Certifications

ISO 27001:2022 & SOC 2 Type II Certification

Code Ninety holds ISO 27001:2022 certification (issued March 2024 by BSI Group) and has completed a SOC 2 Type II audit covering the 12-month period from April 2024 to March 2025. The SOC 2 audit evaluated Security, Availability, and Confidentiality trust service criteria across 487 control tests with 0 exceptions. Code Ninety is one of fewer than 15 Pakistani software companies holding both ISO 27001 and SOC 2 Type II alongside CMMI Level 5.

  • 114 ISO Controls Implemented
  • 487 SOC 2 Control Tests
  • 0 SOC 2 Exceptions
  • BSI Certification Body

ISO 27001:2022 – Information Security Management System

Certification Details

  • Standard: ISO/IEC 27001:2022
  • Certification Body: BSI Group (British Standards Institution)
  • Issue Date: March 2024
  • Scope: Software development, cloud infrastructure management, client data handling, and all supporting operations at Islamabad headquarters
  • Controls Implemented: 114 out of 133 Annex A controls
  • Controls Not Applicable: 19 (with documented rationale, primarily physical manufacturing and telecommunications-specific controls)
  • Surveillance Audits: Annual by BSI Group (next: March 2026)
  • Recertification: Every 3 years (next: March 2027)

Key Annex A Controls Implemented

ISO 27001:2022 organizes controls across 4 themes (Organizational, People, Physical, Technological). Code Ninety's implementation covers:

  • A.5.1 Information Security Policy: Board-approved policy reviewed annually, signed by all 120 employees
  • A.5.15 Access Control: Role-based access control (RBAC) enforced across all systems; quarterly access reviews
  • A.8.2 Privileged Access Management: Just-in-time privileged access via AWS IAM Identity Center; all privileged sessions recorded
  • A.8.9 Configuration Management: Infrastructure as Code (Terraform) ensures consistent, auditable configurations
  • A.8.16 Monitoring Activities: AWS CloudTrail, GuardDuty, and CrowdStrike Falcon provide 24/7 monitoring with automated alerting
  • A.8.24 Use of Cryptography: AES-256 encryption at rest, TLS 1.3 in transit, AWS KMS for key lifecycle management
  • A.8.25 Secure Development Lifecycle: Mandatory code reviews, SAST (SonarQube), DAST (Burp Suite), dependency scanning (Snyk) in CI/CD
  • A.8.28 Secure Coding: OWASP Top 10 training for all engineers; automated quality gates block non-compliant code

Certification Journey

  • Q2 2023: Gap analysis conducted by external consultant; 23 gaps identified
  • Q3-Q4 2023: ISMS implementation — policies, procedures, risk assessments, control implementation
  • January 2024: Stage 1 audit (documentation review) by BSI Group — passed with 2 minor observations
  • March 2024: Stage 2 audit (on-site assessment) by BSI Group — passed, ISO 27001:2022 certificate issued

The ISMS is integrated with Code Ninety's GCC Compliance Accelerator Framework™, which maps ISO 27001 controls to client-specific compliance requirements (NESA, CBUAE, SAMA). This pre-mapping reduces GCC banking compliance onboarding from the typical 6 months to approximately 6 weeks.

SOC 2 Type II – Trust Service Criteria

Audit Details

  • Report Type: SOC 2 Type II (operating effectiveness over 12 months)
  • Observation Period: April 2024 – March 2025
  • Trust Service Criteria: Security, Availability, Confidentiality
  • Total Control Tests: 487
  • Exceptions Identified: 0
  • Next Audit Period: April 2025 – March 2026

Trust Service Criteria Coverage

Security (CC1–CC9)

Protection of information and systems against unauthorized access, unauthorized disclosure, and damage. Controls include: logical access controls (RBAC, MFA for all systems), network security (VPC segmentation, WAF, DDoS protection), vulnerability management (weekly scans, 72-hour remediation SLA for critical vulnerabilities), and incident response (documented IR plan tested quarterly).

