ISO 27001
At a glance
- Standard
- ISO/IEC 27001:2022
- Controls
- 93 Annex A controls, 4 themes
- Approach
- Risk-based ISMS
- Certification
- On roadmap (aligned today)
Information Security Management System
Our ISMS defines security objectives, a risk-assessment and treatment methodology, a Statement of Applicability, and a cycle of review and continual improvement. Security is owned at leadership level.
Annex A control themes
| Theme | Coverage |
|---|---|
| Organisational | Policies, roles, supplier security, threat intel, incident management |
| People | Screening, awareness training, responsibilities, joiner/mover/leaver |
| Physical | Secure cloud facilities, equipment and media handling |
| Technological | Access control, cryptography, secure development, logging, backup, vulnerability management |
Engineering practices
- Secure SDLC with code review and dependency/vulnerability scanning.
- Least-privilege access, MFA, and centralised audit logging.
- Encryption in transit and at rest; managed key lifecycle.
- Regular backups with tested restoration and business continuity.
- Independent penetration testing with remediation tracking.
Honest status
We describe ourselves as “aligned to ISO 27001 controls,” not certified. When certification is achieved the certificate and scope will be published here. Reviewers may request our current control mapping and Statement of Applicability summary under NDA.
Documentation available on request
- ISO 27001 control mapping / Statement of Applicability summary
- Penetration-test executive summary
- Information-security policy summary
Provided to qualified reviewers under a mutual NDA via contactus@desha.ai.
