TINQIN’s Data Protection Officer, Vasil Vasilev, explains how ISO 27001:2022 strengthens software delivery, from secure design to CI/CD, and what CTOs should verify in vendor due diligence.
DPO: The 2022 revision is the first major update since 2013. The new standard takes into account new aspects of information security in modern processes while at the same time simplifying and merging controls. I’ll point out Annex A, which moved from 114 to 93 controls, now grouped under four themes: organizational, people, physical, and technological. The structure is simpler, and alignment with modern delivery is better. This helps teams map controls to day-to-day SDLC activities.

DPO: Start with A.8.25 Secure development life cycle, A.8.28 Secure coding, and A.8.29 Security testing in development and acceptance. Add A.5.7 Threat intelligence, A.5.23 Cloud services, and A.8.9 Configuration management. Together, these steer secure-by-design work, code quality, automated testing, and cloud hygiene.
DPO: At TINQIN, we define functional and non-functional security requirements at the start, codified in tickets and acceptance criteria. We maintain separate environments for development, test, and production. We restrict developer access to production and use masked or synthetic data in testing. Repos enforce signed commits, branch protection, and secret scanning. CI/CD runs SAST, SCA, DAST, or IAST where applicable, plus IaC scanners and automated policy checks before merge and release. Training covers language-specific secure coding patterns that match the tech stack and A.8.28 expectations. On top of that, we’ve developed Secure Coding Guidelines to ensure consistent practices across projects.
DPO: As early as specification and design! We reference OWASP Top 10 to anchor common risks and the NIST SSDF, SP 800-218, to align practices like threat modeling, dependency risk management, and build integrity. These sources integrate cleanly with ISO 27001’s control intent. Moreover, the GDPR requirement of privacy by design and by default under Article 25 aligns perfectly with this approach.
DPO: We run continuous scanning that maps to A.8.26, A.8.29 and vulnerability management objectives. Our approach combines continuous automated scanning with targeted penetration testing to identify and address vulnerabilities proactively. All findings are tracked from discovery to closure, with evidence documented in our project management system and release notes.
DPO: Contracts include information security clauses, right-to-audit, data protection obligations, and breach notification terms. Vendors must attest to secure coding practices and CI/CD controls. Access to client data is minimized and monitored. For subcontractors, masked data and environment separation are mandatory. This comprehensive approach assures clients and partners that we not only promise security but consistently deliver it.
DPO: Cloud responsibilities are clearer with A.5.23. We implement a control framework that maps provider shared-responsibility models to our policies, configuration baselines, encryption, key management, and logging. Change control covers both application and infrastructure code, aligning with A.8.9 Configuration management. (DataGuard)
DPO: The deadline to transition is 31 October 2025. Teams should run a gap assessment, update the Statement of Applicability, and prioritize SDLC changes, environment separation, CI/CD controls, cloud controls, and training. Build a short improvement program with measurable checkpoints.
DPO: Our certification translates directly into superior delivery quality and a more reliable partnership for our clients. It reduces uncontrolled variance across projects. CI/CD pipelines and security tests identify and fix vulnerabilities earlier, leading to faster remediation and fewer delays. For regulated industries, certification simplifies vendor oversight and provides peace of mind. Ultimately, it’s more than a badge; it is a commitment to consistent, high-quality, secure processes.
DPO: TINQIN is certified to ISO/IEC 27001:2022. We run internal assessments throughout the year and complete annual surveillance audits. A group of ISO Champions runs the program, supporting projects with training and checks. This lets product teams focus on delivery while we keep the ISMS effective.
| Control | What clients should see in practice |
|---|---|
| A.8.25 Secure development life cycle | Security requirements in backlog, threat modeling, peer reviews with security checklists, and environment separation documented. |
| A.8.26 Application security requirements | Non-functional security requirements linked to acceptance criteria and tests. |
| A.8.27 Secure architecture and engineering | Authn, session control, input validation, crypto design patterns documented and reviewed. |
| A.8.28 Secure coding | Language-specific secure coding standards, training records, secret scanning, dependency policies. |
| A.8.29 Security testing in development and acceptance | CI/CD gates for SAST, SCA, DAST or IAST, IaC scanning, evidence of test results tied to releases. |
| A.5.23 Cloud services | Cloud configuration baselines, logging, key management, and change control mapped to shared responsibility. |
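Added example, not TINQIN's tooling and not code from the interview: a minimal pre-merge secret-scanning gate of the kind the A.8.28 (secret scanning) and A.8.29 (CI/CD gates) rows describe. It scans only the added lines of a unified diff, matches a few well-known credential formats, drops low-entropy placeholder values, honours an explicit allow-list marker for test fixtures, and returns a non-zero status so the pipeline blocks the merge. The rule set, the entropy floor, the marker string, and the sample diff are all assumptions made for this example.

```python
"""Pre-merge secret-scanning gate: fails a merge when added diff lines carry
credential-like material. Constructed example, not TINQIN's tooling."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Example rule set for a few well-known credential formats (assumption for the
# example; a production gate would use a maintained pattern library).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" with a sensitive-looking name; the value is checked against an entropy floor
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
MIN_ENTROPY = 3.0                      # bits per character; filters placeholders like "changeme"
ALLOW_MARKER = "# gate:allow-secret"   # explicit, reviewable opt-out for test fixtures
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _check_line(path: str, lineno: int, text: str) -> list[Finding]:
    found = []
    for rule, pat in PATTERNS.items():
        m = pat.search(text)
        if not m:
            continue
        if rule == "generic_assignment" and shannon_entropy(m.group(1)) < MIN_ENTROPY:
            continue  # low-entropy value: almost certainly a placeholder, not a credential
        found.append(Finding(path, lineno, rule))
    return found


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the added ('+') lines of a unified diff, tracking new-file line numbers."""
    path, lineno, findings = "", 0, []
    for raw in diff_text.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "\\")):
            continue
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):
            lineno = int(HUNK_RE.match(raw).group(1))
            continue
        if raw.startswith("+"):
            text = raw[1:]
            if ALLOW_MARKER not in text:
                findings.extend(_check_line(path, lineno, text))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1  # unchanged context line advances the new-file counter
        # '-' lines belong to the old file and do not advance it
    return findings


def gate(diff_text: str) -> int:
    """Exit status for CI: 1 blocks the merge, 0 lets it through."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}", file=sys.stderr)
    return 1 if findings else 0


# Constructed diff: two real-looking secrets, one placeholder, one allow-listed fixture, one key file.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/config.py b/app/config.py",
    "--- a/app/config.py",
    "+++ b/app/config.py",
    "@@ -1,3 +1,5 @@",
    " import os",
    '-DB_PASSWORD = os.environ["DB_PASSWORD"]',
    '+DB_PASSWORD = "Q7vT2mN9xLpZ4kRw"',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+TEST_PASSWORD = "changeme"',
    " DEBUG = False",
    "diff --git a/tests/fixtures.py b/tests/fixtures.py",
    "--- a/tests/fixtures.py",
    "+++ b/tests/fixtures.py",
    "@@ -0,0 +1,1 @@",
    '+FAKE_TOKEN = "ghp_' + "a" * 36 + '"  ' + ALLOW_MARKER,
    "diff --git a/deploy/id_rsa b/deploy/id_rsa",
    "--- /dev/null",
    "+++ b/deploy/id_rsa",
    "@@ -0,0 +1,2 @@",
    "+-----BEGIN RSA PRIVATE KEY-----",
    "+MIIEpAIBAAKCAQEA...",
])

if __name__ == "__main__":
    # Typical CI use: git diff origin/main...HEAD | python secret_gate.py
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF))
```

On the sample diff the gate reports the hard-coded database password, the AWS access key ID and the committed private key, ignores the low-entropy placeholder and the marked fixture, and exits 1. The allow-list marker is deliberately a visible token in the diff, so a reviewer sees every opt-out in the same change that introduces it; that visibility is the kind of evidence an auditor can tie back to the control.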