
# Statement of Applicability

> How botBrains applies the 93 ISO/IEC 27001:2022 Annex A controls

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<Card title="Download as PDF" icon="download" href="/assets/botbrains-statement-of-applicability.pdf" horizontal />

The Statement of Applicability (SoA) records how botBrains applies each of the 93 ISO/IEC 27001:2022 Annex A controls: whether the control is in scope, which policy governs it, and its implementation status. It's the index that ties the [policies](/trust/policies/overview) to the controls they satisfy.

## How to read this

* **Applicable.** Whether the control is in scope. The only exclusion is outsourced development, which botBrains doesn't do.
* **Implemented.** `Yes` (operating), `Inherited` (operated by a certified provider), `Partial; …` (in place, with the action that finishes it), or `No; …` (applicable, with the action that starts it).
* **Policy.** The governing policy, with the specifics that add detail.

## A.5 Organizational controls

| Annex A | Control                                                   | Applicable | Implemented                                                              | Policy                                                                                                                                                                                          |
| ------- | --------------------------------------------------------- | ---------- | ------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 5.1     | Policies for information security                         | Yes        | Yes                                                                      | [Information Security](/trust/policies/information-security-policy)                                                                                                                             |
| 5.2     | Information security roles and responsibilities           | Yes        | Yes                                                                      | [Roles & Responsibilities](/trust/policies/roles-and-responsibilities) (CISO named; co-founder alternate)                                                                                       |
| 5.3     | Segregation of duties                                     | Yes        | Partial; re-affirm the compensating controls at each risk review         | [Roles & Responsibilities](/trust/policies/roles-and-responsibilities) (documented compensating controls, accepted risk)                                                                        |
| 5.4     | Management responsibilities                               | Yes        | Yes                                                                      | [Information Security](/trust/policies/information-security-policy); [Code of Conduct](/trust/policies/code-of-conduct)                                                                         |
| 5.5     | Contact with authorities                                  | Yes        | Yes                                                                      | [Incident Management](/trust/policies/incident-management-policy) (see internal communication plan)                                                                                             |
| 5.6     | Contact with special interest groups                      | Yes        | No; join a security interest group and subscribe key roles to advisories | [Vulnerability Management](/trust/policies/vulnerability-management-policy)                                                                                                                     |
| 5.7     | Threat intelligence                                       | Yes        | Partial; consolidate threat-intel sources into a monitored feed          | [Vulnerability Management](/trust/policies/vulnerability-management-policy); [Responsible Disclosure](/trust/policies/responsible-disclosure-policy) (Dependabot advisories, disclosure inputs) |
| 5.8     | Information security in project management                | Yes        | Yes                                                                      | [Secure Development](/trust/policies/secure-development-policy) (see design stage)                                                                                                              |
| 5.9     | Inventory of information and associated assets            | Yes        | Yes                                                                      | [Asset Management](/trust/policies/asset-management-policy)                                                                                                                                     |
| 5.10    | Acceptable use of information and assets                  | Yes        | Yes                                                                      | [Acceptable Use](/trust/policies/acceptable-use-policy)                                                                                                                                         |
| 5.11    | Return of assets                                          | Yes        | Yes                                                                      | [Asset Management](/trust/policies/asset-management-policy); [HR Security](/trust/policies/human-resource-security-policy) (leaver process, laptop return)                                      |
| 5.12    | Classification of information                             | Yes        | Yes                                                                      | [Data Classification](/trust/policies/data-classification-policy) (four-level scheme)                                                                                                           |
| 5.13    | Labelling of information                                  | Yes        | Yes                                                                      | [Data Classification](/trust/policies/data-classification-policy) (context-based labelling)                                                                                                     |
| 5.14    | Information transfer                                      | Yes        | Yes                                                                      | [Data Classification](/trust/policies/data-classification-policy); [Cryptography](/trust/policies/cryptography-policy) (transfer rules by level; TLS 1.3, min 1.2)                              |
| 5.15    | Access control                                            | Yes        | Yes                                                                      | [Access Control](/trust/policies/access-control-policy) (least privilege, RBAC)                                                                                                                 |
| 5.16    | Identity management                                       | Yes        | Yes                                                                      | [Access Control](/trust/policies/access-control-policy) (unique named accounts)                                                                                                                 |
