Disclaimer: Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program.

Last updated: November 2025

ISO 27001 is the international standard for information security management systems. Organizations must demonstrate continuous security testing and risk management, not just point-in-time assessments. Semgrep helps address multiple ISO 27001:2022 Annex A controls:
- Control A.8.8 (management of technical vulnerabilities): Semgrep provides continuous vulnerability scanning on every code change. Audit logs record when each vulnerability was detected and when it was remediated, giving auditors automated evidence that the control is operational rather than requiring manual evidence collection during audit season.
- Controls A.8.25 through A.8.32 (secure development lifecycle): When properly configured with CI/CD systems, policy enforcement can help demonstrate active enforcement of secure coding practices. Auditors can see documented evidence that security policies were run on every code change. Note that developers with appropriate permissions can override policy blocks when necessary. For details around proper configuration, please chat with the Semgrep team.
- Controls A.8.9 and A.8.32 (configuration management and change management): Jira integration documents how security issues are tracked and remediated through your change management process with timestamps, assignments, and resolution status.
- Controls A.5.19 through A.5.23 (information security in supplier relationships): SBOM generation provides a documented inventory of third-party components and their known vulnerabilities, demonstrating that you have visibility into supply chain risk.