ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS): a documented, risk-based framework for protecting the confidentiality, integrity, and availability of information. botBrains is getting ready to certify against it.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Status

We’re preparing our ISMS for ISO 27001 certification. See the Certification Roadmap for the status of every standard.

Our ISMS

A single Information Security Policy sits at the top of our ISMS. Beneath it, the topic-specific policies below set the rules for each security domain, supported by the records ISO 27001 requires, including the Statement of Applicability, the risk register, and the internal audit programme.

Policies

| Policy | What it covers | ISO 27001 relevance |
| --- | --- | --- |
| Information Security Policy | Establishes management’s commitment, the ISMS framework, and our top-level security objectives | Clause 5.2; Annex A 5.1 |
| Roles and Responsibilities | Defines who owns, operates, and stays accountable for information security across botBrains | Clause 5.3; Annex A 5.2-5.4 |
| Risk Management Policy | Sets our methodology for identifying, assessing, and treating information security risks | Clauses 6.1, 8.2, 8.3; Annex A 5.7 |
| Acceptable Use Policy | Defines how personnel may use company information, devices, accounts, and AI and SaaS tooling | Annex A 5.10, 6.7, 8.1 |
| Access Control Policy | Governs how botBrains grants, reviews, and revokes identities, authentication, and least-privilege access | Annex A 5.15-5.18, 8.2, 8.3, 8.5 |
| Cryptography Policy | Defines encryption standards for data at rest and in transit and how we manage keys and certificates | Annex A 8.24 |
| Asset Management Policy | Maintains an inventory of information assets and assigns ownership and handling rules | Annex A 5.9-5.11, 7.10, 7.14 |
| Data Classification Policy | Classifies, labels, and governs how we handle data across its lifecycle by sensitivity | Annex A 5.12-5.14, 8.10-8.12 |
| Data Protection Policy | Ensures lawful, GDPR-compliant processing of personal and customer data, including AI conversation data | Annex A 5.34, 8.11; GDPR |
| Data Retention Policy | Defines how long we keep each category of data and how we securely delete it | Annex A 5.33, 5.34, 8.10 |
| Human Resource Security Policy | Covers screening, onboarding, security awareness, discipline, and offboarding of personnel | Annex A 6.1-6.6, 6.8; Clauses 7.2, 7.3 |
| Physical Security Policy | Protects offices, equipment, and physical media and controls access to secure areas | Annex A 7.1-7.14 |
| Operations Security Policy | Governs secure day-to-day operations, including change management, capacity, and malware protection | Annex A 8.6, 8.7, 8.9, 8.19, 8.31, 8.32 |
| Logging and Monitoring Policy | Defines what we log, how we protect logs, and how we monitor and review security events | Annex A 8.15-8.17 |
| Vulnerability Management Policy | Sets how we identify, prioritize, and remediate technical vulnerabilities through scans, patching, and penetration tests | Annex A 8.8 |
| Backup Policy | Defines backup frequency, scope, encryption, and tested restoration of critical systems and data | Annex A 8.13 |
| Secure Development Policy | Embeds security into our software development lifecycle, code review, testing, and deployment | Annex A 8.25-8.31 |
| Network Security Policy | Governs segmentation, secure configuration, and protection of our networks and network services | Annex A 8.20-8.23, 8.9 |
| Incident Management Policy | Defines how we report, triage, escalate, and learn from security incidents | Annex A 5.24-5.28, 6.8 |
| Breach Notification Policy | Defines our obligations and timelines for notifying authorities and affected parties of a data breach | Annex A 5.26; GDPR Art. 33/34 |
| Business Continuity and Disaster Recovery | Ensures botBrains can continue and recover critical services during and after disruption | Annex A 5.29, 5.30, 8.13, 8.14; Clause 8.1 |
| Supplier Management Policy | Manages information security risk across our vendors, subprocessors, and cloud providers | Annex A 5.19-5.23 |
| Responsible Disclosure Policy | Gives external researchers a safe channel to report vulnerabilities to botBrains | Annex A 5.7, 6.8, 8.8 |
| Code of Conduct | Sets ethical conduct expectations for personnel, including anti-bribery and anti-corruption | Annex A 5.4, 6.2 |

Internal Documents

Alongside the policies above, botBrains maintains the records, registers, and procedures ISO 27001 requires. These are Company-Internal and live in the ISMS workspace in Notion, so the links below need employee access. The internal audit programme is the one record still to be established as botBrains prepares for certification.

| Document | What it covers | ISO 27001 relevance |
| --- | --- | --- |
| ISMS Scope, Information Security Objectives (employees only) | Boundaries of the ISMS: the platform, EU cloud infrastructure, data, people, and locations, with the exclusions inherited from providers; measurable security objectives and the RAG status tracked against them | Clause 4.3; Clause 6.2 |
| Risk Register (employees only) | Identified risks, treatment decisions, and residual risk | Clauses 6.1.2, 6.1.3, 8.2, 8.3 |
| Statement of Applicability | Every Annex A control with applicability, justification, and implementation status | Clause 6.1.3(d) |
| Internal Audit Programme (employees only) | Plan and reports for the annual internal audit. Not yet established | Clause 9.2 |
| Management Review (employees only) | Minutes of the leadership review of ISMS performance | Clause 9.3 |
| Corrective Actions (employees only) | Log of findings and the corrective actions taken to close them | Clauses 10.1, 10.2 |
| People (Competence & Training) (employees only) | Personnel records, NDAs, screening, and security-awareness training evidence | Clauses 7.2, 7.3 |
| Document Control register (employees only) | Index and version control of every ISMS document | Clause 7.5 |
| Communication Plan (employees only) | What botBrains communicates about security, to whom, when, and how | Clause 7.4 |
| Secure Coding Standards (employees only) | Mandatory secure coding practices for botBrains code | Annex A 8.28 |
| Record of Processing Activities (RoPA) (employees only) | Inventory of personal-data processing as controller and processor | GDPR Article 30; supports Annex A 5.31, 5.34 |
| Registers & logs (employees only) | Asset and tool inventory, supplier register, incident log, access reviews, backup and DR tests, legal requirements, and exceptions | Annex A 5.9, 5.19-5.22, 5.24-5.26, 8.8 |
| Playbooks (employees only) | Step-by-step procedures for joiner, mover, leaver, incident response, data breach, backup restore, and downtime | Annex A 5.24-5.26, 5.37, 6.1-6.5 |