
ISO 27001 Controls - Annex A

A.8 Technological measures

| Symbol | Meaning |
| --- | --- |
| ✅ | DevGuard covers this control for the monitored applications, so you can use DevGuard to prove your compliance |
| 🔵 | DevGuard partially covers this control |
| Control | DevGuard | Description |
| --- | --- | --- |
| A.8.4 Access to source code | 🔵 | The measure requires appropriate management of read and write access to source code, development tools and software libraries to prevent unauthorized functions, unintended or malicious changes and to protect the confidentiality of intellectual property. |
| A.8.7 Protection against malware | 🔵 | Protective measures against malware must be implemented and supported by appropriate user education. |
| A.8.8 Management of technical vulnerabilities | ✅ | The measure includes identifying technical vulnerabilities, assessing their risks for the organization and implementing suitable countermeasures to prevent their exploitation. |
| A.8.19 Installation of software on operational systems | 🔵 | The measure includes the implementation of procedures and measures for the secure management of software installation on systems in operation in order to ensure system integrity and prevent the exploitation of technical vulnerabilities. |
| A.8.25 Secure development life cycle | ✅ | The measure requires the definition and application of rules for the secure development of software and systems to ensure that information security is considered and implemented throughout the development cycle. |
| A.8.26 Application security requirements | 🔵 | The measure requires that information security requirements are identified, specified and approved during the development or procurement of applications to ensure their consideration throughout the process. |
| A.8.28 Secure Coding | ✅ | The measure requires the application of the principles of secure coding in software development to ensure the security of the software and minimize potential security vulnerabilities. |
| A.8.29 Security Testing in Development and Acceptance | ✅ | The measure requires the definition and integration of security testing procedures into the development lifecycle to ensure that information security requirements are met when applications or code are deployed in the production environment. |
| A.8.30 Outsourced Development | 🔵 | The measure requires the organization to manage, monitor and review the activities of outsourced system development to ensure that the required information security measures are implemented. |

How DevGuard helps you with the ISO 27001 compliance

✅ DevGuard covers your controls through the following features

A.8.8 Management of Technical Vulnerabilities

  • Identification and documentation of vulnerabilities in your codebase through static code analysis and dynamic code analysis.
  • Identification and documentation of software components and libraries in your codebase through SBOM (Software Bill of Materials) generation, listing all software components with their versions.
  • Automatic generation and documentation of an SBOM (Software Bill of Materials) with versions for each new change in the codebase.
  • Identification and documentation of vulnerabilities in the dependencies of your codebase through dependency scanning with software composition analysis (SCA) and container images.
  • Verification of available patches for the vulnerabilities in dependencies, along with guidance on how to apply them.
  • Calculation and documentation of the risk of vulnerabilities in your codebase and dependencies through risk analysis.
  • Prioritization of vulnerabilities in your codebase and dependencies, enabling you to address the most critical issues first.
  • Continuous monitoring of vulnerabilities in your codebase and dependencies to track whether they have been resolved.
  • Documentation of the vulnerabilities in your codebase and dependencies, along with the fixes applied to address them.

A.8.25 Secure Development Life Cycle

  • The pipeline is designed to be secure by default, adhering to the best practices outlined in the OWASP DevSecOps Guideline.
  • Monitoring the software development lifecycle by displaying which threats are mitigated and which are not, based on the SLSA (Supply Chain Levels for Software Artifacts) model.
  • Ensuring the integrity of the codebase and protecting it from unauthorized changes through in-toto.

A.8.28 Secure Coding

  • Identification and documentation of secrets and credentials in your codebase through secret scanning.
  • Identification and documentation of software components and libraries in your codebase through SBOM (Software Bill of Materials) generation, listing all software components with their versions.
  • Automatic generation and documentation of an SBOM with versions for each new change in the codebase.
  • Identification and documentation of vulnerabilities in the dependencies of your codebase through dependency scanning with software composition analysis (SCA) and container images.
  • Calculation and documentation of the risk of vulnerabilities in your codebase and dependencies through risk analysis.
  • Ensuring the integrity of the codebase and protection from unauthorized changes through in-toto.
  • Prioritization of vulnerabilities in your codebase and dependencies, enabling you to address the most critical issues first.
  • Identification and documentation of licenses in your codebase through license scanning.

A.8.29 Security Testing in Development and Acceptance

  • The requirements for information security—integrity, availability, and confidentiality—can be customized. Based on these requirements, the risks of vulnerabilities are calculated and documented through risk analysis.
  • Adherence to secure coding principles. See A.8.28 Secure Coding.

🔵 DevGuard covers parts of the control through the following features

A.8.4 Access to source code

  • Ensuring the integrity of the codebase and protection from unauthorized changes through in-toto.

A.8.7 Protection against malware

A.8.19 Software installation

  • Automatic generation and documentation of an SBOM (Software Bill of Materials) with versions for each new change in the codebase, so that every library update can be checked.

A.8.26 Application security requirements

  • The requirements for information security—integrity, availability, and confidentiality—can be customized. Based on these requirements, the risks of vulnerabilities are calculated and documented through risk analysis.

A.8.30 Outsourced Development

If DevGuard is integrated into the outsourced development process:

  • Identification and documentation of vulnerabilities in the dependencies of the outsourced codebase can be performed. See A.8.8 Management of Technical Vulnerabilities.
  • Ensuring the integrity of the codebase and protection from unauthorized changes through in-toto.