DevSecOps19 Mar 202611 min read

DevSecOps for Compliance Teams: Turning Controls into Code

How GRC teams and engineers can turn ISO 27001, SOC 2 and ENS controls into automated pipeline checks that generate audit evidence continuously.

How do DevSecOps and compliance actually fit together? They fit together the moment you stop treating a control as a document and start treating it as a check that runs. DevSecOps embeds security testing and policy enforcement directly into the software delivery pipeline, and most modern compliance frameworks (ISO 27001, SOC 2, ENS) ask for precisely the things a well-instrumented pipeline already does: control access to change, test for vulnerabilities, track what shipped, and keep a record of it all. When you wire those framework requirements into your CI/CD, compliance stops being a point-in-time scramble before an audit and becomes a continuous by-product of how you build software. This article shows GRC and engineering teams how to make that translation concretely: which controls map to which automation, what evidence each check produces, and how to run the whole thing as a shared responsibility.

The gap between GRC and engineering

For years, compliance and engineering have spoken different dialects of the same language. A GRC lead talks about "A.8.8 – management of technical vulnerabilities." An engineer talks about "the Trivy scan in the merge pipeline." These are the same control. The problem is that nobody translated one into the other, so the two teams end up meeting only once a year, in a conference room, when the auditor arrives and someone asks engineering for "screenshots proving vulnerabilities are managed."

That annual scramble is expensive and, worse, dishonest by design. A screenshot captured the week before an audit tells you the control worked once, on one day, for one system. It says nothing about the other 51 weeks. Auditors increasingly know this, and frameworks are increasingly written to reward continuous operation over point-in-time theatre.

DevSecOps closes the gap because it moves security and control enforcement to where the work actually happens: the pull request, the build, the deployment. If a control is enforced by a pipeline gate, then every single change is evidence that the control ran. Compliance shifts from "prove it worked in March" to "here is the immutable log of it working on every commit since March."

Shift-left: the same idea, two vocabularies

"Shift-left" means moving security checks earlier in the development lifecycle β€” closer to the developer writing code, rather than a gate at the end before release. For compliance, this is the mechanism that turns a control objective into something enforceable and cheap.

Consider vulnerability management. The traditional GRC approach is a quarterly scan, a spreadsheet of findings, and a remediation SLA that everyone misses. The shift-left approach runs the scan on every pull request, blocks the merge if a critical vulnerability is introduced, and never lets the debt accumulate in the first place. The control objective is identical. The difference is that one produces a backlog and an argument, while the other produces a clean, continuous evidence trail and a much smaller attack surface.

The core DevSecOps toolchain maps neatly onto control families that any ISO 27001, SOC 2, or ENS practitioner will recognise:

  • SAST (Static Application Security Testing) β€” analyses source code for insecure patterns. Evidences secure development and vulnerability management controls.
  • DAST (Dynamic Application Security Testing) β€” tests the running application for exploitable weaknesses. Evidences vulnerability management and secure operations.
  • SCA (Software Composition Analysis) β€” inventories third-party and open-source dependencies and flags known CVEs. Evidences supply-chain and technical vulnerability controls.
  • Secrets scanning β€” detects hardcoded credentials, tokens, and keys before they reach a repository. Evidences access control and cryptographic key management.
  • IaC scanning β€” checks Terraform, CloudFormation, or Kubernetes manifests for misconfigurations before they are provisioned. Evidences secure configuration and change management.
  • SBOM (Software Bill of Materials) β€” produces a machine-readable inventory of everything in a build. Evidences asset management and supply-chain transparency.

None of these is exotic. Most engineering teams already run several of them. The compliance opportunity is not to buy new tools β€” it is to recognise the ones already in the pipeline as control implementations and to route their output into your evidence store.

