Statement Of Applicability

| Control ID | Control name | Applicable (Y/N) | Justification (if N or partial) | Implementation status (Planned/Partial/Implemented) | Owner | Policy/Procedure reference | Evidence / record link | Notes |
|---|---|---|---|---|---|---|---|---|
| A.5.1 | Policies for Information Security | Y | Policy acknowledgement collection is in progress (records prepared for employees/contractors; signatures pending for some personnel). | Partial | Timo Andreas Bejan | 01.03-information-security-policy; 01.05-control-of-documented-information; 01.07-competence-awareness-and-training; 03-policies/; 04-procedures/ | doc-register; training-register; 07-records/2026/policy-acknowledgements/ | ISO 27001:2022/A.5-organizational-controls/A.5.1-policies-for-information-security.md |
| A.5.2 | Information Security Roles and Responsibilities | Y | Roles are defined and allocated; full communication/acknowledgement evidence is being collected (see acknowledgement records). | Partial | Timo Andreas Bejan | 01.04-roles-responsibilities-and-authorities; 01.07-competence-awareness-and-training; 04.01-people-onboarding-offboarding-and-third-parties | doc-register; training-register; 07-records/2026/policy-acknowledgements/ | ISO 27001:2022/A.5-organizational-controls/A.5.2-information-security-roles-and-responsibilities.md |
| A.5.3 | Segregation of Duties | Y | Due to small company size and customer constraints, full segregation is not always feasible; compensating controls (approvals, logging, reviews) are used and exceptions are handled via risk acceptance. | Partial | Timo Andreas Bejan | 03.15-segregation-of-duties-and-dual-control-policy; 01.04-roles-responsibilities-and-authorities; 03.02-access-control-policy; 04.02-access-request-changes-and-offboarding; 04.03-change-management; 03.05-secure-development-policy; 04.09-internal-audit | 02.02-risk-register (R-0003); 02.03-risk-treatment-plan (RTP-0004/0005/0006); access-register (ACC-0001–ACC-0018); internal-audit-program | ISO 27001:2022/A.5-organizational-controls/A.5.3-segregation-of-duties.md |
| A.5.4 | Management Responsibilities | Y | Framework and procedures in place; management review and internal audit cycles not yet completed. | Partial | Timo Andreas Bejan | 01.04-roles-responsibilities-and-authorities; 01.07-competence-awareness-and-training; 04.09-internal-audit; 04.10-management-review; 04.11-nonconformity-and-corrective-action | training-register; 07-records/2026/policy-acknowledgements/ | ISO 27001:2022/A.5-organizational-controls/A.5.4-management-responsibilities.md |
| A.5.5 | Contact with Authorities | Y | | Implemented | Timo Andreas Bejan | 04.05-incident-response; 01.04-roles-responsibilities-and-authorities | authorities-contact-register | ISO 27001:2022/A.5-organizational-controls/A.5.5-contact-with-authorities.md |
| A.5.6 | Contact with Special Interest Groups | Y | Small company; CISO monitors security advisories and vendor bulletins; formal group membership not warranted. | Partial | Timo Andreas Bejan | 01.07-competence-awareness-and-training | | ISO 27001:2022/A.5-organizational-controls/A.5.6-contact-with-special-interest-groups.md |
| A.5.7 | Threat Intelligence | Y | Threat awareness integrated into risk assessment and vulnerability management; dedicated threat intelligence tooling not warranted for company size. | Partial | Timo Andreas Bejan | 02.01-risk-management-methodology; 04.08-vulnerability-and-patching; 01.07-competence-awareness-and-training | | ISO 27001:2022/A.5-organizational-controls/A.5.7-threat-intelligence.md |
| A.5.8 | Information Security in Project Management | Y | | Implemented | Timo Andreas Bejan | template-project-security-checklist; 03.05-secure-development-policy; 04.02-access-request-changes-and-offboarding | customer-project-register; 07-records/2025/project-security-reviews/ | ISO 27001:2022/A.5-organizational-controls/A.5.8-information-security-in-project-management.md |