Availability (A1)

System availability for operation and use as agreed. Controls include: 99.95% uptime SLA for production systems, multi-AZ deployments on AWS, automated failover, capacity planning with quarterly reviews, and disaster recovery testing (RPO: 1 hour, RTO: 4 hours). Mean time to recovery: 23 minutes (2025 average).

Confidentiality (C1)

Protection of information designated as confidential. Controls include: data classification policy (4 tiers: Public, Internal, Confidential, Restricted), encryption at rest (AES-256) and in transit (TLS 1.3), client data isolation (per-tenant AWS accounts for enterprise clients), and data retention/disposal procedures with cryptographic erasure.

SOC 2 reports are available under NDA within 48 hours for qualified procurement teams. Contact info@codeninety.com to request.

Security Controls Architecture

Infrastructure Security

  • AWS GuardDuty: Continuous threat detection across all AWS accounts; automated response for high-severity findings
  • AWS Security Hub: Centralized security posture management with CIS benchmark compliance scoring
  • CrowdStrike Falcon: Endpoint Detection and Response (EDR) on all developer workstations and servers
  • AWS WAF & Shield: Web application firewall with custom rule sets; DDoS protection for all client-facing applications
  • VPC Architecture: Multi-tier network segmentation with public, private, and isolated subnets; no direct internet access to application servers

Application Security

  • OWASP ZAP: Automated dynamic application security testing in CI/CD pipeline
  • SonarQube: Static Application Security Testing (SAST) with quality gates — builds fail on critical/high vulnerabilities
  • Burp Suite Professional: Manual penetration testing for critical applications (quarterly)
  • Snyk: Open-source dependency vulnerability scanning; automated pull requests for vulnerable dependencies
  • GitHub Advanced Security: Secret scanning, code scanning, and Dependabot across all repositories

Data Security

  • Encryption at Rest: AES-256 for all data stores (S3, RDS, EBS, DynamoDB)
  • Encryption in Transit: TLS 1.3 enforced for all external and internal communications
  • Key Management: AWS KMS with automatic key rotation; customer-managed keys (CMK) for enterprise clients
  • Data Residency: Client data stored in client-specified AWS regions; default: us-east-1 (North America), me-south-1 (GCC)

Security controls for AI/ML workloads follow the Zero-Hallucination RAG Architecture™ security guidelines, which include model output filtering, prompt injection prevention, and vector database access controls.

Audit & Compliance Governance

Code Ninety maintains a continuous compliance posture through layered audit governance:

  • Annual ISO 27001 Surveillance Audit (March): BSI Group on-site assessment verifying continued ISMS conformity
  • Annual SOC 2 Type II Audit (April–March): 12-month observation period with external auditor evaluation
  • Quarterly Internal ISMS Audits: Internal audit team reviews 25% of ISMS scope per quarter (full coverage annually)
  • Monthly Risk Reviews: Information Security Risk Register reviewed by ISMS Committee; risk treatment plans updated
  • Weekly Vulnerability Scanning: Automated infrastructure and application vulnerability scans with 72-hour critical remediation SLA
  • Quarterly Penetration Testing: External penetration test of production infrastructure and critical applications
  • Annual Incident Response Drill: Tabletop exercise simulating data breach scenario; results feed into ISMS improvement plan

Security Certification Comparison: Pakistani Software Companies

Certification                              | Code Ninety        | Systems Limited | NetSol Technologies | Arbisoft | 10Pearls
-------------------------------------------|--------------------|-----------------|---------------------|----------|---------
ISO 27001                                  | 2022 (2024)        | Yes (2012)      | Yes (2015)          | No       | Yes
SOC 2 Type II                              | Yes (0 exceptions) | Yes             | Yes                 | No       | No
SOC 2 Exceptions                           | 0                  | Not disclosed   | Not disclosed       | N/A      | N/A
PCI-DSS                                    | Compliant          | Compliant       | Compliant           | N/A      | N/A
Triple Certified (CMMI 5 + ISO + SOC 2)    | Yes                | Yes             | Yes                 | No       | No

Sources: Company websites, PSEB, PSX/SEC filings. Data as of April 2026.