Policy-as-code: controls that enforce themselves

The most direct translation of a control into code is policy-as-code: expressing a compliance rule as a machine-executable policy that the pipeline evaluates automatically. Tools like Open Policy Agent (OPA), Conftest, and Checkov let you write rules such as "no storage bucket may be publicly readable," "every production namespace must have network policies," or "all container images must come from an approved registry."

When these policies run as a CI/CD gate, three things happen at once:

  1. 1The control is enforced β€” non-compliant changes are blocked before they reach production, not detected afterwards.
  2. 2The control is versioned β€” the policy itself lives in Git, so you have a full history of what the rule was and when it changed, with an approver attached to every modification.
  3. 3The control generates evidence β€” every pipeline run records a pass/fail against the policy, timestamped and tied to a specific commit and author.

That third point is the quiet revolution. In a policy-as-code model, evidence is not something you collect; it is something the pipeline emits whether you ask for it or not. The audit artefact is a natural exhaust of the control operating.

CI/CD security gates and change management

Change management is where GRC and engineering most often talk past each other. The framework language β€” ISO 27001 A.8.32, SOC 2 CC8.1 β€” asks for authorised, tested, documented changes with segregation between the person who writes a change and the person who approves it. Engineers hear "process paperwork." But a properly configured Git workflow already satisfies almost all of it:

  • Branch protection enforces that no change reaches the main branch without a pull request. That is authorisation.
  • Required reviewers enforce that the author cannot approve their own change. That is segregation of duties.
  • Required status checks enforce that tests and security scans pass before merge. That is testing.
  • Signed commits and an immutable Git history provide the documented, tamper-evident record. That is the audit trail.

The work for the GRC team is not to impose a parallel change-management process on top of Git. It is to recognise that the Git workflow is the change-management control, to document it as such in the Statement of Applicability, and to point the auditor at the pull request history instead of a Confluence page nobody updates.

From controls to automated checks: a mapping

The table below shows how common framework controls translate into concrete DevSecOps automation and the evidence that automation produces. The framework references are illustrative rather than exhaustive β€” the point is the pattern, not a definitive crosswalk.

Framework control (example)DevSecOps automation that satisfies itEvidence generated continuously
Access control (ISO 27001 A.5.15 / SOC 2 CC6.1 / ENS op.acc)Secrets scanning in CI; IaC policy checks on IAM roles; least-privilege rules in policy-as-codeScan logs per commit; blocked-merge records; versioned IAM policy diffs
Change management (ISO 27001 A.8.32 / SOC 2 CC8.1)Branch protection, required reviewers, required status checksPull request history with approver, timestamp, and passing checks
Vulnerability management (ISO 27001 A.8.8 / SOC 2 CC7.1 / ENS op.exp)SAST, DAST, SCA on every build with severity-based merge gatesPer-build scan reports; remediation timeline from finding to fix
Secure configuration (ISO 27001 A.8.9 / ENS op.exp.2)IaC scanning (Checkov, tfsec) and OPA policies pre-provisionPolicy pass/fail per pipeline run; drift-detection alerts
Supply-chain security (ISO 27001 A.5.19 / A.8.30)SBOM generation; dependency pinning; signed artefactsVersioned SBOM per release; provenance attestations
Logging and monitoring (ISO 27001 A.8.15 / SOC 2 CC7.2 / ENS op.mon)Centralised pipeline and runtime logging; alert-as-codeImmutable, timestamped log streams; alert configuration in Git
Cryptographic key management (ISO 27001 A.8.24)Secrets manager integration; no plaintext secrets ruleSecret-rotation logs; blocked commits containing key material

Read across any row and you can see the shape of the model: a control on the left, a mechanism in the middle that runs on every change, and evidence on the right that accumulates without anyone assembling it manually.

Continuous control monitoring and evidence-as-a-by-product

The endpoint of this approach is continuous control monitoring (CCM): instead of testing a control's effectiveness once per audit cycle, you observe it operating on every relevant event and flag deviations in near real time.

