# ISO 27001

> botBrains' path to ISO/IEC 27001:2022 certification

ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS): a documented, risk-based framework for protecting the confidentiality, integrity, and availability of information. botBrains is getting ready to certify against it.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

## Status

We're preparing our ISMS for ISO 27001 certification. See the [Certification Roadmap](/trust/roadmap) for the status of every standard.

## Our ISMS

A single [Information Security Policy](/trust/policies/information-security-policy) sits at the top of our ISMS. Beneath it, the topic-specific policies below set the rules for each security domain, supported by the records ISO 27001 requires, including the [Statement of Applicability](/trust/statement-of-applicability), the risk register, and the internal audit programme.

## Policies

| Policy                                                                                                 | What it covers                                                                                                           | ISO 27001 relevance                        |
| ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------ |
| [Information Security Policy](/trust/policies/information-security-policy)                             | Establishes management's commitment, the ISMS framework, and our top-level security objectives                           | Clause 5.2; Annex A 5.1                    |
| [Roles and Responsibilities](/trust/policies/roles-and-responsibilities)                               | Defines who owns, operates, and stays accountable for information security across botBrains                              | Clause 5.3; Annex A 5.2-5.4                |
| [Risk Management Policy](/trust/policies/risk-management-policy)                                       | Sets our methodology for identifying, assessing, and treating information security risks                                 | Clauses 6.1, 8.2, 8.3; Annex A 5.7         |
| [Acceptable Use Policy](/trust/policies/acceptable-use-policy)                                         | Defines how personnel may use company information, devices, accounts, and AI and SaaS tooling                            | Annex A 5.10, 6.7, 8.1                     |
| [Access Control Policy](/trust/policies/access-control-policy)                                         | Governs how botBrains grants, reviews, and revokes identities, authentication, and least-privilege access                | Annex A 5.15-5.18, 8.2, 8.3, 8.5           |
| [Cryptography Policy](/trust/policies/cryptography-policy)                                             | Defines encryption standards for data at rest and in transit and how we manage keys and certificates                     | Annex A 8.24                               |
| [Asset Management Policy](/trust/policies/asset-management-policy)                                     | Maintains an inventory of information assets and assigns ownership and handling rules                                    | Annex A 5.9-5.11, 7.10, 7.14               |
| [Data Classification Policy](/trust/policies/data-classification-policy)                               | Classifies, labels, and governs how we handle data across its lifecycle by sensitivity                                   | Annex A 5.12-5.14, 8.10-8.12               |
| [Data Protection Policy](/trust/policies/data-protection-policy)                                       | Ensures lawful, GDPR-compliant processing of personal and customer data, including AI conversation data                  | Annex A 5.34, 8.11; GDPR                   |
| [Data Retention Policy](/trust/policies/data-retention-policy)                                         | Defines how long we keep each category of data and how we securely delete it                                             | Annex A 5.33, 5.34, 8.10                   |
| [Human Resource Security Policy](/trust/policies/human-resource-security-policy)                       | Covers screening, onboarding, security awareness, discipline, and offboarding of personnel                               | Annex A 6.1-6.6, 6.8; Clauses 7.2, 7.3     |
| [Physical Security Policy](/trust/policies/physical-security-policy)                                   | Protects offices, equipment, and physical media and controls access to secure areas                                      | Annex A 7.1-7.14                           |
| [Operations Security Policy](/trust/policies/operations-security-policy)                               | Governs secure day-to-day operations, including change management, capacity, and malware protection                      | Annex A 8.6, 8.7, 8.9, 8.19, 8.31, 8.32    |
| [Logging and Monitoring Policy](/trust/policies/logging-and-monitoring-policy)                         | Defines what we log, how we protect logs, and how we monitor and review security events                                  | Annex A 8.15-8.17                          |
| [Vulnerability Management Policy](/trust/policies/vulnerability-management-policy)                     | Sets how we identify, prioritize, and remediate technical vulnerabilities through scans, patching, and penetration tests | Annex A 8.8                                |
| [Backup Policy](/trust/policies/backup-policy)                                                         | Defines backup frequency, scope, encryption, and tested restoration of critical systems and data                         | Annex A 8.13                               |
| [Secure Development Policy](/trust/policies/secure-development-policy)                                 | Embeds security into our software development lifecycle, code review, testing, and deployment                            | Annex A 8.25-8.31                          |
| [Network Security Policy](/trust/policies/network-security-policy)                                     | Governs segmentation, secure configuration, and protection of our networks and network services                          | Annex A 8.9, 8.20-8.23                     |
| [Incident Management Policy](/trust/policies/incident-management-policy)                               | Defines how we report, triage, escalate, and learn from security incidents                                               | Annex A 5.24-5.28, 6.8                     |
| [Breach Notification Policy](/trust/policies/breach-notification-policy)                               | Defines our obligations and timelines for notifying authorities and affected parties of a data breach                    | Annex A 5.26; GDPR Art. 33/34              |
| [Business Continuity and Disaster Recovery](/trust/policies/business-continuity-and-disaster-recovery) | Ensures botBrains can continue and recover critical services during and after disruption                                 | Annex A 5.29, 5.30, 8.13, 8.14; Clause 8.1 |
| [Supplier Management Policy](/trust/policies/supplier-management-policy)                               | Manages information security risk across our vendors, subprocessors, and cloud providers                                 | Annex A 5.19-5.23                          |
| [Responsible Disclosure Policy](/trust/policies/responsible-disclosure-policy)                         | Gives external researchers a safe channel to report vulnerabilities to botBrains                                         | Annex A 5.7, 6.8, 8.8                      |
| [Code of Conduct](/trust/policies/code-of-conduct)                                                     | Sets ethical conduct expectations for personnel, including anti-bribery and anti-corruption                              | Annex A 5.4, 6.2                           |

