Security check

ISO 27001 evidence from GitHub: proof, not just policy

The ISO 27001 auditor wants to see that controls actually work, not just that you have a policy. We generate traceable technical evidence from your GitHub against the relevant Annex A controls.

Run a free domain scan All checks →
Relates to: ISO 27001 · A.8.28 / A.8.8 / A.5.17 SOC 2 · CC8.1 NIS2 · art. 21

What we check

We map your GitHub controls to ISO 27001 Annex A: secure coding (A.8.28), technical vulnerabilities (A.8.8), authentication information/secrets (A.5.17) and change management — and deliver traceable evidence per control.

Why it matters

In an ISO 27001 audit the difference between passing and failing is often the evidence: can you SHOW that branch protection, secrets handling and vulnerability management work? We make that proof measurable and repeatable.

How Security Guru tests it

Common mistakes

  • Having the policy but lacking technical evidence of compliance
  • Manual screenshots instead of repeatable evidence
  • No history showing the control worked over time
  • Evidence disconnected from the actual code

What you get in the report

  • Annex A controls mapped to GitHub status
  • Traceable evidence per control
  • Gaps to fix before the audit
  • Repeatable report for ongoing compliance

FAQ

Does it replace the audit?

No — it gives the auditor the technical evidence that makes the audit faster and reduces the risk of non-conformities.

Is the evidence repeatable?

Yes — it can be re-run before each audit and shows the controls worked over time, not just at a point in time.

Which A controls are covered?

Mainly A.8.28, A.8.8, A.5.17 and change management — the ones that land in GitHub. We map exactly which.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan