How to read this
- Applicable. Whether the control is in scope. The only exclusion is outsourced development, which botBrains doesn’t do.
- Implemented. Yes (operating), Inherited (operated by a certified provider), Partial; … (in place, with the action that finishes it), or No; … (applicable, with the action that starts it).
- Policy. The governing policy, with the specifics that add detail.
A.5 Organizational controls
| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 5.1 | Policies for information security | Yes | Yes | Information Security |
| 5.2 | Information security roles and responsibilities | Yes | Yes | Roles & Responsibilities (CISO named; co-founder alternate) |
| 5.3 | Segregation of duties | Yes | Partial; re-affirm the compensating controls at each risk review | Roles & Responsibilities (documented compensating controls, accepted risk) |
| 5.4 | Management responsibilities | Yes | Yes | Information Security; Code of Conduct |
| 5.5 | Contact with authorities | Yes | Yes | Incident Management (see internal communication plan) |
| 5.6 | Contact with special interest groups | Yes | No; join a security interest group and subscribe key roles to advisories | Vulnerability Management |
| 5.7 | Threat intelligence | Yes | Partial; consolidate threat-intel sources into a monitored feed | Vulnerability Management; Responsible Disclosure (Dependabot advisories, disclosure inputs) |
| 5.8 | Information security in project management | Yes | Yes | Secure Development (see design stage) |
| 5.9 | Inventory of information and associated assets | Yes | Yes | Asset Management |
| 5.10 | Acceptable use of information and assets | Yes | Yes | Acceptable Use |
| 5.11 | Return of assets | Yes | Yes | Asset Management; HR Security (leaver process, laptop return) |
| 5.12 | Classification of information | Yes | Yes | Data Classification (four-level scheme) |
| 5.13 | Labelling of information | Yes | Yes | Data Classification (context-based labelling) |
| 5.14 | Information transfer | Yes | Yes | Data Classification; Cryptography (transfer rules by level; TLS 1.3, min 1.2) |
| 5.15 | Access control | Yes | Yes | Access Control (least privilege, RBAC) |
| 5.16 | Identity management | Yes | Yes | Access Control (unique named accounts) |
| 5.17 | Authentication information | Yes | Yes | Access Control (MFA, password manager, Clerk) |
| 5.18 | Access rights | Yes | Yes | Access Control (joiner-mover-leaver, access reviews) |
| 5.19 | Information security in supplier relationships | Yes | Yes | Supplier Management (supplier due diligence) |
| 5.20 | Addressing security within supplier agreements | Yes | Yes | Supplier Management (Art. 28 DPAs on file) |
| 5.21 | Managing security in the ICT supply chain | Yes | Yes | Supplier Management (model-subprocessor rules) |
| 5.22 | Monitoring, review and change of supplier services | Yes | Yes | Supplier Management (annual supplier review defined) |
| 5.23 | Information security for use of cloud services | Yes | Yes | Supplier Management (EU cloud, DPAs, residency rules) |
| 5.24 | Incident management planning and preparation | Yes | Yes | Incident Management (incident lifecycle defined) |
| 5.25 | Assessment and decision on security events | Yes | Yes | Incident Management (triage and severity) |
| 5.26 | Response to information security incidents | Yes | Yes | Incident Management; Breach Notification |
| 5.27 | Learning from information security incidents | Yes | Yes | Incident Management (root-cause analysis) |
| 5.28 | Collection of evidence | Yes | Yes | Incident Management (evidence preservation) |
| 5.29 | Information security during disruption | Yes | Yes | Business Continuity & DR |
| 5.30 | ICT readiness for business continuity | Yes | Yes | Business Continuity & DR; Backup (RTO/RPO, backups, failover) |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Yes | Data Protection (GDPR met; Article 30 Record of Processing Activities) |
| 5.32 | Intellectual property rights | Yes | Yes | Code of Conduct; Acceptable Use |
| 5.33 | Protection of records | Yes | Yes | Data Retention (retention and protection of records) |
| 5.34 | Privacy and protection of PII | Yes | Yes | Data Protection (GDPR processor controls; Article 30 Record of Processing Activities) |
| 5.35 | Independent review of information security | Yes | No; run the first annual internal audit | Information Security |
| 5.36 | Compliance with policies, rules and standards | Yes | Partial; complete the internal audit and evidence policy compliance | Information Security (enforcement clauses) |
| 5.37 | Documented operating procedures | Yes | Yes | Operations Security |
A.6 People controls
| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 6.1 | Screening | Yes | Partial; record founder background-check evidence | HR Security (proportional checks defined) |
| 6.2 | Terms and conditions of employment | Yes | Yes | HR Security (contracts with confidentiality terms) |
| 6.3 | Information security awareness, education and training | Yes | Partial; populate the annual security-awareness training log | HR Security |
| 6.4 | Disciplinary process | Yes | Yes | HR Security |
| 6.5 | Responsibilities after termination or change | Yes | Yes | HR Security (offboarding, continuing confidentiality) |
| 6.6 | Confidentiality or non-disclosure agreements | Yes | Partial; sign and file founder NDAs | HR Security (required before access) |
| 6.7 | Remote working | Yes | Yes | Acceptable Use; Physical Security (fully remote; home-office controls) |
| 6.8 | Information security event reporting | Yes | Yes | Incident Management; Responsible Disclosure |
A.7 Physical controls
| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 7.1 | Physical security perimeters | Yes | Inherited | Physical Security (certified data centers) |
| 7.2 | Physical entry | Yes | Inherited | Physical Security (provider access control) |
