These policies make up the botBrains Information Security Management System (ISMS). Each one maps to one or more ISO/IEC 27001:2022 clauses or Annex A controls. See ISO 27001 for how the ISMS fits together.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
| Policy | What it covers | ISO 27001 relevance |
| --- | --- | --- |
| Information Security Policy | Establishes management’s commitment, the ISMS framework, and our top-level security objectives | Clause 5.2; Annex A 5.1 |
| Roles and Responsibilities | Defines who owns, operates, and stays accountable for information security across botBrains | Clause 5.3; Annex A 5.2-5.4 |
| Risk Management Policy | Sets our methodology for identifying, assessing, and treating information security risks | Clauses 6.1, 8.2, 8.3; Annex A 5.7 |
| Acceptable Use Policy | Defines how personnel may use company information, devices, accounts, and AI and SaaS tooling | Annex A 5.10, 6.7, 8.1 |
| Access Control Policy | Governs how botBrains grants, reviews, and revokes identities, authentication, and least-privilege access | Annex A 5.15-5.18, 8.2, 8.3, 8.5 |
| Cryptography Policy | Defines encryption standards for data at rest and in transit and how we manage keys and certificates | Annex A 8.24 |
| Asset Management Policy | Maintains an inventory of information assets and assigns ownership and handling rules | Annex A 5.9-5.11, 7.10, 7.14 |
| Data Classification Policy | Classifies, labels, and governs how we handle data across its lifecycle by sensitivity | Annex A 5.12-5.14, 8.10-8.12 |
| Data Protection Policy | Ensures lawful, GDPR-compliant processing of personal and customer data, including AI conversation data | Annex A 5.34, 8.11; GDPR |
| Data Retention Policy | Defines how long we keep each category of data and how we securely delete it | Annex A 5.33, 5.34, 8.10 |
| Human Resource Security Policy | Covers screening, onboarding, security awareness, discipline, and offboarding of personnel | Annex A 6.1-6.6, 6.8; Clause 7.2, 7.3 |
| Physical Security Policy | Protects offices, equipment, and physical media and controls access to secure areas | Annex A 7.1-7.14 |
| Operations Security Policy | Governs secure day-to-day operations, including change management, capacity, and malware protection | Annex A 8.6, 8.7, 8.9, 8.19, 8.31, 8.32 |
| Logging and Monitoring Policy | Defines what we log, how we protect logs, and how we monitor and review security events | Annex A 8.15-8.17 |
| Vulnerability Management Policy | Sets how we identify, prioritize, and remediate technical vulnerabilities through scans, patching, and penetration tests | Annex A 8.8 |
| Backup Policy | Defines backup frequency, scope, encryption, and tested restoration of critical systems and data | Annex A 8.13 |
| Secure Development Policy | Embeds security into our software development lifecycle, code review, testing, and deployment | Annex A 8.25-8.31 |
| Network Security Policy | Governs segmentation, secure configuration, and protection of our networks and network services | Annex A 8.20-8.23, 8.9 |
| Incident Management Policy | Defines how we report, triage, escalate, and learn from security incidents | Annex A 5.24-5.28, 6.8 |
| Breach Notification Policy | Defines our obligations and timelines for notifying authorities and affected parties of a data breach | Annex A 5.26; GDPR Art. 33/34 |
| Business Continuity and Disaster Recovery | Ensures botBrains can continue and recover critical services during and after disruption | Annex A 5.29, 5.30, 8.13, 8.14; Clause 8.1 |
| Supplier Management Policy | Manages information security risk across our vendors, subprocessors, and cloud providers | Annex A 5.19-5.23 |
| Responsible Disclosure Policy | Gives external researchers a safe channel to report vulnerabilities to botBrains | Annex A 5.7, 6.8, 8.8 |
| Code of Conduct | Sets ethical conduct expectations for personnel, including anti-bribery and anti-corruption | Annex A 5.4, 6.2 |