
ISO 27001 in Software Development: What Your Technology Partner Must Have

Rosie Nguyen
14 June 2026
Working with an unverified vendor on regulated software is a measurable risk. A data breach, a failed audit, or a GDPR notification obligation can cost more than the engagement itself. An ISO 27001 software development partner gives you a governed baseline, one that has been verified by an independent auditor, not self-declared.
The question is not whether your vendor holds a certificate. It is whether their certification reflects a functioning security management system or a document exercise.
What does ISO 27001 mean for a software development company?
ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems (ISMS), published by the International Organization for Standardization and the International Electrotechnical Commission. The current version, ISO 27001:2022, was published in October 2022 and replaced ISO 27001:2013.
For a software development company, certification means an accredited third-party auditor has verified that the organisation has:
- Identified and assessed information security risks systematically
- Implemented controls to reduce those risks to an acceptable level
- Documented policies, procedures, and responsibilities
- Committed to continuous improvement of the ISMS
ISO 27001:2022 contains 93 controls across four themes: Organisational, People, Physical, and Technological. Certification does not mean a vendor has implemented all 93. It means they have documented which controls apply, applied those that do, and justified any exclusions.
Control counts per ISO/IEC 27001:2022 Annex A, available directly from iso.org.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision restructured the control set from 114 controls in 14 categories to 93 controls in 4 themes. Eleven new controls were introduced, covering cloud security, data masking, threat intelligence, and secure coding. All are directly relevant to software development partners.
ISO 27001:2013 certificates are no longer considered current following the completion of the industry transition period that ended in late 2025. Any vendor presenting a 2013 certificate as valid today should be asked to clarify their recertification status.
When evaluating a partner, confirm the certificate specifies ISO/IEC 27001:2022, not the superseded 2013 version.
What should I ask an ISO 27001-certified software development partner?
Certification is a starting point, not a conclusion. Treat the certificate as evidence that a process exists, then verify the process functions.
Ask the following before any commercial engagement:
- Is your certificate current? Certificates are valid for three years, with mandatory surveillance audits in years one and two. Request the certificate and confirm the validity date and the name of the accredited certification body.
- What is the scope of your certification? ISO 27001 certification can cover a specific department, product, or geography, not the entire company. Confirm the certified scope includes the team and systems that will handle your data.
- Which certification body audited you? Accredited bodies are listed in the Global ACI MLA. Certificates from non-accredited bodies carry no internationally recognised assurance.
- How do you handle subprocessors and third-party vendors? Supply chain risk management is a control introduced in ISO 27001:2022 (Control 5.19). A certified partner should describe how they vet and monitor third parties who access project data.
- What is your incident response procedure? Ask for an overview. How fast do they notify clients? What do they document?
Does ISO 27001 certification mean GDPR compliance?
No, and this is a common misconception. ISO 27001 and GDPR address overlapping but distinct requirements.
ISO 27001 is a voluntary international standard. It focuses on information security risk management.
GDPR is an EU legal obligation. It focuses on the rights of data subjects and lawful processing of personal data.
ISO 27001 certification supports GDPR compliance, particularly Article 32 obligations on security of processing. Article 32 requires organisations to implement measures ensuring confidentiality, integrity, availability and resilience of processing systems, including encryption, pseudonymisation, and regular testing. ISO 27001 certification does not replace these obligations. A certified vendor can still be non-compliant if they lack a valid Data Processing Agreement, do not maintain Records of Processing Activities, or fail to honour data subject rights.
For DACH companies contracting with partners outside the EU, the combination of ISO 27001 certification and Standard Contractual Clauses (SCCs) is typically required. This is how adequate protection under GDPR Chapter V is demonstrated. Confirm both are in place before data transfer begins.
What infosec controls matter most in a software development context?
