botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.


The Statement of Applicability (SoA) records how botBrains applies each of the 93 ISO/IEC 27001:2022 Annex A controls: whether the control is in scope, which policy governs it, and its implementation status. It’s the index that ties the policies to the controls they satisfy.

How to read this

  • Applicable. Whether the control is in scope. The only exclusion is outsourced development, which botBrains doesn’t do.
  • Implemented. Yes (operating), Inherited (operated by a certified provider), Partial; … (in place, with the action that finishes it), or No; … (applicable, with the action that starts it).
  • Policy. The governing policy, with the specifics that add detail.

A.5 Organizational controls

| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 5.1 | Policies for information security | Yes | Yes | Information Security |
| 5.2 | Information security roles and responsibilities | Yes | Yes | Roles & Responsibilities (CISO named; co-founder alternate) |
| 5.3 | Segregation of duties | Yes | Partial; re-affirm the compensating controls at each risk review | Roles & Responsibilities (documented compensating controls, accepted risk) |
| 5.4 | Management responsibilities | Yes | Yes | Information Security; Code of Conduct |
| 5.5 | Contact with authorities | Yes | Yes | Incident Management (see internal communication plan) |
| 5.6 | Contact with special interest groups | Yes | No; join a security interest group and subscribe key roles to advisories | Vulnerability Management |
| 5.7 | Threat intelligence | Yes | Partial; consolidate threat-intel sources into a monitored feed | Vulnerability Management; Responsible Disclosure (Dependabot advisories, disclosure inputs) |
| 5.8 | Information security in project management | Yes | Yes | Secure Development (see design stage) |
| 5.9 | Inventory of information and associated assets | Yes | Yes | Asset Management |
| 5.10 | Acceptable use of information and assets | Yes | Yes | Acceptable Use |
| 5.11 | Return of assets | Yes | Yes | Asset Management; HR Security (leaver process, laptop return) |
| 5.12 | Classification of information | Yes | Yes | Data Classification (four-level scheme) |
| 5.13 | Labelling of information | Yes | Yes | Data Classification (context-based labelling) |
| 5.14 | Information transfer | Yes | Yes | Data Classification; Cryptography (transfer rules by level; TLS 1.3, min 1.2) |
| 5.15 | Access control | Yes | Yes | Access Control (least privilege, RBAC) |
| 5.16 | Identity management | Yes | Yes | Access Control (unique named accounts) |
| 5.17 | Authentication information | Yes | Yes | Access Control (MFA, password manager, Clerk) |
| 5.18 | Access rights | Yes | Yes | Access Control (joiner-mover-leaver, access reviews) |
| 5.19 | Information security in supplier relationships | Yes | Yes | Supplier Management (supplier due diligence) |
| 5.20 | Addressing security within supplier agreements | Yes | Yes | Supplier Management (Art. 28 DPAs on file) |
| 5.21 | Managing security in the ICT supply chain | Yes | Yes | Supplier Management (model-subprocessor rules) |
| 5.22 | Monitoring, review and change of supplier services | Yes | Yes | Supplier Management (annual supplier review defined) |
| 5.23 | Information security for use of cloud services | Yes | Yes | Supplier Management (EU cloud, DPAs, residency rules) |
| 5.24 | Incident management planning and preparation | Yes | Yes | Incident Management (incident lifecycle defined) |
| 5.25 | Assessment and decision on security events | Yes | Yes | Incident Management (triage and severity) |
| 5.26 | Response to information security incidents | Yes | Yes | Incident Management; Breach Notification |
| 5.27 | Learning from information security incidents | Yes | Yes | Incident Management (root-cause analysis) |
| 5.28 | Collection of evidence | Yes | Yes | Incident Management (evidence preservation) |
| 5.29 | Information security during disruption | Yes | Yes | Business Continuity & DR |
| 5.30 | ICT readiness for business continuity | Yes | Yes | Business Continuity & DR; Backup (RTO/RPO, backups, failover) |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Yes | Data Protection (GDPR met; Article 30 Record of Processing Activities) |
| 5.32 | Intellectual property rights | Yes | Yes | Code of Conduct; Acceptable Use |
| 5.33 | Protection of records | Yes | Yes | Data Retention (retention and protection of records) |
| 5.34 | Privacy and protection of PII | Yes | Yes | Data Protection (GDPR processor controls; Article 30 Record of Processing Activities) |
| 5.35 | Independent review of information security | Yes | No; run the first annual internal audit | Information Security |
| 5.36 | Compliance with policies, rules and standards | Yes | Partial; complete the internal audit and evidence policy compliance | Information Security (enforcement clauses) |
| 5.37 | Documented operating procedures | Yes | Yes | Operations Security |

