Which compliance standards actually matter for web application security in South Africa?
By Matt Owen, Auto Alpha Security

If you run a web application that touches personal data in South Africa, the compliance standard that actually has legal teeth is POPIA §19. Everything else — MITRE ATT&CK, NIST CSF, OWASP, ISO 27001 — is either a supporting framework or a heavier certification you may not need. So start with the law, then work out how much of the rest applies to you.
POPIA §19 is the one with legal weight
The Protection of Personal Information Act has been fully in force since 1 July 2021. Section 19 is the part that governs security. It requires you, as the “responsible party,” to secure the integrity and confidentiality of personal information through “appropriate, reasonable technical and organisational measures” — the exact phrase matters, because it’s the standard you’ll be judged against.
Read plainly, §19 asks you to do four things: identify the reasonably foreseeable risks to the personal data you hold, put safeguards in place against them, regularly check those safeguards are working, and keep them updated as threats change. Notice what it does not do — it doesn’t hand you a checklist. “Appropriate and reasonable” is deliberately context-dependent. What’s reasonable for a two-person business is different from what’s reasonable for a medical aid administrator. That flexibility is a gift and a trap: it means you can right-size your effort, but it also means “we thought it was fine” is not a defence if you never actually checked.
POPIA §19 — the cycle
- Identify: the reasonably foreseeable risks to the personal data you hold
- Safeguard: put appropriate, reasonable measures in place against them
- Verify: regularly check the safeguards are actually working
- Update: adjust as your app changes and new risks emerge
And there’s a back-end to this. Section 22 requires that if you suffer a security compromise, you notify both the Information Regulator and the affected data subjects “as soon as reasonably possible.” The Regulator also provides a channel for that reporting. A breach you have to disclose is a much worse day than a scan you commissioned quietly beforehand.
What “reasonable technical measures” means for a web app
For a live web application, the foreseeable risks in §19 aren’t abstract. They’re the things that let an attacker read data they shouldn’t — SQL injection, broken access controls, exposed admin panels, cross-site scripting, misconfigured servers. “Regularly verify that the safeguards are effectively implemented” is close to a direct instruction to test the thing, not just assume it’s secure because it was built by competent people.
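The SQL injection case above, worked through as an added illustration (this is not code from the article or from Auto Alpha Security): the vulnerable lookup beside its parameterised form, plus a small verification routine of the kind the "Verify" step of §19 calls for. The table, rows, probe string and function names are all constructed for this example.

```python
import datetime
import sqlite3

# Constructed sample data: a tiny customers table standing in for personal information.
SAMPLE_ROWS = [
    (1, "thandi@example.test", "Thandi"),
    (2, "pieter@example.test", "Pieter"),
]

# Constructed probe: a classic tautology payload used only to verify the control.
INJECTION_PROBE = "nobody@example.test' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: user input is spliced straight into the SQL text."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: a bound parameter; the driver never interprets the input as SQL."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def verify_lookup(lookup):
    """Return True when the lookup resists the probe.

    A non-existent address must yield no rows; anything else (extra rows or a
    query error caused by the input) means the safeguard is not working.
    """
    conn = make_db()
    try:
        rows = lookup(conn, INJECTION_PROBE)
    except sqlite3.Error:
        return False
    finally:
        conn.close()
    return rows == []


def evidence_record(checks):
    """Produce a dated pass/fail record of the safeguards that were verified.

    `checks` maps a control name to a zero-argument callable returning True/False.
    Keeping such records is the "we actually checked" part of the §19 cycle.
    """
    return {
        "date": datetime.date.today().isoformat(),
        "checks": {name: ("pass" if fn() else "fail") for name, fn in checks.items()},
    }


if __name__ == "__main__":
    record = evidence_record({
        "customer_lookup_unsafe": lambda: verify_lookup(lookup_unsafe),
        "customer_lookup_safe": lambda: verify_lookup(lookup_safe),
    })
    print(record)
```

Running the block shows the unsafe lookup failing (the probe returns every customer row) and the parameterised one passing; the same `verify_lookup` routine can be pointed at any data-access function that takes a connection and a user-supplied value.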
This is where confirmed web-application scanning earns its place. We built Deep Scan to do exactly this job: active, black-box testing of your live application, with every finding reproduced by a re-runnable proof-of-concept. We only report the vulnerabilities we can prove — false positives are stripped before anything reaches you, so you get 0 false positives on confirmed findings and a defensible record that you looked. It’s operator-run, not an unattended bot, and we never scan without your written authorisation and proof of domain ownership.
The frameworks we map findings to
A finding is more useful when it’s tied to the wider body of security knowledge, so every confirmed vulnerability we report is mapped to four frameworks.
Every finding, cross-referenced
Mapping to these isn’t decoration. When your bank, your insurer, or a client’s procurement team asks what you did about web security, “we ran a confirmed scan and here are the findings, mapped to OWASP and NIST, with proof and a remediation record” is a concrete answer to the §19 question.
Where PCI DSS and ISO 27001 come in — and where we stop
Two standards get raised a lot, and we’ll be honest about both, because they are not what a scan gives you.
PCI DSS is the Payment Card Industry Data Security Standard. If you store or process card data, it applies, and Requirement 11 mandates formal penetration testing at least annually and after significant changes. ISO/IEC 27001 is the international certification for an information security management system — a risk-based, audited process signed off by an accredited body. Both are separate, heavier regimes with their own certification cycles. We do not provide them, and anyone telling you a single scan delivers PCI or ISO certification is selling you something that doesn’t exist. When you need those, we’ll refer you to people who do that work properly.
For most SA small and medium businesses, the practical position is this: you need to evidence POPIA §19, not certify to PCI or ISO. A confirmed Deep Scan does that at a fraction of a manual pen-test (R8,000–R20,000 once-off, against around R35,000 and up for a full test), in days rather than weeks.
If you’re being asked for security evidence by a bank, client or insurer, send us your domain and we’ll confirm what a scan would and wouldn’t cover for your case before you commit to anything.