Comparison with ISO 27001
30.2.1. ISO 27001 Overview
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Jointly established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a management system for the systematic protection of an organization's information assets.
The current edition is ISO/IEC 27001:2022, published in October 2022. Compared to the previous 2013 edition, the Annex A controls were restructured from 114 to 93, and modern security requirements such as cloud services, threat intelligence, and data masking have been incorporated.
ISO 27001 is applicable to all organizations regardless of industry, size, or region. It is widely obtained to establish trust with customers and partners, particularly in the finance, healthcare, public, and IT services sectors. In South Korea, companies conducting global business frequently obtain it in response to overseas client requirements.
30.2.2. Certification Structure
30.2.2.1. Management System Requirements
The main body of ISO 27001 (Clauses 4-10) defines requirements for the establishment and operation of the management system.
| Clause | Title | Core Content |
|---|---|---|
| 4 | Context of the Organization | Internal/external issues, interested party requirements, scope determination |
| 5 | Leadership | Management commitment, information security policy, roles/responsibilities/authorities |
| 6 | Planning | Risk assessment, risk treatment, information security objectives, change planning |
| 7 | Support | Resources, competence, awareness, communication, documented information |
| 8 | Operation | Operational planning and control, risk assessment/treatment execution |
| 9 | Performance Evaluation | Monitoring/measurement, internal audit, management review |
| 10 | Improvement | Nonconformity and corrective action, continual improvement |
This structure is based on the PDCA (Plan-Do-Check-Act) cycle and is designed to continuously improve the management system.
30.2.2.2. Annex A Controls
Annex A of ISO/IEC 27001:2022 classifies 93 controls into 4 themes.
| Theme | Number of Controls | Key Content |
|---|---|---|
| Organizational Controls | 37 | Information security policy, asset management, access control, supplier relationships, incident management |
| People Controls | 8 | Pre/during/post-employment security, security awareness training, disciplinary process |
| Physical Controls | 14 | Physical security perimeters, equipment security, cabling, secure areas |
| Technological Controls | 34 | Authentication, encryption, malware prevention, network security, secure coding |
Newly added controls in the 2022 version include threat intelligence (A.5.7), cloud service information security (A.5.23), secure coding (A.8.28), data masking (A.8.11), and data leakage prevention (A.8.12).
Of these, the A.8.28 "Secure Coding" control deserves particular attention. It is a requirement only at the level of "secure coding principles must be applied to software development" and does not provide specific code-level verification criteria.
30.2.3. Audit Method
ISO 27001 certification audits are performed by internationally accredited Certification Bodies (CBs). The audit process is as follows.
30.2.3.1. Certification Audit Stages
| Stage | Name | Content | Duration |
|---|---|---|---|
| Preparation | Certification Preparation | Establishment of management system, risk assessment, control implementation, documentation | 6-12 months |
| Stage 1 | Stage 1 Audit | Document audit — confirmation of management system document adequacy | 1-2 days |
| Stage 2 | Stage 2 Audit | On-site audit — confirmation of actual operational effectiveness of the management system | 3-10 days |
| Maintenance | Surveillance Audit | Annual on-site audit, confirmation of continued management system operation | 1-3 days |
| Renewal | Recertification Audit | Full re-audit every 3 years, certificate renewal | 3-5 days |
30.2.3.2. Audit Focus
The key aspects examined during an ISO 27001 audit are as follows.
- Whether the information security policy has been documented and approved by management
- Whether the asset inventory has been identified and risk assessment has been performed
- Whether Annex A controls have been applied according to the risk treatment plan
- Whether the Statement of Applicability (SoA) has been prepared
- Whether internal audits and management reviews are performed regularly
- Whether security incident response procedures have been established and tested
The focus of the audit is on "the existence and operational effectiveness of policies and processes." Activities such as directly opening source code, executing build pipelines, or measuring test coverage are not included in the audit scope.
30.2.4. Comparative Analysis with TQS
The following table summarizes the comparison between ISO 27001 and TQS along key comparison axes.
| Comparison Axis | ISO 27001 | TQS |
|---|---|---|
| Verification Target | Information security management system (policies, processes, organization) | Source code, build configurations, CI/CD pipelines |
| Verification Level | Policy/process level ("Has a policy been established?") | Code level ("Is it implemented in the code?") |
| Security Verification Method | Confirms control implementation through documents and interviews | Directly verifies security settings in code and configuration files |
| Encryption Verification | "Has an encryption policy been established?" | "Is BCrypt hashing used and TLS 1.2 or higher configured?" |
| Access Control Verification | "Has the access control policy been documented?" | "Is RBAC (Role-Based Access Control) implemented in Spring Security?" |
| Secure Coding Verification | "Secure coding principles must be applied" (A.8.28) | "SQL parameter binding used, v-html not used, input Bean Validation applied" |
| Audit Method | Document audit + on-site audit (manual) | Automated tools (ESLint, Spotless, OWASP) + code review |
| Audit Cycle | Annual surveillance audit, 3-year recertification audit | Per-commit CI/CD automated verification, major version re-audit |
| Certification Cost | Tens of millions of KRW (audit fees + consulting fees) | Free (internal self-certification) |
| Certification Body | Internationally accredited Certification Body (CB) | TIENIPIA Technical Standards Committee |
| Legal Effect | Internationally recognized, may be required by contract | Internal self-certification (no legal effect) |
30.2.4.1. Difference in Verification Depth
ISO 27001 requires that "an encryption policy must be established and applied." To satisfy this requirement, it is sufficient to prepare an encryption policy document and demonstrate that the policy is being operated within the organization.
TQS defines specific technical specifications such as "passwords must be hashed with BCrypt," "TLS 1.2 or higher must be used," and "MD5, SHA-1, DES, RC4 must not be used," and verifies these in the actual code. It directly inspects the PasswordEncoder Bean configuration, server.ssl configuration files, and dependency lists.
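As an added illustration of the code-level checks just described (a constructed example, not TQS's own tooling), the following Python checker applies the three rules to a constructed Spring Boot application.yml fragment and a Java configuration fragment: it confirms the PasswordEncoder bean returns a BCryptPasswordEncoder, flags any protocol below TLS 1.2 in server.ssl.enabled-protocols, and flags MD5, SHA-1, DES or RC4 requested through getInstance(). The sample inputs, rule messages and function names are assumptions of this example.

```python
import re

# Constructed sample inputs (not from any real project): a Spring Boot
# application.yml fragment and a Java security configuration fragment.
APPLICATION_YML = """\
server:
  ssl:
    enabled: true
    enabled-protocols: TLSv1.1,TLSv1.2
"""
SECURITY_CONFIG_JAVA = """\
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
MessageDigest legacy = MessageDigest.getInstance("MD5");
"""
WEAK_ALGORITHMS = ("MD5", "SHA-1", "SHA1", "DES", "RC4")
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}


def check_password_encoder(java_src):
    """Rule: the PasswordEncoder bean must return a BCryptPasswordEncoder."""
    m = re.search(r"PasswordEncoder\s+passwordEncoder\s*\(\)\s*\{(.*?)\}", java_src, re.S)
    if m is None:
        return ["no PasswordEncoder bean found"]
    if "new BCryptPasswordEncoder(" not in m.group(1):
        return ["PasswordEncoder bean does not use BCryptPasswordEncoder"]
    return []

def check_tls_protocols(yml):
    """Rule: server.ssl.enabled-protocols must list only TLS 1.2 or higher."""
    m = re.search(r"enabled-protocols:\s*(.+)", yml)
    if m is None:  # unset: the JVM default applies, which may still allow TLS 1.0/1.1
        return ["server.ssl.enabled-protocols not set"]
    bad = [p.strip() for p in m.group(1).split(",") if p.strip() not in ALLOWED_TLS]
    return ["legacy TLS protocol enabled: " + p for p in bad]

def check_weak_algorithms(java_src):
    """Rule: MD5, SHA-1, DES and RC4 must not be requested via getInstance()."""
    findings = []
    for n, line in enumerate(java_src.splitlines(), 1):
        for alg in WEAK_ALGORITHMS:
            if re.search(r'getInstance\(\s*"%s"' % re.escape(alg), line):
                findings.append("line %d: weak algorithm %s" % (n, alg))
    return findings

def run_checks(yml, java_src):
    """All findings; an empty list passes, a non-empty list fails the CI step."""
    return check_password_encoder(java_src) + check_tls_protocols(yml) + check_weak_algorithms(java_src)
```

On the constructed inputs the bean check passes while the TLSv1.1 entry and the MD5 digest are reported, which is the kind of result a pipeline step would turn into a failed build.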
30.2.4.2. Difference in Feedback Speed
ISO 27001 verifies the operational status of the management system through annual surveillance audits. Even if a policy violation occurs between audits, it may not be discovered until the next audit.
Since TQS is integrated into the CI/CD pipeline, if code that violates security policies is committed, the build fails immediately and the developer is notified. The issue can then be identified and fixed within minutes to hours.
30.2.5. Complementary Points
Since ISO 27001 and TQS verify security at different layers, synergy is maximized when applied together.
30.2.5.1. Complementary Structure
ISO 27001 handles "security policy establishment" and "management system operation," while TQS handles "verification of the technical implementation of those policies," forming a two-layer structure.
| Layer | Responsible Certification | Role | Example |
|---|---|---|---|
| Policy Layer | ISO 27001 | Security policy establishment and organizational operation | "Establish a data encryption policy" |
| Implementation Layer | TQS | Verification of code-level implementation of policies | "Hash with BCrypt and encrypt with AES-256" |
30.2.5.2. Synergy Effects
Applying both certifications together yields the following benefits.
- Bridging the Policy-Implementation Gap: TQS proves that security policies required by ISO 27001 are actually implemented in the code. This prevents the situation of "policy exists but implementation does not."
- Improved Audit Efficiency: TQS certification results can be used as supplementary evidence during ISO 27001 audits. TQS reports can be submitted as evidence of implementation for controls related to secure coding (A.8.28), security testing, and change management.
- Real-time Monitoring: Even between ISO 27001 surveillance audits (annual), TQS's CI/CD-based automated verification continuously monitors security compliance status.
- Specific Improvement Metrics: ISO 27001 requires "continual improvement" but does not define specific measurement metrics. TQS provides quantitative metrics such as test coverage, number of security vulnerabilities, and Lighthouse scores, enabling measurement of improvement activities.
30.2.5.3. Application Scenarios
Applying ISO 27001 and TQS together is suitable for the following types of organizations.
- Organizations conducting global business where overseas clients require ISO 27001 certification
- Organizations that operate an information security management system and wish to guarantee actual code quality
- Organizations that already hold ISO 27001 certification and wish to strengthen secure coding practices
ISO 27001 answers "how security is managed," and TQS answers "how security is implemented." Since the two certifications answer different questions, applying them simultaneously is the most effective approach.