What is ISO 27001?

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information through people, processes, and technology. Annex A contains a reference set of 93 controls across 4 themes that organisations must consider when building their ISMS.

The 2022 revision (ISO 27001:2022) restructured controls from 14 domains to 4 themes and added 11 new controls. The four new Technological Controls (A.8.23–A.8.26) are directly relevant to web application security teams:

A.8.23: Web Filtering
A.8.24: Use of Cryptography
A.8.25: Secure Dev Lifecycle
A.8.26: App Security Requirements
Certification note: ISO 27001 certification is conducted by accredited external auditors and covers the entire ISMS, not just web security headers. WebAudit provides evidence for the technical web controls; organisational controls (policies, access reviews, incident management) require additional documentation.

Requirements WebAudit checks

A.8.23 Web Filtering (new in 2022)
Access to external websites must be managed to reduce exposure to malicious content. Applied to your own web application as a server: Content Security Policy restricts which external resources (scripts, styles, images, fonts) your application is permitted to load, providing outbound filtering at the browser level. A CORS wildcard (Access-Control-Allow-Origin: *) works against this by allowing any origin to read your API responses.
Checks: CSP present; CSP no unsafe-inline/eval; CORS no wildcard
Fix: Implement a CSP with a strict allowlist for script, style, image, and font sources, and avoid wildcards. Remove Access-Control-Allow-Origin: * and replace it with an explicit origin allowlist.
A.8.24 Use of Cryptography (new in 2022)
Rules for the effective use of cryptography, including key management, must be defined and implemented. For web applications this means using TLS 1.2 or 1.3 (not deprecated protocols), deploying HSTS so browsers refuse to downgrade from HTTPS to plaintext HTTP, and protecting session cookies with the Secure flag so they are never transmitted over unencrypted connections.
Checks: TLS valid; HSTS present; Cookies Secure flag
Fix: Use TLS 1.2+ with strong cipher suites (ECDHE, AES-GCM). Enforce HSTS with a minimum 1-year max-age. Protect all session cookies with the Secure flag. Document the cipher suite and certificate renewal policy.
A.8.25 Secure Development Life Cycle (new in 2022)
Rules for the secure development of software must be established and applied across the development lifecycle, including supply-chain integrity. Subresource Integrity directly addresses third-party supply-chain risk: if a CDN-hosted library is compromised, SRI hashes ensure the browser rejects the tampered version. Mixed content on HTTPS pages indicates a failure to apply secure development practices consistently.
Checks: SRI present; No mixed content
Fix: Add integrity="sha384-..." and crossorigin="anonymous" to all external <script> and <link> tags loading from CDNs. Eliminate all http:// resource loads from HTTPS pages.
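The two A.8.25 checks above (SRI present, no mixed content) can be reproduced locally. The script below is an added example, not WebAudit's own code: it computes the integrity value a tag needs, emulates how a browser verifies it (including the rule that only the strongest listed algorithm counts), and scans a page for CDN loads that lack SRI or use http:// on an HTTPS page. The library bytes and the HTML are constructed stand-ins; cdn.example.com is a placeholder host.

```python
"""SRI and mixed-content checks for the A.8.25 control. Added example,
not WebAudit's code; LIBRARY_JS and SAMPLE_HTML are constructed."""
import base64
import hashlib
import re

# Constructed stand-in for the bytes a CDN would serve for a library.
LIBRARY_JS = b"window.widget = function () { return 'hello'; };\n"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the algorithms SRI allows


def sri_hash(data, algo="sha384"):
    """Return '<algo>-<base64 raw digest>', the format the integrity attribute expects."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data, integrity):
    """Emulate the browser: of the listed hashes, only those using the strongest
    recognised algorithm count, and any one of them matching accepts the bytes."""
    entries = [(STRENGTH.get(e.split("-", 1)[0], 0), e)
               for e in integrity.split() if "-" in e]
    best = max((s for s, _ in entries), default=0)
    if best == 0:
        return False  # no recognised algorithm: nothing to trust
    return any(s == best and sri_hash(data, e.split("-", 1)[0]) == e
               for s, e in entries)


def script_tag(src, data):
    """Build the tag the fix above calls for: integrity plus crossorigin."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


TAG_RE = re.compile(r"<(script|link)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def audit_html(html, page_is_https=True):
    """Return external script/stylesheet URLs that lack integrity, and those
    loaded over http:// from an HTTPS page (mixed content)."""
    missing_sri, mixed = [], []
    for m in TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(2))}
        url = attrs.get("src") or attrs.get("href")
        if not url or not re.match(r"https?://", url, re.I):
            continue  # relative/same-origin resource: SRI not required
        if m.group(1).lower() == "link" and attrs.get("rel", "").lower() != "stylesheet":
            continue  # only stylesheets are SRI-eligible among <link> tags
        if "integrity" not in attrs:
            missing_sri.append(url)
        if page_is_https and url.lower().startswith("http://"):
            mixed.append(url)
    return {"missing_sri": missing_sri, "mixed_content": mixed}


# Constructed page: one tag done right, one without SRI, one mixed-content load.
SAMPLE_HTML = (
    script_tag("https://cdn.example.com/widget.js", LIBRARY_JS)
    + '<link rel="stylesheet" href="https://cdn.example.com/site.css">'
    + '<script src="http://cdn.example.com/legacy.js"></script>'
    + '<script src="/static/app.js"></script>'
)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/widget.js", LIBRARY_JS))
    print(audit_html(SAMPLE_HTML))
```

Regenerate the integrity value whenever the pinned library version changes; a stale hash makes the browser refuse the (legitimate) new file, which is the same behaviour that protects you when the CDN copy is tampered with.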
A.8.26 Application Security Requirements (new in 2022)
Information security requirements must be identified, specified, and approved when developing or acquiring applications. The full baseline set of security headers, CSP (injection prevention), X-Frame-Options (clickjacking), X-Content-Type-Options (MIME confusion), Referrer-Policy (data leakage), and Permissions-Policy (browser API restriction), represents the minimum application security requirements for any web-facing system.
Checks: CSP present; X-Frame-Options; X-Content-Type-Options; Referrer-Policy; Permissions-Policy
Fix: Deploy the complete set of recommended security headers: Content-Security-Policy, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy restricting camera, microphone, geolocation.
A.8.16 Monitoring Activities
Networks, systems, and applications must be monitored for anomalous behaviour and appropriate actions taken. SPF and DMARC provide email domain monitoring: DMARC rua aggregate reports deliver daily data on who is sending email as your domain, enabling detection of spoofing activity. DMARC p=none only monitors; p=quarantine or p=reject enforces and acts.
Checks: DMARC present; DMARC enforced (p=quarantine/reject); SPF present
Fix: Configure SPF with -all (hard fail for unlisted senders). Set DMARC p=quarantine or p=reject and include rua=mailto:dmarc@yourdomain.com to receive aggregate reports for monitoring.
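To see how the A.8.16 checks above read a domain's SPF and DMARC records, here is an added example (not WebAudit's code). It parses the two TXT record strings, extracts the SPF "all" qualifier and the DMARC p and rua tags, and reports the same pass/fail set the page lists. The records are constructed; in practice they come from a DNS TXT lookup of the domain and of _dmarc.<domain>, which this example does not perform.

```python
"""Evaluate SPF and DMARC records against the A.8.16 checks (SPF present,
SPF hard fail, DMARC present, DMARC enforced, rua set). Added example,
not WebAudit's code; the records below are constructed, not fetched."""
import re


def parse_spf(txt):
    """Return the mechanisms and the qualifier on the 'all' mechanism
    ('-' hard fail, '~' soft fail, '?' neutral, '+' pass), or None if not SPF."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    all_qualifier = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"  # no qualifier means '+'
    return {"mechanisms": terms, "all_qualifier": all_qualifier}


def parse_dmarc(txt):
    """Return the DMARC tag/value pairs (p, rua, pct, ...), or None if not DMARC."""
    if not txt or not re.match(r"v=DMARC1", txt.strip(), re.I):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate(spf_txt, dmarc_txt):
    """Map the two records onto the page's check names."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    policy = (dmarc or {}).get("p", "").lower()
    return {
        "spf_present": spf is not None,
        "spf_hard_fail": spf is not None and spf["all_qualifier"] == "-",
        "dmarc_present": dmarc is not None,
        "dmarc_enforced": policy in ("quarantine", "reject"),
        "dmarc_rua_set": bool(dmarc and dmarc.get("rua")),
    }


# Constructed records: a monitor-only setup beside an enforcing one.
MONITOR_ONLY = ("v=spf1 include:_spf.example.net ~all",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
ENFORCED = ("v=spf1 include:_spf.example.net -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")

if __name__ == "__main__":
    for label, records in (("monitor-only", MONITOR_ONLY), ("enforced", ENFORCED)):
        print(label, evaluate(*records))
```

A record with p=none and a rua address passes "DMARC present" and "rua set" but fails "DMARC enforced": it gives you the aggregate reports to detect spoofing, but receivers take no action on the spoofed mail until p is raised to quarantine or reject.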
A.5.14 Information Transfer
Information transfer rules, procedures, and controls must be in place for all types of transfer facilities, including web application data transmission. HSTS prevents information transfer over unencrypted HTTP. Mixed content allows HTTP-loaded resources on HTTPS pages. SameSite cookies prevent session data from being transferred in cross-site requests initiated by third-party origins.
Checks: HSTS present; No mixed content; Cookies SameSite
Fix: Enforce HSTS to prevent any plaintext transfer. Eliminate all mixed HTTP/HTTPS content. Set SameSite=Lax or SameSite=Strict on session cookies to prevent cross-site data transfer.
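The header-based checks under A.8.23, A.8.24, A.8.26 and A.5.14 above all operate on one HTTP response. The following added example (not WebAudit's code) runs them over a dictionary of response headers: CSP present and free of unsafe-inline/unsafe-eval, no CORS wildcard, HSTS with at least a one-year max-age, every Set-Cookie carrying Secure and SameSite=Lax/Strict, and the A.8.26 baseline headers. Mixed content is a page-content check rather than a header check and is not covered here. Both header sets are constructed; app.example.com and cdn.example.com are placeholder origins, and the one-year threshold of 31536000 seconds is this example's reading of the page's "minimum 1-year max-age".

```python
"""Header audit for the WebAudit-style checks. Added example, not WebAudit's
code; WEAK and HARDENED are constructed response header sets."""
import re

ONE_YEAR = 31536000  # seconds; the one-year HSTS minimum the page recommends


def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _cookies(headers):
    """Collect Set-Cookie values; the dict may hold one string or a list."""
    value = _get(headers, "Set-Cookie")
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_csp(headers):
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return {"csp_present": False, "csp_no_unsafe": False}
    # either keyword anywhere in the policy fails the second check
    unsafe = re.search(r"'unsafe-(inline|eval)'", csp) is not None
    return {"csp_present": True, "csp_no_unsafe": not unsafe}


def check_cors(headers):
    acao = _get(headers, "Access-Control-Allow-Origin")
    return {"cors_no_wildcard": acao is None or acao.strip() != "*"}


def check_hsts(headers):
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        return {"hsts_present": False, "hsts_one_year": False}
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else 0
    return {"hsts_present": True, "hsts_one_year": max_age >= ONE_YEAR}


def check_cookies(headers):
    """Every cookie set must carry Secure and a SameSite of Lax or Strict."""
    cookies = _cookies(headers)
    secure = all(re.search(r";\s*secure(;|$)", c, re.I) for c in cookies)
    samesite = all(re.search(r";\s*samesite=(lax|strict)(;|$)", c, re.I)
                   for c in cookies)
    return {"cookies_secure": bool(cookies) and secure,
            "cookies_samesite": bool(cookies) and samesite}


def check_baseline(headers):
    xfo = _get(headers, "X-Frame-Options")
    xcto = _get(headers, "X-Content-Type-Options")
    return {
        "x_frame_options": xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"),
        "x_content_type_options": xcto is not None and xcto.strip().lower() == "nosniff",
        "referrer_policy": _get(headers, "Referrer-Policy") is not None,
        "permissions_policy": _get(headers, "Permissions-Policy") is not None,
    }


def audit(headers):
    """Merge all checks into one {check_name: passed} mapping."""
    result = {}
    for check in (check_csp, check_cors, check_hsts, check_cookies, check_baseline):
        result.update(check(headers))
    return result


# Constructed sample: a weak response beside a hardened one.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
    "Strict-Transport-Security": "max-age=86400",
    "Set-Cookie": "session=abc123; HttpOnly",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax"],
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        failed = [name for name, ok in audit(headers).items() if not ok]
        print(label, "failed:", failed or "none")
```

The checks are deliberately binary so each one maps to a single pass/fail line in an evidence pack; a real audit would also record the header values themselves, since an auditor will want to see the policy text, not just a tick.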

Using WebAudit evidence in your ISMS

ISO 27001 certification auditors expect documented evidence that controls are implemented and effective. The WebAudit compliance PDF provides:

Dated scan evidence — each report records the scan timestamp, domain, and specific findings, providing a point-in-time record suitable for inclusion in your ISMS evidence pack.

Control mapping — each finding is mapped to the specific Annex A control number, making it easy to cross-reference against your Statement of Applicability (SoA).

Remediation tracking — the report's remediation section can be used as an input to your corrective action log, demonstrating continual improvement — a core ISO 27001 requirement.

Get your ISO 27001 compliance report

Instant PDF mapping your domain's security posture to ISO 27001:2022 Annex A controls — suitable for inclusion in your ISMS evidence pack.
