Statement of Applicability (SoA)
The Statement of Applicability (SoA) identifies which ISO/IEC 27001:2022 Annex A controls are applicable to ISMS Copilot, justifies the inclusion or exclusion of each control, and describes how applicable controls are implemented. It is a mandatory output of our risk treatment process.
This document follows ISO 27001:2022 Clause 6.1.3 d). Each control is marked as Yes (applicable and implemented), Partial (applicable, implementation in progress), or N/A (not applicable, exclusion justified).
Summary Statistics
| Category | Total Controls | Applicable | Partial | N/A |
|---|---|---|---|---|
| A.5 Organizational | 37 | 35 | 2 | 0 |
| A.6 People | 8 | 7 | 1 | 0 |
| A.7 Physical | 14 | 1 | 0 | 13 |
| A.8 Technological | 34 | 28 | 5 | 1 |
| Total | 93 | 71 | 8 | 14 |
71 controls are fully applicable and implemented, 8 are partially implemented (in progress), and 14 are not applicable — primarily physical controls excluded because ISMS Copilot is a fully remote, cloud-hosted SaaS platform with no physical office or data center.
Organizational Controls (A.5)
| # | Control | Status | Implementation Summary |
|---|---|---|---|
| A.5.1 | Policies for information security | Yes | Comprehensive policy set covering all ISMS domains |
| A.5.2 | Information security roles and responsibilities | Yes | Defined roles across all policies with clear accountability |
| A.5.3 | Segregation of duties | Partial | Limited by team size; mitigated by dual access reviews and PR approval requirements |
| A.5.4 | Management responsibilities | Yes | CEO is ISMS owner with overall accountability |
| A.5.5 | Contact with authorities | Yes | Regulatory contacts documented; CNIL notification procedures defined |
| A.5.6 | Contact with special interest groups | Yes | Security communities and provider advisory monitoring |
| A.5.7 | Threat intelligence | Yes | Active threat intelligence programme with weekly sweeps |
| A.5.8 | Information security in project management | Yes | Security considered in all feature development via change management process |
| A.5.9 | Inventory of information and other associated assets | Yes | Infrastructure and data inventories maintained |
| A.5.10 | Acceptable use of information and other associated assets | Yes | Acceptable use rules for all information assets, platforms, data, and AI tools |
| A.5.11 | Return of assets | Yes | Offboarding procedures for access revocation |
| A.5.12 | Classification of information | Yes | Four-level classification scheme (Public, Internal, Confidential, Restricted) |
| A.5.13 | Labelling of information | Yes | Classification labels on all policy and GRC documents |
| A.5.14 | Information transfer | Yes | TLS enforced on all transfer paths; documented transfer procedures |
| A.5.15 | Access control | Yes | Comprehensive access control policy with RLS, JWT validation, and route guards |
| A.5.16 | Identity management | Yes | Supabase Auth for users; platform accounts for operators |
| A.5.17 | Authentication information | Yes | MFA enforced for operators; password standards defined |
| A.5.18 | Access rights | Yes | Quarterly access reviews; onboarding/offboarding procedures |
| A.5.19 | Information security in supplier relationships | Yes | Supplier management policy covering all cloud providers |
| A.5.20 | Addressing information security within supplier agreements | Yes | DPAs and contractual requirements with all suppliers |
| A.5.21 | Managing information security in the ICT supply chain | Yes | Dependency management via Dependabot; vulnerability monitoring |
| A.5.22 | Monitoring, review and change management of supplier services | Yes | Ongoing supplier monitoring and performance tracking |
| A.5.23 | Information security for use of cloud services | Yes | Cloud-native architecture with documented shared responsibility model |
| A.5.24 | Information security incident management planning and preparation | Yes | Incident response playbook with defined procedures per scenario |
| A.5.25 | Assessment and decision on information security events | Yes | Severity classification system for security events |
| A.5.26 | Response to information security incidents | Yes | Response playbooks for each incident scenario |
| A.5.27 | Learning from information security incidents | Yes | Post-incident review with NC/OFI tracking and lessons learned |
| A.5.28 | Collection of evidence | Yes | Log retention and evidence preservation procedures |
| A.5.29 | Information security during disruption | Yes | Business continuity and disaster recovery plan with defined recovery procedures |
| A.5.30 | ICT readiness for business continuity | Yes | Recovery procedures documented for each service; bootstrap runbook maintained |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Legal register maintained and reviewed |
| A.5.32 | Intellectual property rights | Yes | IP guidelines documented; no copyrighted standards text in training data |
| A.5.33 | Protection of records | Yes | Retention schedules defined across all data categories |
| A.5.34 | Privacy and protection of PII | Yes | Full GDPR compliance documentation (RoPA, DPIA, TIA, DSR procedures) |
| A.5.35 | Independent review of information security | Partial | Internal audit programme established; external audit planned for certification |
| A.5.36 | Compliance with policies, rules and standards | Yes | Enforced through PR reviews, automated tests, and audit programme |
| A.5.37 | Documented operating procedures | Yes | Operational procedures documented and version-controlled |
People Controls (A.6)
| # | Control | Status | Implementation Summary |
|---|---|---|---|
| A.6.1 | Screening | Partial | Founding team; formal screening process documented for future hires |
| A.6.2 | Terms and conditions of employment | Yes | Security responsibilities communicated and acknowledged before access is granted |
| A.6.3 | Information security awareness, education and training | Yes | Competence and awareness programme established |
| A.6.4 | Disciplinary process | Yes | Graduated disciplinary process defined |
| A.6.5 | Responsibilities after termination or change of employment | Yes | Offboarding procedure with timelines and ongoing obligations |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | Confidentiality scope and contractual mechanisms defined |
