Statement of Applicability (current as of 05/09/2025)
Legend (for Selected Controls and Reasons for control selection), Version 1, 05/09/2025
LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent
Each control entry below gives: Clause/Sec and control title; Control objective/control; Current controls; Remarks (justification for exclusion) where a control is excluded; Information security attributes (control type, information security properties, cybersecurity concepts, operational capabilities, security domains); Selected controls and reasons for selection (one tick per applicable reason among LR, CO, BR/BP and RRA); Remarks (overview of implementation).
A.5 Organisational Controls

5.1 Policies for information security
Control: Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
Current controls: Information Security Policy and supporting topic-specific policies in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities governance; domains defence, governance and ecosystem, resilience
Selected: ✓✓✓
Implementation: Patronus maintains a single Information Security Policy, approved by both directors and supported by concise procedures (e.g. access, incidents, data handling). The policy is stored in Activ, version-controlled, and will be reviewed annually or after significant change. All future staff and contractors will confirm understanding at onboarding; relevant sections will be shared with partners and clients where appropriate.

5.2 Information security roles and responsibilities
Control: Information security roles and responsibilities shall be defined and allocated according to the organization needs.
Current controls: Roles and Responsibilities Register in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities governance; domains governance and ecosystem, resilience
Selected: ✓✓✓
Implementation: Information security responsibilities are defined in Patronus' Roles and Responsibilities Register. Both directors share accountability, with clear allocation of operational tasks (e.g. access control, incident handling). Roles are reviewed annually or when responsibilities change. In the Activ system: Manager = KR + MC, Editor = KR, Read-only = MC.

5.3 Segregation of duties
Control: Conflicting duties and conflicting areas of responsibility shall be segregated.
Current controls: Roles and Responsibilities Register in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities governance, identity and access management; domains governance and ecosystem
Selected: ✓✓✓
Implementation: Given Patronus' small size, both directors share responsibilities but apply peer review to key activities (e.g. system access changes, policy updates), so that no single person has unchecked control over critical information security processes.

5.4 Management responsibilities
Control: Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
Current controls: Communication Register in place; Internal Audit plans in place and audit carried out
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities governance; domains governance and ecosystem
Selected: ✓✓✓
Implementation: Both directors actively support and enforce information security by approving policies, ensuring resources are in place, and monitoring compliance. Responsibilities are documented in the Roles and Responsibilities Register and reviewed annually. The Communication Register, Internal Audit Plan and Internal Audit Report form are also relevant.
5.5 Contact with authorities
Control: The organization shall establish and maintain contact with relevant authorities.
Current controls: Threat Intelligence Policy in place; Relevant Authorities Register in place
Attributes: control type preventive, corrective; properties confidentiality, integrity, availability; concepts identify, protect, respond, recover; capabilities governance; domains defence, resilience
Selected: ✓
Implementation: Patronus maintains up-to-date contact details for relevant authorities (e.g. ICO, law enforcement) in the Relevant Authorities Register on Google Drive, to enable timely reporting and cooperation if required. Both directors are responsible for maintaining and using these contacts.

5.6 Contact with special interest groups
Control: The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.
Current controls: Both directors endeavour to maintain contact with special interest groups, receive newsletters and attend events.
Attributes: control type preventive; properties integrity; concepts protect; capabilities governance; domains defence, resilience
Selected: ✓
Implementation: Patronus maintains awareness of information security developments through professional networks, ISO resources and safeguarding sector groups. This supports continual improvement and alignment with best practice.

5.7 Threat intelligence
Control: Information relating to information security threats shall be collected and analysed to produce threat intelligence.
Current controls: Threat Intelligence Policy in place; Improvement Procedure and Log in place
Attributes: control type preventive, detective, corrective; properties confidentiality, integrity, availability; concepts identify, detect, respond; capabilities threat and vulnerability management; domains defence, resilience
Selected: ✓✓
Implementation: Patronus monitors relevant cyber threat intelligence through trusted sources (e.g. OWASP, ICO, sector updates). The directors will review and act on updates to strengthen controls; resulting actions are tracked under the Improvement Procedure and Improvement Log, and clients will be kept informed where appropriate.

