# ISO 27001
The iso-27001 pack enforces controls based on ISO/IEC 27001:2022 Annex A for information security management systems (ISMS). It covers technological controls (A.8), organizational controls (A.5), and people controls (A.6).
## Enable
## Rules
The pack includes 32 rules across code enforcement and documentation obligations:
### Code rules (23)
| ID | Clause | Severity | Description |
|---|---|---|---|
| ISO27001-A8.24-001 | A.8.24 | high | Weak or deprecated cryptographic algorithms (MD5, SHA1, DES, RC4) must not be used |
| ISO27001-A8.24-002 | A.8.24 | critical | Secrets and credentials must not be embedded in source code |
| ISO27001-A8.9-001 | A.8.9 | high | Debug mode must not be enabled in production configurations |
| ISO27001-A8.24-001-CPP | A.8.24 | high | DES and RC4 are deprecated and must not be used in C/C++ |
| ISO27001-A8.28-001-CPP | A.8.28 | high | Disabling SSL certificate verification in libcurl exposes connections to MITM attacks |
| ISO27001-A8.25-001 | A.8.25 | critical | Unsafe deserialization functions (pickle, yaml.unsafe_load, marshal) must not be used |
| ISO27001-A8.25-001-JAVA | A.8.25 | critical | Java ObjectInputStream enables arbitrary code execution from untrusted data |
| ISO27001-A8.25-001-JS | A.8.25 | critical | Using node-serialize enables arbitrary code execution via deserialization |
| ISO27001-A8.28-001 | A.8.28 | high | SSL/TLS certificate verification must not be disabled (Python) |
| ISO27001-A8.28-001-JS | A.8.28 | high | TLS certificate validation must not be disabled in Node.js |
| ISO27001-A8.28-001-GO | A.8.28 | high | TLS certificate verification must not be skipped in Go |
| ISO27001-A8.4-001 | A.8.4 | critical | Dynamic code execution via eval() is prohibited |
| ISO27001-A8.20-001 | A.8.20 | medium | Data must be transmitted over encrypted channels (HTTPS, not HTTP) |
| ISO27001-A8.24-003-JS | A.8.24 | high | crypto.createCipher() is deprecated and uses weak key derivation |
| ISO27001-A8.24-004-JS | A.8.24 | high | DES, RC4, and Blowfish cipher algorithms are cryptographically weak |
| ISO27001-A8.9-002-JS | A.8.9 | high | Calling cors() without options allows all origins |
| ISO27001-A8.24-005-JS | A.8.24 | critical | Hardcoding JWT signing secrets in source code exposes authentication |
| ISO27001-A8.24-006-JAVA | A.8.24 | high | DES, DESede, RC4, and Blowfish ciphers are cryptographically weak |
| ISO27001-A8.28-002-JAVA | A.8.28 | high | Disabling hostname verification exposes connections to MITM attacks |
| ISO27001-A8.24-006-CS | A.8.24 | high | DES, RC2, and TripleDES are cryptographically weak in C# |
| ISO27001-A8.28-002-CS | A.8.28 | high | Disabling certificate validation exposes connections to MITM attacks |
| ISO27001-A8.24-006-GO | A.8.24 | high | DES, RC4, and non-AES ciphers are cryptographically weak in Go |
| ISO27001-A8.24-007-GO | A.8.24 | high | Literal byte arrays as cryptographic keys indicate hardcoded key material |
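To make concrete what the Python-applicable rules above look for, here is an added example (not the pack's own rule implementation, whose matching logic this page does not document): a small `ast`-based checker that approximates six of them (A8.24-001, A8.24-002, A8.9-001, A8.25-001, A8.28-001, A8.4-001 and A8.20-001) and runs over two constructed modules, one that trips every rule and a hardened rewrite that passes. The `Iso27001Checker` class, the `SECRET_HINTS` heuristic, the placeholder key and both sample modules are assumptions of this example.

```python
"""Added example: ast-based approximation of several of the pack's Python rules.
This is illustrative code, not the pack's own rule engine."""
import ast
from dataclasses import dataclass
from typing import List

WEAK_HASH_CALLS = {"hashlib.md5", "hashlib.sha1"}
UNSAFE_LOADERS = {"pickle.load", "pickle.loads", "marshal.loads", "yaml.unsafe_load"}
SECRET_HINTS = ("secret", "password", "passwd", "api_key", "token")  # assumed heuristic


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _dotted(node) -> str:
    """Render a Name/Attribute chain such as requests.get as 'requests.get'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # e.g. a method called on the result of another call


def _has_false_kw(call: ast.Call, arg: str) -> bool:
    return any(kw.arg == arg and isinstance(kw.value, ast.Constant)
               and kw.value.value is False for kw in call.keywords)


class Iso27001Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def _add(self, rule: str, node: ast.AST, detail: str) -> None:
        self.findings.append(Finding(rule, node.lineno, detail))

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        # A.8.24-001: MD5/SHA1. usedforsecurity=False (Python 3.9+) marks a
        # non-security use such as a cache key, so it is exempted here.
        if name in WEAK_HASH_CALLS and not _has_false_kw(node, "usedforsecurity"):
            self._add("ISO27001-A8.24-001", node, f"weak digest {name}")
        # A.8.25-001: deserializers that can execute attacker-supplied code
        if name in UNSAFE_LOADERS:
            self._add("ISO27001-A8.25-001", node, f"unsafe deserialization {name}")
        # A.8.4-001: dynamic code execution
        if name in {"eval", "exec"}:
            self._add("ISO27001-A8.4-001", node, f"{name}() on runtime data")
        # A.8.28-001: certificate verification switched off
        if _has_false_kw(node, "verify") or name == "ssl._create_unverified_context":
            self._add("ISO27001-A8.28-001", node, "TLS certificate verification disabled")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            lname = target.id.lower()
            # A.8.9-001: debug flag hardwired on
            if lname == "debug" and isinstance(value, ast.Constant) and value.value is True:
                self._add("ISO27001-A8.9-001", node, "DEBUG = True")
            # A.8.24-002: non-empty string literal assigned to a secret-looking name
            if (any(h in lname for h in SECRET_HINTS) and isinstance(value, ast.Constant)
                    and isinstance(value.value, str) and value.value):
                self._add("ISO27001-A8.24-002", node, f"literal credential in {target.id}")
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        # A.8.20-001: cleartext endpoint
        if isinstance(node.value, str) and node.value.lower().startswith("http://"):
            self._add("ISO27001-A8.20-001", node, "cleartext http:// URL")


def scan_source(source: str) -> List[Finding]:
    """Parse Python source and return findings ordered by line, then rule."""
    checker = Iso27001Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: (f.line, f.rule))


# Constructed sample module: each statement trips one rule (the key is a placeholder).
VULNERABLE = '''import hashlib, pickle, requests
DEBUG = True
API_KEY = "not-a-real-key-placeholder"
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
def load_session(blob):
    return pickle.loads(blob)
def fetch(url):
    return requests.get(url, verify=False)
def calc(expr):
    return eval(expr)
ENDPOINT = "http://api.example.com/v1"
'''

# Constructed hardened rewrite of the same module; yields no findings.
HARDENED = '''import ast, hashlib, json, os, requests
DEBUG = os.environ.get("APP_DEBUG") == "1"
API_KEY = os.environ["API_KEY"]
def fingerprint(data):
    return hashlib.sha256(data).hexdigest()
def load_session(blob):
    return json.loads(blob)
def fetch(url):
    return requests.get(url, timeout=10)
def calc(expr):
    return ast.literal_eval(expr)
ENDPOINT = "https://api.example.com/v1"
'''
```

Running `scan_source(VULNERABLE)` yields seven findings, one per rule, in source order; `scan_source(HARDENED)` yields none. Working on the AST rather than on regexes means `ast.literal_eval` is not confused with `eval`, a `verify=False` keyword is found regardless of spacing, and `hashlib.md5(..., usedforsecurity=False)` can be exempted deliberately, which is the kind of caveat to check for in any rule pack before treating its output as audit evidence.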
### Documentation obligations (9)
| ID | Clause | Description |
|---|---|---|
| ISO27001-A5.1-001 | A.5.1 | Information security policy approved by management and communicated |
| ISO27001-A5.2-001 | A.5.2 | Information security roles and responsibilities defined and allocated |
| ISO27001-A5.10-001 | A.5.10 | Acceptable use policy for information and assets |
| ISO27001-A5.23-001 | A.5.23 | Security requirements for cloud services |
| ISO27001-A5.29-001 | A.5.29 | ICT continuity plans for availability during disruption |
| ISO27001-A5.37-001 | A.5.37 | Operating procedures for information processing facilities |
| ISO27001-A6.3-001 | A.6.3 | Security awareness education and training for personnel |
| ISO27001-A8.8-001 | A.8.8 | Vulnerability management for timely identification and remediation |
| ISO27001-A8.15-001 | A.8.15 | Activity logging policy for recording events and exceptions |
## Use case
This pack is for organizations pursuing ISO 27001 certification or maintaining an ISMS. It provides:
- Cryptography enforcement -- Flags weak algorithms, deprecated ciphers, disabled TLS verification, and hardcoded secrets across Python, JavaScript, Java, C#, C/C++, and Go
- Deserialization safety -- Catches unsafe deserialization patterns that lead to remote code execution
- ISMS audit support -- Documentation obligations map to Annex A controls, providing traceable compliance evidence for certification audits