Enterprise

AI Rules for ISO 27001

ISO 27001 is the international standard for Information Security Management Systems. AI rules must map to Annex A controls covering access management, cryptography, operations security, and incident management.

6 min read·July 5, 2025

ISO 27001 is the international standard organizations certify their security programs against. Annex A's 93 controls are the reference set from which your ISMS selects what 'secure' means.

Access management, cryptography, secure SDLC, operations monitoring, incident management, and business continuity

ISO 27001: The Global Security Standard

ISO 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Unlike SOC 2 (which is primarily US-focused), ISO 27001 is recognized globally and is often required for doing business in Europe, Asia, and the Middle East. Certification requires a risk assessment, implementation of the controls selected from Annex A, internal audits, management review, and an external audit by an accredited certification body.

Annex A: 93 controls organized into 4 themes (ISO 27001:2022 revision): Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34). AI-generated code primarily implements technological controls, but must also support organizational controls through audit, reporting, and workflow features.

The AI governance approach: the ISMS defines which controls are applicable based on the risk assessment. The AI should not blindly implement all 93 controls — it should implement the controls that the risk assessment determined are necessary. AI rule: 'Check the Statement of Applicability (SoA) to determine which Annex A controls are in scope. The AI implements the technological controls from the SoA. If no SoA exists: implement all technological controls as a baseline.' Note that the SoA is a mandatory ISMS document (Clause 6.1.3 d), so its absence is itself a gap to close before certification; the baseline fallback is for development that precedes the risk assessment, not a substitute for it.

Access Management and Cryptography Controls

A.8.3 — Information access restriction: restrict access to information and systems according to the access control policy. A.8.5 — Secure authentication: secure authentication technologies and procedures must be implemented. AI rules: 'Role-based access control with least privilege. Authentication: strong passwords (minimum 12 characters), MFA for privileged accounts, session timeout after inactivity, and account lockout after failed attempts. The AI must generate access controls that enforce the principle of least privilege.'

A.8.24 — Use of cryptography: rules for the effective use of cryptography, including key management. AI rules: 'Encryption at rest: AES-256 for sensitive data. Encryption in transit: TLS 1.2+ for all connections. Key management: keys stored in a dedicated key management system (AWS KMS, HashiCorp Vault, Azure Key Vault) — never in source code or configuration files. Key rotation: automated, per the organization's cryptographic policy.'

A.8.25 — Secure development lifecycle: rules for secure development of software and systems. AI rules: 'Code reviews: mandatory before merging. Security-focused review for authentication, authorization, and data handling code. Dependency scanning: automated in CI/CD. Static analysis: run SAST tools on every build. Dynamic testing: DAST scans against staging environments. The AI generates code that passes static analysis without security findings.'

⚠️ Keys in Source Code = Audit Failure

ISO 27001 A.8.24 requires proper key management. Encryption keys, API secrets, or database passwords hardcoded in source code or configuration files are a nonconformity auditors routinely raise against A.8.24 and the organization's own cryptographic policy, and they persist in version history even after the line is removed. Keys must be stored in a dedicated Key Management System (AWS KMS, HashiCorp Vault, Azure Key Vault) and injected at runtime via environment variables or a secrets manager. The AI must never generate code with hardcoded secrets: configuration carries only a reference (a key ARN, a Vault path, a secret name) that is resolved at runtime.
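An added example, not from the original article, of the pre-merge check this callout implies: a Node.js scanner that flags hardcoded secrets in source while accepting KMS-style references, and a runtime resolver that refuses literal values. The reference schemes it accepts (env://, vault://, arn:aws:kms and arn:aws:secretsmanager, ${...} placeholders) and the sample source it scans are assumptions constructed for the example; the AWS value is AWS's documented placeholder key ID.

```javascript
// Added example (not from the article): scan for hardcoded secrets before merge
// (A.8.24, run in the A.8.25 pipeline) and resolve only references at runtime.
// Reference schemes and the sample source are assumptions for this example.

const SECRET_PATTERNS = [
  { rule: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: 'private_key_block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // <credential-like name> = "literal of 8+ chars"; the literal is captured as m[1]
  { rule: 'credential_literal',
    re: /(?:password|passwd|secret(?:[_-]?key)?|api[_-]?key|access[_-]?key|token)\b\s*[:=]\s*["']([^"']{8,})["']/i },
];

// A value that points at a secret store is a reference, not a secret.
const REFERENCE_RE = /^(?:env:\/\/[A-Z0-9_]+|vault:\/\/\S+|arn:aws:(?:kms|secretsmanager):\S+|\$\{[^}]+\})$/;

function scanForHardcodedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const { rule, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (!m) continue;
      if (m[1] !== undefined && REFERENCE_RE.test(m[1])) continue; // reference: allowed
      findings.push({ line: i + 1, rule });
    }
  });
  return findings;
}

// Runtime side: configuration carries a reference and the platform injects the
// value. Only env:// is implemented here; a KMS or Vault client would handle
// the other schemes in the same fail-closed way. Anything that is not a
// recognised reference is rejected rather than used as the secret.
function resolveSecret(ref, env) {
  if (!REFERENCE_RE.test(ref)) throw new Error('refusing literal secret in configuration');
  const m = /^env:\/\/([A-Z0-9_]+)$/.exec(ref);
  if (!m) throw new Error(`no resolver for the scheme of ${ref} in this example`);
  if (env[m[1]] === undefined) throw new Error(`${m[1]} is not set`);
  return env[m[1]];
}

// Constructed sample source (not a real code base) mixing literals and references.
const SAMPLE_SOURCE = [
  "const dbPassword = 'hunter2hunter2';",                                                  // 1: literal -> finding
  "const awsKey = 'AKIAIOSFODNN7EXAMPLE';",                                                // 2: key ID -> finding
  "const apiKey = 'env://PAYMENTS_API_KEY';",                                              // 3: reference -> allowed
  "const secretKey = 'arn:aws:secretsmanager:us-east-1:111122223333:secret:payments';",    // 4: reference -> allowed
  "const token = process.env.TOKEN;",                                                       // 5: no literal -> allowed
  "-----BEGIN RSA PRIVATE KEY-----",                                                        // 6: key material -> finding
].join('\n');

console.log(scanForHardcodedSecrets(SAMPLE_SOURCE));
console.log(resolveSecret('env://PAYMENTS_API_KEY', { PAYMENTS_API_KEY: 'injected-by-platform' }));
```

Pattern scanners of this kind catch the obvious cases and are cheap enough to run on every commit; pair them with a dedicated tool and an entropy check in CI, since a random token assigned to an innocently named variable will slip past the name-based rule.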

Operations Security and Monitoring

A.8.15 — Logging: event logs recording user activities, exceptions, faults, and information security events must be produced, kept, and regularly reviewed. AI rules: 'Log security events: authentication (success/failure), authorization decisions, data access, configuration changes, administrative actions. Logs: structured format (JSON), forwarded to central log management, retained per the retention policy (minimum 12 months), and protected from tampering (write-once, access-controlled).'

A.8.16 — Monitoring activities: networks, systems, and applications must be monitored for anomalous behavior. AI rules: 'Generate monitoring and alerting for: unusual access patterns (access outside business hours, from unusual locations), repeated failed authentications, privilege escalation, mass data downloads, and configuration changes. Integrate with the organization's SIEM or monitoring platform.'

A.8.9 — Configuration management: configurations of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. AI rules: 'All configuration: stored as code (Infrastructure as Code), version-controlled, and tracked. No manual configuration changes in production. The AI generates configurations through IaC tools (Terraform, Pulumi, CloudFormation) — not manual console changes.'

💡 Structured Logs Enable Automated Monitoring

Unstructured log messages (console.log('User login failed')) can only be parsed by SIEM tools with brittle per-message regexes that break silently when the wording changes. Structured logs ({event: 'auth_failure', userId: 'abc', ip: '1.2.3.4', timestamp: '...'}) enable automated anomaly detection, dashboarding, alerting rules, and compliance reporting. The AI should generate structured log entries (JSON format) with consistent field names across all services, and should never log the credential itself. This supports A.8.15 (logging) and enables A.8.16 (monitoring).
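As an added example (not code from the original article), here is what a structured security logger and two A.8.16 detections run over its output look like in Node.js. It covers both the structured-log point above and the repeated-failure and off-hours monitoring described under A.8.16. The field names (event, userId, ip, ts, role), the five-failures-in-ten-minutes threshold and the 08:00–18:00 UTC business-hours window are assumptions chosen for the example, and the log lines are constructed, not real data.

```javascript
// Added example (not from the article): structured security events (A.8.15)
// and detection logic over them (A.8.16). Field names, thresholds and the
// sample log are assumptions for this example, not a standard schema.

// One JSON line per event with a fixed field set, so every service emits the
// same shape and the SIEM indexes fields instead of regex-matching prose.
function securityEvent(event, fields) {
  for (const f of ['userId', 'ip', 'ts']) {
    if (!(f in fields)) throw new Error(`missing field ${f} for ${event}`);
  }
  return JSON.stringify({ event, ...fields });
}

// Rule 1: `threshold` or more auth_failure events for one (userId, ip) pair
// inside a sliding window. Events are assumed to arrive in time order; one
// alert fires when the threshold is first reached.
function detectBruteForce(lines, { threshold = 5, windowMs = 10 * 60_000 } = {}) {
  const recent = new Map(); // "userId|ip" -> failure timestamps still inside the window
  const alerts = [];
  for (const line of lines) {
    const e = JSON.parse(line);
    if (e.event !== 'auth_failure') continue;
    const key = `${e.userId}|${e.ip}`;
    const t = Date.parse(e.ts);
    const ts = recent.get(key) || [];
    ts.push(t);
    while (ts.length && t - ts[0] > windowMs) ts.shift(); // expire old failures
    recent.set(key, ts);
    if (ts.length === threshold) {
      alerts.push({ rule: 'repeated_auth_failure', key, count: ts.length, at: e.ts });
    }
  }
  return alerts;
}

// Rule 2: a successful privileged login outside business hours (UTC).
function detectOffHoursAdmin(lines, { startHour = 8, endHour = 18 } = {}) {
  const alerts = [];
  for (const line of lines) {
    const e = JSON.parse(line);
    if (e.event !== 'auth_success' || e.role !== 'admin') continue;
    const hour = new Date(e.ts).getUTCHours();
    if (hour < startHour || hour >= endHour) {
      alerts.push({ rule: 'off_hours_admin_login', userId: e.userId, ip: e.ip, at: e.ts });
    }
  }
  return alerts;
}

// Constructed sample log (not real data): alice fails five times in two minutes
// and then logs in as admin at 02:02 UTC; bob fails once; carol is normal.
const ev = (event, userId, ip, ts, extra = {}) => securityEvent(event, { userId, ip, ts, ...extra });
const SAMPLE_LOG = [
  ev('auth_failure', 'alice', '203.0.113.7',  '2025-07-05T02:00:00Z'),
  ev('auth_failure', 'alice', '203.0.113.7',  '2025-07-05T02:00:30Z'),
  ev('auth_failure', 'alice', '203.0.113.7',  '2025-07-05T02:01:00Z'),
  ev('auth_failure', 'bob',   '198.51.100.4', '2025-07-05T02:01:10Z'),
  ev('auth_failure', 'alice', '203.0.113.7',  '2025-07-05T02:01:30Z'),
  ev('auth_failure', 'alice', '203.0.113.7',  '2025-07-05T02:02:00Z'),
  ev('auth_success', 'alice', '203.0.113.7',  '2025-07-05T02:02:30Z', { role: 'admin' }),
  ev('auth_success', 'carol', '192.0.2.9',    '2025-07-05T10:15:00Z', { role: 'admin' }),
];

console.log(detectBruteForce(SAMPLE_LOG));   // one repeated_auth_failure alert for alice|203.0.113.7
console.log(detectOffHoursAdmin(SAMPLE_LOG)); // one off_hours_admin_login alert for alice
```

Both rules work only because every producer agrees on `event`, `userId`, `ip` and `ts`; the same two functions would run unchanged against a second service's output, which is the practical benefit of fixing the field names once. In a SIEM the equivalent is a saved query or correlation rule, but the logic is the same as shown here.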

Incident Management and Business Continuity

A.5.24-28 — Information security incident management: plan and prepare for managing incidents, assess and decide on events, respond to incidents, learn from incidents, and collect evidence. AI rules: 'Generate incident detection capabilities: automated alerting for security events, severity classification (critical/high/medium/low), escalation workflows, and incident response runbooks. The AI should generate alerting rules alongside security features, not as an afterthought.'

A.8.13-14 — Information backup and redundancy: backup copies of information, software, and system images must be maintained. AI rules: 'Generate backup configurations for all data stores. Automated backups with defined frequency (daily for databases, continuous for critical data). Test restores regularly (untested backups are not backups). Redundancy: no single points of failure for critical systems. The AI generates HA (High Availability) configurations by default for production systems.'

Continual improvement (Clause 10): the ISMS must be continually improved. AI rule: 'Generate metrics and reporting that enable improvement: security event trends, vulnerability remediation times, access review completion rates, and control effectiveness measurements. The ISMS requires evidence of improvement over time — the AI should generate the measurement infrastructure alongside the controls.'

ℹ️ Untested Backups Are Not Backups

ISO 27001 A.8.13 requires information backup — but a backup that has never been tested might be corrupted, incomplete, or use an incompatible format. The AI should generate automated backup jobs AND automated restore tests (at least monthly). The restore test verifies data completeness, application functionality on restored data, and recovery time (does the restore complete within the RTO, the recovery time objective?). Document test results as evidence for the auditor.

ISO 27001 AI Rules Summary

Summary of AI rules mapped to ISO 27001 Annex A technological controls.

  • Access management: RBAC, least privilege, MFA for privileged accounts, session timeout, lockout
  • Cryptography: AES-256 at rest, TLS 1.2+ in transit, KMS for keys, automated rotation
  • Secure development: code review, dependency scanning, SAST, DAST, security-focused review
  • Logging: security events in structured JSON, centralized, 12+ month retention, tamper-proof
  • Monitoring: anomaly detection, SIEM integration, alerting for unusual access patterns
  • Configuration: Infrastructure as Code, version-controlled, no manual production changes
  • Incident management: automated detection, severity classification, escalation workflows
  • Backup: automated, tested restores, HA configuration, no single points of failure