A.6 People controls

| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 6.1 | Screening | Yes | Partial; record founder background-check evidence | HR Security (proportional checks defined) |
| 6.2 | Terms and conditions of employment | Yes | Yes | HR Security (contracts with confidentiality terms) |
| 6.3 | Information security awareness, education and training | Yes | Partial; populate the annual security-awareness training log | HR Security |
| 6.4 | Disciplinary process | Yes | Yes | HR Security |
| 6.5 | Responsibilities after termination or change | Yes | Yes | HR Security (offboarding, continuing confidentiality) |
| 6.6 | Confidentiality or non-disclosure agreements | Yes | Partial; sign and file founder NDAs | HR Security (required before access) |
| 6.7 | Remote working | Yes | Yes | Acceptable Use; Physical Security (fully remote; home-office controls) |
| 6.8 | Information security event reporting | Yes | Yes | Incident Management; Responsible Disclosure |

A.7 Physical controls

| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 7.1 | Physical security perimeters | Yes | Inherited | Physical Security (certified data centers) |
| 7.2 | Physical entry | Yes | Inherited | Physical Security (provider access control) |
| 7.3 | Securing offices, rooms and facilities | Yes | Inherited | Physical Security (no own offices; home-office) |
| 7.4 | Physical security monitoring | Yes | Inherited | Physical Security (provider surveillance) |
| 7.5 | Protecting against physical and environmental threats | Yes | Inherited | Physical Security (provider fire, power, and climate controls) |
| 7.6 | Working in secure areas | Yes | Inherited | Physical Security (data center secure areas) |
| 7.7 | Clear desk and clear screen | Yes | Yes | Physical Security; Acceptable Use (idle lock, clean-screen practice) |
| 7.8 | Equipment siting and protection | Yes | Yes | Physical Security (devices in trusted locations; servers inherited) |
| 7.9 | Security of assets off-premises | Yes | Yes | Physical Security; Asset Management (full-disk-encrypted laptops, device care) |
| 7.10 | Storage media | Yes | Yes | Asset Management; Data Classification (no removable media for production data) |
| 7.11 | Supporting utilities | Yes | Inherited | Physical Security (data center power and cooling) |
| 7.12 | Cabling security | Yes | Inherited | Physical Security (data center cabling) |
| 7.13 | Equipment maintenance | Yes | Inherited | Physical Security (cloud provider maintenance) |
| 7.14 | Secure disposal or re-use of equipment | Yes | Yes | Asset Management (laptop wipe with full-disk encryption; providers destroy server media) |

