time.

A.8.8 - Management of Technical Vulnerabilities

A.8.8 requires organizations to identify technical vulnerabilities, evaluate exposure and take appropriate action. Regular vulnerability scanning and attack-surface management feed this control directly.

A.8.25 & A.8.28 - Secure Development and Coding

Embedding security into the development life cycle and applying secure coding principles are evidenced by documented development rules together with security testing embedded in CI/CD: shifting security left so that each release is tested before it ships, not only the first one.

Common Web and Mobile Application Risks to Remediate

The application risks these Annex A controls aim to prevent map closely to the OWASP Top 10:

  • Broken Access Control - users reaching data or actions they are not authorized for.
  • Cryptographic Failures - weak or missing encryption exposing sensitive data.
  • Injection - SQL, command or other injection through unvalidated input.
  • Insecure Design - security controls missing by design, not merely by bug.
  • Security Misconfiguration - default, incomplete or insecure configuration.
  • Vulnerable and Outdated Components - unpatched libraries and frameworks.
  • Identification and Authentication Failures - weak login, session or credential handling.
  • Software and Data Integrity Failures - untrusted updates, insecure CI/CD pipelines.
  • Security Logging and Monitoring Failures - attacks going undetected.
  • Server-Side Request Forgery (SSRF) - the server tricked into making requests on the attacker's behalf.

For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
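As an added illustration of the Injection item above (example code written for this page, not ImmuniWeb product code or part of any ISO document), the script below shows the two shapes an auditor-facing finding and its fix usually take: a query that splices user input into SQL text, and the same lookup with a bound parameter. The `users` table and the tautology payload are constructed sample data; the same payload returns every row from the vulnerable function and nothing from the hardened one.

```python
import sqlite3

# Constructed sample data for the demonstration; not real accounts.
USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable lookup: attacker-controlled input becomes part of the SQL text."""
    query = (
        "SELECT username, email, role FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened lookup: the value is bound as a parameter, never parsed as SQL."""
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against a classic tautology payload and a legitimate name."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the quoted literal, then always-true clause
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),  # 2: whole table leaks
        "safe_rows": len(lookup_safe(conn, payload)),              # 0: treated as a literal
        "safe_legit": len(lookup_safe(conn, "alice")),             # 1: normal use still works
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 2, 'safe_rows': 0, 'safe_legit': 1}
```

A DAST scanner or a manual tester would report the first function as a finding under A.8.29; the retest evidence for the audit file is the second function returning nothing for the same payload.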

How to Evidence ISO 27001 Application Controls with ImmuniWeb

  1. Define scope. Map in-scope applications and assets with ImmuniWeb Discovery.
  2. Test in development and acceptance (A.8.29) with On-Demand and Neuron.
  3. Manage vulnerabilities (A.8.8) with Neuron scanning and Discovery attack-surface management.
  4. Secure the SDLC (A.8.25 / A.8.28) with Continuous in CI/CD.
  5. Remediate and retest, using clear reports without false positives as audit evidence.
  6. Retain evidence through periodic retests between surveillance audits.

How ImmuniWeb Helps You Achieve ISO 27001 Compliance

ImmuniWeb provides the testing that evidences ISO 27001's application-security controls for your auditor.

Requirement | What it requires | ImmuniWeb products
A.8.29 | Security testing in development and acceptance | On-Demand, Neuron, Continuous
A.8.8 | Management of technical vulnerabilities | Neuron, Discovery, On-Demand
A.8.25 / A.8.26 / A.8.28 | Secure development life cycle, requirements and coding | Continuous, On-Demand

ImmuniWeb On-Demand delivers manual web application penetration testing; Neuron and Neuron Mobile provide automated scanning; MobileSuite covers mobile apps; Continuous embeds testing into CI/CD; and Discovery maps your attack surface - together producing audit-ready evidence for Annex A.

ISO 27001 vs International Frameworks

If you already comply with other international frameworks, the same ImmuniWeb tests cover them all:

Framework | Application-security perspective | How ImmuniWeb aligns
ISO/IEC 27001:2022 | Annex A technological controls (A.8.x) | Web/mobile pentest, scanning, ASM as control evidence
SOC 2 | Security trust services criteria | Testing as control evidence
NIST CSF 2.0 | Protect / Detect functions | Application testing and monitoring
PCI DSS 4.0.1 | Requirements 6 and 11 | Web app pentest + scanning

Penetration Testing vs Security Scanning

Both are needed. Automated scanning (DAST) gives broad, frequent coverage and suits continuous testing in CI/CD; manual penetration testing finds the business-logic and chained vulnerabilities that scanners miss and provides the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and retest after significant changes.

Compliance Checklist (Application Security)

  • In-scope applications and assets inventoried
  • Security testing defined and performed in development/acceptance (A.8.29)
  • Technical vulnerabilities managed and remediated (A.8.8)
  • Secure development life cycle and secure coding practices applied (A.8.25 / A.8.28)
  • Findings remediated and re-tested; evidence retained
  • Re-testing maintained between surveillance audits
  • Statement of Applicability reflects the controls in use

Why ISO 27001 Compliance Matters

ISO/IEC 27001 certification is frequently a precondition for enterprise contracts, tenders and partnerships, and signals a mature security posture to customers and regulators. Auditors expect demonstrable evidence that controls operate, not just policies.

Application-security controls are among the most scrutinised in modern audits, so regular testing of web and mobile applications is one of the clearest ways to evidence Annex A and pass surveillance audits.

Frequently Asked Questions

  • Q: What is ISO/IEC 27001?
    A: The international standard for an information security management system (ISMS), against which organizations can be independently certified.
  • Q: What is the current version of ISO 27001?
    A: ISO/IEC 27001:2022, which replaced the 2013 edition; the transition period for certified organizations ends on 31 October 2025.
  • Q: Who needs ISO 27001 certification?
    A: It is voluntary but widely required by enterprise customers, tenders and partners as proof of security maturity.
  • Q: Which Annex A controls relate to application security?
    A: A.8.25, A.8.26, A.8.28 and A.8.29 (secure development and testing) and A.8.8 (technical vulnerability management).
  • Q: Does ISO 27001 require penetration testing?
    A: Not by name. Control A.8.29 requires security testing to be defined and performed in development and acceptance; in practice that requirement is met through penetration testing and vulnerability scanning, and auditors expect evidence of both.
  • Q: How does ImmuniWeb help with ISO 27001?
    A: By providing application penetration testing, scanning and attack-surface management that evidence the relevant Annex A controls for your auditor.