| 5.17    | Authentication information                                | Yes        | Yes                                                                      | [Access Control](/trust/policies/access-control-policy) (MFA, password manager, Clerk)                                                                                                          |
| 5.18    | Access rights                                             | Yes        | Yes                                                                      | [Access Control](/trust/policies/access-control-policy) (joiner-mover-leaver, access reviews)                                                                                                   |
| 5.19    | Information security in supplier relationships            | Yes        | Yes                                                                      | [Supplier Management](/trust/policies/supplier-management-policy) (supplier due diligence)                                                                                                      |
| 5.20    | Addressing security within supplier agreements            | Yes        | Yes                                                                      | [Supplier Management](/trust/policies/supplier-management-policy) (Art. 28 DPAs on file)                                                                                                        |
| 5.21    | Managing security in the ICT supply chain                 | Yes        | Yes                                                                      | [Supplier Management](/trust/policies/supplier-management-policy) (model-subprocessor rules)                                                                                                    |
| 5.22    | Monitoring, review and change of supplier services        | Yes        | Yes                                                                      | [Supplier Management](/trust/policies/supplier-management-policy) (annual supplier review defined)                                                                                              |
| 5.23    | Information security for use of cloud services            | Yes        | Yes                                                                      | [Supplier Management](/trust/policies/supplier-management-policy) (EU cloud, DPAs, residency rules)                                                                                             |
| 5.24    | Incident management planning and preparation              | Yes        | Yes                                                                      | [Incident Management](/trust/policies/incident-management-policy) (incident lifecycle defined)                                                                                                  |
| 5.25    | Assessment and decision on security events                | Yes        | Yes                                                                      | [Incident Management](/trust/policies/incident-management-policy) (triage and severity)                                                                                                         |
| 5.26    | Response to information security incidents                | Yes        | Yes                                                                      | [Incident Management](/trust/policies/incident-management-policy); [Breach Notification](/trust/policies/breach-notification-policy)                                                            |
| 5.27    | Learning from information security incidents              | Yes        | Yes                                                                      | [Incident Management](/trust/policies/incident-management-policy) (root-cause analysis)                                                                                                         |
| 5.28    | Collection of evidence                                    | Yes        | Yes                                                                      | [Incident Management](/trust/policies/incident-management-policy) (evidence preservation)                                                                                                       |
| 5.29    | Information security during disruption                    | Yes        | Yes                                                                      | [Business Continuity & DR](/trust/policies/business-continuity-and-disaster-recovery)                                                                                                           |
| 5.30    | ICT readiness for business continuity                     | Yes        | Yes                                                                      | [Business Continuity & DR](/trust/policies/business-continuity-and-disaster-recovery); [Backup](/trust/policies/backup-policy) (RTO/RPO, backups, failover)                                     |
| 5.31    | Legal, statutory, regulatory and contractual requirements | Yes        | Yes                                                                      | [Data Protection](/trust/policies/data-protection-policy) (GDPR met; Article 30 Record of Processing Activities)                                                                                |
| 5.32    | Intellectual property rights                              | Yes        | Yes                                                                      | [Code of Conduct](/trust/policies/code-of-conduct); [Acceptable Use](/trust/policies/acceptable-use-policy)                                                                                     |
| 5.33    | Protection of records                                     | Yes        | Yes                                                                      | [Data Retention](/trust/policies/data-retention-policy) (retention and protection of records)                                                                                                   |
| 5.34    | Privacy and protection of PII                             | Yes        | Yes                                                                      | [Data Protection](/trust/policies/data-protection-policy) (GDPR processor controls; Article 30 Record of Processing Activities)                                                                 |
| 5.35    | Independent review of information security                | Yes        | No; run the first annual internal audit                                  | [Information Security](/trust/policies/information-security-policy)                                                                                                                             |
| 5.36    | Compliance with policies, rules and standards             | Yes        | Partial; complete the internal audit and evidence policy compliance      | [Information Security](/trust/policies/information-security-policy) (enforcement clauses)                                                                                                       |
| 5.37    | Documented operating procedures                           | Yes        | Yes                                                                      | [Operations Security](/trust/policies/operations-security-policy)                                                                                                                               |

