Compliance / ISO/IEC 27001:2022
ISO/IEC 27001:2022 Annex A names the controls. SecHive produces the technical evidence behind A.8.8 (technical vulnerability management), A.8.28 (secure coding) and A.8.29 (security testing) — bound to the engagement and signed.
The mapping is intentionally narrow. We list only the articles where SecHive produces a directly defensible artifact, and we name the artifact.
| Article / control | What it requires | SecHive artifact |
|---|---|---|
| A.5.7 — Threat intelligence | Threat intelligence collected and analysed. | Hypothesis graph with named threat scenarios per engagement. |
| A.8.8 — Management of technical vulnerabilities | Information about technical vulnerabilities used to evaluate exposure and take action. | Per-finding evidence with severity, impact and remediation guidance. |
| A.8.25 — Secure development life cycle | Rules for the secure development of software and systems established. | Source-audit and PR-audit run modes, both with proof-first separation. |
| A.8.28 — Secure coding | Secure coding principles applied. | Source candidates routed to engineering with code references retained. |
| A.8.29 — Security testing in development and acceptance | Security testing processes defined and implemented. | Mode-labeled run output with reproducible artifacts. |
What you can put in front of an auditor or a security review.
replay.sh per finding.SecHive renders an evidence matrix per engagement. Below is one row, redacted.
# evidence-row.yaml — redacted control: A.8.29 # effectiveness testing finding_id: VTX-RPL-0042 mode: black-box target: redacted target_ref: image@sha256:9c4e… # pinned artifact: path: artifacts/replay.sh sha256: 7c3a… signed: cosign:sechive-key disposition: reviewer: redacted-operator state: confirmed retest: status: fixed @ 2026-04-18 evidence: artifacts/retest-receipt.json
Bring the scope and the auditor's evidence list. We will produce the technical artifacts.