5.8 Information security in project management
Control: Information security shall be integrated into project management.
Current controls: Project documentation and reports include a security and risk section; Information Security Change Management Register in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify, protect; capabilities governance; domains governance and ecosystem, protection
Selected: ✓✓✓
Implementation: Information security is considered in all Patronus projects, including software development and consultancy. Risks are assessed at the outset, with directors ensuring controls are built into delivery. This is recorded in the Project Documentation on Google Drive.
5.9 Inventory of information and other associated assets
Control: An inventory of information and other associated assets, including owners, shall be developed and maintained.
Current controls: Equipment and Asset registers in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities asset management; domains governance and ecosystem, protection
Selected: ✓✓
Implementation: Patronus manages and maintains a full configuration management database of assets, with accountability recorded in the asset register on Google Drive. Key information assets, systems and devices are inventoried in the Equipment and Maintenance Register and the Physical Asset Register. The inventory is reviewed annually and updated when assets are added or removed. The Software Functionality Test runs automatically on every change.

5.10 Acceptable use of information and other associated assets
Control: Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
Current controls: Acceptable Use of Assets Policy in place; Mobile Devices Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities asset management, continuity, information protection; domains governance and ecosystem, protection
Selected: ✓✓✓
Implementation: Patronus defines acceptable use of systems, devices and data in the Acceptable Use of Assets Policy. All staff and contractors will confirm understanding at onboarding, with compliance monitored by the directors. The Leaver Checklist supports appropriate offboarding.

5.11 Return of assets
Control: Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.
Current controls: Acceptable Use of Assets Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities asset management; domains protection
Selected: ✓✓✓
Implementation: Patronus requires all equipment, accounts and data to be returned or revoked when staff or contractors leave. Directors will oversee recovery and confirm completion via the offboarding register.

5.12 Classification of information
Control: Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Current controls: Information Classification and Labelling Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities information protection; domains defence, governance and ecosystem, protection, resilience
Selected: ✓✓✓✓
Implementation: Classification rules are set out in the Control of Documented Information Procedure. They ensure information assets are classified consistently, considering value, criticality, legal requirements and sensitivity. The rules are designed to be practical for future staff, directors and third parties handling Patronus information.

5.13 Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Current controls: Information Classification and Labelling Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities information protection; domains protection
Selected: ✓✓✓✓
Implementation: Where required, information is labelled according to the classification rules in the Control of Documented Information Procedure. Labels are applied in a practical way so that future staff and third parties can handle assets consistently. Currently all files and documents are held to the 'Highly Confidential' standard, with access restricted to the directors, protected by LastPass, and an encrypted secrets vault for production credentials.

5.14 Information transfer
Control: Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
Current controls: Control of Documented Information Procedure in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities asset management, information protection; domains protection
Selected: ✓
5.15 Access control
Control: Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
Current controls: Access Control Policy in place; Information Security Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities identity and access management; domains protection
Selected: ✓✓
Implementation: Access to systems and data is granted on a need-to-know basis by the directors. Accounts will be reviewed regularly, and access is revoked immediately when no longer required, following the Leaver Checklist and checked against the Systems Access Control Register.

5.16 Identity management
Control: The full life cycle of identities shall be managed.
Current controls: Access Control Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities identity and access management; domains protection
Selected: ✓✓✓
Implementation: Patronus manages user identities through unique accounts for all staff and contractors. Directors approve account creation, changes and removal to ensure only authorised users have access.

5.17 Authentication information
Control: Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.
Current controls: Access Control Policy in place; Acceptable Use Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities identity and access management; domains protection
Selected: ✓
Implementation: Patronus protects authentication information through strong password requirements and multi-factor authentication on key systems such as LastPass. Passwords are never shared, and reset processes are controlled by the directors.

5.18 Access rights
Control: Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.
Current controls: Access Control Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities identity and access management; domains protection
Selected: ✓✓
Implementation: User access rights will be approved and reviewed by the directors to ensure alignment with role requirements. Access will be promptly adjusted or removed when responsibilities change or users leave, following the Leaver Checklist.
5.19 Information security in supplier relationships
Control: Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products or services.
Current controls: Register of externally provided products, processes and services in place; Supplier Policy in place; Approved Supplier List in place; Register of Provider SLAs in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities supplier relationships security; domains defence, governance and ecosystem, protection, resilience
Selected: ✓
Implementation: Patronus evaluates suppliers against information security and data protection requirements before engagement. Ongoing relationships will be reviewed periodically to ensure suppliers continue to meet agreed standards.