## A.6 People controls

| Annex A | Control                                                | Applicable | Implemented                                                  | Policy                                                                                                                                                      |
| ------- | ------------------------------------------------------ | ---------- | ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 6.1     | Screening                                              | Yes        | Partial; record founder background-check evidence            | [HR Security](/trust/policies/human-resource-security-policy) (proportional checks defined)                                                                 |
| 6.2     | Terms and conditions of employment                     | Yes        | Yes                                                          | [HR Security](/trust/policies/human-resource-security-policy) (contracts with confidentiality terms)                                                        |
| 6.3     | Information security awareness, education and training | Yes        | Partial; populate the annual security-awareness training log | [HR Security](/trust/policies/human-resource-security-policy)                                                                                               |
| 6.4     | Disciplinary process                                   | Yes        | Yes                                                          | [HR Security](/trust/policies/human-resource-security-policy)                                                                                               |
| 6.5     | Responsibilities after termination or change           | Yes        | Yes                                                          | [HR Security](/trust/policies/human-resource-security-policy) (offboarding, continuing confidentiality)                                                     |
| 6.6     | Confidentiality or non-disclosure agreements           | Yes        | Partial; sign and file founder NDAs                          | [HR Security](/trust/policies/human-resource-security-policy) (required before access)                                                                      |
| 6.7     | Remote working                                         | Yes        | Yes                                                          | [Acceptable Use](/trust/policies/acceptable-use-policy); [Physical Security](/trust/policies/physical-security-policy) (fully remote; home-office controls) |
| 6.8     | Information security event reporting                   | Yes        | Yes                                                          | [Incident Management](/trust/policies/incident-management-policy); [Responsible Disclosure](/trust/policies/responsible-disclosure-policy)                  |

## A.7 Physical controls

| Annex A | Control                                               | Applicable | Implemented | Policy                                                                                                                                                                  |
| ------- | ----------------------------------------------------- | ---------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 7.1     | Physical security perimeters                          | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (certified data centers)                                                                                  |
| 7.2     | Physical entry                                        | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (provider access control)                                                                                 |
| 7.3     | Securing offices, rooms and facilities                | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (no own offices; home-office)                                                                             |
| 7.4     | Physical security monitoring                          | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (provider surveillance)                                                                                   |
| 7.5     | Protecting against physical and environmental threats | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (provider fire, power, and climate controls)                                                              |
| 7.6     | Working in secure areas                               | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (data center secure areas)                                                                                |
| 7.7     | Clear desk and clear screen                           | Yes        | Yes         | [Physical Security](/trust/policies/physical-security-policy); [Acceptable Use](/trust/policies/acceptable-use-policy) (idle lock, clean-screen practice)               |
| 7.8     | Equipment siting and protection                       | Yes        | Yes         | [Physical Security](/trust/policies/physical-security-policy) (devices in trusted locations; servers inherited)                                                         |
| 7.9     | Security of assets off-premises                       | Yes        | Yes         | [Physical Security](/trust/policies/physical-security-policy); [Asset Management](/trust/policies/asset-management-policy) (full-disk-encrypted laptops, device care)   |
| 7.10    | Storage media                                         | Yes        | Yes         | [Asset Management](/trust/policies/asset-management-policy); [Data Classification](/trust/policies/data-classification-policy) (no removable media for production data) |
| 7.11    | Supporting utilities                                  | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (data center power and cooling)                                                                           |
| 7.12    | Cabling security                                      | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (data center cabling)                                                                                     |
| 7.13    | Equipment maintenance                                 | Yes        | Inherited   | [Physical Security](/trust/policies/physical-security-policy) (cloud provider maintenance)                                                                              |
| 7.14    | Secure disposal or re-use of equipment                | Yes        | Yes         | [Asset Management](/trust/policies/asset-management-policy) (laptop wipe with full-disk encryption; providers destroy server media)                                     |