Not all 93 controls carry equal weight in a vendor assessment. The controls most relevant to secure software development engagements are:
- A.8.25 - Secure development lifecycle: Security integrated into the development process, not added after release
- A.8.29 - Security testing in development and acceptance: Vulnerabilities tested before deployment
- A.8.28 - Secure coding: A 2022 control requiring principles for writing attack-resistant code
- A.5.19 - Information security in supplier relationships: Documented security requirements for third-party suppliers
- A.8.10 - Information deletion: Client data removed from vendor systems when a project ends
- A.6.8 - Information security event reporting: How staff identify and escalate incidents
When assessing a vendor's ISMS in practice, ask how each of these controls operates inside their development workflow, not just whether it is documented.
Is ISO 27001 certification enough for regulated industries?
For most regulated software development contexts, ISO 27001 is necessary but not sufficient.
Financial services. DORA - the Digital Operational Resilience Act (Regulation EU 2022/2554) entered into force on 16 January 2023 and applies as of 17 January 2025. It requires financial entities to manage ICT third-party risk through contractual provisions, incident notification obligations, and operational resilience testing. ISO 27001 supports DORA compliance but does not satisfy it. Confirm your partner understands their obligations under DORA before engagement.
Healthcare. ISO 27001 addresses information security broadly. For health data, ISO 27799 or national equivalents may apply. Requirements vary by jurisdiction; verify which apply before processing patient data.
Government and critical infrastructure. NIS2 - the EU Network and Information Security Directive (EU 2022/2555) expanded the original NIS directive to cover 15 sectors, with stricter risk management and incident reporting obligations. Non-compliance carries penalties up to 10 million euros. ISO 27001 certification is a supporting measure. It does not automatically satisfy NIS2 obligations.
An audit-ready partner operating in regulated sectors can articulate how their ISMS addresses these frameworks. A partner who defers the question is not audit-ready.
What does Gradion's ISO 27001 certification cover?
Gradion holds ISO/IEC 27001:2022 certification across its engineering operations. The certified scope covers the systems, processes, and personnel involved in client software delivery, including development, deployment, and data handling.
In practice, this means:
- Access to client systems and repositories is governed by documented access control policies
- Security incidents are logged, classified, and notified to affected clients within defined timeframes
- Subprocessors and third-party tooling are assessed under a vendor risk management process before use on client projects
- Developers receive security awareness training before accessing client environments
- Secure coding practices are embedded in the development workflow, not applied as a post-release check
This is how we de-risk the security layer of an engagement before the first sprint starts. Certification is renewed through annual surveillance audits by an accredited third-party body. The certificate and scope documentation are available on request under NDA.
How do I verify an ISO 27001 certificate is legitimate?
Three steps:
1. Check the certification body is accredited. Search the Global ACI database at global-aci.org, or your national accreditation body (DAkkS in Germany, UKAS in the UK, SAC in Singapore). If the issuing body is not listed, the certificate carries no recognised assurance.
2. Confirm the scope covers your engagement. The certificate states the certified scope. If it reads "Head Office Operations" and your project involves a distributed development team, ask whether that team is in scope.
3. Confirm the validity dates. Certificates are valid for three years. Surveillance audits are required in years one and two. If there is no record of those audits, that is a follow-up question.
If a vendor cannot share their certificate and scope documentation, treat that as a risk signal.
Sources
- ISO/IEC 27001:2022 standard (control counts, Annex A structure) - iso.org, paywalled
- GDPR Article 32 - security of processing obligations - gdpr-info.eu (mirrors EUR-Lex, Regulation 2016/679)
- DORA effective date and ICT third-party obligations - ESMA, esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
- NIS2 scope and penalties - nis2directive.eu (Directive EU 2022/2555)
- ISO 27001:2022 transition period - IAF MD 26 (January 2023). IAF ceased operations 1 January 2026; functions transferred to Global Accreditation Cooperation Incorporated (global-aci.org)
- Global ACI accreditation registry - global-aci.org

About the author
Rosie Nguyen
Rosie Nguyen works at the intersection of Marketing, Communications, and meaningful Storytelling at Gradion. She covers leadership and scaling, writing for the founders and operators building across Asia.