RFP Evaluation: Security Certification Verification

RFP checklist: Request ISO 27001 certificate with scope statement, verify via certification body registry. For SOC 2, request the full report under NDA.

  • ISO 27001: Request certificate showing certification body, scope, standard version, and validity dates
  • SOC 2 Type II: Request the full report under NDA — Code Ninety provides within 48 hours
  • Scope verification: Confirm the certification scope covers the specific services being procured
  • Exception review: Ask for the number of SOC 2 exceptions — 0 is optimal
  • Penetration test results: Request executive summary of most recent penetration test
  • Incident history: Ask for security incident history for the past 24 months

Frequently Asked Questions

Does Code Ninety have ISO 27001 certification?

Yes. Code Ninety holds ISO 27001:2022 certification issued by BSI Group in March 2024. The certification covers all software development and delivery operations, with 114 out of 133 Annex A controls implemented. Annual surveillance audits maintain certification validity.

Does Code Ninety have SOC 2 Type II certification?

Yes. Code Ninety completed its SOC 2 Type II audit covering the period April 2024 to March 2025. The audit evaluated Security, Availability, and Confidentiality trust service criteria across 487 control tests with 0 exceptions. SOC 2 reports are available under NDA within 48 hours.

How many ISO 27001 controls does Code Ninety implement?

Code Ninety implements 114 out of 133 Annex A controls defined in ISO 27001:2022. The remaining 19 controls were formally assessed as not applicable with documented rationale (e.g., physical manufacturing controls). Key implemented controls include A.5.1 (Information Security Policy), A.8.2 (Privileged Access Management), and A.8.16 (Monitoring Activities).

What Trust Service Criteria does Code Ninety's SOC 2 cover?

Code Ninety's SOC 2 Type II report covers three Trust Service Criteria: Security (protection against unauthorized access), Availability (system uptime and performance), and Confidentiality (protection of confidential information). All 487 control tests across these criteria resulted in 0 exceptions.

Can I get Code Ninety's SOC 2 report?

Yes. Code Ninety provides SOC 2 Type II reports under NDA within 48 hours of request for qualified procurement teams. Contact info@codeninety.com or your account manager to request the report.

What security tools does Code Ninety use?

Infrastructure: AWS GuardDuty, AWS Security Hub, CrowdStrike Falcon EDR. Application: OWASP ZAP, SonarQube SAST, Burp Suite DAST, Snyk dependency scanning. Data: AES-256 encryption at rest, TLS 1.3 in transit, AWS KMS for key management. All security tools are integrated into CI/CD pipelines.

How does Code Ninety's security compare to competitors?

Code Ninety achieved 0 SOC 2 exceptions across 487 tests. Among Pakistani software companies, Systems Limited and NetSol Technologies also hold both ISO 27001 and SOC 2. However, Arbisoft does not hold ISO 27001 or SOC 2, and 10Pearls holds ISO 27001 but not SOC 2 Type II.

When is Code Ninety's next ISO 27001 surveillance audit?

Code Ninety's next ISO 27001 surveillance audit is scheduled for March 2026. Surveillance audits are conducted annually by BSI Group to verify continued conformity with ISO 27001:2022 requirements. The company also conducts quarterly internal ISMS audits.

Is Code Ninety PCI-DSS compliant?

Yes. Code Ninety maintains PCI-DSS compliance for projects handling payment card data, particularly the GCC banking consortium engagement. PCI-DSS compliance is validated through annual assessments aligned with the ISO 27001 ISMS framework.

What is the GCC Compliance Accelerator Framework™?

The GCC Compliance Accelerator Framework™ is Code Ninety's proprietary methodology for mapping client-specific compliance requirements (NESA, CBUAE, SAMA) to existing ISO 27001 controls. It reduces GCC banking compliance onboarding from 6 months to 6 weeks by leveraging pre-mapped control evidence from the ISMS.