
ISO/IEC 27001:2022

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS), published by the International Organization for Standardization. The 2022 revision restructured Annex A controls; it is the current version for new certifications and recertifications.

Certification scope

ISO/IEC 27001 certification is issued by an accredited certification body following an audit. The guidance on this page supports your preparation for that audit; it does not constitute certification advice.

Relevant control

Annex A, Control 8.29 — Security Testing in Development and Acceptance requires that organisations define and implement security testing processes throughout the software development life cycle (SDLC) and before systems are accepted into production.

Publicly available guidance on this control identifies three areas that certification auditors typically examine:

  1. A documented security testing plan that defines acceptance criteria — i.e., what security tests must pass before a release is accepted.
  2. Test results traceable to specific security requirements — not just that tests ran, but that the tests address known security properties of the application.
  3. Evidence that testing was repeated at each relevant development stage or release cycle.

Control mapping

| Control 8.29 objective | MethodAtlas feature | Evidence produced |
|---|---|---|
| Documented security testing plan with acceptance criteria | Baseline CSV from main branch; release gate blocks merges when count regresses | baseline.csv archived as release artefact; gate job failure in CI logs |
| Test results traceable to security requirements | ai_tags column maps each test to a security control category | ai_tags values (e.g. auth, crypto, injection) in every CSV/SARIF row |
| Traceability to source revision | -content-hash SHA-256 fingerprint per class | content_hash column in CSV/SARIF; correlate with git commit SHA |
| Repeated testing across SDLC stages | CI integration runs MethodAtlas on every push to main and on release builds | Timestamped SARIF artefacts per build in CI artifact store |
| Human override and review trail | -override-file records manual decisions with rationale | Override file diff in version control; override_applied column in CSV |

Context: Control 8.29 requires the artefact to be traceable to a specific source revision and to carry evidence of when the scan was run.

MethodAtlas capability: -content-hash and -emit-metadata together satisfy both traceability requirements.

```shell
java -jar methodatlas.jar \
  -ai -ai-provider <provider> -ai-api-key-env <ENV_VAR> \
  -sarif \
  -content-hash \
  -emit-metadata \
  src/test/java \
  > security-tests-$(git rev-parse --short HEAD).sarif
```

Evidence output: the commit SHA embedded in the file name makes the correlation between artefact and source revision explicit without relying on file metadata.
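The release gate from the first row of the control mapping, together with the content_hash check from the traceability row, as an added example of what a CI job can run over the tool's CSV exports (this is illustrative code, not part of MethodAtlas). It assumes a CSV with one row per test method and a `test` column alongside the documented `ai_tags` and `content_hash` columns; the sample rows and their hashes are constructed.

```python
"""Release gate for MethodAtlas CSV exports (added example, not the tool's own code).
Assumed layout: columns test, ai_tags (comma-separated categories), content_hash (hex
SHA-256); ai_tags and content_hash are documented names, the rest is assumed."""
import csv
import hashlib
import io
import re
from collections import Counter

HASH_RE = re.compile(r"[0-9a-f]{64}")

def tag_counts(csv_text: str) -> Counter:
    """Count tests per security tag; reject any row without a well-formed content_hash."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not HASH_RE.fullmatch(row.get("content_hash") or ""):
            raise ValueError(f"{row.get('test')}: missing or malformed content_hash")
        for tag in filter(None, (t.strip() for t in row["ai_tags"].split(","))):
            counts[tag] += 1
    return counts

def regressions(baseline_csv: str, current_csv: str) -> dict:
    """Map each tag whose count dropped to (baseline_count, current_count)."""
    base, cur = tag_counts(baseline_csv), tag_counts(current_csv)
    return {t: (n, cur[t]) for t, n in base.items() if cur[t] < n}

def release_gate(baseline_csv: str, current_csv: str) -> bool:
    """True (merge allowed) when every tag keeps at least its baseline test count."""
    drops = regressions(baseline_csv, current_csv)
    for tag, (before, after) in sorted(drops.items()):
        print(f"GATE FAIL: {tag} security tests regressed {before} -> {after}")
    return not drops

def build_csv(rows) -> str:
    """Constructed sample in the assumed layout; placeholder hash = SHA-256 of the test name."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["test", "ai_tags", "content_hash"])
    writer.writeheader()
    for test, tags in rows:
        writer.writerow({"test": test, "ai_tags": tags,
                         "content_hash": hashlib.sha256(test.encode()).hexdigest()})
    return buf.getvalue()

ROWS = [("LoginTest.rejectsBadPassword", "auth"),
        ("TokenTest.verifiesSignature", "auth,crypto"),
        ("SearchTest.escapesQuery", "injection")]
BASELINE = build_csv(ROWS)          # archived baseline from main
CANDIDATE = build_csv(ROWS[:2])     # release branch deleted the injection test

if __name__ == "__main__":
    raise SystemExit(0 if release_gate(BASELINE, CANDIDATE) else 1)
```

The non-zero exit status is what makes the CI gate job fail, which is the evidence line the mapping table points to.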

Artefact package for the ISMS evidence file

For each review cycle (typically annual or per-release), retain:

| Artefact | Flags used | Purpose |
|---|---|---|
| SARIF output | -sarif -content-hash -emit-metadata | Machine-readable, tool-importable finding record |
| CSV output | -content-hash -emit-metadata | Human-readable inventory for auditor review |
| Override file | -override-file | Documents manual classification decisions |
| Git commit reference | CI environment | Ties the artefact to a specific source revision |

Statement of Applicability (SoA) entry

If your organisation maintains a Statement of Applicability for ISO/IEC 27001, the following text can serve as a basis for the Control 8.29 entry:

Control 8.29 is applicable. Security testing in development is implemented through a combination of automated security test classification (MethodAtlas), static analysis (SpotBugs, PMD), and structured code review. MethodAtlas produces a per-release SARIF artefact classifying test methods by security taxonomy. Content hashes provide traceability to source revisions. Results are retained for [retention period] and reviewed by [role] before each production deployment.

Adjust the italicised fields (shown above in square brackets) to match your organisation's processes.

Further reading