Changelog

All notable changes to the CTW Data Solutions ISMS documentation are recorded here.

Format: [Version] — Date — Author — Description


[2.4] — March 2026 — Jan Marc Castlunger (ISO) / Sebastian Windeck (CTO)

DPIA, Tabletop Exercise, Trust Centre, EU AI Act assessment

New Documents

  • Added DPIA for Quick-ID (REG-005) — GDPR Art. 35 risk assessment with data flow analysis
  • Added Tabletop Exercise Plan (IRP-EX-001) — API key compromise scenario for 21 March 2026
  • Added Trust Centre web page content — copy-paste ready for quick-id.com/security

Updates

  • Updated management review agenda: tabletop 09:00 + review 10:00 on 21 March
  • Updated IRP header: tabletop scheduled, v1.0 upgrade pending exercise
  • Updated audit schedule with tabletop exercise entry
  • Updated evidence index: DPIA, tabletop record, AI Act classification

[2.3] — March 2026 — Jan Marc Castlunger (ISO) / Sebastian Windeck (CTO)

Mandatory clause coverage: Context, Communication, Competence, Legal Register

New Documents

  • Added Legal & Regulatory Register (REG-004) — GDPR, BDSG, TTDSG, EU AI Act assessment, eIDAS 2.0, contractual obligations
  • Added Communication Plan (PROC-008) — Clause 7.4 internal/external communication matrix, competence (7.2), awareness (7.3)

Updates

  • Added Context of the Organisation (Clause 4.1) to ISMS Scope — 10 external issues, 8 internal issues
  • Added EU AI Act and TTDSG to applicable standards in ISMS Scope
  • Updated section numbering in ISMS Scope to accommodate new context section
  • Updated mkdocs.yml navigation with new documents

[2.2] — March 2026 — Jan Marc Castlunger (ISO) / Sebastian Windeck (CTO)

ISMS Objectives, Management Review, and Internal Audit Plan

New Documents

  • Added ISMS Objectives (ISO-005) — 8 measurable objectives per Clause 6.2
  • Added Management Review Agenda (21 March 2026) — initial full review with 12-point agenda
  • Added Internal Audit Plan (30 March 2026) — full-day audit with evidence checklist

Updates

  • Updated audit schedule with management review (21 March) and internal audit (30 March)
  • Updated management review procedure MTTR target to ≤ 12 hours
  • Updated mkdocs.yml navigation with new documents

[2.1] — March 2026 — Jan Marc Castlunger (ISO) / Sebastian Windeck (CTO)

Accuracy review: corrected gaps between documented controls and actual implementation

Corrections

  • Fixed log retention: documented as "12-month immutable" → actual is 30-day rolling (AKS + Caddy); extension to 90+ days planned Q2 2026
  • Fixed API key rotation: documented as "quarterly" → actual is customer-managed rotation (recommended 90 days)
  • Fixed Azure PIM: documented as active → actual is standard RBAC only (PIM planned Q3 2026)
  • Fixed penetration test: documented as "completed Q1 2026" → actual is planned Q2 2026
  • Fixed SoA control 8.15 (Logging): changed from ✅ Implemented to 🔄 In Progress (30-day retention insufficient)

New Risks & Assets

  • Added R13: Error images via email (7-day retention, customer consent required)
  • Added R14: Confidentiality agreements not formalised (NDA gap)
  • Added A15: Azure Database for PostgreSQL
  • Added A16: GDPR Art. 30 Processing Register
  • Updated BCP backup strategy with PostgreSQL, Azure File Blob, and Terraform/Git

SOC 2 Readiness Updates

  • Updated readiness from ~85% to ~80% overall (6 gaps, up from 4)
  • Added Gap 4 (log retention) and Gap 5 (NDAs) to readiness roadmap
  • Flagged PPL-01 (background checks) and PPL-03 (NDAs) as in-progress in control activities

Owner References

  • Replaced all generic references (ISO/CEO, Dev Lead, DPO) with real names throughout all documents
  • Document owners now consistently use: Jan Marc Castlunger (ISO), Sebastian Windeck (CTO/DPO)

[2.0] — March 2026 — Jan Marc Castlunger (ISO)

Major restructure: subfolder organisation, missing ISO 27001 docs, and SOC 2 compliance

Structure

  • Reorganised all documents into subfolders: policies/, procedures/, registers/, iso27001/, soc2/, cross-reference/, evidence/
  • Added document ID scheme (POL-xxx, PROC-xxx, REG-xxx, etc.)
  • Added framework cross-references (ISO 27001 + SOC 2) to all document headers

New ISO 27001 Documents

  • Added Access Control Policy (POL-002)
  • Added Acceptable Use Policy (POL-003)
  • Added Data Classification Policy (POL-004)
  • Added Change Management Policy (POL-005)
  • Added Cryptography Policy (POL-006)
  • Added Business Continuity Plan (PROC-002) with BIA, RTO/RPO, and DR procedures
  • Added Internal Audit Procedure (PROC-003)
  • Added Corrective Action Procedure (PROC-004)
  • Added Management Review Procedure (PROC-005) with KPIs
  • Added Document Control Procedure (PROC-006)
  • Added HR Security Procedure (PROC-007) with joiners/movers/leavers process
  • Added ISMS Scope document (ISO-001) per clause 4.3

SOC 2 Documentation

  • Added SOC 2 Overview with readiness summary
  • Added Trust Services Criteria mapping (52 criteria across all 5 categories)
  • Added Control Activities register (50+ control activities)
  • Added SOC 2 Readiness Roadmap with gap closure plan
  • Added SOC 2 audit timeline to certification roadmap

Cross-Reference & Audit Support

  • Added ISO 27001 / SOC 2 Control Mapping (40+ controls aligned)
  • Added Evidence Index (28 evidence artefacts catalogued)
  • Added SOC 2 cross-references to Statement of Applicability
  • Added new templates: Change Request, Corrective Action, Management Review Minutes

Updated Documents

  • Updated Statement of Applicability with SOC 2 references and improved control counts
  • Updated Audit Schedule with SOC 2 timeline
  • Updated Certification Roadmap with SOC 2 phases
  • Updated Supplier Register with risk assessment table
  • Updated Index page with compliance dashboard and auditor quick access
  • Updated mkdocs.yml with full subfolder navigation

[1.0] — March 2026 — Jan Marc Castlunger (ISO)

Initial release of the ISMS documentation package

  • Added Information Security Policy (v1.0)
  • Added Information Asset Register (12 assets)
  • Added Risk Register (12 risks)
  • Added Statement of Applicability (41 Annex A controls)
  • Added Incident Response Plan (draft — pending tabletop exercise)
  • Added Supplier Management register
  • Added Audit Schedule & Review Calendar
  • Added Certification Roadmap (target: Sep 2026)
  • Added document templates (Incident Report, Risk Entry, Access Review)
  • GitHub Actions CI/CD pipeline configured for auto-deployment to Cloudflare Pages

How to log changes

When you update any document, add an entry here:

## [version] — YYYY-MM-DD — Your Name

- Brief description of what changed and why

Use semantic versioning:

  • Patch (1.0.x): Minor corrections, typos, formatting
  • Minor (1.x.0): New records added (new risk, new asset, new supplier)
  • Major (x.0.0): Policy changes, significant scope changes, post-audit updates