## A.8 Technological controls

| Annex A | Control                                                     | Applicable | Implemented                                                                   | Policy                                                                                                                                                                                                                             |
| ------- | ----------------------------------------------------------- | ---------- | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 8.1     | User endpoint devices                                       | Yes        | Partial; evaluate and roll out MDM for endpoints                              | [Acceptable Use](/trust/policies/acceptable-use-policy) (full-disk encryption, MFA, updates)                                                                                                                                       |
| 8.2     | Privileged access rights                                    | Yes        | Yes                                                                           | [Access Control](/trust/policies/access-control-policy) (minimal admin access with MFA)                                                                                                                                            |
| 8.3     | Information access restriction                              | Yes        | Yes                                                                           | [Access Control](/trust/policies/access-control-policy) (multi-tenant logical isolation)                                                                                                                                           |
| 8.4     | Access to source code                                       | Yes        | Yes                                                                           | [Secure Development](/trust/policies/secure-development-policy) (private GitHub, role-based, MFA)                                                                                                                                  |
| 8.5     | Secure authentication                                       | Yes        | Yes                                                                           | [Access Control](/trust/policies/access-control-policy) (MFA everywhere; Clerk for the product)                                                                                                                                    |
| 8.6     | Capacity management                                         | Yes        | Partial; write the capacity and scaling playbook                              | [Operations Security](/trust/policies/operations-security-policy) (CloudWatch and Better Stack monitoring)                                                                                                                         |
| 8.7     | Protection against malware                                  | Yes        | Yes                                                                           | [Operations Security](/trust/policies/operations-security-policy) (ClamAV on uploads, hardened servers)                                                                                                                            |
| 8.8     | Management of technical vulnerabilities                     | Yes        | Partial; commission the external penetration test                             | [Vulnerability Management](/trust/policies/vulnerability-management-policy) (Dependabot, Wazuh)                                                                                                                                    |
| 8.9     | Configuration management                                    | Yes        | Yes                                                                           | [Operations Security](/trust/policies/operations-security-policy); [Network Security](/trust/policies/network-security-policy) (hardened, version-controlled infrastructure as code)                                               |
| 8.10    | Information deletion                                        | Yes        | Yes                                                                           | [Data Retention](/trust/policies/data-retention-policy) (retention and secure deletion)                                                                                                                                            |
| 8.11    | Data masking                                                | Yes        | Partial; assess the need for a data-masking tool                              | [Data Classification](/trust/policies/data-classification-policy); [Data Protection](/trust/policies/data-protection-policy) (tenant isolation, pseudonymization)                                                                  |
| 8.12    | Data leakage prevention                                     | Yes        | Partial; assess a dedicated data-loss-prevention control                      | [Data Classification](/trust/policies/data-classification-policy); [Acceptable Use](/trust/policies/acceptable-use-policy) (access controls and acceptable use)                                                                    |
| 8.13    | Information backup                                          | Yes        | Yes                                                                           | [Backup](/trust/policies/backup-policy) (Point-in-Time Recovery with Write-Ahead Log, tested restore)                                                                                                                              |
| 8.14    | Redundancy of information processing facilities             | Yes        | Yes                                                                           | [Business Continuity & DR](/trust/policies/business-continuity-and-disaster-recovery) (hot standby, reproducible-from-code recovery, multi-provider model inference)                                                               |
| 8.15    | Logging                                                     | Yes        | Yes                                                                           | [Logging & Monitoring](/trust/policies/logging-and-monitoring-policy) (centralized logs, Wazuh, Better Stack)                                                                                                                      |
| 8.16    | Monitoring activities                                       | Yes        | Yes                                                                           | [Logging & Monitoring](/trust/policies/logging-and-monitoring-policy) (Wazuh SIEM, Sentry alerting)                                                                                                                                |