| A.5.9 | Inventory of Information and Other Associated Assets | Y | | Implemented | Timo Andreas Bejan | 03.03-asset-management-and-classification-policy | asset-register | ISO 27001:2022/A.5-organizational-controls/A.5.9-inventory-of-information-and-other-associated-assets.md |
| A.5.10 | Acceptable Use of Information and Other Associated Assets | Y | | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy; 03.14-ai-acceptable-use-policy | | ISO 27001:2022/A.5-organizational-controls/A.5.10-acceptable-use-of-information-and-other-associated-assets.md |
| A.5.11 | Return of Assets | Y | | Implemented | Timo Andreas Bejan | 04.01-people-onboarding-offboarding-and-third-parties; 04.02-access-request-changes-and-offboarding | access-register; asset-register | ISO 27001:2022/A.5-organizational-controls/A.5.11-return-of-assets.md |
| A.5.12 | Classification of Information | Y | | Implemented | Timo Andreas Bejan | 03.03-asset-management-and-classification-policy | | ISO 27001:2022/A.5-organizational-controls/A.5.12-classification-of-information.md |
| A.5.13 | Labelling of Information | Y | Labelling is implicit via folder structure and access controls (private repos, restricted Drive folders); formal labelling system not warranted for company size. | Partial | Timo Andreas Bejan | 03.03-asset-management-and-classification-policy | | ISO 27001:2022/A.5-organizational-controls/A.5.13-labelling-of-information.md |
| A.5.14 | Information Transfer | Y | | Implemented | Timo Andreas Bejan | 03.04-cryptography-and-secrets-policy; 03.01-acceptable-use-policy; template-project-security-checklist | 07-records/2026/supplier-agreements/ | ISO 27001:2022/A.5-organizational-controls/A.5.14-information-transfer.md |
| A.5.15 | Access Control | Y | | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 04.02-access-request-changes-and-offboarding | access-register | ISO 27001:2022/A.5-organizational-controls/A.5.15-access-control.md |
| A.5.16 | Identity Management | Y | | Implemented | Timo Andreas Bejan | 03.02-access-control-policy | access-register | ISO 27001:2022/A.5-organizational-controls/A.5.16-identity-management.md |
| A.5.17 | Authentication Information | Y | | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 03.04-cryptography-and-secrets-policy | | ISO 27001:2022/A.5-organizational-controls/A.5.17-authentication-information.md |
| A.5.18 | Access Rights | Y | | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 04.02-access-request-changes-and-offboarding; 03.15-segregation-of-duties-and-dual-control-policy | access-register | ISO 27001:2022/A.5-organizational-controls/A.5.18-access-rights.md |
| A.5.19 | Information Security in Supplier Relationships | Y | | Implemented | Timo Andreas Bejan | 03.06-supplier-management-policy | supplier-register; 07-records/2025/supplier-reviews/ | ISO 27001:2022/A.5-organizational-controls/A.5.19-information-security-in-supplier-relationships.md |
| A.5.20 | Addressing Information Security within Supplier Agreements | Y | | Implemented | Timo Andreas Bejan | 04.06-supplier-onboarding-and-review | supplier-register; 07-records/2025/supplier-reviews/; 07-records/2026/supplier-agreements/ | ISO 27001:2022/A.5-organizational-controls/A.5.20-addressing-information-security-within-supplier-agreements.md |
| A.5.21 | Managing Information Security in the ICT Supply Chain | Y | | Implemented | Timo Andreas Bejan | 03.06-supplier-management-policy; 04.06-supplier-onboarding-and-review | supplier-register; 07-records/2025/supplier-reviews/ | ISO 27001:2022/A.5-organizational-controls/A.5.21-managing-information-security-in-the-ict-supply-chain.md |
| A.5.22 | Monitoring, Review, and Change Management of Supplier Services | Y | | Implemented | Timo Andreas Bejan | 04.06-supplier-onboarding-and-review | supplier-register; 07-records/2025/supplier-reviews/ | ISO 27001:2022/A.5-organizational-controls/A.5.22-monitoring-review-and-change-management-of-supplier-services.md |
