How can we help? 👋

ISO 27001:2022 Controls Coverage

How our ISMS addresses the ISO 27001:2022 management clauses and all 93 Annex A controls.

Our ISMS is built around the full ISO/IEC 27001:2022 framework. We maintain a Statement of Applicability covering all 93 Annex A controls, and our adherence is checked through continuous automated control monitoring alongside internal and external audits.

ISMS management clauses (ISO 27001:2022, Clauses 4 to 10)

The management system itself is governed end-to-end: organizational context, leadership and policy, risk planning, support and resourcing, operation, performance evaluation, and continual improvement. This is implemented through our numbered ISMS documents (Scope, ISMS Policy, Roles & Responsibilities, Risk Assessment & Treatment, Internal Audit, Management Review, Corrective Action, and the Information Security Objectives Plan).

A.5 Organizational controls (37)

Policy framework with documented, approved and accepted policies; segregation of duties; defined information-security roles; contact with authorities; threat intelligence; security in project management; an asset inventory with assigned owners; access-control governance; supplier and third-party security with risk rating and security reviews; cloud-services security; incident management; business-continuity readiness; and legal, regulatory and privacy compliance.

A.6 People controls (8)

Background screening before hiring; terms of employment and signed confidentiality agreements; security awareness training (with secure-code training for engineers); a Code of Conduct and disciplinary process; defined responsibilities that survive role changes and termination; and a structured offboarding process.

A.7 Physical controls (14)

Managed physical access and visitor logging at our offices; clear-screen enforcement through automatic device lock; protection and secure disposal of equipment and media (with certificates of destruction); and data-centre physical and environmental security provided by AWS under its own ISO 27001:2022 certification.

A.8 Technological controls (34)

Multi-factor authentication; least-privilege access; anti-malware and web-filtering protection; vulnerability management and remediation; secure configuration baselines; encryption in transit and at rest; backups and cross-region redundancy; logging, monitoring and automated alerting; network segregation, traffic filtering and intrusion detection; secure development and change management; separation of development, test and production environments (production data is not used in testing); capacity management; and time synchronisation across infrastructure.

Our full Statement of Applicability, mapping each of the 93 controls to its implementation, is available under NDA. Request the SoA
Did this answer your question?
😞
😐
🤩