COMPLIANCE RECIPE

ISO 27001 primer for SaaS

A practical, no-theater walkthrough of how a small SaaS team can stand up an ISO 27001 information security management system (ISMS) without drowning in auditor jargon. Covers scope definition, the Annex A controls that actually matter for cloud-native products, and the evidence trail your Stage 2 auditor will ask for on day one.

1. Scope your ISMS before you touch a control

Most failed certifications die at scope. Write a one-page ISMS scope statement (clause 4.3) that names the product, the production environments, the data classes you process, and the teams in scope. This is not the Statement of Applicability: the SoA comes later and lists every Annex A control with a justification for including or excluding it. Exclude anything you do not control end-to-end (third-party SaaS, payroll systems, personal devices that never touch production), but name each exclusion and the interface to it, because the auditor will ask how data crosses the boundary and your supplier controls (A.5.19 through A.5.23) still cover the vendors you depend on. A tight, justified scope is defensible; a sprawling scope is audit suicide.

2. Map Annex A controls to engineering reality

The 2022 revision collapsed the 114 controls of the 2013 edition into 93 across four themes: organizational, people, physical, and technological. For a cloud-native SaaS you will spend most of your evidence budget on access control (A.5.15), cryptography (A.8.24), secure development (A.8.25 through A.8.28), supplier and cloud-service relationships (A.5.19 through A.5.23), and the operational trio the auditor samples hardest: vulnerability management (A.8.8), logging and monitoring (A.8.15, A.8.16), and change management (A.8.32). For each control, document the named owner, the engineering mechanism that implements it (branch protection, KMS key policy, dependency scanner), and the recurring evidence artifact that proves it ran.

3. Automate the evidence pipeline

Manual screenshots age out the moment your auditor closes the meeting. Wire your CI to emit signed control attestations on every merge to the release branch: SBOM generation, dependency scanning, branch-protection state, IAM drift reports. Store both the artifact and its signature in a bucket with Object Lock in compliance mode (governance mode can be lifted by a privileged user, which is exactly the objection an auditor will raise) and a default retention that covers the full three-year certification cycle; the CI role that writes evidence should have put-only permissions so nothing in the pipeline can delete or overwrite a record.

# .github/workflows/evidence.yml
name: iso-evidence
on:
  push:
    branches: [main]        # "every merge" means every push to the protected release branch
permissions:
  contents: read
  id-token: write           # OIDC token for keyless cosign signing and for assuming the AWS role
env:
  # assumed to have been built and pushed by the release workflow for this same commit
  IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action/download-syft@v0   # syft is not on the runner image by default
      - uses: sigstore/cosign-installer@v3           # neither is cosign
      - name: generate sbom
        run: syft $IMAGE -o spdx-json > sbom.json    # SBOM of the shipped image, not of the checkout
      - name: sign attestation
        run: cosign attest --yes --type spdxjson --predicate sbom.json $IMAGE   # keyless; recorded in Rekor
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/isms-evidence-writer   # placeholder account and role
          aws-region: us-east-1
      - name: upload to evidence bucket
        run: aws s3 cp sbom.json s3://isms-evidence/${{ github.repository }}/${{ github.sha }}/sbom.json   # one key per commit; bucket uses Object Lock
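The SBOM step above covers one artifact. The same paragraph asks for branch-protection state and a tamper-evident record of each attestation, and for the bucket's retention to actually be locked. The following is an added example written for this primer (not code from any ISO tooling or from the workflow above) that turns those two pieces of evidence into checks a pipeline can run and fail on. It assumes the JSON shapes of GitHub's branch-protection endpoint and S3's GetObjectLockConfiguration response, both constructed inline here so the script runs offline; the control-to-finding mapping (A.5.15, A.8.8, A.8.32) is the author's own reading of the Annex A titles and is an assumption to be reviewed against your SoA.

```python
"""Evidence checks for an ISO 27001 evidence pipeline: evaluate raw control evidence,
wrap it in a content-addressed record, and confirm the evidence bucket will keep it.
Example code added to this primer; the payloads below are constructed samples."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample shaped like GitHub's GET /repos/{owner}/{repo}/branches/main/protection
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True,
                               "contexts": ["ci/test", "ci/dependency-scan"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}

# Constructed sample shaped like S3 GetObjectLockConfiguration for the evidence bucket
OBJECT_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 3}}}}


def check_branch_protection(bp):
    """Evaluate the protection payload against the controls it is meant to evidence.
    Returns (passed, findings); each finding names the Annex A control it fails
    (mapping is this example's assumption, not text from the standard)."""
    findings = []
    reviews = bp.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("A.8.32: no mandatory peer review before merge")
    checks = bp.get("required_status_checks") or {}
    if "ci/dependency-scan" not in checks.get("contexts", []):
        findings.append("A.8.8: dependency scan is not a required status check")
    if not (bp.get("enforce_admins") or {}).get("enabled"):
        findings.append("A.5.15: administrators can bypass branch protection")
    if (bp.get("allow_force_pushes") or {}).get("enabled"):
        findings.append("A.8.32: force-push is allowed on the release branch")
    return not findings, findings


def check_object_lock(cfg, min_years=3):
    """Evidence must outlive the certification cycle: Object Lock enabled, COMPLIANCE mode
    (GOVERNANCE can be lifted by anyone holding s3:BypassGovernanceRetention), and a
    default retention of at least min_years."""
    lock = cfg.get("ObjectLockConfiguration") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        return False, "Object Lock is not enabled on the bucket"
    ret = (lock.get("Rule") or {}).get("DefaultRetention") or {}
    if ret.get("Mode") != "COMPLIANCE":
        return False, "retention mode is %s, not COMPLIANCE" % ret.get("Mode")
    days = ret.get("Days", 0) + 365 * ret.get("Years", 0)
    if days < 365 * min_years:
        return False, "default retention is %d days, below %d years" % (days, min_years)
    return True, "ok"


def canonical_bytes(obj):
    """Stable serialization so identical evidence always hashes to the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_attestation(control_ids, evidence, commit_sha, collected_at):
    """Content-addressed evidence record: the sha256 is what the auditor cross-checks
    against the object that landed in the locked bucket."""
    record = {
        "controls": sorted(control_ids),
        "commit": commit_sha,
        "collected_at": collected_at,
        "evidence": evidence,
    }
    return {"record": record,
            "sha256": hashlib.sha256(canonical_bytes(record)).hexdigest()}


def verify_attestation(att):
    """Detect any post-hoc edit to a stored record (tampering or a hand-corrected screenshot)."""
    return hashlib.sha256(canonical_bytes(att["record"])).hexdigest() == att["sha256"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    ok, findings = check_branch_protection(BRANCH_PROTECTION)
    print("branch protection:", "pass" if ok else findings)
    print("evidence bucket:", check_object_lock(OBJECT_LOCK))
    att = build_attestation(["A.5.15", "A.8.8", "A.8.32"], BRANCH_PROTECTION, "0" * 40, now)
    print(json.dumps(att, indent=2))
    print("record intact:", verify_attestation(att))
```

In a real pipeline the two payloads come from `gh api repos/OWNER/REPO/branches/main/protection` and `aws s3api get-object-lock-configuration --bucket isms-evidence`; the job should fail the build when either check returns False, so a silently weakened branch rule or a bucket someone re-created without Object Lock shows up in CI rather than in the audit.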