5.20 Addressing information security within supplier agreements
Control: Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.
Current controls: Register of externally provided products, processes and services in place; Supplier Policy in place; Approved Supplier List in place; Register of Provider SLAs in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities supplier relationships security; domains governance and ecosystem, protection
Selected: ✓
Implementation: All required information security requirements are contained in the contract/SLA and understood by all parties. Other staff involved in the project should be given a basic understanding of the main terms.

5.21 Managing information security in the information and communication technology (ICT) supply chain
Control: Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Current controls: Register of externally provided products, processes and services in place; Supplier Policy in place; Approved Supplier List in place; Register of Provider SLAs in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities supplier relationships security; domains governance and ecosystem, protection
Selected: ✓
Implementation: Patronus assesses ICT suppliers for security controls, data protection and reliability. Directors will monitor supplier performance and ensure risks in the supply chain are identified and managed.

5.22 Monitoring, review and change management of supplier services
Control: The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
Current controls: Register of externally provided products, processes and services in place; Supplier Policy in place; Approved Supplier List in place; Register of Provider SLAs in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities supplier relationships security, information security assurance; domains defence, governance and ecosystem, protection, resilience
Selected: ✓
Implementation: Supplier services are monitored by the directors to confirm security requirements are met. Reviews take place at renewal or when significant changes occur, with actions tracked as needed.

5.23 Information security for use of cloud services
Control: Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.
Current controls: Register of externally provided products, processes and services in place; Supplier Policy in place; Approved Supplier List in place; Register of Provider SLAs in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts protect; capabilities supplier relationships security; domains governance and ecosystem, protection
Selected: ✓
Implementation: Patronus uses cloud-based services with built-in resilience and backup to maintain operations during disruption. Directors will review continuity measures annually and test recovery arrangements where practical.
5.24 Information security incident management planning and preparation
Control: The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
Current controls: Security Incident Procedure and Security Incident Log in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts respond, recover; capabilities governance, information security event management; domains defence
Selected: ✓
Implementation: Patronus manages incidents through the Security Incident Procedure and maintains a Security Incident Log. Both directors are responsible for recording, investigating and resolving incidents, with outcomes used to improve controls.

5.25 Assessment and decision on information security events
Control: The organization shall assess information security events and decide if they are to be categorized as information security incidents.
Current controls: Security Incident Procedure and Security Incident Log in place
Attributes: control type detective; properties confidentiality, integrity, availability; concepts detect, respond; capabilities information security event management; domains defence
Selected: ✓
Implementation: All information security events are reviewed by the directors under the Security Incident Procedure. Events are assessed for impact and likelihood, and the decision on whether they qualify as incidents is recorded in the Security Incident Log.

5.26 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.
Current controls: Security Incident Procedure and Security Incident Log in place
Attributes: control type corrective; properties confidentiality, integrity, availability; concepts respond, recover; capabilities information security event management; domains defence
Selected: ✓
Implementation: When incidents occur, Patronus will follow the Security Incident Procedure to contain, investigate and resolve them. Alerting software sends automated emails to the Tech Lead and Information Security Manager, who assign incidents based on priority and severity. Actions and outcomes will be recorded in the Security Incident Log and reviewed to prevent recurrence.

5.27 Learning from information security incidents
Control: Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
Current controls: Security Incident Procedure and Security Incident Log in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify, protect; capabilities information security event management; domains defence
Selected: ✓
Implementation: Patronus will review all incidents recorded in the Security Incident Log to capture lessons learned. Directors will ensure corrective actions are implemented and improvements are fed back into policies, controls and (future) staff awareness.