| A.5.23 | Information Security for Use of Cloud Services | Y | Cloud-first; supplier controls; MFA; logging; risk-based exceptions; AI usage governed. | Implemented | Timo Andreas Bejan | 03.06-supplier-management-policy; 03.14-ai-acceptable-use-policy | | ISO 27001:2022/A.5-organizational-controls/A.5.23-information-security-for-use-of-cloud-services.md |
| A.5.24 | Information Security Incident Management Planning and Preparation | Y | | Implemented | Timo Andreas Bejan | 04.05-incident-response; 03.07-incident-management-policy | incident-register; authorities-contact-register | ISO 27001:2022/A.5-organizational-controls/A.5.24-information-security-incident-management-planning-and-preparation.md |
| A.5.25 | Assessment and Decision on Information Security Events | Y | | Implemented | Timo Andreas Bejan | 04.05-incident-response | incident-register | ISO 27001:2022/A.5-organizational-controls/A.5.25-assessment-and-decision-on-information-security-events.md |
| A.5.26 | Response to Information Security Incidents | Y | | Implemented | Timo Andreas Bejan | 04.05-incident-response | incident-register | ISO 27001:2022/A.5-organizational-controls/A.5.26-response-to-information-security-incidents.md |
| A.5.27 | Learning from Information Security Incidents | Y | | Implemented | Timo Andreas Bejan | 04.05-incident-response; 04.11-nonconformity-and-corrective-action | incident-register | ISO 27001:2022/A.5-organizational-controls/A.5.27-learning-from-information-security-incidents.md |
| A.5.28 | Collection of Evidence | Y | | Implemented | Timo Andreas Bejan | 04.05-incident-response | 07-records/ | ISO 27001:2022/A.5-organizational-controls/A.5.28-collection-of-evidence.md |
| A.5.29 | Information Security During Disruption | Y | Proportionate to a small (~7 person) remote consultancy; informal redundancy (local copies, fallback communication channels) rather than a formal BCP. | Implemented | Timo Andreas Bejan | 03.08-business-continuity-and-availability-policy; 04.05-incident-response | | ISO 27001:2022/A.5-organizational-controls/A.5.29-information-security-during-disruption.md |
| A.5.30 | ICT Readiness for Business Continuity | Y | Cloud-first model with SaaS provider resilience; local copies on developer machines; formal DR runbook not warranted for company size. | Implemented | Timo Andreas Bejan | 03.08-business-continuity-and-availability-policy; 04.04-backup-and-restore | 07-records/2026/risk-acceptance/RA-2026-0001-no-independent-backups.md | ISO 27001:2022/A.5-organizational-controls/A.5.30-ict-readiness-for-business-continuity.md |
| A.5.31 | Legal, Statutory, Regulatory, and Contractual Requirements | Y | | Implemented | Timo Andreas Bejan | 01.02-context-and-interested-parties; 03.12-privacy-and-pii-policy; template-project-security-checklist | | ISO 27001:2022/A.5-organizational-controls/A.5.31-legal-statutory-regulatory-and-contractual-requirements.md |
| A.5.32 | Intellectual Property Rights | Y | | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy | Customer contracts (IP clauses); devplant GitHub (DP WAT IP) | ISO 27001:2022/A.5-organizational-controls/A.5.32-intellectual-property-rights.md |
| A.5.33 | Protection of Records | Y | | Implemented | Timo Andreas Bejan | 01.05-control-of-documented-information | GitHub repository (primary); Google Drive (secondary copy) | ISO 27001:2022/A.5-organizational-controls/A.5.33-protection-of-records.md |
| A.5.34 | Privacy and Protection of Personal Identifiable Information (PII) | Y | | Implemented | Timo Andreas Bejan | 03.12-privacy-and-pii-policy; 04.05-incident-response (72-hour notification); template-project-security-checklist | 07-records/2025/project-security-reviews/ (DPA tracking per project); authorities-contact-register (ANSPDCP contact) | ISO 27001:2022/A.5-organizational-controls/A.5.34-privacy-and-protection-of-personal-identifiable-information-pii.md |