| 7.3 | Securing offices, rooms and facilities | Yes | Inherited | Physical Security (no own offices; home-office) |
| 7.4 | Physical security monitoring | Yes | Inherited | Physical Security (provider surveillance) |
| 7.5 | Protecting against physical and environmental threats | Yes | Inherited | Physical Security (provider fire, power, and climate controls) |
| 7.6 | Working in secure areas | Yes | Inherited | Physical Security (data center secure areas) |
| 7.7 | Clear desk and clear screen | Yes | Yes | Physical Security; Acceptable Use (idle lock, clean-screen practice) |
| 7.8 | Equipment siting and protection | Yes | Yes | Physical Security (devices in trusted locations; servers inherited) |
| 7.9 | Security of assets off-premises | Yes | Yes | Physical Security; Asset Management (full-disk-encrypted laptops, device care) |
| 7.10 | Storage media | Yes | Yes | Asset Management; Data Classification (no removable media for production data) |
| 7.11 | Supporting utilities | Yes | Inherited | Physical Security (data center power and cooling) |
| 7.12 | Cabling security | Yes | Inherited | Physical Security (data center cabling) |
| 7.13 | Equipment maintenance | Yes | Inherited | Physical Security (cloud provider maintenance) |
| 7.14 | Secure disposal or re-use of equipment | Yes | Yes | Asset Management (laptop wipe with full-disk encryption; providers destroy server media) |
A.8 Technological controls
| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 8.1 | User endpoint devices | Yes | Partial; evaluate and roll out MDM for endpoints | Acceptable Use (full-disk encryption, MFA, updates) |
| 8.2 | Privileged access rights | Yes | Yes | Access Control (minimal admin access with MFA) |
| 8.3 | Information access restriction | Yes | Yes | Access Control (multi-tenant logical isolation) |
| 8.4 | Access to source code | Yes | Yes | Secure Development (private GitHub, role-based, MFA) |
| 8.5 | Secure authentication | Yes | Yes | Access Control (MFA everywhere; Clerk for the product) |
| 8.6 | Capacity management | Yes | Partial; write the capacity and scaling playbook | Operations Security (CloudWatch and Better Stack monitoring) |
| 8.7 | Protection against malware | Yes | Yes | Operations Security (ClamAV on uploads, hardened servers) |
| 8.8 | Management of technical vulnerabilities | Yes | Partial; commission the external penetration test | Vulnerability Management (Dependabot, Wazuh) |
| 8.9 | Configuration management | Yes | Yes | Operations Security; Network Security (hardened, version-controlled infrastructure as code) |
| 8.10 | Information deletion | Yes | Yes | Data Retention (retention and secure deletion) |
| 8.11 | Data masking | Yes | Partial; assess the need for a data-masking tool | Data Classification; Data Protection (tenant isolation, pseudonymization) |
| 8.12 | Data leakage prevention | Yes | Partial; assess a dedicated data-loss-prevention control | Data Classification; Acceptable Use (access controls and acceptable use) |
| 8.13 | Information backup | Yes | Yes | Backup (Point-in-Time Recovery with Write-Ahead Log, tested restore) |
| 8.14 | Redundancy of information processing facilities | Yes | Yes | Business Continuity & DR (hot standby, reproducible-from-code recovery, multi-provider model inference) |
| 8.15 | Logging | Yes | Yes | Logging & Monitoring (centralized logs, Wazuh, Better Stack) |
| 8.16 | Monitoring activities | Yes | Yes | Logging & Monitoring (Wazuh SIEM, Sentry alerting) |
| 8.17 | Clock synchronization | Yes | Yes | Logging & Monitoring; Operations Security (synchronized to network time) |
| 8.18 | Use of privileged utility programs | Yes | Partial; document the restricted admin-tooling inventory | Access Control; Operations Security (restricted admin tooling) |
| 8.19 | Installation of software on operational systems | Yes | Yes | Operations Security (change management, hardened images) |
| 8.20 | Networks security | Yes | Yes | Network Security (provider security groups, MFA, company VPN for production server access) |
| 8.21 | Security of network services | Yes | Yes | Network Security (private-network isolation or TLS 1.3 for service-to-service) |
| 8.22 | Segregation of networks | Yes | Yes | Network Security (environment and tenant segmentation) |
| 8.23 | Web filtering | Yes | Partial; extend web filtering on endpoints | Network Security (spam and virus filtering) |
| 8.24 | Use of cryptography | Yes | Yes | Cryptography (AES-256; TLS 1.3, min 1.2; provider-managed keys) |
| 8.25 | Secure development life cycle | Yes | Yes | Secure Development |
| 8.26 | Application security requirements | Yes | Yes | Secure Development (security requirements per change) |
| 8.27 | Secure system architecture and engineering principles | Yes | Yes | Secure Development (least privilege, defence in depth) |
| 8.28 | Secure coding | Yes | Yes | Secure Development; Secure Coding Standards (employees only; OWASP-aligned coding rules, automated checks, review gates) |
| 8.29 | Security testing in development and acceptance | Yes | Partial; add dedicated security testing to CI | Secure Development (CI tests, dependency scanning) |
| 8.30 | Outsourced development | No | N/A | No outsourced development; all code written in-house |
| 8.31 | Separation of development, test and production environments | Yes | Yes | Operations Security; Secure Development (separate local, staging, production) |
| 8.32 | Change management | Yes | Partial; introduce a mandatory second approver, or document the accepted risk | Operations Security; Secure Development (CI/CD, staging) |
| 8.33 | Test information | Yes | Yes | Secure Development; Data Classification (no production data in non-production; synthetic or anonymized) |
| 8.34 | Protection of information systems during audit testing | Yes | Partial; define read-only, scheduled audit access | Operations Security |
Related
- ISO 27001. How the ISMS fits together, with the full policy list.