5.28 Collection of evidence
Control: The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Current controls: Security Incident Procedure and Security Incident Log in place
Attributes: control type corrective; properties confidentiality, integrity, availability; concepts detect, respond; capabilities information security event management; domains defence
Selected: ✓
Implementation: Patronus follows the Security Incident Procedure to collect and preserve evidence in a way that supports potential legal or disciplinary action. The Tech Lead and Information Security Manager ensure integrity and proper documentation in Google Drive, with controls appropriate to the classification label of the data.
5.29 Information security during disruption
Control: The organization shall plan how to maintain information security at an appropriate level during disruption.
Current controls: Business Continuity and handover plan in place
Attributes: control type preventive, corrective; properties confidentiality, integrity, availability; concepts protect, respond; capabilities continuity; domains protection, resilience
Selected: ✓✓✓
Implementation: Patronus will maintain security controls during business disruptions by using resilient cloud services (AWS and Heroku), predefined business continuity procedures and a business impact analysis. Directors will ensure access, data protection and monitoring remain in place throughout any disruption.

5.30 ICT readiness for business continuity
Control: ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Current controls: Business Continuity and handover plan in place; Recovery time objective (RTO); Business impact analysis (BIA)
Attributes: control type corrective; properties availability; concepts respond; capabilities continuity; domains protection, resilience
Selected: ✓✓✓
Implementation: The BIA and BAU plans are in full operation and detail how the business will respond in the event of operational disruption. Business needs and expectations are detailed, with regular testing in place to ensure the plan's continued fitness for purpose.

5.31 Legal, statutory, regulatory and contractual requirements
Control: Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.
Current controls: Information Security Legal Obligations Register in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities legal and compliance; domains governance and ecosystem, protection
Selected: ✓✓✓✓
Implementation: Patronus maintains a register of applicable legal, regulatory and contractual obligations (e.g. UK GDPR, Data Protection Act 2018) in the Information Security Obligations document. Directors will review compliance annually and when regulations or contracts change.
5.32 Intellectual property rights
Control: The organization shall implement appropriate procedures to protect intellectual property rights.
Current controls: Use of Intellectual Property Policy in place; NDA templates in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify; capabilities legal and compliance; domains governance and ecosystem, protection
Selected: ✓✓✓✓
Implementation: Patronus respects and protects intellectual property by using properly licensed software and content. Directors will ensure that future staff and contractors follow the Use of Intellectual Property Policy, with checks included in supplier and project reviews. NDA documents are available when required.

5.33 Protection of records
Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Current controls: Control of Documented Information Procedure in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify, protect; capabilities asset management, identity and access management, information protection, legal and compliance; domains defence
Selected: ✓✓✓✓
Implementation: Patronus protects records through secure cloud storage with access controls and backups. Retention and disposal will follow legal, regulatory and contractual requirements, overseen by the directors as set out in the Control of Documented Information Procedure.

5.34 Privacy and protection of personal identifiable information (PII)
Control: The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
Current controls: Protection of Personal Information Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify, protect; capabilities information protection, legal and compliance; domains protection
Selected: ✓✓✓
Implementation: Patronus complies with UK GDPR and the Data Protection Act 2018. Personal data is processed lawfully and securely, with access limited to authorised users. Data protection is built into policies, procedures and system design. Patronus is registered with the ICO.

5.35 Independent review of information security
Control: The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
Current controls: Internal Audit Plan and Form in place; Management Review Record in place; ISMS in place for ISO 27001
Attributes: control type preventive, corrective; properties confidentiality, integrity, availability; concepts identify, protect; capabilities information security assurance; domains governance and ecosystem
Selected: ✓✓✓
Implementation: Patronus' ISMS is independently reviewed at planned intervals by the British Assessment Bureau as part of ISO 27001 certification. This provides assurance that policies and controls remain effective.

5.36 Compliance with policies, rules and standards for information security
Control: Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
Current controls: Internal Audit Plan and Form in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify, protect; capabilities information security assurance, legal and compliance; domains governance and ecosystem
Selected: ✓✓✓
Implementation: Patronus will monitor compliance with its information security policies and procedures through internal checks by the directors. Non-compliance is logged, investigated and addressed through corrective actions, as per the Internal Audit Report Form and Management Review Record.