| A.5.35 | Independent Review of Information Security | Y | | Implemented | Timo Andreas Bejan | 04.09-internal-audit | UP QUALITY (external) performs independent review; internal audits supplement | ISO 27001:2022/A.5-organizational-controls/A.5.35-independent-review-of-information-security.md |
| A.5.36 | Compliance with Policies, Rules, and Standards for Information Security | Y | | Implemented | Timo Andreas Bejan | 04.09-internal-audit; 04.11-nonconformity-and-corrective-action | 07-records/ (audit reports) | ISO 27001:2022/A.5-organizational-controls/A.5.36-compliance-with-policies-rules-and-standards-for-information-security.md |
| A.5.37 | Documented Operating Procedures | Y | | Implemented | Timo Andreas Bejan | 04-procedures/ | doc-register | ISO 27001:2022/A.5-organizational-controls/A.5.37-documented-operating-procedures.md |
| A.6.1 | Screening | Y | | Implemented | Timo Andreas Bejan | 04.01-people-onboarding-offboarding-and-third-parties | 07-records/ (screening evidence) | ISO 27001:2022/A.6-people-controls/A.6.1-screening.md |
| A.6.2 | Terms and Conditions of Employment | Y | | Implemented | Timo Andreas Bejan | 04.01-people-onboarding-offboarding-and-third-parties | Employment contracts; contractor agreements | ISO 27001:2022/A.6-people-controls/A.6.2-terms-and-conditions-of-employment.md |
| A.6.3 | Information Security Awareness, Education, and Training | Y | | Implemented | Timo Andreas Bejan | 01.07-competence-awareness-and-training; 04.01-people-onboarding-offboarding-and-third-parties | training-register; 07-records/ | ISO 27001:2022/A.6-people-controls/A.6.3-information-security-awareness-education-and-training.md |
| A.6.4 | Disciplinary Process | Y | Enforcement clause in the AUP; formal HR disciplinary procedure follows Romanian labor law. | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy | | ISO 27001:2022/A.6-people-controls/A.6.4-disciplinary-process.md |
| A.6.5 | Responsibilities After Termination or Change of Employment | Y | | Implemented | Timo Andreas Bejan | 04.01-people-onboarding-offboarding-and-third-parties; 04.02-access-request-changes-and-offboarding | access-register | ISO 27001:2022/A.6-people-controls/A.6.5-responsibilities-after-termination-or-change-of-employment.md |
| A.6.6 | Confidentiality or Non-disclosure Agreements | Y | | Implemented | Timo Andreas Bejan | 04.01-people-onboarding-offboarding-and-third-parties | Employment contracts; NDAs | ISO 27001:2022/A.6-people-controls/A.6.6-confidentiality-or-non-disclosure-agreements.md |
| A.6.7 | Remote Working | Y | | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy; 03.02-access-control-policy | | ISO 27001:2022/A.6-people-controls/A.6.7-remote-working.md |
| A.6.8 | Information Security Event Reporting | Y | | Implemented | Timo Andreas Bejan | 03.07-incident-management-policy; 04.05-incident-response | incident-register | ISO 27001:2022/A.6-people-controls/A.6.8-information-security-event-reporting.md |
| A.7.1 | Physical Security Perimeters | Y | Physical premises managed by DP COWORKING SRL (related entity); private offices with access control. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | DP COWORKING SRL agreement | ISO 27001:2022/A.7-physical-controls/A.7.1-physical-security-perimeters.md |
| A.7.2 | Physical Entry | Y | Digital locks and access control managed by DP COWORKING SRL; access granted to DP WAT personnel. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | DP COWORKING SRL agreement | ISO 27001:2022/A.7-physical-controls/A.7.2-physical-entry.md |
| A.7.3 | Securing Offices, Rooms, and Facilities | Y | Private locked offices at DP COWORKING SRL premises. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | | ISO 27001:2022/A.7-physical-controls/A.7.3-securing-offices-rooms-and-facilities.md |
| A.7.4 | Physical Security Monitoring | Y | Security camera on the office door, managed by DP COWORKING SRL. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | | ISO 27001:2022/A.7-physical-controls/A.7.4-physical-security-monitoring.md |
