ISO 27001:2022 — 93 Controls · Version 2.4
| Control Ref | Title | Domain | In Scope | Justification | Implementation | Responsible | Accountable |
|---|---|---|---|---|---|---|---|
| A.5 — Organisational Controls (37) | |||||||
| A.5.1 | Policies for information security | Organisational | In Scope | Core ISMS requirement | Completed | CISO | CEO |
| A.5.2 | Information security roles | Organisational | In Scope | Core ISMS requirement | Completed | HR Director | CISO |
| A.5.3 | Segregation of duties | Organisational | In Scope | SOC 2 and client requirements | Completed | IT Ops | CISO |
| A.5.4 | Management responsibilities | Organisational | In Scope | Core ISMS requirement | Completed | HR Director | CEO |
| A.5.5 | Contact with authorities | Organisational | In Scope | NIS 2 and GDPR requirement | In Progress | CISO | CEO |
| A.5.12 | Classification of information | Organisational | In Scope | Customer data protection | Completed | DPO | CISO |
| A.5.15 | Access control | Organisational | In Scope | Critical for platform security | Completed | IT Ops | CISO |
| A.5.23 | Information security for use of cloud services | Organisational | In Scope | AWS primary infrastructure | Completed | CTO | CISO |
| A.5.26 | Response to information security incidents | Organisational | In Scope | GDPR 72h notification obligation | Completed | CISO | CEO |
| A.5.29 | Information security during disruption | Organisational | In Scope | BCP / DR coverage | Planning | COO | CEO |
| A.6 — People Controls (8) | |||||||
| A.6.1 | Screening | People | In Scope | Pre-employment vetting | Completed | HR Director | CEO |
| A.6.3 | Information security awareness, education and training | People | In Scope | Annual mandatory requirement | Completed | HR Director | CISO |
| A.6.5 | Responsibilities after termination | People | In Scope | Leaver procedures | Completed | HR Director | CISO |
| A.7 — Physical Controls (14) | |||||||
| A.7.1 | Physical security perimeters | Physical | In Scope | Office and DC perimeters | Completed | Facilities | COO |
| A.7.4 | Physical security monitoring | Physical | In Scope | CCTV and badge access | Planning | Facilities | COO |
| A.7.9 | Security of assets off-premises | Physical | Out of Scope | Remote work classified separately | N/A | — | — |
| A.8 — Technological Controls (34) | |||||||
| A.8.2 | Privileged access rights | Technological | In Scope | Admin account controls | In Progress | IT Ops | CISO |
| A.8.5 | Secure authentication | Technological | In Scope | MFA enforcement on all systems | Completed | IT Ops | CISO |
| A.8.8 | Management of technical vulnerabilities | Technological | In Scope | Annual pen test + patching schedule | Completed | CTO | CISO |
| A.8.16 | Monitoring activities | Technological | In Scope | Datadog SIEM and alerting | In Progress | IT Ops | CISO |
| A.8.24 | Use of cryptography | Technological | In Scope | Data at rest and in transit | Completed | CTO | CISO |