BETA · GateTest is in active polish ahead of public launch. Some flows are rough. Found a bug? hello@gatetest.ai — we're reading every message.
Compliance regime · Global

ISO 27001 compliance — what GateTest actually catches

ISO/IEC 27001:2022 — Information security management systems

By 31 October 2025, every company certified against the 2013 standard has to transition to the 2022 Annex A control set, which explicitly names threat intelligence (A.5.7), secure development (A.8.25-28), and configuration management (A.8.9). Code-level evidence is what auditors sample against those controls.

The regime

ISO/IEC 27001:2022 — Information security management systems
Global — voluntary certification, but contractually required by many international enterprise buyers and procurement frameworks.
Effective: ISO/IEC 27001:2022 was published 25 October 2022; the transition window from the 2013 version closes 31 October 2025.

Maximum penalty: Not a statutory regime — no fines. Cost of failure is loss of contracts that require certification (especially in EU public-sector and UK government procurement).

Authoritative source: https://www.iso.org/standard/27001

The 3 modules that do the heaviest lifting for ISO 27001

Each module links to its own page with the full finding list.

Technical findings GateTest catches for ISO 27001

Each item ties a specific code-level pattern to a clause or principle of ISO 27001. These are the findings auditors sample.

  • Credentials in source older than 90 days — A.5.16 identity management / A.5.17 authentication information.
  • Dependencies with known CVEs in production code — A.8.8 management of technical vulnerabilities.
  • Missing CSP / HSTS / X-Frame-Options on user-facing services — A.8.26 application security requirements / A.8.28 secure coding.
  • Wildcard CORS with credentials — A.8.26.
  • Hardcoded secrets in committed source — A.5.17 authentication information.
  • CI workflows with continue-on-error on the security gate — A.8.32 change management / A.8.29 security testing in development and acceptance.
  • Unpinned third-party GitHub Actions — A.5.21 information security in the supply chain.
  • .env.example missing keys actually read by code — A.8.9 configuration management evidence.
  • TLS validation disabled — A.8.24 cryptography.
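To make three of the list items above concrete, here is a stdlib-only sketch of the checks for unpinned third-party GitHub Actions, a soft-failing security gate, and .env.example drift. This is an added example, not GateTest's own code; the workflow, .env.example and source snippets are constructed for the demonstration, the commit SHA is a synthetic placeholder, and the keyword list used to recognise a "security gate" step is an assumption.

```python
"""Added example (not GateTest code): stdlib-only detectors for three
ISO 27001-relevant CI/config findings, run over constructed inputs."""
import re

# Constructed GitHub Actions workflow. The 40-hex SHA is a synthetic placeholder.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Security gate (dependency audit)
        run: npm audit --audit-level=high
        continue-on-error: true
      - name: Unit tests
        run: npm test
        continue-on-error: true
      - uses: some-org/sast-action@main
"""

# Constructed .env.example and source files read by the drift check.
ENV_EXAMPLE = "DATABASE_URL=postgres://localhost/app\nSTRIPE_KEY=\n# SENTRY_DSN is optional\n"
SOURCES = {
    "app/settings.py": (
        'import os\nDB = os.environ["DATABASE_URL"]\n'
        'STRIPE = os.environ.get("STRIPE_KEY", "")\nDSN = os.getenv("SENTRY_DSN")\n'
    ),
    "web/auth.js": "const secret = process.env.JWT_SECRET;\n",
}

SHA40 = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
# Assumed heuristic: a step is a "security gate" if its text mentions one of these.
SECURITY_HINTS = ("audit", "sast", "scan", "security", "semgrep", "trivy",
                  "gitleaks", "codeql", "snyk")
# Matches os.environ["X"], os.environ.get("X"), os.getenv("X") and process.env.X.
ENV_READ_RE = re.compile(
    r"""(?:os\.environ(?:\.get)?\s*[\[(]\s*|os\.getenv\(\s*|process\.env\.)["']?([A-Z][A-Z0-9_]*)"""
)


def unpinned_actions(workflow_text):
    """Third-party `uses:` references not pinned to a full 40-hex commit SHA (A.5.21)."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are pinned differently
        _name, _, version = ref.partition("@")
        if not SHA40.fullmatch(version):
            findings.append(ref)
    return findings


def soft_failing_security_gates(workflow_text):
    """Steps that look like security gates but carry continue-on-error: true (A.8.29/A.8.32)."""
    findings = []
    # Split the YAML into per-step chunks at each line that starts a list item.
    for block in re.split(r"\n(?=\s*-\s)", workflow_text):
        if not re.search(r"continue-on-error:\s*true", block):
            continue
        if any(hint in block.lower() for hint in SECURITY_HINTS):
            label = re.search(r"name:\s*(.+)", block) or re.search(r"uses:\s*(\S+)", block)
            findings.append(label.group(1).strip())
    return findings


def env_example_drift(env_example_text, source_files):
    """Variables read by code but absent from .env.example (A.8.9 evidence gap)."""
    declared = {
        line.split("=", 1)[0].strip()
        for line in env_example_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    read = set()
    for text in source_files.values():
        read.update(ENV_READ_RE.findall(text))
    return sorted(read - declared)


if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(WORKFLOW))
    print("soft-failing security gates:", soft_failing_security_gates(WORKFLOW))
    print(".env.example drift:", env_example_drift(ENV_EXAMPLE, SOURCES))
```

On the constructed inputs the first check flags the tag-pinned checkout and the branch-pinned SAST action but not the SHA-pinned one; the second flags only the audit step, since an ignorable unit-test step is not a security gate; the third reports SENTRY_DSN and JWT_SECRET, which the code reads but the example file never declares. The fixes are the obvious ones: pin every third-party action to a commit SHA, remove continue-on-error from the gate, and keep .env.example in sync with what the code actually reads.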

Out of scope — what you still need humans for

GateTest is a code scanner. ISO 27001 compliance is a programme, not a tool. These items will never be answerable from source code alone.

  • Defining your Statement of Applicability (SoA) — methodological.
  • Information Security Management System (ISMS) scope and governance documents.
  • Internal audit programme and management review meetings (Cl. 9).
  • Risk assessment / treatment methodology (Cl. 6.1) — needs human risk reasoning.
  • Physical and environmental controls (A.7).

How GateTest fits a compliance programme

GateTest is a code-quality and security scanner. It belongs in your CI pipeline, not in your auditor's office. We catch the technical findings auditors look for — secrets, missing rotation, weak TLS, PII in logs, dangerous dependencies — so the audit becomes a paperwork exercise instead of an emergency.

Pricing

Quick        $29    4 essential modules
Full         $99    All modules — scan only
Scan + Fix   $199   Full scan + AI auto-fix PR
Forensic     $399   Everything + correlation + report

Trust

CLI is MIT-licensed
Available on GitHub Marketplace soon

Try a $29 Quick scan on your repo

See the ISO 27001-relevant findings on your own code in under 15 seconds. Free preview. Pay only if you ship the report.

Start a scan →

Other regulations