## Internal Documents

Alongside the policies above, botBrains maintains the records, registers, and procedures ISO 27001 requires. These are classified Company-Internal and live in the ISMS workspace in Notion, so the links below require employee access. The internal audit programme is the one record still to be established as botBrains prepares for certification.

| Document                                                                                                                  | What it covers                                                                                                                                                                                                   | ISO 27001 relevance                          |
| ------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
| [ISMS Scope and Information Security Objectives](https://app.notion.com/p/392481da93cf81a49019c52ee7e0bd83) (employees only) | Boundaries of the ISMS (the platform, EU cloud infrastructure, data, people, and locations, with the exclusions inherited from providers) and the measurable security objectives with the RAG status tracked against them | Clauses 4.3, 6.2                             |
| [Risk Register](https://app.notion.com/p/2aa14ffc370344b3aae0183804a69841) (employees only)                               | Identified risks, treatment decisions, and residual risk                                                                                                                                                         | Clauses 6.1.2, 6.1.3, 8.2, 8.3               |
| [Statement of Applicability](/trust/statement-of-applicability)                                                           | Every Annex A control with applicability, justification, and implementation status                                                                                                                               | Clause 6.1.3(d)                              |
| [Internal Audit Programme](https://www.notion.so/p/392481da93cf807d9b56cb153acefa4d) (employees only)                     | Plan and reports for the annual internal audit; not yet established                                                                                                                                              | Clause 9.2                                   |
| [Management Review](https://app.notion.com/p/390481da93cf810db062eca3c8090692) (employees only)                           | Minutes of the leadership review of ISMS performance                                                                                                                                                             | Clause 9.3                                   |
| [Corrective Actions](https://app.notion.com/p/390481da93cf81ef96a0d8e45f4246b3) (employees only)                          | Log of findings and the corrective actions taken to close them                                                                                                                                                   | Clauses 10.1, 10.2                           |
| [People (Competence & Training)](https://app.notion.com/p/390481da93cf81f69084c98eeb8a6e02) (employees only)              | Personnel records, NDAs, screening, and security-awareness training evidence                                                                                                                                     | Clauses 7.2, 7.3                             |
| [Document Control register](https://app.notion.com/p/390481da93cf81e482dec81a54c80cc4) (employees only)                   | Index and version control of every ISMS document                                                                                                                                                                 | Clause 7.5                                   |
| [Communication Plan](https://app.notion.com/p/392481da93cf8135be15f4cdeb3eb495) (employees only)                          | What botBrains communicates about security, to whom, when, and how                                                                                                                                               | Clause 7.4                                   |
| [Secure Coding Standards](https://app.notion.com/p/391481da93cf81c4a39cf1ea90ed0079) (employees only)                     | Mandatory secure coding practices for botBrains code                                                                                                                                                             | Annex A 8.28                                 |
| [Record of Processing Activities (RoPA)](https://app.notion.com/p/5aa35ab2d8424dec8ddcbac6adc66989) (employees only)      | Inventory of personal-data processing as controller and processor                                                                                                                                                | GDPR Article 30; supports Annex A 5.31, 5.34 |
| [Registers & logs](https://app.notion.com/p/390481da93cf815ebef3c8616b141daf) (employees only)                            | Asset and tool inventory, supplier register, incident log, access reviews, backup and DR tests, legal requirements, and exceptions                                                                               | Annex A 5.9, 5.19-5.22, 5.24-5.26, 8.8       |
| [Playbooks](https://app.notion.com/p/390481da93cf81709702dd2afa9b0684) (employees only)                                   | Step-by-step procedures for joiner, mover, leaver, incident response, data breach, backup restore, and downtime                                                                                                  | Annex A 5.24-5.26, 5.37, 6.1-6.5             |
