Policies
Overview
Index of botBrains security policies and their ISO 27001 relevance
These policies make up the botBrains Information Security Management System (ISMS). Each one maps to one or more ISO/IEC 27001:2022 clauses or Annex A controls. See ISO 27001 for how the ISMS fits together.

| Policy | What it covers | ISO 27001 relevance |
|---|---|---|
| Information Security Policy | Establishes management’s commitment, the ISMS framework, and our top-level security objectives | Clause 5.2; Annex A 5.1 |
| Roles and Responsibilities | Defines who owns, operates, and stays accountable for information security across botBrains | Clause 5.3; Annex A 5.2-5.4 |
| Risk Management Policy | Sets our methodology for identifying, assessing, and treating information security risks | Clauses 6.1, 8.2, 8.3; Annex A 5.7 |
| Acceptable Use Policy | Defines how personnel may use company information, devices, accounts, and AI and SaaS tooling | Annex A 5.10, 6.7, 8.1 |
| Access Control Policy | Governs how botBrains grants, reviews, and revokes identities, authentication, and least-privilege access | Annex A 5.15-5.18, 8.2, 8.3, 8.5 |
| Cryptography Policy | Defines encryption standards for data at rest and in transit and how we manage keys and certificates | Annex A 8.24 |
| Asset Management Policy | Maintains an inventory of information assets and assigns ownership and handling rules | Annex A 5.9-5.11, 7.10, 7.14 |
| Data Classification Policy | Classifies, labels, and governs how we handle data across its lifecycle by sensitivity | Annex A 5.12-5.14, 8.10-8.12 |
| Data Protection Policy | Ensures lawful, GDPR-compliant processing of personal and customer data, including AI conversation data | Annex A 5.34, 8.11; GDPR |
| Data Retention Policy | Defines how long we keep each category of data and how we securely delete it | Annex A 5.33, 5.34, 8.10 |
| Human Resource Security Policy | Covers screening, onboarding, security awareness, discipline, and offboarding of personnel | Annex A 6.1-6.6, 6.8; Clause 7.2, 7.3 |
| Physical Security Policy | Protects offices, equipment, and physical media and controls access to secure areas | Annex A 7.1-7.14 |
| Operations Security Policy | Governs secure day-to-day operations, including change management, capacity, and malware protection | Annex A 8.6, 8.7, 8.9, 8.19, 8.31, 8.32 |
| Logging and Monitoring Policy | Defines what we log, how we protect logs, and how we monitor and review security events | Annex A 8.15-8.17 |
| Vulnerability Management Policy | Sets how we identify, prioritize, and remediate technical vulnerabilities through scans, patching, and penetration tests | Annex A 8.8 |
| Backup Policy | Defines backup frequency, scope, encryption, and tested restoration of critical systems and data | Annex A 8.13 |
| Secure Development Policy | Embeds security into our software development lifecycle, code review, testing, and deployment | Annex A 8.25-8.31 |
| Network Security Policy | Governs segmentation, secure configuration, and protection of our networks and network services | Annex A 8.20-8.23, 8.9 |
| Incident Management Policy | Defines how we report, triage, escalate, and learn from security incidents | Annex A 5.24-5.28, 6.8 |
| Breach Notification Policy | Defines our obligations and timelines for notifying authorities and affected parties of a data breach | Annex A 5.26; GDPR Art. 33/34 |
| Business Continuity and Disaster Recovery | Ensures botBrains can continue and recover critical services during and after disruption | Annex A 5.29, 5.30, 8.13, 8.14; Clause 8.1 |
| Supplier Management Policy | Manages information security risk across our vendors, subprocessors, and cloud providers | Annex A 5.19-5.23 |
| Responsible Disclosure Policy | Gives external researchers a safe channel to report vulnerabilities to botBrains | Annex A 5.7, 6.8, 8.8 |
| Code of Conduct | Sets ethical conduct expectations for personnel, including anti-bribery and anti-corruption | Annex A 5.4, 6.2 |