The Information Security Policy sits at the top of botBrains’ Information Security Management System (ISMS). It records management’s commitment to information security, sets our top-level security objectives, and defines the framework of topic-specific policies that govern every security domain. All other policies derive their authority from this one.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to all botBrains information assets, the systems that store, process, or transmit them, and everyone who handles them: both team members and any contractor or supplier acting on botBrains’ behalf. It covers our SaaS product, the cloud infrastructure that runs it, our corporate systems, and customer data we process. botBrains operates fully remote with no physical office, so our infrastructure providers handle physical and environmental security under their own certifications. See the Physical Security Policy.

Management commitment

botBrains’ management establishes, resources, and continually improves the ISMS. The CISO holds top-level accountability for information security and approves every policy in the framework. Management commits to:
  • Protect the confidentiality, integrity, and availability of company, customer, and personnel information.
  • Meet applicable legal, regulatory, and contractual obligations, including the GDPR in our role as a data processor. See GDPR compliance.
  • Provide the people, tooling, and time needed to operate and improve the ISMS.
  • Treat information security risk through a defined, repeatable method. See the Risk Management Policy.
  • Pursue and maintain ISO/IEC 27001:2022 certification.

Security objectives

Each objective is paired with how we measure it:
  • Protect the confidentiality of customer and conversation data. Measured by: access reviews, encryption coverage, and zero unauthorized-disclosure incidents.
  • Maintain availability of the platform. Measured by: uptime tracked on the status page, and tested backups and failover.
  • Preserve the integrity of company and customer data. Measured by: change controls, logging, and monitoring.
  • Comply with applicable laws and customer contracts. Measured by: closed regulatory and contractual findings.
  • Achieve and maintain ISO 27001 certification. Measured by: successful certification and surveillance audits.
The CISO reviews progress against these objectives at least annually and adjusts them as the business changes.

ISMS framework and policy hierarchy

Topic-specific policies implement this policy. Each is owned by the CISO, reviewed at least annually, and tracked in the Document Control register (Employees Only). The ISO 27001 overview lists the full set. Foundational policies include:

ISO 27001 also requires supporting records that sit alongside these policies: the Statement of Applicability, the risk register, the ISMS scope, the internal audit programme, the management review, and the communication plan (Employees Only) that sets how botBrains communicates about security (Clause 7.4). botBrains maintains these as it prepares for certification.

Reporting and non-retaliation

Personnel must report actual or suspected security events through the Incident Management Policy. botBrains takes no adverse action against anyone who reports a concern in good faith.

Exceptions and enforcement

Any exception requires written approval from the CISO, must record a justification and an expiry date, and is reviewed before any renewal. Violating this policy may lead to disciplinary action up to termination of contract, alongside any legal remedies.

ISO 27001 mapping

This policy supports Clause 5.2 (Policy) and Annex A 5.1 (Policies for information security), and provides the management direction underpinning Clauses 5.1, 5.3, 6, 7, 9, and 10.

Review

The CISO owns this policy and reviews it at least annually and after any material change to the business, its risks, or its obligations.