ISO 27001 Compliance


To ensure the security of our customers' information, we have implemented an Information Security Management System (ISMS) in accordance with the requirements of the ISO/IEC 27001:2022 standard.

All the company policies, terms, and operational procedures are organized into a set of interconnected documents.
These documents are internal, but we will be happy to show them to you and provide further details in a dedicated audit session.

  • Business Continuity Plan
    The structured framework that defines how the organization ensures the continued delivery of critical services and operations during and after disruptive events.

    It includes risk assessments, business impact analysis, continuity strategies, cloud provider selection, and recovery priorities to minimize downtime and safeguard essential functions.

  • Security Plan
    This document describes the organization's security objectives, policies, controls, and responsibilities.
    It details how information assets are protected and describes access control procedures and monitoring activities.
    It also includes the roadmap for maintaining and improving the security of the company and of the software (DPS).

  • Disaster Recovery Plan
    This plan describes the procedures, resources, and responsibilities needed to restore IT systems, infrastructure, and data after a disruption event.
    It covers backup strategies, recovery time objectives (RTO), recovery point objectives (RPO), and step-by-step restoration processes.

  • Employment Conditions & Company Policies
    The set of formal documents defining employee rights, responsibilities, roles, and expected behaviors within the organization.
    They include terms of employment, confidentiality agreements, acceptable use policies, code of conduct, and disciplinary measures.
    These documents ensure that personnel understand and comply with legal, contractual, and security requirements stated in the Security Plan.

Below you will find all the requirements of the ISO 27001:2022 standard; for each of them, where the arrow “→” is present, the documents listed after it describe how Servitly complies.

Main Clauses

1. Scope

Not relevant for describing the compliance.

2. Normative references

Not relevant for describing the compliance.

3. Terms and definitions

Not relevant for describing the compliance.

4. Context of the Organization

  1. The organization and its context are identified. → Business Continuity Plan, Security Plan, Security Framework.

    • Internal and external issues that may affect security, reliability, and performance.

  2. The needs and expectations of interested parties are well described. → Business Continuity Plan, Security Plan, SLA (Service Level Agreement).

    • Relevant stakeholders and their information security requirements.

  3. The scope of the ISMS is determined. → Security Plan, DPS Architecture, Security Framework.

    • The boundaries of the ISMS, including what is included and excluded (with justification).

    • Processes, activities, sites, information systems, and data are covered.

  4. The ISMS is established. → Security Plan, Security Framework.

    • The ISMS is established, implemented, maintained, and continually improved in accordance with the standard.

5. Leadership

  1. Leadership and commitment are demonstrated. → Security Plan

    • The ISMS is supported by top management and integrated into business processes.

    • Resources needed for the ISMS are provided, and a continuous improvement of the ISMS is promoted.

  2. The information security policy is established. → Security Plan, Employment Conditions & Company Policies

    • An information security policy appropriate to the organization’s purpose is established and maintained.

    • The policy is communicated within the organization and made available to interested parties.

  3. Organizational roles, responsibilities, and authorities are assigned. → Security Plan, Employment Conditions & Company Policies

    • Roles and responsibilities related to information security are assigned and communicated.

    • Authorities for ISMS performance and reporting are defined and acknowledged.

6. Planning

  1. Actions to address risks and opportunities are determined. → Business Continuity Plan, Security Plan, Secure Development Practices.

    • Risks and opportunities relevant to the ISMS are identified and addressed.

    • Information security risks are assessed using established risk assessment criteria.

    • Information security risks are treated through selected and implemented risk treatment options.

  2. Information security objectives and planning to achieve them are established. → Security Plan, Secure Development Practices.

    • Information security objectives consistent with the policy are defined and documented.

    • Objectives are monitored, communicated, and updated as appropriate.

    • Plans for achieving the objectives are established, including responsibilities, resources, timelines, and evaluation methods.

  3. Planning of changes is carried out. → Security Plan

    • Changes to the ISMS are planned and implemented in a controlled manner.

7. Support

  1. Resources are provided. → Business Continuity Plan, Security Plan

    • Necessary resources for establishing, implementing, maintaining, and continually improving the ISMS are provided.

