ISO/IEC 27001:2022
Status: not pursuing in 2026 · reassessed quarterly · last updated 27 May 2026
Glassbreak is not currently ISO 27001 certified and is not at this time pursuing certification. This page sets out our reasoning, our current posture against the ISMS clauses (4–10) and Annex A (the four control themes), and the trigger conditions that would cause us to start.
Our position
ISO 27001:2022 is the international standard for an Information Security Management System (ISMS). A certified ISMS demonstrates that an organisation has identified its information-security risks, selected appropriate controls, and operates the management cycle (plan-do-check-act) to keep those controls effective.
For an organisation of our current size and customer base, ISO 27001 is a significant investment (typically £40,000–£120,000 in the first year including ISMS implementation, internal audit, and the Stage 1 + Stage 2 certification audit) and a multi-quarter time commitment from leadership. We have chosen to prioritise SOC 2 Type II first because it is the assurance North American enterprise customers ask for, and most of the underlying control work is shared with ISO 27001.
When we will start
We will begin ISO 27001 certification work when any one of the following becomes true:
- EU-headquartered ARR exceeds £500,000 annualised, or
- three or more named EU enterprise prospects require it in writing as a procurement gate, or
- we sign our first government, healthcare, or financial-services customer in the EU/EEA/UK, or
- our first SOC 2 Type II report has been issued (the marginal cost to add ISO 27001 is materially lower once SOC 2 controls are operating).
Status by ISMS clause (4–10)
The main body of the standard specifies the management system itself. The technical foundations and the controlled ISMS documents now exist; what remains is to operate the system through at least one internal-audit and management-review cycle and then have an accredited certification body audit it.
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| Clause 4 | Context of the organisation | Met | Controlled ISMS scope document at /policies/isms-scope defining organisational context, interested parties, boundaries, surfaces, and external interfaces. |
| Clause 5 | Leadership | Met | Information Security Policy published at /policies/information-security, approved by leadership, with the Security Officer named as accountable owner. |
| Clause 6 | Planning | Met | Risk Treatment Plan at /policies/risk-treatment-plan and Statement of Applicability at /policies/statement-of-applicability published as controlled documents. |
| Clause 7 | Support (competence, awareness, communication, documented information) | Met | Onboarding policy + training records (/policies/onboarding §§4.3, 5, 8); controlled document register is the /policies index with version + review-cycle metadata. |
| Clause 8 | Operation | Met | Operational planning and change control documented at /policies/sdlc; supplier ops at /policies/procedures/supplier-assessment; vendor lifecycle at /policies/supply-chain-risk. |
| Clause 9 | Performance evaluation | Met | Internal audit programme at /policies/cadences/internal-audit-programme; quarterly management review at /policies/cadences/management-review; annual technical evaluation at /policies/cadences/technical-evaluation. |
| Clause 10 | Improvement | Met | Corrective-action workflow with time-bounded SLAs at /policies/cadences/remediation-slas; nonconformities surface via daily snapshot, DR scenarios, audits, disclosure programme. |
Annex A — Organisational controls (A.5, 37 controls)
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| A.5.1–5.2 | Policies for information security | Met | Six published policies at /policies (InfoSec, IR, BCP/DR, Onboarding, Offboarding, Sanctions) reviewed annually with named owner. |
| A.5.3–5.6 | Segregation of duties; management responsibilities; contact with authorities and special-interest groups | Partial | OpenTofu plan and apply are separated by PR review gates (segregation of duties); no formal register of authority and special-interest-group contacts is maintained. |
| A.5.7 | Threat intelligence | Met | Documented consumption process at /policies/procedures/threat-intelligence (Dependabot, vendor advisories, sub-processor notices, CVE feeds, disclosure reports). |
| A.5.8 | Project management security | Met | Every project starts from the architecture document; security review is a mandatory step in the PR workflow. |
| A.5.9–5.14 | Asset management | Partial | IaC provides an authoritative inventory of cloud assets; endpoint and personal-device inventory is informal at current headcount. |
| A.5.15, 5.17–5.18 | Access control; authentication information; access rights | Partial | RBAC implemented; SSO and SCIM provisioning not yet available. |
| A.5.16 | Identity management | Met | Multi-factor authentication required for sensitive operations; refresh-token rotation with family-based reuse detection (presenting an already-rotated token revokes the whole token family). |
| A.5.19–5.23 | Supplier relationships | Met | Supply Chain Risk Management Plan at /policies/supply-chain-risk; intake + annual re-assessment at /policies/procedures/supplier-assessment; sub-processor list at /legal/sub-processors. |
| A.5.24–5.28 | Information security in incident management | Met | Incident response procedure at /policies/incident-response with SEV-1/2/3/4 classification, response phases, customer-notification SLAs, and post-mortem template. |
| A.5.29–5.30 | Information security during disruption; ICT readiness for business continuity | Met | Multi-cloud topology, 22 tested DR scenarios, daily backup integrity check. |
| A.5.31–5.36 | Legal, statutory, regulatory and contractual requirements; IP; records; privacy; independent review; compliance with policies | Partial | Published DPA with EU SCCs (Module 2, controller to processor), UK IDTA, and Swiss FADP addendum; jurisdictional requirements not yet consolidated into a single register. |
Annex A — People controls (A.6, 8 controls)
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| A.6.1 | Screening | Met | Background checks completed for workforce members with production access; right-to-work verified at hire. Procedure documented at /policies/onboarding §3. |
| A.6.2 | Terms and conditions of employment | Met | Employment contracts include confidentiality clauses. |
| A.6.3 | Awareness, education and training | Met | Mandatory security awareness training on joining and annually thereafter; role-specific training before independent action — per /policies/onboarding §§4.3, 5, 8. |
| A.6.4 | Disciplinary process | Met | Documented procedure at /policies/sanctions covering minor, material, and gross violations with proportionate sanctions and right of appeal. |
| A.6.5 | Responsibilities after termination | Met | Post-termination obligations (confidentiality, IP, non-disclosure, return of materials, cooperation) defined at /policies/offboarding §10. |
| A.6.6 | Confidentiality / NDA | Met | NDA in employment and contractor agreements. |
| A.6.7 | Remote working | Met | Controlled procedure at /policies/procedures/remote-working (network choice, home-office baseline, travel precautions, lost-device reporting). |
| A.6.8 | Information-security event reporting | Met | Internal channel at /policies/procedures/internal-incident-reporting; external programme at /trust/disclosure and security@glassbreak.io. |
Annex A — Physical controls (A.7, 14 controls)
Glassbreak operates no physical data centres. Production physical controls are inherited from cloud sub-processors (AWS, Scaleway, Neon, Fastly), all of which hold their own ISO 27001 and SOC 2 attestations. Office and equipment controls apply only to staff endpoints; the procedures below cover them, although the endpoint inventory itself is still informal at current headcount (see A.5.9–5.14 and A.8.1).
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| A.7.1–7.6 | Physical perimeters, entry controls, offices, facilities | Met | Inherited from cloud sub-processors with their own ISO 27001 / SOC 2 reports. |
| A.7.7 | Clear desk and clear screen | Met | Controlled procedure at /policies/procedures/clear-desk-clear-screen. |
| A.7.8 | Equipment siting and protection | Met | Inherited from sub-processors for production; staff endpoints at /policies/onboarding §4.1 + /policies/procedures/clear-desk-clear-screen. |
| A.7.9–7.14 | Off-site assets, storage media, secure disposal | Met | Off-site assets at /policies/procedures/off-site-assets; equipment decommissioning + cryptographic erasure at /policies/procedures/endpoint-decommissioning. |
Annex A — Technological controls (A.8, 34 controls)
The strongest area of coverage. The platform was designed with most of these controls in mind from the start.
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| A.8.1 | User endpoint devices | Partial | MDM and full-disk encryption enforced; formal endpoint inventory not yet centralised. |
| A.8.2 | Privileged access rights | Partial | Admin access requires MFA; just-in-time elevation and admin-action audit log exist; admin impersonation has known gaps (audit findings C-3, C-4). |
| A.8.3 | Information access restriction | Met | Per-organisation row-level isolation in the database; RBAC at the application layer. |
| A.8.4 | Access to source code | Met | GitHub with SSO + 2FA required; branch protection on main. |
| A.8.5 | Secure authentication | Met | Argon2id password hashing (t=4, m=128MB, p=2); TOTP and WebAuthn MFA; refresh-token rotation with tokens stored as peppered HMACs; EdDSA-signed JWTs with the verification key selected by the kid header. |
| A.8.6 | Capacity management | Partial | Serverless autoscaling; formal capacity planning not recurring. |
| A.8.7 | Protection against malware | Met | Built-in OS protections on endpoints; N/A for serverless production (no persistent compute surface). |
| A.8.8 | Management of technical vulnerabilities | Met | Monthly /policies/cadences/vulnerability-review with dated minutes captures each finding, severity, owner, and remediation deadline. |
| A.8.9 | Configuration management | Met | OpenTofu state under version control; no manual cloud-console changes. |
| A.8.10 | Information deletion | Met | Self-service erasure route mounted (audit finding C-12 resolved). Cryptographic erasure for shared secrets; account deletion via /legal/data-request. |
| A.8.11 | Data masking | Met | Customer content is end-to-end encrypted, so server-side systems hold only ciphertext and there is no plaintext to mask. |
| A.8.12 | Data leakage prevention | Partial | CSP, HSTS, no third-party tracking on authenticated pages; managed DLP not deployed. |
| A.8.13 | Information backup | Met | Per-vertical backups; integrity verified nightly in DR scenario 22. |
| A.8.14 | Redundancy of information processing facilities | Met | Two independent compute stacks across two providers; cross-vertical failover tested. |
| A.8.15 | Logging | Met | Application audit log, request log with trace IDs, sub-processor access logs. |
| A.8.16 | Monitoring activities | Met | Grafana Cloud with three SLO alerts and runbooks (docs/observability.md). |
| A.8.17 | Clock synchronisation | Met | NTP via cloud provider; serverless runtime clocks within tolerance. |
| A.8.18 | Use of privileged utility programs | Partial | SSH access to production is read-only and audited; admin-action audit log exists. |
| A.8.19 | Installation of software on operational systems | Met | CI-only deployment; no manual production installs. |
| A.8.20–8.23 | Networks security | Met | Per-vertical network isolation; egress controls on serverless functions; CSP and secure DNS at the edge. |
| A.8.24 | Use of cryptography | Met | AES-256-GCM at rest, TLS 1.2+ in transit, hybrid PQ encryption (RSA-OAEP-8192 + ML-KEM-1024), Wycheproof vectors in CI. See /technology/encryption. |
| A.8.25–8.34 | Secure development lifecycle | Met | Controlled SDLC procedure at /policies/sdlc with security activities at each phase (plan, design, implement, review, test, release, operate, retire). |
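The refresh-token rotation and family-based reuse detection named under A.5.16 and A.8.5 is easier to reason about in code. The following is an added illustration, not Glassbreak's implementation: it assumes opaque random tokens held by the client, a server-side pepper that would come from a secret manager (a constant here), and an in-memory table standing in for the database. The names `RefreshTokenStore` and `stolen_token_scenario` are invented for the example.

```python
"""Refresh-token rotation with peppered HMAC storage and family-based reuse detection.

Illustrative example only (not Glassbreak's code). Assumptions: tokens are opaque
random strings; the server stores only an HMAC fingerprint keyed with a server-side
pepper; each login opens a token "family", and presenting an already-rotated token
revokes the whole family, including its currently valid successor.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class TokenRecord:
    family_id: str
    subject: str
    issued_at: float
    used: bool = False  # set once the token has been exchanged for its successor


class RefreshTokenStore:
    def __init__(self, pepper: bytes, ttl_seconds: int = 30 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._pepper = pepper                      # production: load from a secret manager
        self._ttl = ttl_seconds
        self._clock = clock                        # injectable for deterministic tests
        self._records: dict[str, TokenRecord] = {}  # fingerprint -> record
        self._revoked_families: set[str] = set()

    def _fingerprint(self, token: str) -> str:
        # Keyed hash: a dump of the token table is useless without the pepper, and an
        # attacker cannot compute fingerprints offline to probe the store.
        return hmac.new(self._pepper, token.encode("utf-8"), hashlib.sha256).hexdigest()

    def _mint(self, subject: str, family_id: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits of entropy
        self._records[self._fingerprint(token)] = TokenRecord(family_id, subject, self._clock())
        return token

    def issue(self, subject: str) -> str:
        """Login: start a new token family for this session."""
        return self._mint(subject, family_id=secrets.token_hex(16))

    def rotate(self, token: str) -> Optional[str]:
        """Exchange a refresh token for its successor; None means the request is rejected."""
        rec = self._records.get(self._fingerprint(token))
        if rec is None:
            return None                            # never issued, or already purged
        if rec.family_id in self._revoked_families:
            return None                            # family killed by an earlier reuse
        if self._clock() - rec.issued_at > self._ttl:
            return None                            # expired: client must log in again
        if rec.used:
            # Reuse of an already-rotated token. Either the legitimate client or a thief
            # holds the stale copy and we cannot tell which, so revoke the whole family.
            self._revoked_families.add(rec.family_id)
            return None
        rec.used = True
        return self._mint(rec.subject, rec.family_id)

    def family_of(self, token: str) -> Optional[str]:
        rec = self._records.get(self._fingerprint(token))
        return rec.family_id if rec else None

    def is_family_revoked(self, family_id: str) -> bool:
        return family_id in self._revoked_families


def stolen_token_scenario() -> dict:
    """Constructed scenario: a copied token is replayed after the owner has rotated it."""
    store = RefreshTokenStore(pepper=b"example-pepper-not-for-production")
    t1 = store.issue("alice")
    t2 = store.rotate(t1)                  # legitimate client refreshes: t1 -> t2
    replay = store.rotate(t1)              # attacker presents the stale copy of t1
    successor = store.rotate(t2)           # the legitimate client's next refresh now fails too
    return {
        "t2_issued": t2 is not None,
        "replay_accepted": replay is not None,
        "family_revoked": store.is_family_revoked(store.family_of(t1)),
        "successor_accepted": successor is not None,
    }
```

The design choice worth noting is that reuse detection deliberately punishes the legitimate session: revoking the family forces a fresh login, which is the only way to be sure the attacker's successor token dies with it.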
Estimated effort to certification (if triggered)
- Months 0–3 — ISMS readiness. Hire or contract an ISO 27001 Lead Implementer; gap-assess the existing scope, policies, SoA, and risk treatment plan against the standard and the certification body's expectations, and close any gaps. Estimated effort: 0.5 FTE for one quarter.
- Months 3–6 — Operate the ISMS for at least one internal-audit cycle; run a management review; remediate nonconformities.
- Month 6 — Stage 1 certification audit (documentation review).
- Months 7–8 — Stage 2 certification audit (operating effectiveness).
- Month 9 — Certificate issued (three-year certification cycle with annual surveillance audits).
If we run SOC 2 Type II in parallel (or sequentially), most evidence is reusable: moving from a clean Type II report to ISO 27001 certification typically takes about three months plus the selection of a certification body, rather than a full cycle.
If ISO 27001 is a hard procurement requirement for your organisation, please write to compliance@glassbreak.io with your expected ACV and contract term so we can prioritise accordingly.