# ISO/IEC 27001
How Scrydon controls map to ISO/IEC 27001:2022 — the information security management baseline most enterprises require.
ISO/IEC 27001 is the international standard for information security management. This page maps Scrydon's controls to ISO 27001:2022 Annex A and notes what evidence the platform produces automatically.
## Scope
ISO 27001 is organisational. Scrydon implements the technical controls that satisfy the Annex A requirements relevant to a hosted enterprise application. The customer still owns the surrounding management-system controls — policies, risk treatment plans, internal audit, management review.
This page covers what Scrydon delivers. Pair it with your organisation's ISMS documentation for the full picture.
## Annex A coverage
### A.5 Organisational controls
| Control | Scrydon support |
|---|---|
| A.5.10 Acceptable use of information | Platform usage is governed by the audit log and the Terms of Service. |
| A.5.15 Access control | Three-tier permission hierarchy. See Permission model. |
| A.5.18 Access rights provisioning | SCIM-driven provisioning + audit. See Identity & Provisioning. |
| A.5.23 Cloud services security | Customer-deployed model means controls live in your cluster. See Architecture. |
### A.8 Technological controls
| Control | Scrydon support |
|---|---|
| A.8.2 Privileged access rights | Org-owner / admin tiers are first-class. Every privileged action audited. |
| A.8.3 Information access restriction | Column masking, row filters, document clearance. See Classification & masking. |
| A.8.5 Secure authentication | SSO via Microsoft Entra, Okta, OneLogin; MFA via the IdP. See Identity & Provisioning. |
| A.8.7 Protection against malware | File-upload AV-scanning for knowledge-base ingestion. |
| A.8.10 Information deletion | Per-org delete + configurable retention. See GDPR → Right to erasure. |
| A.8.11 Data masking | Per-column mask strategies. See Classification & masking. |
| A.8.12 Data leakage prevention | Guardrail blocking, plus redaction applied to logs and exports. See DLP and Redaction. |
| A.8.15 Logging | Structured audit log with retention. See Audit logging. |
| A.8.16 Monitoring activities | Audit log + SIEM forwarding. |
| A.8.20 Network security | Service mesh with mTLS, explicit egress, ingress hardening. See Network boundary. |
| A.8.22 Segregation of networks | Each subsystem runs in its own namespace with Dapr ACLs. |
| A.8.24 Use of cryptography | TLS 1.2+ at ingress, mTLS internal, AES at rest. |
| A.8.25 Secure development life cycle | Signed Helm charts, signed images, SBOM. See Deployment. |
| A.8.26 Application security requirements | Server-issued execution grants, Rego authorisation. See Authorization. |
| A.8.28 Secure coding | Internal CI gates + code review enforced through harness. |
## Evidence the platform produces
| Evidence type | Where it lives | Used for |
|---|---|---|
| Audit log | Audit endpoint + SIEM forwarder | A.5.7, A.8.15, A.8.16 |
| Access reviews | SCIM provisioning logs | A.5.18 |
| Mask strategy reports | Analytics governance UI | A.8.3, A.8.11 |
| Encryption configuration | Helm values + secret manager | A.8.24 |
| Network policy | Helm egress config | A.8.20, A.8.22 |
| SBOM | Release artefacts | A.8.25 |
| Vulnerability reports | Image scanner output | A.8.8 |
## Vanta automation
If you use Vanta, the platform supports automatic evidence collection for:
- A.5.15, A.5.18 — access reviews via SCIM logs.
- A.8.15, A.8.16 — log evidence via the audit forwarder.
- A.8.24 — TLS posture via the ingress endpoint scan.
- A.8.25 — SBOM via the release manifest endpoint.
Manual evidence (organisational policies, training records, management review minutes) lives outside the platform.