From Maturity to Compliance: Using ISO/IEC 27034 to Close CRA Gaps in OWASP SAMM

Nariman Aga-Tagiyev
SecureHabits, Application Security Architect
Abstract
OWASP SAMM is widely used to assess and improve application security maturity, but the EU Cyber Resilience Act (CRA) introduces new expectations around governance, accountability, and evidence that go beyond maturity assessment alone. This talk shows how ISO/IEC 27034 can be used as a complementary governance framework to close CRA-related gaps in SAMM without replacing it. Through practical mappings and real-world examples, attendees will learn how to combine SAMM and ISO 27034 to support secure-by-design, vulnerability handling, and audit-ready application security processes under the CRA.
Speaker bio
Nariman Aga-Tagiyev is an Application Security Architect with 20+ years of experience in software development. Since 2016, he has focused on advancing SSDLC maturity and building Application Security programs for international organizations. He is a core team member of OWASP SAMM, a liaison to the ISO/IEC 27034 working group representing OWASP, and the founder of SecureHabits, helping industrial manufacturers prepare for the EU Cyber Resilience Act (CRA).