ISO 27001 compliance
Disclaimer: Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program.
Last updated: November 2025
ISO 27001 is the international standard for information security management systems. Organizations must demonstrate continuous security testing and risk management, not just point-in-time assessments.
Semgrep helps address multiple ISO 27001:2022 Annex A controls:
- Control A.8.8 (management of technical vulnerabilities): Semgrep provides continuous vulnerability scanning on every code change. Audit logs document vulnerability detection and remediation timelines, giving auditors automated proof that controls are operational rather than requiring manual evidence collection during audit season.
- Controls A.8.25 through A.8.32 (secure development lifecycle): When properly configured with CI/CD systems, policy enforcement can help demonstrate active enforcement of secure coding practices. Auditors can see documented evidence that security policies were run on every code change. Note that developers with appropriate permissions can override policy blocks when necessary. For details around proper configuration, please chat with the Semgrep team.
- Controls A.8.9 and A.8.32 (configuration management and change management): Jira integration documents how security issues are tracked and remediated through your change management process with timestamps, assignments, and resolution status.
- Controls A.5.19 through A.5.23 (information security in supplier relationships): SBOM generation provides a documented inventory of third-party components and their vulnerabilities, proving you have visibility into supply chain risk.
Deployment and certification
Semgrep Inc. is ISO 27001 certified. For CLI deployments, scans run on customer infrastructure. For on-premises CI/CD, scans run on customer-controlled infrastructure. Cloud CI/CD providers (GitHub, GitLab, Azure DevOps, Bitbucket) maintain ISO 27001 certification. For AI Assistant, the default provider (OpenAI) maintains ISO 27001 certification. For Semgrep Managed Scans, AWS infrastructure is ISO 27001 certified.