| A.6.7 | Remote working | Yes | Remote working security requirements for fully remote team |
| A.6.8 | Information security event reporting | Yes | Reporting channels defined; public SECURITY.md for external reporters |
Physical Controls (A.7)
| # | Control | Status | Justification |
|---|---|---|---|
| A.7.1 | Physical security perimeters | N/A | No physical office or data center; all infrastructure is cloud-hosted |
| A.7.2 | Physical entry | N/A | No physical premises; provider-managed physical security |
| A.7.3 | Securing offices, rooms and facilities | N/A | No offices; provider-managed |
| A.7.4 | Physical security monitoring | N/A | No physical assets; provider-managed |
| A.7.5 | Protecting against physical and environmental threats | N/A | No physical infrastructure; provider data centers handle this |
| A.7.6 | Working in secure areas | N/A | No secure areas |
| A.7.7 | Clear desk and clear screen | Yes | Clear screen principles applied to the remote work context |
| A.7.8 | Equipment siting and protection | N/A | No organizational equipment; BYOD out of scope |
| A.7.9 | Security of assets off-premises | N/A | No organizational assets taken off-premises |
| A.7.10 | Storage media | N/A | No organizational storage media; all data in cloud services |
| A.7.11 | Supporting utilities | N/A | No on-premises infrastructure |
| A.7.12 | Cabling security | N/A | No on-premises infrastructure |
| A.7.13 | Equipment maintenance | N/A | No organizational equipment |
| A.7.14 | Secure disposal or re-use of equipment | N/A | No organizational equipment |
Technological Controls (A.8)
| # | Control | Status | Implementation Summary |
|---|---|---|---|
| A.8.1 | User endpoint devices | Partial | Antivirus on CEO device; application-layer controls (MFA, JWT, RLS) compensate for limited endpoint enforcement on freelancers |
| A.8.2 | Privileged access rights | Yes | Service role keys and admin access under strict controls |
| A.8.3 | Information access restriction | Yes | Row-Level Security (RLS), JWT validation, route guards |
| A.8.4 | Access to source code | Yes | GitHub repository access controlled; PR review required for all changes |
| A.8.5 | Secure authentication | Yes | MFA for operators; JWT for users; OAuth options available |
| A.8.6 | Capacity management | Yes | Token limits per plan; rate limiting; usage monitoring |
| A.8.7 | Protection against malware | Partial | File format validation for uploads; no executable code processed |
| A.8.8 | Management of technical vulnerabilities | Yes | Vulnerability management programme with Dependabot and defined SLAs |
| A.8.9 | Configuration management | Yes | Configuration as code; version-controlled infrastructure definitions |
| A.8.10 | Information deletion | Yes | Automated deletion; user-configurable retention periods |
| A.8.11 | Data masking | Yes | Logging restrictions and PII scrubbing in error tracking |
| A.8.12 | Data leakage prevention | Yes | SystemPromptGuard; logging restrictions; Content Security Policy |
| A.8.13 | Information backup | Yes | Point-in-Time Recovery (PITR) for production database; daily backups |
| A.8.14 | Redundancy of information processing facilities | Partial | Multi-provider AI failover; managed database redundancy; known single points of failure documented |
| A.8.15 | Logging | Yes | Structured logging across multiple sources |
| A.8.16 | Monitoring activities | Yes | BetterStack uptime, Sentry errors, PostHog analytics, security alerts |
| A.8.17 | Clock synchronization | Yes | Platform-managed NTP on all cloud services |
| A.8.18 | Use of privileged utility programs | N/A | No traditional server access; Deno runtime permissions scoped |
| A.8.19 | Installation of software on operational systems | Yes | Controlled via CI/CD pipelines and container-based builds |
| A.8.20 | Networks security | Yes | All communication paths secured with TLS |
| A.8.21 | Security of network services | Yes | TLS 1.2+ on all services; provider-managed network security |
| A.8.22 | Segregation of networks | Yes | Logical segregation via separate providers and environments |
| A.8.23 | Web filtering | Partial | Content Security Policy restricts frontend connections; runtime permissions restrict backend |
| A.8.24 | Use of cryptography | Yes | TLS 1.2+ enforced on all paths; encryption at rest via Supabase |
| A.8.25 | Secure development life cycle | Yes | Security embedded in every SDLC phase; TDD mandated |
| A.8.26 | Application security requirements | Yes | Security requirements analysis before coding; sensitive change review |
| A.8.27 | Secure system architecture and engineering principles | Yes | Architecture principles documented; threat modeling for new features |
| A.8.28 | Secure coding | Yes | Coding standards, prohibited patterns, AI-assisted coding controls |
| A.8.29 | Security testing in development and acceptance | Yes | TDD, automated test suite (unit/security/UI), CI gates |
| A.8.30 | Outsourced development | Partial | AI-assisted development governed by specific guidelines; no external human developers |
| A.8.31 | Separation of development, test and production environments | Yes | Separate database projects, application instances, and deployment targets per environment |
| A.8.32 | Change management | Yes | Full change management process with automated CI/CD enforcement |
| A.8.33 | Test information | Yes | Production data never copied to development; synthetic test data only |
| A.8.34 | Protection of information systems during audit testing | Yes | Audit testing in separate environments; read-only audit access |
ISMS Copilot addresses 79 of 93 Annex A controls (fully or partially), with 14 controls justifiably excluded as not applicable to our cloud-hosted, remote-first operating model. Physical controls (A.7) are primarily handled by our cloud infrastructure providers (Supabase, Fly.io, Vercel) under their own SOC 2 and ISO 27001 certifications.
Review
This Statement of Applicability is reviewed annually, when the ISMS scope changes, when risk treatment decisions change the set of required controls, after significant security incidents, and as part of the annual management review.