CCM changes the auditor conversation fundamentally. The classic audit question is "show me evidence this control operated." In a CCM model, the honest answer is "here is every instance of it operating since the last audit, plus every exception and how each was resolved." Instead of a sampled snapshot, you offer the full population. That is not just easier to defend β€” it is genuinely stronger assurance.

The key architectural principle is evidence as a by-product of pipelines. You should never build a separate system whose job is to manufacture audit evidence, because evidence produced for its own sake drifts from reality and quietly becomes fiction. Instead, the evidence should be the authentic output of controls that exist to keep the system secure:

  • A blocked merge because SCA found a critical CVE is both a security event and a vulnerability-management evidence record.
  • A failed OPA policy check is both a prevented misconfiguration and a secure-configuration evidence record.
  • A signed, reviewed pull request is both good engineering hygiene and a change-management evidence record.

When evidence and security are the same artefact, they cannot diverge. That is the whole point.

The cultural shift: shared ownership

None of this works as a purely technical exercise. The hardest part of turning controls into code is not the tooling β€” it is the shift from "compliance is GRC's job" to "compliance is a shared property of how we build."

In the traditional model, GRC owns the controls and engineering is a reluctant supplier of evidence once a year. In the DevSecOps model, the ownership is split along the seam where each team is strong:

  • GRC owns the intent. Which controls apply, what "good" looks like, how the framework language maps to the organisation's risk appetite, and how to represent the automated control set to an auditor.
  • Engineering owns the implementation. How the control is enforced in the pipeline, which tools run where, and how the gates are configured.
  • Both own the outcome. A control that blocks legitimate work is an engineering problem and a GRC problem. A control that passes but does not actually reduce risk is likewise a shared failure.

Practically, this means GRC people need to be comfortable reading a pipeline definition, and engineers need to understand what a control objective is actually asking for. The goal is a shared vocabulary β€” the moment a GRC lead and an engineer can look at the same failed pipeline check and both call it "the A.8.8 gate," the gap has closed.

Metrics that matter

Shared ownership needs shared metrics β€” and the useful ones measure the health of controls, not activity for its own sake:

  • Control coverage β€” what percentage of applicable controls are enforced by automation versus manual attestation.
  • Mean time to remediate (MTTR) β€” from a security finding to its fix, drawn straight from pipeline and issue data.
  • Gate pass rate and exception volume β€” how often gates block changes, and how many exceptions or overrides are granted (a rising override count is an early warning that a control is misconfigured or being routed around).
  • Evidence freshness β€” how recent the latest evidence for each control is; in a continuous model this should be measured in hours or days, never months.
  • Escaped findings β€” issues discovered in production that a gate should have caught, which tell you where the shift-left coverage has holes.

These metrics are useful precisely because they are honest. They are computed from the same pipeline data that produces the evidence, so they cannot be gamed without also breaking the controls they describe.

Conclusion

Turning controls into code is less a technology project than a translation project. The tools β€” SAST, DAST, SCA, secrets and IaC scanning, SBOMs, policy-as-code, CI/CD gates β€” mostly already exist in modern engineering organisations. What is usually missing is the deliberate mapping from framework control to pipeline mechanism, and the cultural agreement that compliance is a shared property of how software is built rather than a document produced under duress once a year. Get both right and audit evidence stops being something you chase and becomes something your pipelines quietly generate on every commit.

This is exactly the problem ISMShed is built to solve: it connects to your existing pipelines and control mechanisms and turns their output into continuous, framework-mapped audit evidence across ISO 27001, ENS, NIS2, DORA, SOC 2, and GDPR β€” with an AI Compliance Copilot to keep the control-to-code mapping current. If you want help designing that translation for your own stack, Axelia's GRC and DevSecOps consultants can help you map your frameworks to your pipelines and stand the model up. Compliance should be a by-product of good engineering β€” we can help you make it one.

Talk to an expert

Don't wait for the guide. Book a call with our AI-CISO team and get a tailored roadmap to ISO 27001, NIS2, ENS or DORA compliance.