| A.7.5 | Protecting Against Physical and Environmental Threats | Y | Building protection (fire, flood) managed by DP COWORKING SRL as landlord. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | | ISO 27001:2022/A.7-physical-controls/A.7.5-protecting-against-physical-and-environmental-threats.md |
| A.7.6 | Working in Secure Areas | Y | The private office is the secure area; visitor escort rules in place. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | | ISO 27001:2022/A.7-physical-controls/A.7.6-working-in-secure-areas.md |
| A.7.7 | Clear Desk and Clear Screen | Y | | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy; 03.01-acceptable-use-policy | | ISO 27001:2022/A.7-physical-controls/A.7.7-clear-desk-and-clear-screen.md |
| A.7.8 | Equipment Siting and Protection | Y | Laptops with FileVault encryption; must not be left unattended in public. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy; 03.01-acceptable-use-policy | | ISO 27001:2022/A.7-physical-controls/A.7.8-equipment-siting-and-protection.md |
| A.7.9 | Security of Assets Off-premises | Y | Remote work covered by the AUP; encryption, screen lock and sane networks required. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy; 03.01-acceptable-use-policy | | ISO 27001:2022/A.7-physical-controls/A.7.9-security-of-assets-off-premises.md |
| A.7.10 | Storage Media | Y | External storage (USB/HDD) prohibited without CISO approval. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy; 03.01-acceptable-use-policy | | ISO 27001:2022/A.7-physical-controls/A.7.10-storage-media.md; [2025→2026 change: was N/A in old SoA; now Y with a prohibition policy approach] |
| A.7.11 | Supporting Utilities | N | No DP WAT-owned infrastructure requiring utility protection; cloud-first model. | N/A | Timo Andreas Bejan | 03.11-physical-security-policy | | ISO 27001:2022/A.7-physical-controls/A.7.11-supporting-utilities.md; [2025→2026 change: was Y in old SoA; now N/A, justified by the transition to a fully cloud-first model with no owned server infrastructure] |
| A.7.12 | Cabling Security | N | No DP WAT-owned network infrastructure; network managed by DP COWORKING and treated as zero trust. | N/A | Timo Andreas Bejan | 03.11-physical-security-policy | | ISO 27001:2022/A.7-physical-controls/A.7.12-cabling-security.md |
| A.7.13 | Equipment Maintenance | Y | Apple warranty for hardware issues; devices are expendable and replaced if damaged/stolen. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | asset-register | ISO 27001:2022/A.7-physical-controls/A.7.13-equipment-maintenance.md |
| A.7.14 | Secure Disposal or Re-use of Equipment | Y | Full wipe via Apple device management before disposal or reassignment. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | asset-register | ISO 27001:2022/A.7-physical-controls/A.7.14-secure-disposal-or-re-use-of-equipment.md |
| A.8.1 | User End Point Devices | Y | Company-owned devices: Apple MDM + FileVault; BYOD: written acknowledgement of encryption/screen lock; customer-owned: risk-assessed as third-party assets. | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy; 03.11-physical-security-policy; 04.01-people-onboarding-offboarding-and-third-parties | asset-register | ISO 27001:2022/A.8-technological-controls/A.8.1-user-end-point-devices.md |
| A.8.2 | Privileged Access Rights | Y | Privileged roles restricted to named individuals; MFA required; annual access reviews. | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 03.15-segregation-of-duties-and-dual-control-policy | access-register | ISO 27001:2022/A.8-technological-controls/A.8.2-privileged-access-rights.md |
| A.8.3 | Information Access Restriction | Y | Least privilege; access request/approval process; private repos and restricted folders. | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 04.02-access-request-changes-and-offboarding | access-register | ISO 27001:2022/A.8-technological-controls/A.8.3-information-access-restriction.md |
