ISO/IEC 27001:2022

Annex A technical controls. Code-level evidence.

VibeReview is ISO 27001 certified itself. The same threat-model and guardrail engine that supports our own ISMS produces Annex A evidence for your code. Map controls to guardrails. Hand the SoA to your assessor.

14-day free trial · No card required

You prompting Cursor · app/api/admin/users.py

"Add an admin endpoint that lists every user with email and last login."

VibeReview matched 3 Annex A controls · invisibly
  • A.5.15 — require admin role, deny by default
  • A.8.16 — audit-log every privileged read with actor and IP
  • A.8.28 — parameterized query; no string-formatted SQL
app/api/admin/users.py
from fastapi import Depends, Request

# auth, require_role, audit and db are the application's own helpers (not shown on this page).


@app.get("/admin/users")
@require_role("admin")  # A.5.15: deny by default; only the admin role reaches the handler
def list_users(
    request: Request,     # FastAPI injects the Request; no "= None" default needed
    actor=Depends(auth),  # the authenticated principal, resolved by the app's auth dependency
):
    # A.8.16: record the privileged read with actor and source IP before returning any data
    audit.log(
        "admin.users.list",
        actor=actor.id,
        ip=request.client.host,
    )
    # A.8.28: the limit is a bound parameter, never string-formatted into the SQL text
    return db.execute(
        "SELECT id, email, last_login_at "
        "FROM users "
        "ORDER BY last_login_at DESC "
        "LIMIT ?",
        (200,),
    ).fetchall()  # assumes a DB-API cursor (qmark paramstyle); a bare cursor is not JSON-serializable

✓ Role-gated, audit-logged, parameterized. A.5.15, A.8.16, A.8.28 evidence on every call.
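The same three controls as an added, stand-alone example (not VibeReview's or the generated code above): a deny-by-default role decorator, an in-memory audit log, and a parameterized query against a constructed SQLite table, so the behaviour can be exercised without FastAPI. The names `require_role`, `Forbidden`, `AUDIT_LOG` and `build_db`, and the sample users, are assumptions made here.

```python
import sqlite3
from functools import wraps

# Constructed stand-in for an append-only audit sink (assumed, not the product's own).
AUDIT_LOG = []


class Forbidden(Exception):
    """Raised when the caller lacks the required role."""


def require_role(role):
    """A.5.15: deny by default; only a caller holding `role` reaches the handler."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(actor, *args, **kwargs):
            if role not in actor.get("roles", ()):  # a caller with no roles at all is also denied
                AUDIT_LOG.append({"event": f"{fn.__name__}.denied", "actor": actor.get("id"), "ip": actor.get("ip")})
                raise Forbidden(f"{actor.get('id')} lacks role {role!r}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorator


def build_db():
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, last_login_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "2024-05-01T10:00:00Z"),
        (2, "bob@example.com", "2024-05-03T09:30:00Z"),
        (3, "carol@example.com", "2024-04-20T08:15:00Z"),
    ])
    return conn


@require_role("admin")
def list_users(actor, conn, limit=200):
    # A.8.16: record who read the data and from where, before any rows are returned.
    AUDIT_LOG.append({"event": "admin.users.list", "actor": actor["id"], "ip": actor["ip"]})
    # A.8.28: the limit travels as a bound parameter, never formatted into the SQL text.
    rows = conn.execute(
        "SELECT id, email, last_login_at FROM users ORDER BY last_login_at DESC LIMIT ?",
        (limit,),
    ).fetchall()
    return [{"id": i, "email": e, "last_login_at": t} for i, e, t in rows]
```

Both the successful read and the refused one leave an audit record, which is what the A.8.16 evidence pointer is built from.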

MODEL

Threat model → Annex A scope.

The model names the assets, the trust boundaries, and the in-scope code. Each finding ties to the Annex A control that governs it.

ENFORCE

Guardrails → A.8 technical controls.

A.8.4 access to source code. A.8.16 monitoring. A.8.25 secure development. A.8.28 secure coding. A.8.29 security testing. Each guardrail cites the control.

EVIDENCE

PR review → per-control evidence.

Every diff runs the matching controls. Audit log records the control ID and the outcome.

REPORT

Mapping report → SoA-friendly.

Per-control coverage, per-control evidence pointers. Hand it to your assessor with the Statement of Applicability.

WHAT'S COVERED

ISO/IEC 27001:2022 Annex A controls and the VibeReview controls behind them.

Coverage focuses on Annex A.5 organizational controls and A.8 technical controls applicable to software development.

  • A.5.30 ICT readiness for business continuity: Threat model identifies single points of failure in the code that affect resilience.
  • A.8.1 User endpoint devices: IDE-resident MCP guardrails enforce endpoint-side policy at prompt time.
  • A.8.4 Access to source code: GitHub App and GitLab App with scoped, read-only OAuth. Code is never persisted on VibeReview servers.
  • A.8.8 Management of technical vulnerabilities: Guardrails on dependency pinning, CVE-aware policies, and supply-chain checks. Mapping to OWASP and CWE per finding.
  • A.8.16 Monitoring activities: Read-only audit log of guardrail enforcement across the SDLC. Exportable to your SIEM on Enterprise.
  • A.8.25 Secure development life cycle: Threat model, guardrails, PR review form the SDLC controls. Every change carries evidence.
  • A.8.27 Secure system architecture: Threat model documents architecture, trust boundaries, and data flows per repo.
  • A.8.28 Secure coding: Guardrails enforce secure-coding rules at prompt time and re-verify at PR.
  • A.8.29 Security testing: PR review acts as continuous security testing. Findings logged per A.8.29.

Get the ISO 27001 mapping report for your repo.

We walk you through the per-control coverage and the SoA-friendly export. Bring your assessor.