ISO 27001:2022 Clause 4.3 · Version 3.1 · Approved 8 Jan 2026
The purpose of AcmeCorp's Information Security Management System (ISMS) is to protect the confidentiality, integrity, and availability of all information assets critical to the organisation's operations and its customers' data.
The ISMS objectives are to systematically manage information security risks, comply with applicable legal, regulatory, and contractual obligations, and continually improve the organisation's security posture through the Plan-Do-Check-Act (PDCA) cycle.
AcmeCorp is a SaaS technology company providing cloud-based business management solutions to mid-enterprise clients across the UK and EU. The company operates in a regulated environment: it is subject to GDPR and NIS 2 as legal obligations, maintains ISO 27001 certification, and must meet contractual SOC 2 Type II requirements from enterprise customers.
Key external factors include evolving data protection legislation, growing cyber threat landscapes, and client contractual requirements for independent assurance of information security controls.
All full-time employees, part-time employees, contractors, and authorised third parties accessing AcmeCorp systems fall within scope. The boundaries include all business units: Engineering, Product, InfoSec, Operations, Sales, Finance, HR, and Legal.
All information assets are registered in the Asset Register. Asset classification follows the Data Classification Policy with four tiers: Public, Internal, Confidential, and Restricted. Critical assets include customer data, authentication systems, source code repositories, and financial records.
In-scope technology includes: production SaaS platform (AWS eu-west-1, eu-central-1), CI/CD pipeline, corporate IT estate, endpoint devices, communications infrastructure, and authorised third-party integrations.
Risks are assessed using a 5×5 likelihood vs impact matrix. All risks scoring 15 or above require CISO approval for acceptance. The Risk Register is reviewed quarterly and after significant organisational or environmental changes.
The control set is based on ISO 27001:2022 Annex A (93 controls across 4 themes: organisational, people, physical, and technological). The Statement of Applicability documents all applicable controls, the justification for each inclusion or exclusion, and implementation status. Additional controls from SOC 2, GDPR, and BSI C5 are tracked as supplementary mappings.
The ISMS is governed by the Information Security Steering Committee, chaired by the CISO. The committee meets quarterly. Internal audits are conducted annually, and management reviews are held annually in line with the operations calendar.
All documented information required by ISO 27001 is maintained in Salvinta GRC. Records include policy documents, risk assessments, audit reports, management review minutes, and training records with defined retention periods per the Records Retention Schedule.
The ISMS interfaces with the following external parties: cloud infrastructure provider (AWS), identity provider (Okta), software development tooling (GitHub), and key subprocessors identified in the DPA register. Each carries contractual security obligations reviewed annually.
The following areas are currently excluded from ISMS scope with documented justifications:
| Excluded Area | Justification | Review Date |
|---|---|---|
| Legacy CRM (Sunset Q2 2026) | EoL system being decommissioned; data migrated to Salesforce | 30 Jun 2026 |
| US-based subsidiary (incorporation pending) | Legal entity not yet operational; to be incorporated Q3 2026 | 01 Sep 2026 |