
Software aligned with your company's ISO 27001 management system (ISMS).

For companies already ISO 27001-certified or on the path to certification: software entering production must comply with the ISMS controls. We build it aligned with the applicable controls from the design stage (A.8 access control, A.12 operations security, A.14 system acquisition/development), with audit-ready evidence.

[ THE PROBLEM ]

What happens today.

An ISO 27001 certification attests to an Information Security Management System (ISMS): policies, processes and technical controls. When new software enters the certified scope, it must be compatible with the ISMS controls; otherwise it becomes a non-conformity at the next surveillance audit.

Building ISO 27001-aligned software means implementing the controls the company has selected as applicable in its Statement of Applicability (A.8 access control, A.12 operations security, A.14 system acquisition/development) and producing the evidence those controls require (logging, audit trail, vulnerability management, segregation of duties, change management).

New software in an ISO 27001 company should never be a surprise to the auditor. It should be a chapter of the ISMS that is already prepared.

[ HOW IT WORKS ]

The solution, broken into parts.

  • Mapping ISO 27001 controls → software

    We map the ISO 27001 Annex A controls applicable to the software (access control, cryptography, operations, secure development, incident management) and translate them into concrete technical requirements.

  • Secure SDLC

    Development following a Secure Software Development Lifecycle: mandatory code review, automated SAST and DAST, continuous dependency scanning, threat modeling before implementation, penetration testing before release.

  • Audit-ready evidence

    All ISMS-required documentation: ADRs, threat model, change log, security-test evidence, exportable audit logs. Structured to align with the chapters of the company's ISMS manual.

[ WHO IT'S FOR ]

The typical profiles who benefit.

  • Companies already ISO 27001-certified

    ISO 27001-certified ICT, fintech, healthcare and B2B-service companies that need to introduce new software without generating non-conformities.

  • Companies on the certification path

    Companies preparing for ISO 27001 certification (typically a 12-18 month path). Building compatible software from the start makes the final certification easier.

[ WHAT WE NEED ]

Transparency on what the client does.

Before we start we need a few pieces of access and a few decisions. All reasonable, no surprise asks.

  • Existing ISMS

    • Current Statement of Applicability (SoA)
    • Internal policies applicable to the software
    • CISO/ISMS owner as technical interlocutor
  • Software to build

    • Functional scope and classification of data processed
    • Existing systems and integrations within the certified scope

[ TIME AND COST ]

Indicative numbers, not quotes.

TIME
Typically 4-9 months for medium-sized software. ISO 27001 alignment adds 15-25% to the timeline of an equivalent non-regulated project.
COST
Range €50,000-250,000 depending on complexity.
MODEL
Fixed milestones with go/no-go gates after threat modeling and after penetration testing.

Indicative numbers. For an accurate quote, let's talk.

[ FREQUENTLY ASKED ]

Answers to the most common questions.

Are you ISO 27001-certified?

Our company is currently not ISO 27001-certified (the path is under evaluation for 2026). However, we build software that enters the certified scope of clients that are already ISO 27001-certified, applying the required controls. The client remains responsible for the overall certification; we are responsible for the software's compliance.

Which ISO 27001 controls do you implement in the software?

Typically: A.5 (Information Security Policies, through documentation), A.8 (Access Control: RBAC, MFA, least privilege), A.10 (Cryptography), A.12 (Operations Security: logging, monitoring, change management), A.13 (Communications Security), A.14 (System Acquisition/Development: secure SDLC, code review), A.16 (Incident Management). These are the ISO/IEC 27001:2013 Annex A numbers; in the 2022 revision the same controls sit under the organizational theme (A.5, e.g. 5.15 access control, 5.24-5.28 incident management) and the technological theme (A.8, e.g. 8.8 technical vulnerability management, 8.15 logging, 8.24 cryptography, 8.25 secure development life cycle, 8.32 change management). The client's SoA defines exactly which controls are applicable.

How do you handle vulnerability management?

Automated dependency scanning in CI (npm audit, Snyk, Dependabot); SAST with SonarQube or equivalent; DAST before release. Low-risk dependency updates are patched automatically, high-risk ones go through a formal review process. All evidence is logged for the audit.
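
The patch policy above (auto-patch low-risk findings, formal review for high-risk ones) and the "continuous dependency scanning" step of the Secure SDLC section both come down to a CI gate over the scanner's output plus an evidence record for the auditor. The script below is an added example, not the company's own tooling or any scanner's API. It assumes the input shape of `npm audit --json` as produced by npm v7+ (audit report version 2, `vulnerabilities` keyed by package name with `severity`, `isDirect` and `fixAvailable`), and it assumes a policy of my own choosing: low/moderate findings with a non-breaking fix are auto-patched; high/critical findings, findings with no fix, and fixes that require a semver-major bump go to formal review. The sample report and package names are constructed.

```python
"""CI triage gate over `npm audit --json` output with an audit-ready evidence record.

Added example (not the page's own code). Assumptions, not stated by the page:
  - npm v7+ audit report format (auditReportVersion 2);
  - policy thresholds below are illustrative, the client's SoA/policy decides.
"""
import hashlib
import json
import sys
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

AUTO_PATCH_SEVERITIES = {"info", "low", "moderate"}   # assumed "low-risk"
REVIEW_SEVERITIES = {"high", "critical"}              # assumed "high-risk"

# Constructed sample, shaped like `npm audit --json`; package names are placeholders.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "dep-a": {"name": "dep-a", "severity": "moderate", "isDirect": False,
                  "fixAvailable": True},
        "dep-b": {"name": "dep-b", "severity": "high", "isDirect": True,
                  "fixAvailable": True},
        "dep-c": {"name": "dep-c", "severity": "low", "isDirect": True,
                  "fixAvailable": {"name": "dep-c", "version": "4.0.0", "isSemVerMajor": True}},
        "dep-d": {"name": "dep-d", "severity": "critical", "isDirect": False,
                  "fixAvailable": False},
    },
}


@dataclass
class Decision:
    package: str
    severity: str
    direct: bool
    action: str   # "auto-patch" or "formal-review"
    reason: str


def triage(report: dict) -> list[Decision]:
    """Apply the patch policy to every finding in the audit report."""
    decisions = []
    for name, v in sorted(report.get("vulnerabilities", {}).items()):
        sev = str(v.get("severity", "")).lower()
        fix = v.get("fixAvailable", False)
        direct = bool(v.get("isDirect", False))
        if fix is False:
            action, reason = "formal-review", "no fix available; needs exception or compensating control"
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            action, reason = "formal-review", f"fix requires semver-major upgrade to {fix.get('name')}@{fix.get('version')}"
        elif sev in REVIEW_SEVERITIES:
            action, reason = "formal-review", f"{sev} severity exceeds auto-patch threshold"
        elif sev in AUTO_PATCH_SEVERITIES:
            action, reason = "auto-patch", f"{sev} severity with non-breaking fix available"
        else:
            # Fail closed on anything the policy does not recognise.
            action, reason = "formal-review", f"unrecognised severity {sev!r}"
        decisions.append(Decision(name, sev, direct, action, reason))
    return decisions


def gate_passes(decisions: list[Decision]) -> bool:
    """The build is blocked while any finding still awaits formal review."""
    return all(d.action == "auto-patch" for d in decisions)


def evidence_record(report: dict, decisions: list[Decision], commit: str) -> dict:
    """Evidence for the auditor: what was scanned, what was decided, and a hash
    of the raw report so the decision can be tied back to the exact scanner output."""
    raw = json.dumps(report, sort_keys=True).encode()
    return {
        "control": "ISO/IEC 27001:2013 A.12.6.1 / 2022 8.8 technical vulnerability management",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "commit": commit,
        "report_sha256": hashlib.sha256(raw).hexdigest(),
        "decisions": [asdict(d) for d in decisions],
        "gate": "pass" if gate_passes(decisions) else "blocked",
    }


if __name__ == "__main__":
    # Usage: npm audit --json | python triage_gate.py <commit-sha>
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    commit = sys.argv[1] if len(sys.argv) > 1 else "constructed"
    record = evidence_record(report, triage(report), commit)
    print(json.dumps(record, indent=2))
    sys.exit(0 if record["gate"] == "pass" else 1)
```

In a pipeline the printed record is stored as a build artifact alongside the raw `npm audit` output; the non-zero exit code is what stops a release with unreviewed high-risk findings, and the `formal-review` entries are the input to whatever ticketing or risk-acceptance step the client's ISMS prescribes.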