Glossary

Code Review

Updated on 1 min Reviewed by: Cenedril Editorial

Code review is the systematic examination of source code by one or more people before the code is merged into the main branch. The goal is to detect bugs, security vulnerabilities, maintainability issues, and architectural violations early.

ISO 27001 Annex A control A.8.25 (Secure Development) requires secure development practices — code review is among the most effective. The review typically covers functional correctness, input validation, authentication and authorization logic, error handling, logging, and adherence to coding standards. In practice, code review happens through pull/merge requests on platforms like GitHub, GitLab, or Bitbucket. SAST tools (Static Application Security Testing) can complement manual review by automatically checking for common security patterns.
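As an added example (not code from this glossary or from Cenedril): a small Python reviewer aid that scans only the lines a pull request adds and flags the patterns a security reviewer would want to look at first, in the spirit of the SAST complement described above. The diff text and the pattern list are constructed for illustration and are not a full ruleset.

```python
import re
from dataclasses import dataclass

# Illustrative patterns a reviewer would want surfaced automatically.
# Assumption: Python code under review; the rules are examples, not a complete SAST ruleset.
SECURITY_PATTERNS = {
    "sql-string-concat": re.compile(r'(execute|query)\s*\(\s*(f["\']|["\'].*["\']\s*[+%])'),
    "hardcoded-secret": re.compile(r'(?i)(password|secret|api[_-]?key|token)\s*=\s*["\'][^"\']+["\']'),
    "tls-verify-disabled": re.compile(r'verify\s*=\s*False'),
    "catch-all-except": re.compile(r'except\s*(Exception)?\s*:'),
}

@dataclass
class Finding:
    path: str    # file the added line belongs to
    line: int    # line number in the new version of the file
    rule: str    # which pattern fired
    text: str    # the offending added line, stripped

def review_diff(diff_text):
    """Walk a unified diff; check each added ('+') line against SECURITY_PATTERNS."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            # Hunk header: the number after '+' is the first new-file line of the hunk.
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            content = raw[1:]
            for rule, pattern in SECURITY_PATTERNS.items():
                if pattern.search(content):
                    findings.append(Finding(path, new_line, rule, content.strip()))
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1   # context line; removed ('-') lines do not advance new-file numbering
    return findings

# Constructed sample pull-request diff (not from any real project).
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,6 +10,8 @@ def get_user(conn, username):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
+    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
+    API_KEY = "constructed-placeholder-key"
     return cur.fetchone()
"""

if __name__ == "__main__":
    for f in review_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
```

Findings like these are a prompt for the human reviewer to inspect the hunk, not a verdict; a clean run does not mean the change is safe.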