Aren't those about organizational processes instead of just specific software features? For example, I don't think self-hosting gitlab is enough to claim ISO/IEC 27001, just based on this snippet from wikipedia:
> ISO/IEC 27001 requires that management:
> Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
> Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
> Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.