5.37 Documented operating procedures
Control: Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
Current controls: Operational Controls Policy
Attributes: control type preventive, corrective; properties confidentiality, integrity, availability; concepts protect, recover; capabilities asset management, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, information security event management; domains defence, governance and ecosystem, protection
Selected: ✓
Implementation: Patronus maintains documented procedures (e.g. Security Incident Procedure, Control of Documented Information) to guide consistent operations. Procedures are version-controlled, reviewed annually, and will be accessible to future staff and contractors.
A.6 People Controls

6.1 Screening
Control: Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Current controls: Screening Policy in place
Attributes: control type preventive; properties confidentiality, integrity; concepts identify, protect; capabilities governance, legal and compliance; domains governance and ecosystem, protection
Selected: ✓✓✓✓
Implementation: All staff and contractors engaged by Patronus will undergo appropriate background checks (e.g. employment references, right-to-work and, where relevant, safeguarding checks). Screening is proportionate to role and responsibility.

6.2 Terms and conditions of employment
Control: The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security.
Current controls: Terms and conditions of employment in place
Attributes: control type preventive; properties confidentiality, integrity; concepts identify, protect; capabilities governance, legal and compliance; domains governance and ecosystem, protection
Selected: ✓✓✓✓
Implementation: Patronus will include information security responsibilities in staff and contractor agreements. Contracts reference confidentiality, data protection and compliance with Patronus' policies and procedures.

6.3 Information security awareness, education and training
Control: Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.
Current controls: Relevant training completed as outlined in competency proof
Attributes: control type preventive, detective; properties confidentiality, integrity, availability; concepts identify, protect; capabilities governance, human resource security; domains governance and ecosystem, resilience
Selected: ✓✓✓✓
Implementation: All staff and contractors will receive induction training on Patronus' information security policies and procedures. Awareness will be refreshed annually, and updates will be provided when significant changes occur.

6.4 Disciplinary process
Control: A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
Current controls: Information Security Disciplinary Policy in place
Attributes: control type corrective; properties confidentiality, integrity; concepts respond; capabilities governance, legal and compliance; domains governance and ecosystem, resilience
Selected: ✓✓✓✓
Implementation: Patronus has a documented disciplinary procedure that applies to breaches of information security policies. Directors investigate incidents, and actions may include retraining, formal warning or termination, depending on severity.

6.5 Responsibilities after termination or change of employment
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
Current controls: Offboarding Register in place
Attributes: control type preventive, corrective; properties confidentiality, integrity; concepts protect; capabilities identity and access management, governance; domains governance and ecosystem, protection
Selected: ✓✓✓✓
Implementation: On termination or role change, Patronus will follow the Leaver Checklist to ensure access rights are revoked, all assets are returned and confidentiality obligations remain in force. Directors oversee and confirm completion and update the Systems Access Control Register.

6.6 Confidentiality or non-disclosure agreements
Control: Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
Current controls: NDA template in place
Attributes: control type preventive; properties confidentiality; concepts identify, protect; capabilities legal and compliance, supplier relationships security; domains governance and ecosystem, protection
Selected: ✓✓✓✓
Implementation: All future Patronus staff and contractors will sign confidentiality or non-disclosure agreements as part of their contracts. These obligations remain in force after the engagement ends.

6.7 Remote working
Control: Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.
Current controls: Remote Working Policy in place
Attributes: control type preventive; properties confidentiality, integrity, availability; concepts identify, protect; capabilities continuity, asset management; domains protection, resilience
Selected: ✓✓✓✓
Implementation: Patronus supports remote working through secure cloud services, MFA and encrypted devices. Future staff and contractors will follow the Remote Working Procedure, which sets out requirements for secure access, storage and communication.