  2. Competence is ensured. → Security Plan, Secure Development Practices.

    • Personnel performing work affecting the ISMS are made competent through education, training, or experience.

  3. Awareness is promoted. → Security Plan, Employment Conditions & Company Policies, Secure Development Practices.

    • Personnel are made aware of the information security policy, their contributions to ISMS effectiveness, and the implications of non-compliance.

  4. Communication is managed. → Security Plan

    • Internal and external communications relevant to the ISMS are determined, implemented, and maintained.

    • What to communicate, when, with whom, and how is defined.

  5. Documented information is controlled. → Security Plan

    • Required documented information is created, updated, and controlled.

    • Documented information required by the ISMS and the standard is protected and made available as needed (e.g. for audits).

8. Operation

  1. Operational planning and control are implemented. → Security Plan, Secure Development Practices.

    • Processes needed for the ISMS are planned, implemented, and controlled.

    • Criteria for these processes are established and applied.

    • Risks associated with operations are addressed and managed.

  2. Information security risk assessment is performed. → Security Plan, Secure Development Practices.

    • Information security risks are assessed at planned intervals and when changes occur.

    • Assessment results are documented and used to guide risk treatment.

  3. Information security risk treatment is applied. → Security Plan, Secure Development Practices.

    • Risk treatment plans are implemented and maintained.

    • Residual risks are accepted and communicated as appropriate.

    • Controls selected from Annex A or other sources are implemented and monitored.

9. Performance Evaluation

  1. Monitoring, measurement, analysis, and evaluation are performed. → Security Plan

    • The performance and effectiveness of the ISMS are monitored, measured, analyzed, and evaluated at planned intervals.

  2. Internal audits are conducted. → Security Plan, Secure Development Practices.

    • Internal audits of the ISMS are planned and performed at defined intervals.

    • Audit results are documented and communicated to relevant management.

  3. Management reviews are conducted. → Security Plan

    • The ISMS is reviewed by top management at planned intervals.

    • Opportunities for improvement and changes needed to maintain the ISMS are identified and acted upon.

10. Improvement

  1. Nonconformities and corrective actions are addressed. → Security Plan, Secure Development Practices

    • Nonconformities are identified and addressed.

    • Corrective actions are implemented to eliminate causes of nonconformities.

    • The effectiveness of corrective actions is verified.

  2. Continuous improvement is ensured. → Security Plan.

    • The ISMS is continually improved to enhance information security performance.

Annex A - Controls

A.5 – Organizational Controls

  1. Information Security Policies → Security Plan, Employment Conditions & Company Policies, Security Framework

  2. Information security roles and responsibilities → Security Plan, Employment Conditions & Company Policies

  3. Segregation of Duties → Security Plan, Employment Conditions & Company Policies

  4. Management responsibilities → Security Plan, Employment Conditions & Company Policies

  5. Contact with authorities → Security Plan, Data Processor Agreement

  6. Contact with special interest groups → Security Plan, Secure Development Practices

  7. Threat intelligence → Business Continuity Plan, Security Plan, Secure Development Practices

  8. Information security in project management → Security Plan, Employment Conditions & Company Policies, Secure Development Practices

  9. Inventory of information and other associated assets → Security Plan, Secure Development Practices

  10. Acceptable use of information and other associated assets → Security Plan

  11. Return of assets → Security Plan

  12. Classification of information → Security Plan

  13. Labelling of information → Security Plan

  14. Information transfer → Security Plan, Security Framework, GDPR Compliance

  15. Access control → Security Plan, Account and Identity Security

  16. Identity management → Security Plan, Account and Identity Security

  17. Authentication information → Security Plan, Account and Identity Security

  18. Access rights → Security Plan, Account and Identity Security

  19. Information security in supplier relationships → Security Plan, Employment Conditions & Company Policies

  20. Addressing information security within supplier agreements → Security Plan

  21. Managing information security in the ICT supply chain → Security Plan, Servitly Privacy Management

  22. Monitoring, review, and change management of supplier services → Security Plan

  23. Information security for the use of cloud services → Business Continuity Plan, Security Plan

  24. Information security incident management planning and preparation → Security Plan, Data Processor Agreement

  25. Assessment and decision on information security events → Business Continuity Plan, Security Plan, Secure Development Practices