| A.8.4 | Access to Source Code | Y | Private GitHub repos; MFA required; least privilege with project-scoped access. | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy; 03.02-access-control-policy | access-register | ISO 27001:2022/A.8-technological-controls/A.8.4-access-to-source-code.md |
| A.8.5 | Secure Authentication | Y | MFA mandatory; unique accounts per user; passwords in approved managers (iCloud Keychain, 1Password). | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 03.04-cryptography-and-secrets-policy | | ISO 27001:2022/A.8-technological-controls/A.8.5-secure-authentication.md |
| A.8.6 | Capacity Management | Y | DP WAT SaaS tools: cloud providers handle capacity. Customer environments: monitoring and alerts in place; recommendations provided. | Implemented | Timo Andreas Bejan | 03.06-supplier-management-policy | | ISO 27001:2022/A.8-technological-controls/A.8.6-capacity-management.md |
| A.8.7 | Protection Against Malware | Y | Apple devices with built-in protections (XProtect, Gatekeeper, MRT); no additional endpoint protection (risk accepted R-0005). | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | 02.02-risk-register (R-0005) | ISO 27001:2022/A.8-technological-controls/A.8.7-protection-against-malware.md |
| A.8.8 | Management of Technical Vulnerabilities | Y | Automated patching via MDM; Dependabot alerts on all repos; AWS alerting for customer environments. Alert-based response; no proactive scanning. | Implemented | Timo Andreas Bejan | 03.10-vulnerability-management-policy; 04.08-vulnerability-and-patching | | ISO 27001:2022/A.8-technological-controls/A.8.8-management-of-technical-vulnerabilities.md |
| A.8.9 | Configuration Management | Y | Infrastructure as code on all projects; no plaintext credentials (AWS Secrets Manager, Azure Key Vault, etc.); developer credentials in iCloud Keychain. | Implemented | Timo Andreas Bejan | 03.04-cryptography-and-secrets-policy; 03.05-secure-development-policy | | ISO 27001:2022/A.8-technological-controls/A.8.9-configuration-management.md |
| A.8.10 | Information Deletion | Y | Equipment disposal: full wipe via MDM; offboarding: confirm deletion from BYOD; customer data: deleted per contract requirements at contract end. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy; 04.01-people-onboarding-offboarding-and-third-parties | Customer contracts | ISO 27001:2022/A.8-technological-controls/A.8.10-information-deletion.md |
| A.8.11 | Data Masking | Y | Prefer synthetic/anonymized test data; minimize production data on local machines; customer masking requirements followed per contract. | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | | ISO 27001:2022/A.8-technological-controls/A.8.11-data-masking.md |
| A.8.12 | Data Leakage Prevention | Y | No formal DLP tooling (proportionate to size; risk accepted R-0006); controls via AUP, private repos, MFA, least privilege, external storage prohibited. | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy; 03.02-access-control-policy | 02.02-risk-register (R-0006) | ISO 27001:2022/A.8-technological-controls/A.8.12-data-leakage-prevention.md |
| A.8.13 | Information Backup | Y | Deliberate choice: SaaS provider replication + local copies on dev machines; no independent backup system (risk accepted). | Implemented | Timo Andreas Bejan | 04.04-backup-and-restore; 03.08-business-continuity-and-availability-policy | 07-records/2026/risk-acceptance/RA-2026-0001-no-independent-backups.md | ISO 27001:2022/A.8-technological-controls/A.8.13-information-backup.md |