6.8 Information security event reporting
Control: The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Current controls: Security Incident Procedure and Security Incident Log in place; Improvement Procedure and Improvement Log in place
Attributes: control type detective; properties confidentiality, integrity, availability; concepts detect, respond; capabilities incident management, governance; domains defence, governance and ecosystem
Selected: ✓✓✓✓
Implementation: Patronus maintains a clear process for reporting actual or suspected information security events. Future staff and contractors are required to report events immediately via the Security Incident Procedure, which directs them to notify the Tech Lead or Information Security Manager without delay.
56
A.7Physical Controls
57
7.1Physical security perimetersSecurity perimeters shall be defined and used to protect areas that contain information and other associated assets.We are a remote first organisation with no physical office spaceEXCLUDED
58
7.2Physical entrySecure areas shall be protected by appropriate entry controls and access points.We are a remote first organisation with no physical office spaceEXCLUDED
59
7.3Securing offices, rooms and facilitiesPhysical security for offices, rooms and facilities shall be designed and implemented.We are a remote first organisation with no physical office spaceEXCLUDED
60
7.4Physical security monitoringPremises shall be continuously monitored for unauthorized physical access.We are a remote first organisation with no physical office spaceEXCLUDED
61
7.5Protecting against physical and environmental threatsProtection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.Approved Supplier list in place provides due dilligence against environmental threatsPreventiveAvailability, IntegrityIdentify, ProtectContinuity, Physical SecurityProtection, ResiliencePPPPRisks are managed via provider SLAs, insurance, and disaster recovery planning.
62
7.6 Working in secure areas
Control: Security measures for working in secure areas shall be designed and implemented.
Justification for exclusion: We are a remote-first organisation with no physical office space.
Status: EXCLUDED

7.7 Clear desk and clear screen
Control: Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
Current controls: Clear Desk and Clear Screen Policy in place
Control type: Preventive
Information security properties: Confidentiality
Cybersecurity concepts: Protect
Operational capabilities: Governance, Information Protection
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus enforces a clear desk and clear screen approach to reduce the risk of unauthorised access. Staff must lock screens when unattended, store papers and removable media securely, and avoid leaving sensitive information exposed.

7.8 Equipment siting and protection
Control: Equipment shall be sited securely and protected.
Justification for exclusion: We are a remote-first organisation with no physical office space.
Status: EXCLUDED

7.9 Security of assets off-premises
Control: Off-site assets shall be protected.
Current controls: Remote Working Policy in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Asset Management, Continuity
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus uses secure, provider-managed facilities for cloud services, where physical entry is controlled by the supplier.

7.10 Storage media
Control: Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
Current controls: Control of Documented Information Procedure in place; Information Classification, Labelling, and Handling Policy in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Asset Management, Information Protection
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus limits the use of removable media. Where used, data must be encrypted, access controlled, and securely erased before reuse or disposal. Cloud storage is the default for data handling.

7.11 Supporting utilities
Control: Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Justification for exclusion: We are a remote-first organisation with no physical office space.
Status: EXCLUDED

7.12 Cabling security
Control: Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.
Justification for exclusion: We are a remote-first organisation with no physical office space.
Status: EXCLUDED

7.13 Equipment maintenance
Control: Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Current controls: Asset Register in place
Control type: Preventive
Information security properties: Availability, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Maintenance, Asset Management
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus ensures laptops and other equipment are maintained with regular software updates, patching, and hardware servicing where needed. Cloud service providers are responsible for maintaining hosted infrastructure.

7.14 Secure disposal or re-use of equipment
Control: Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Current controls: Acceptable Use of Assets Policy in place
Control type: Corrective
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Asset Management, Information Protection
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus will securely wipe all devices before re-use or disposal. Where external disposal services are used, certificates of destruction will be obtained and retained.

A.8 Technological Controls

8.1 User end point devices
Control: Information stored on, processed by or accessible via user end point devices shall be protected.
Current controls: Acceptable Use of Assets Policy in place; Access Control Policy in place; Mobile Devices Policy in place; Protection from Malware Policy in place
Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Protect
Operational capabilities: Asset Management, Information Protection
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus manages laptops and mobile devices through encryption, strong authentication, and regular updates. Future staff will follow the Protection from Malware Policy and Acceptable Use Procedures to ensure secure handling and storage.

8.2 Privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and managed.
Current controls: Access Control Policy in place; Systems Access Control Register in place
Control type: Preventive, Detective
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Identity & Access Management, Governance
Security domains: Governance & Ecosystem, Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Privileged access is restricted to directors. Such rights are granted only when necessary, logged, and reviewed regularly to prevent misuse.

8.3 Information access restriction
Control: Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
Current controls: Access Control Policy in place; Systems Access Control Register in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Identity & Access Management, Governance
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Access to information is limited based on role and need-to-know. Directors will ensure permissions are applied in line with the Information Security Policy and reviewed regularly.