A.8 Technological controls

| Annex A | Control | Applicable | Implemented | Policy |
|---|---|---|---|---|
| 8.1 | User endpoint devices | Yes | Partial; evaluate and roll out MDM for endpoints | Acceptable Use (full-disk encryption, MFA, updates) |
| 8.2 | Privileged access rights | Yes | Yes | Access Control (minimal admin access with MFA) |
| 8.3 | Information access restriction | Yes | Yes | Access Control (multi-tenant logical isolation) |
| 8.4 | Access to source code | Yes | Yes | Secure Development (private GitHub, role-based, MFA) |
| 8.5 | Secure authentication | Yes | Yes | Access Control (MFA everywhere; Clerk for the product) |
| 8.6 | Capacity management | Yes | Partial; write the capacity and scaling playbook | Operations Security (CloudWatch and Better Stack monitoring) |
| 8.7 | Protection against malware | Yes | Yes | Operations Security (ClamAV on uploads, hardened servers) |
| 8.8 | Management of technical vulnerabilities | Yes | Partial; commission the external penetration test | Vulnerability Management (Dependabot, Wazuh) |
| 8.9 | Configuration management | Yes | Yes | Operations Security; Network Security (hardened, version-controlled infrastructure as code) |
| 8.10 | Information deletion | Yes | Yes | Data Retention (retention and secure deletion) |
| 8.11 | Data masking | Yes | Partial; assess the need for a data-masking tool | Data Classification; Data Protection (tenant isolation, pseudonymization) |
| 8.12 | Data leakage prevention | Yes | Partial; assess a dedicated data-loss-prevention control | Data Classification; Acceptable Use (access controls and acceptable use) |
| 8.13 | Information backup | Yes | Yes | Backup (Point-in-Time Recovery with Write-Ahead Log, tested restore) |
| 8.14 | Redundancy of information processing facilities | Yes | Yes | Business Continuity & DR (hot standby, reproducible-from-code recovery, multi-provider model inference) |
| 8.15 | Logging | Yes | Yes | Logging & Monitoring (centralized logs, Wazuh, Better Stack) |
| 8.16 | Monitoring activities | Yes | Yes | Logging & Monitoring (Wazuh SIEM, Sentry alerting) |
| 8.17 | Clock synchronization | Yes | Yes | Logging & Monitoring; Operations Security (synchronized to network time) |
| 8.18 | Use of privileged utility programs | Yes | Partial; document the restricted admin-tooling inventory | Access Control; Operations Security (restricted admin tooling) |
| 8.19 | Installation of software on operational systems | Yes | Yes | Operations Security (change management, hardened images) |
| 8.20 | Networks security | Yes | Yes | Network Security (provider security groups, MFA, company VPN for production server access) |
| 8.21 | Security of network services | Yes | Yes | Network Security (private-network isolation or TLS 1.3 for service-to-service) |
| 8.22 | Segregation of networks | Yes | Yes | Network Security (environment and tenant segmentation) |
| 8.23 | Web filtering | Yes | Partial; extend web filtering on endpoints | Network Security (spam and virus filtering) |
| 8.24 | Use of cryptography | Yes | Yes | Cryptography (AES-256; TLS 1.3, min 1.2; provider-managed keys) |
| 8.25 | Secure development life cycle | Yes | Yes | Secure Development |
| 8.26 | Application security requirements | Yes | Yes | Secure Development (security requirements per change) |
| 8.27 | Secure system architecture and engineering principles | Yes | Yes | Secure Development (least privilege, defence in depth) |
| 8.28 | Secure coding | Yes | Yes | Secure Development; Employees Only: Secure Coding Standards (OWASP-aligned coding rules, automated checks, review gates) |
| 8.29 | Security testing in development and acceptance | Yes | Partial; add dedicated security testing to CI | Secure Development (CI tests, dependency scanning) |
| 8.30 | Outsourced development | No | N/A | No outsourced development; all code is written in-house |
| 8.31 | Separation of development, test and production environments | Yes | Yes | Operations Security; Secure Development (separate local, staging, production) |
| 8.32 | Change management | Yes | Partial; introduce a mandatory second approver, or document the accepted risk | Operations Security; Secure Development (CI/CD, staging) |
| 8.33 | Test information | Yes | Yes | Secure Development; Data Classification (no production data in non-production; synthetic or anonymized) |
| 8.34 | Protection of information systems during audit testing | Yes | Partial; define read-only, scheduled audit access | Operations Security |