| A.8.14 | Redundancy of Information Processing Facilities | Y | DP WAT tools: SaaS provider redundancy (risk accepted). Customer environments: automatic backups (S3, DB snapshots, time travel, etc.). | Implemented | Timo Andreas Bejan | 03.08-business-continuity-and-availability-policy | 07-records/2026/risk-acceptance/RA-2026-0001-no-independent-backups.md | ISO 27001:2022/A.8-technological-controls/A.8.14-redundancy-of-information-processing-facilities.md; [2025→2026 change: was N/A in old SoA; now Y, addressed via reliance on SaaS provider redundancy with documented risk acceptance] |
| A.8.15 | Logging | Y | DP WAT systems: audit logs enabled (Google Workspace, GitHub, Cloudflare). Customer environments: logging implemented per customer requirements/budget. | Implemented | Timo Andreas Bejan | 03.02-access-control-policy | | ISO 27001:2022/A.8-technological-controls/A.8.15-logging.md |
| A.8.16 | Monitoring Activities | Y | DP WAT tools: audit logs spot-checked during periodic access reviews and quarterly log reviews. Customer environments: alerts in place (especially AWS). | Implemented | Timo Andreas Bejan | 03.02-access-control-policy; 04.07-log-review | | ISO 27001:2022/A.8-technological-controls/A.8.16-monitoring-activities.md |
| A.8.17 | Clock Synchronization | Y | macOS uses NTP by default; SaaS and cloud providers handle their own clock synchronization. | Implemented | Timo Andreas Bejan | OS default; cloud provider managed | | ISO 27001:2022/A.8-technological-controls/A.8.17-clock-synchronization.md |
| A.8.18 | Use of Privileged Utility Programs | Y | Developers have admin rights on their machines (required for dev work; risk accepted R-0004); source of truth is cloud/GitHub. | Implemented | Timo Andreas Bejan | 03.11-physical-security-policy | 02.02-risk-register (R-0004) | ISO 27001:2022/A.8-technological-controls/A.8.18-use-of-privileged-utility-programs.md |
| A.8.19 | Installation of Software on Operational Systems | Y | Dev machines: developers install as needed (risk accepted R-0004). Customer production: change management applies. | Implemented | Timo Andreas Bejan | 04.03-change-management | 02.02-risk-register (R-0004) | ISO 27001:2022/A.8-technological-controls/A.8.19-installation-of-software-on-operational-systems.md |
| A.8.20 | Network Security | Y | Zero trust model (all networks treated as untrusted); no owned infrastructure; TLS for all communications. | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy; 03.11-physical-security-policy | | ISO 27001:2022/A.8-technological-controls/A.8.20-network-security.md |
| A.8.21 | Security of Network Services | Y | Network services provided by SaaS vendors and DP COWORKING; treated as zero trust; no DP WAT-managed network services. | Implemented | Timo Andreas Bejan | 03.01-acceptable-use-policy; 03.06-supplier-management-policy | | ISO 27001:2022/A.8-technological-controls/A.8.21-security-of-network-services.md |
| A.8.22 | Segregation of Networks | N | No owned network infrastructure; the zero trust model treats all networks as untrusted, so there are no DP WAT-managed networks to segregate. | N/A | Timo Andreas Bejan | 03.01-acceptable-use-policy | | ISO 27001:2022/A.8-technological-controls/A.8.22-segregation-of-networks.md |
| A.8.23 | Web Filtering | Y | No technical web filtering (impractical for dev work; risk accepted R-0007); addressed via security awareness training. | Implemented | Timo Andreas Bejan | 01.07-competence-awareness-and-training | training-register; 02.02-risk-register (R-0007) | ISO 27001:2022/A.8-technological-controls/A.8.23-web-filtering.md |
| A.8.24 | Use of Cryptography | Y | FileVault (AES-256) for devices; secrets in approved managers (AES-256-GCM); TLS 1.2+ in transit; relies on provider-implemented cryptography. | Implemented | Timo Andreas Bejan | 03.04-cryptography-and-secrets-policy | | ISO 27001:2022/A.8-technological-controls/A.8.24-use-of-cryptography.md |
| A.8.25 | Secure Development Life Cycle | Y | Secure development policy in place; risk-based code review (R-0008); MFA on repos; dependency management; security testing per project risk. | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | 02.02-risk-register (R-0008) | ISO 27001:2022/A.8-technological-controls/A.8.25-secure-development-life-cycle.md |