8.4 Access to source code
Control: Read and write access to source code, development tools and software libraries shall be appropriately managed.
Current controls: Access Control Policy in place; Systems Access Control Register in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Secure Development, Version Control
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Access to Patronus source code will be restricted to authorised developers. Version control systems will enforce authentication and logging, and changes will be peer-reviewed to maintain integrity. (To be applied as the company grows.)

8.5 Secure authentication
Control: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
Current controls: Access Control Policy in place; Systems Access Control Register in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Identity & Access Management
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus enforces secure authentication using strong passwords and multi-factor authentication on critical systems. Authentication methods will be reviewed periodically to align with best practice.

8.6 Capacity management
Control: The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Current controls: Cloud Scaling Policy in place
Control type: Preventive
Information security properties: Availability
Cybersecurity concepts: Identify, Protect
Operational capabilities: Continuity, Resource Planning
Security domains: Resilience
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus monitors usage of cloud services and systems to ensure sufficient capacity and performance. Providers’ built-in monitoring and scaling features are relied upon, with directors reviewing as needed.

8.7 Protection against malware
Control: Protection against malware shall be implemented and supported by appropriate user awareness.
Current controls: Protection from Malware Policy in place
Control type: Preventive, Detective
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Protect, Detect
Operational capabilities: Endpoint Security, Threat Management
Security domains: Defence, Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus relies on built-in operating system protections and automatic updates to reduce malware risk. Directors and future staff will receive simple guidance during induction on recognising and reporting suspicious activity.

8.8 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
Current controls: Protection from Malware Policy in place; Secure Software Development Lifecycle in place
Control type: Preventive, Corrective
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Protect
Operational capabilities: Threat & Vulnerability Management
Security domains: Defence, Resilience
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Vulnerability scans scheduled weekly; automated penetration testing performed monthly; tickets tracked in GitHub.

8.9 Configuration management
Control: Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Current controls: Configuration Management Policy in place
Control type: Preventive
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Identify, Protect
Operational capabilities: Asset Management, Configuration Management
Security domains: Protection, Governance
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus keeps device and system configurations simple and secure by using standard operating system settings and updates. Changes are limited and overseen by the directors.

8.10 Information deletion
Control: Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Current controls: Control of Documented Information Procedure in place; Information Deletion Register in place; Acceptable Use of Assets Policy in place
Control type: Corrective
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Data Lifecycle Management
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus deletes information securely when no longer required. Directors ensure deletion follows legal and contractual requirements and is tracked in the Information Deletion Register.

8.11 Data masking
Control: Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Current controls: Access Control Policy in place; Systems Access Control Register in place
Control type: Preventive
Information security properties: Confidentiality
Cybersecurity concepts: Protect
Operational capabilities: Information Protection
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Production data does not leave the production environment, and tools are provided for generating randomised test data.

8.12 Data leakage prevention
Control: Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Current controls: Information Classification, Labelling, and Handling Policy in place
Control type: Preventive, Detective
Information security properties: Confidentiality
Cybersecurity concepts: Detect, Protect
Operational capabilities: Threat Management, Data Loss Prevention
Security domains: Protection, Defence
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus does not routinely process sensitive production data outside secure systems. Where test or demo data is needed, anonymised or dummy data is used instead of live personal data.

8.13 Information backup
Control: Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Current controls: Backup Policy in place; Business Continuity Plan in place; Periodic restoration tests in place
Control type: Preventive
Information security properties: Availability, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Continuity, Backup & Recovery
Security domains: Resilience
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Backups stored in multiple AWS regions; restoration tests logged.

8.14 Redundancy of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Current controls: Business Continuity Plan in place; Business Impact Analysis in place
Control type: Preventive
Information security properties: Availability
Cybersecurity concepts: Protect
Operational capabilities: Continuity
Security domains: Resilience
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Provider SLA reviewed annually; redundancy tested during DR exercises.

8.15 Logging
Control: Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Current controls: Coralogix and centralized SIEM store encrypted, immutable logs.
Control type: Detective
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Detect
Operational capabilities: Threat Detection, Governance
Security domains: Defence, Governance
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Logs retained for 12 months; alerts configured for critical events.

8.16 Monitoring activities
Control: Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Current controls: SIEM monitors networks and applications; alerts trigger incident response workflows.
Control type: Detective
Information security properties: Confidentiality, Integrity, Availability
Cybersecurity concepts: Detect, Respond
Operational capabilities: Threat Monitoring
Security domains: Defence
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Alerts reviewed daily; escalation handled by the ISM.

