Our ISMS is built around the full ISO/IEC 27001:2022 framework. We maintain a Statement of Applicability covering all 93 Annex A controls, and our adherence is checked through continuous automated control monitoring alongside internal and external audits.
ISMS management clauses (ISO 27001:2022, Clauses 4 to 10)
The management system itself is governed end-to-end: organizational context, leadership and policy, risk planning, support and resourcing, operation, performance evaluation, and continual improvement. This is implemented through our numbered ISMS documents (Scope, ISMS Policy, Roles & Responsibilities, Risk Assessment & Treatment, Internal Audit, Management Review, Corrective Action, and the Information Security Objectives Plan).
A.5 Organizational controls (37)
Policy framework with documented, approved and accepted policies; segregation of duties; defined information-security roles; contact with authorities; threat intelligence; security in project management; an asset inventory with assigned owners; access-control governance; supplier and third-party security with risk rating and security reviews; cloud-services security; incident management; business-continuity readiness; and legal, regulatory and privacy compliance.
A.6 People controls (8)
Background screening before hiring; terms of employment and signed confidentiality agreements; security awareness training (with secure-code training for engineers); a Code of Conduct and disciplinary process; defined responsibilities that survive role changes and termination; and a structured offboarding process.
A.7 Physical controls (14)
Managed physical access and visitor logging at our offices; clear-screen enforcement through automatic device lock; protection and secure disposal of equipment and media (with certificates of destruction); and data-centre physical and environmental security provided by AWS under its own ISO 27001:2022 certification.
A.8 Technological controls (34)
Multi-factor authentication; least-privilege access; anti-malware and web-filtering protection; vulnerability management and remediation; secure configuration baselines; encryption in transit and at rest; backups and cross-region redundancy; logging, monitoring and automated alerting; network segregation, traffic filtering and intrusion detection; secure development and change management; separation of development, test and production environments (production data is not used in testing); capacity management; and time synchronisation across infrastructure.
Our full Statement of Applicability, mapping each of the 93 controls to its implementation, is available under NDA. Request the SoA