  26. Response to information security incidents → Business Continuity Plan, Disaster Recovery Plan, Data Processor Agreement

  27. Learning from information security incidents → Security Plan

  28. Collection of evidence → Security Plan

  29. Information security during disruption → Security Plan, Continuous Improvements

  30. ICT readiness for business continuity → Business Continuity Plan, Security Plan, Secure Development Practices

  31. Legal, statutory, regulatory, and contractual requirements → Employment Conditions & Company Policies

  32. Intellectual Property Rights → Employment Conditions & Company Policies, Terms and Conditions

  33. Protection of records → Security Plan, Data Isolation

  34. Privacy and protection of personally identifiable information (PII) → Security Plan, Account and Identity Security, GDPR Compliance

  35. Independent review of information security → Security Plan, Continuous Improvements

  36. Compliance with policies, rules, and standards for information security → Security Plan

  37. Documented operating procedures → Security Plan

A.6 – People Controls

  1. Screening → Security Plan

  2. Terms and conditions of employment → Security Plan

  3. Information security awareness, education, and training → Security Plan, Employment Conditions & Company Policies, Continuous Improvements

  4. Disciplinary process → Security Plan

  5. Responsibilities after termination or change of employment → Security Plan

A.7 – Physical Controls

  1. Physical security perimeters → Business Continuity Plan, Security Plan

  2. Physical entry controls → Business Continuity Plan, Security Plan

  3. Securing offices, rooms, and facilities → Business Continuity Plan

  4. Physical security monitoring → Business Continuity Plan

  5. Protection against physical and environmental threats → Business Continuity Plan, Security Plan

  6. Working in secure areas → Business Continuity Plan, Security Plan

  7. Clear desk and clear screen → Business Continuity Plan, Security Plan

  8. Equipment siting and protection → Security Plan

  9. Security of assets off-premises → Security Plan

  10. Storage media → Security Plan

  11. Supporting utilities → Business Continuity Plan, Security Plan

  12. Cabling security → Business Continuity Plan, Security Plan

  13. Equipment maintenance → Security Plan

  14. Secure disposal or re-use of equipment → Security Plan

A.8 – Technological Controls

  1. Endpoint User Devices → Security Plan

  2. Privileged Access Rights → Security Plan, Account and Identity Security

  3. Information Access Restriction → Security Plan, Employment Conditions & Company Policies, Account and Identity Security

  4. Access to Source Code → Employment Conditions & Company Policies, Security Plan

  5. Secure Authentication → Employment Conditions & Company Policies, Account and Identity Security

  6. Capacity Management → Security Plan, Scalability, SLA (Service Level Agreement)

  7. Protection Against Malware → Security Plan

  8. Management of Technical Vulnerabilities → Security Plan, Secure Development Practices

  9. Configuration Management → Security Plan, DPS Configuration Console

  10. Information Deletion → Security Plan, Rights for Individuals

  11. Data Masking → Data Masking and Filtering

  12. Data Leakage Prevention → Employment Conditions & Company Policies

  13. Information Backup → Disaster Recovery Plan

  14. Redundancy of Information Processing Facilities → Business Continuity Plan, Disaster Recovery Plan, DPS Architecture

  15. Logging → Security Plan, Account and Identity Security

  16. Monitoring Activities → Monitoring and Logging

  17. Clock Synchronization → Microservices

  18. Use of Privileged Utility Programs → Security Plan

  19. Installation of Software on Operational Systems → Secure Development Practices

  20. Network Security → Architectural Security

  21. Security of Network Services → Architectural Security

  22. Segregation of Networks → Architectural Security

  23. Web Filtering → Architectural Security

  24. Use of Cryptography → Disaster Recovery Plan, REST API Security, IoT Connectors Security, Secure Development Practices

  25. Secure Development Life Cycle → Secure Development Practices, SLA (Service Level Agreement)

  26. Application Security Requirements → Secure Development Practices

  27. Secure System Architecture and Engineering Principles → Secure Development Practices

  28. Secure Coding → Secure Development Practices

  29. Security Testing in Development and Acceptance → Secure Development Practices

  30. Outsourced Development → NOT in place