| A.8.26 | Application Security Requirements | Y | Project security checklist captures requirements; customer requirements addressed per project. | Implemented | Timo Andreas Bejan | template-project-security-checklist; 03.05-secure-development-policy | 07-records/ (completed checklists) | ISO 27001:2022/A.8-technological-controls/A.8.26-application-security-requirements.md |
| A.8.27 | Secure System Architecture and Engineering Principles | Y | Defense in depth; secure defaults; least privilege via IaC; fail secure; input validation; standard stack (AWS/Terraform/ECS). | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | | ISO 27001:2022/A.8-technological-controls/A.8.27-secure-system-architecture-and-engineering-principles.md |
| A.8.28 | Secure Coding | Y | Static code analysis; IDE/GitHub dependency alerts; risk-based code review (R-0008); input validation; secrets handling. | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | 02.02-risk-register (R-0008) | ISO 27001:2022/A.8-technological-controls/A.8.28-secure-coding.md |
| A.8.29 | Security Testing in Development and Acceptance | Y | Static analysis; pen testing (FOX SYSTEMS); unit/integration/e2e/manual QA; coverage per project risk (R-0009); third-party dependencies chosen based on experience (reputable libraries only). | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | supplier-register (SUP-0016); 02.02-risk-register (R-0009) | ISO 27001:2022/A.8-technological-controls/A.8.29-security-testing-in-development-and-acceptance.md |
| A.8.30 | Outsourced Development | Y | DP WAT engages contractors (PFAs/companies) for development; contractors sign policy acknowledgements and NDAs/DPAs; subject to the onboarding/offboarding procedure; access time-bound and reviewed. | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy; 04.01-people-onboarding-offboarding-and-third-parties | 07-records/2026/policy-acknowledgements/ (contractor ACKs) | ISO 27001:2022/A.8-technological-controls/A.8.30-outsourced-development.md |
| A.8.31 | Separation of Development, Test, and Production Environments | Y | Separate AWS accounts where feasible; at minimum a separate data layer; IaC defines environments; production credentials/data not used in non-production; audit gap accepted (R-0010). | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | 02.02-risk-register (R-0010) | ISO 27001:2022/A.8-technological-controls/A.8.31-separation-of-development-test-and-production-environments.md; [2025→2026 change: was N/A in old SoA; now Y, documented with separation practices and risk acceptance for gaps] |
| A.8.32 | Change Management | Y | Change management procedure covers standard/normal/emergency changes; risk assessment; rollback plans; SoD for high-risk changes; post-implementation review; stakeholder communication via Slack/email. | Implemented | Timo Andreas Bejan | 04.03-change-management; 03.15-segregation-of-duties-and-dual-control-policy | 07-records/ (change records) | ISO 27001:2022/A.8-technological-controls/A.8.32-change-management.md |
| A.8.33 | Test Information | Y | Prefer synthetic/anonymized test data; production data access minimized; test environments ephemeral (CI/Docker), with data disposed of when torn down; access controls apply; environment separation per A.8.31. | Implemented | Timo Andreas Bejan | 03.05-secure-development-policy | | ISO 27001:2022/A.8-technological-controls/A.8.33-test-information.md |
| A.8.34 | Protection of Information Systems During Audit Testing | Y | Audit scope agreed in advance; external auditors get supervised side-by-side access only (CISO shows what is needed); no unsupervised system access; pen testing scoped per customer project. | Implemented | Timo Andreas Bejan | 04.09-internal-audit | | ISO 27001:2022/A.8-technological-controls/A.8.34-protection-of-information-systems-during-audit-testing.md |