heygrc
ISO 27001 in code

ISO 27001, reviewed in the pull request.

ISO/IEC 27001:2022 Annex A lists 93 controls across four themes: organizational, people, physical, and technological. Most are policy, process, and paperwork. The technological theme (A.8, 34 controls) is where the standard meets a codebase, and even there only a subset ever shows up in a diff. Those are the ones heygrc reviews.

Controls that surface in a diff

The Annex A controls a review can actually catch.

Each row is a real control reference and the kind of change that trips it. heygrc cites the clause on the finding, not a vague posture note.

  • A.8.15: audit logging

    A change removes, downgrades, or stops emitting a security-relevant log, an authentication event, a privileged action, a config change.

  • A.8.16: monitoring and alerting

    A pull request deletes an alert rule, a metric, or a detection path, quietly shrinking what gets noticed in production.

  • A.8.24: use of cryptography

    A TLS floor drops to an older version, a hash or cipher is weakened, or a key lands hardcoded instead of in a secret store.

  • A.8.3: restricting access to information

    An IAM role broadens, a scope check is dropped, or a new code path reaches data it previously could not.

  • A.8.5: authentication strength

    A password rule is relaxed, an MFA check is skipped on a path, or a session is given a much longer lifetime.

  • A.8.9: configuration management

    An insecure default ships: a public storage bucket, a wildcard CORS policy, debug mode left on in a production config.

  • A.8.28: secure coding

    A query is built by string concatenation, output is rendered unescaped, or a security lint rule is disabled to make a change pass.

  • A.8.32: change management

    A release or migration path skips the review or approval step that the control expects for changes to a controlled system.

Worked example

A two-line change that weakens A.8.15.

A pull request tidies up a noisy log. It also deletes the audit record for a privileged role change, the kind of security-relevant event A.8.15 expects you to log and retain.

access/roles.ts (+0 −1)
async function updateRole(actor, target, role) {
  await db.roles.set(target, role)
- await audit.log("role.update", { actor, target, role })  return ok()
}
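Review bot: the deleted `await audit.log("role.update", { actor, target, role })` is the only record of a privilege change in `updateRole`, and because it sits after `await db.roles.set(target, role)` it records only changes that actually succeeded; keep the call, or route the event to a dedicated audit sink instead of the application log, so the A.8.15 trail survives and the A.8.16 monitoring that reads it keeps seeing role changes. If log noise was the motivation, silence the noisy line rather than the audit event.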
heygrc: ISO 27001:2022 A.8.15

This removes the audit record for a change to access rights. A.8.15 (logging) expects security-relevant events, including changes to privileges, to be recorded and retained, and A.8.16 (monitoring) depends on that record existing. Keep the line, or route the event to your audit sink so the trail survives.
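The control table above and this worked example describe the same mechanism: a diff line, matched against the kind of change that trips a control, yields a finding that cites the clause. The block below is an added example of that mechanism, not heygrc's code. It assumes a unified diff as input, and the four rules, the `reviewDiff` and `formatFinding` names, and the sample diff are constructed for illustration; the sample reproduces the `updateRole` deletion above and adds a TLS floor drop so two different controls fire.

```typescript
// Added example, not heygrc's implementation: a minimal diff reviewer that
// maps a few Annex A change patterns to control citations.

interface Finding {
  file: string;     // post-change path from the "+++ b/..." header
  line: string;     // offending diff line without its +/- marker
  control: string;  // Annex A reference, e.g. "A.8.15"
  reason: string;
}

interface Rule {
  control: string;
  side: "added" | "removed";  // which side of the diff the pattern applies to
  pattern: RegExp;
  reason: string;
}

// Illustrative rules (constructed): each pairs a control with one change
// pattern from the table above. A real reviewer would carry many more.
const RULES: Rule[] = [
  { control: "A.8.15", side: "removed", pattern: /\baudit\.log\(/,
    reason: "removes an audit record for a security-relevant event" },
  { control: "A.8.16", side: "removed", pattern: /^\s*-?\s*alert:/,
    reason: "deletes an alert rule" },
  // TLSv1, TLSv1.0 or TLSv1.1 newly introduced; TLSv1.2 / 1.3 are not matched.
  { control: "A.8.24", side: "added", pattern: /TLSv1(\.[01])?(?![.\d])|\bmd5\b|\bsha1\b/i,
    reason: "lowers the TLS floor or introduces a broken hash" },
  { control: "A.8.9", side: "added", pattern: /\bdebug\s*[:=]\s*true\b/i,
    reason: "ships with debug mode enabled" },
];

// Walk a unified diff and return one finding per (line, rule) match.
function reviewDiff(diff: string): Finding[] {
  const findings: Finding[] = [];
  let file = "";
  for (const raw of diff.split("\n")) {
    // File headers: record the post-change path, skip everything else.
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (raw.startsWith("--- ") || raw.startsWith("@@") || raw.startsWith("diff ")) continue;
    const marker = raw[0];
    if (marker !== "+" && marker !== "-") continue;  // context or blank line
    const side = marker === "+" ? "added" : "removed";
    const body = raw.slice(1);
    for (const rule of RULES) {
      if (rule.side === side && rule.pattern.test(body)) {
        findings.push({ file, line: body.trim(), control: rule.control, reason: rule.reason });
      }
    }
  }
  return findings;
}

// Render a finding the way a review comment would cite it.
function formatFinding(f: Finding): string {
  return `${f.file}: ISO 27001:2022 ${f.control} - ${f.reason}: ${f.line}`;
}

// Constructed sample diff: the role-update deletion from the worked example
// plus a second file that drops the TLS floor to 1.0.
const SAMPLE_DIFF = [
  "diff --git a/access/roles.ts b/access/roles.ts",
  "--- a/access/roles.ts",
  "+++ b/access/roles.ts",
  "@@ -1,5 +1,4 @@",
  " async function updateRole(actor, target, role) {",
  "   await db.roles.set(target, role)",
  "-  await audit.log(\"role.update\", { actor, target, role })",
  "   return ok()",
  " }",
  "diff --git a/config/server.ts b/config/server.ts",
  "--- a/config/server.ts",
  "+++ b/config/server.ts",
  "@@ -1,4 +1,4 @@",
  " export const tls = {",
  "-  minVersion: \"TLSv1.2\",",
  "+  minVersion: \"TLSv1.0\",",
  "   debug: false,",
  " }",
].join("\n");

for (const f of reviewDiff(SAMPLE_DIFF)) console.log(formatFinding(f));
```

Run against the sample, it reports two findings: the removed `audit.log` call in access/roles.ts under A.8.15 and the added `TLSv1.0` floor in config/server.ts under A.8.24; the unchanged `debug: false` context line and the removed `TLSv1.2` line produce nothing, because each rule is bound to one side of the diff.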

What this is, and is not

A review, not a certificate.

heygrc flags control-relevant changes and cites the clause so the fix happens in the pull request. It does not certify you against ISO 27001, and it does not replace an auditor or your ISMS. It catches the change early so the audit has less to find later. heygrc is in early access.