| 8.17    | Clock synchronization                                       | Yes        | Yes                                                                           | [Logging & Monitoring](/trust/policies/logging-and-monitoring-policy); [Operations Security](/trust/policies/operations-security-policy) (synchronized to network time)                                                            |
| 8.18    | Use of privileged utility programs                          | Yes        | Partial; document the restricted admin-tooling inventory                      | [Access Control](/trust/policies/access-control-policy); [Operations Security](/trust/policies/operations-security-policy) (restricted admin tooling)                                                                              |
| 8.19    | Installation of software on operational systems             | Yes        | Yes                                                                           | [Operations Security](/trust/policies/operations-security-policy) (change management, hardened images)                                                                                                                             |
| 8.20    | Networks security                                           | Yes        | Yes                                                                           | [Network Security](/trust/policies/network-security-policy) (provider security groups, MFA, company VPN for production server access)                                                                                              |
| 8.21    | Security of network services                                | Yes        | Yes                                                                           | [Network Security](/trust/policies/network-security-policy) (private-network isolation or TLS 1.3 for service-to-service)                                                                                                          |
| 8.22    | Segregation of networks                                     | Yes        | Yes                                                                           | [Network Security](/trust/policies/network-security-policy) (environment and tenant segmentation)                                                                                                                                  |
| 8.23    | Web filtering                                               | Yes        | Partial; extend web filtering on endpoints                                    | [Network Security](/trust/policies/network-security-policy) (spam and virus filtering)                                                                                                                                             |
| 8.24    | Use of cryptography                                         | Yes        | Yes                                                                           | [Cryptography](/trust/policies/cryptography-policy) (AES-256 at rest, TLS 1.3 in transit with TLS 1.2 as the accepted minimum, provider-managed keys)                                                                               |
| 8.25    | Secure development life cycle                               | Yes        | Yes                                                                           | [Secure Development](/trust/policies/secure-development-policy)                                                                                                                                                                    |
| 8.26    | Application security requirements                           | Yes        | Yes                                                                           | [Secure Development](/trust/policies/secure-development-policy) (security requirements per change)                                                                                                                                 |
| 8.27    | Secure system architecture and engineering principles       | Yes        | Yes                                                                           | [Secure Development](/trust/policies/secure-development-policy) (least privilege, defence in depth)                                                                                                                                |
| 8.28    | Secure coding                                               | Yes        | Yes                                                                           | [Secure Development](/trust/policies/secure-development-policy); [Employees Only: Secure Coding Standards](https://app.notion.com/p/391481da93cf81c4a39cf1ea90ed0079) (OWASP-aligned coding rules, automated checks, review gates) |
| 8.29    | Security testing in development and acceptance              | Yes        | Partial; add dedicated security testing to CI                                 | [Secure Development](/trust/policies/secure-development-policy) (CI tests, dependency scanning)                                                                                                                                    |
| 8.30    | Outsourced development                                      | No         | N/A                                                                           | No outsourced development; all code written in-house                                                                                                                                                                               |
| 8.31    | Separation of development, test and production environments | Yes        | Yes                                                                           | [Operations Security](/trust/policies/operations-security-policy); [Secure Development](/trust/policies/secure-development-policy) (separate local, staging, production)                                                           |
| 8.32    | Change management                                           | Yes        | Partial; introduce a mandatory second approver, or document the accepted risk | [Operations Security](/trust/policies/operations-security-policy); [Secure Development](/trust/policies/secure-development-policy) (CI/CD, staging)                                                                                |
| 8.33    | Test information                                            | Yes        | Yes                                                                           | [Secure Development](/trust/policies/secure-development-policy); [Data Classification](/trust/policies/data-classification-policy) (no production data in non-production; synthetic or anonymized)                                 |
| 8.34    | Protection of information systems during audit testing      | Yes        | Partial; define read-only, scheduled audit access                             | [Operations Security](/trust/policies/operations-security-policy)                                                                                                                                                                  |

## Related

<Card title="ISO 27001" icon="shield-check" href="/trust/iso-27001">
  How the ISMS fits together, with the full policy list.
</Card>