8.17 Clock synchronization
Control: The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
Current controls: Heroku automatically synchronises with trusted NTP servers; logs include timestamps from these time sources.
Control type: Preventive
Information security properties: Integrity
Cybersecurity concepts: Protect
Operational capabilities: Configuration Management
Security domains: Governance & Ecosystem
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: NTP configuration is handled by Heroku, the cloud service provider.

8.18 Use of privileged utility programs
Control: The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
Current controls: Access Control Policy in place; Systems Access Control Register in place
Control type: Preventive, Detective
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Identity & Access Management
Security domains: Governance & Ecosystem, Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus restricts the use of administrative tools and utility programs to authorised personnel only. Access is limited to the directors for now. An admin account, separate from the accounts used for day-to-day work, is used for administrative changes to Google Suite.

8.19 Installation of software on operational systems
Control: Procedures and measures shall be implemented to securely manage software installation on operational systems.
Current controls: Use of Software Policy in place
Control type: Preventive
Information security properties: Integrity, Availability
Cybersecurity concepts: Protect
Operational capabilities: Asset Management
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus restricts software installation on laptops and systems to the directors. Only approved, licensed software is used to reduce security and compliance risks.

8.20 Networks security
Control: Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Justification for exclusion: Fully remote, no network in place.
Status: EXCLUDED

8.21 Security of network services
Control: Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
Justification for exclusion: Fully remote, no network in place.
Status: EXCLUDED

8.22 Segregation of networks
Control: Groups of information services, users and information systems shall be segregated in the organization’s networks.
Justification for exclusion: Fully remote, no network in place.
Status: EXCLUDED

8.23 Web filtering
Control: Access to external websites shall be managed to reduce exposure to malicious content.
Current controls: Protection from Malware Policy in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Threat Prevention
Security domains: Defence
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Cyber security training will be provided for appropriate staff and renewed annually.

8.24 Use of cryptography
Control: Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Current controls: Cryptographic Controls Policy in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Cryptographic Management
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Cryptographic policies reviewed annually; compliance confirmed during audits.

8.25 Secure development life cycle
Control: Rules for the secure development of software and systems shall be established and applied.
Current controls: SSDLC in place; Information Security Change Management Procedure and Change Management Register in place; Project Documentation template in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Application Security, Development Security
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Developers receive annual secure coding training; SDLC documented and reviewed.

8.26 Application security requirements
Control: Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Current controls: SSDLC in place; Information Security Change Management Procedure and Change Management Register in place; Project Documentation template in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Application Security
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: The Project Documentation template will be completed before any project is kicked off, to ensure that risks, data security considerations and timelines are taken into account early and throughout the project.

8.27 Secure system architecture and engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
Current controls: SSDLC in place; Information Security Change Management Procedure and Change Management Register in place; Project Documentation template in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Identify, Protect
Operational capabilities: Architecture & Engineering
Security domains: Protection, Governance
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus designs its software using simple, secure architectures with cloud hosting, encryption, and role-based access. Security principles are considered in development and reviewed by the Tech Lead during changes.

8.28 Secure coding
Control: Secure coding principles shall be applied to software development.
Current controls: SSDLC in place; Information Security Change Management Procedure and Change Management Register in place; Project Documentation template in place
Control type: Preventive
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Protect
Operational capabilities: Secure Development
Security domains: Protection
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus follows basic secure coding practices, including peer review, use of version control, and dependency management. The Tech Lead reviews changes to reduce vulnerabilities before release.

8.29 Security testing in development and acceptance
Control: Security testing processes shall be defined and implemented in the development life cycle.
Current controls: SSDLC in place; Information Security Change Management Procedure and Change Management Register in place; Project Documentation template in place
Control type: Detective
Information security properties: Confidentiality, Integrity
Cybersecurity concepts: Detect
Operational capabilities: Application Security Testing
Security domains: Defence
Selected (reasons for selection): LR ✓ CO ✓ BR/BP ✓ RRA ✓
Implementation: Patronus carries out basic security testing during development and before release, including code review, static analysis and dependency checks. Directors confirm that acceptance criteria include security considerations.