# Statement of Applicability (SoA)

| Field | Value |
|---|---|
| Document ID | ISO-002 |
| Document owner | Jan Marc Castlunger (ISO) |
| Classification | Confidential |
| Standard | ISO/IEC 27001:2022 — Annex A |
| Version | 1.0 |
| Last updated | March 2026 |
| Next review | March 2027 |

## Status Legend
| Status | Meaning |
|---|---|
| ✅ Implemented | Control is fully in place and evidenced |
| 🔄 In Progress | Control is partially implemented — completion date set |
| 📋 Planned | Control is not yet implemented — on roadmap |
| — N/A | Control is not applicable — justification provided |
## Organisational Controls (5.x)
| Ref | Control | Status | Owner | Notes | SOC 2 Ref |
|---|---|---|---|---|---|
| 5.1 | Policies for information security | ✅ Implemented | Jan Marc Castlunger (ISO) | Information Security Policy | CC1.1 |
| 5.2 | Information security roles & responsibilities | ✅ Implemented | Jan Marc Castlunger (ISO) | Defined in Policy document (Section 1.5) | CC1.3 |
| 5.3 | Segregation of duties | ✅ Implemented | Jan Marc Castlunger (ISO) | RBAC enforced across Azure & GitHub | CC5.1 |
| 5.7 | Threat intelligence | 🔄 In Progress | Sebastian Windeck (CTO) | Azure Defender alerts active; formal process Q2 2026 | CC3.2 |
| 5.9 | Inventory of information & assets | ✅ Implemented | Jan Marc Castlunger (ISO) | Asset Register | CC6.1 |
| 5.10 | Acceptable use of information & assets | ✅ Implemented | Jan Marc Castlunger (ISO) | Acceptable Use Policy | CC1.4 |
| 5.12 | Classification of information | ✅ Implemented | Jan Marc Castlunger (ISO) | Data Classification Policy | C1.1 |
| 5.15 | Access control | ✅ Implemented | Jan Marc Castlunger (ISO) | Access Control Policy; quarterly review | CC6.1 |
| 5.16 | Identity management | ✅ Implemented | Jan Marc Castlunger (ISO) | MFA enforced; no shared accounts policy | CC6.1 |
| 5.19 | Information security in supplier relationships | ✅ Implemented | Sebastian Windeck (DPO) | Supplier Register | CC9.2 |
| 5.23 | Information security for cloud services | ✅ Implemented | Jan Marc Castlunger (ISO) | Azure Security Center active; DPAs with all cloud suppliers | CC6.1 |
| 5.24 | Incident management planning | ✅ Implemented | Jan Marc Castlunger (ISO) | Incident Response Plan | CC7.3 |
| 5.25 | Assessment of security events | ✅ Implemented | Jan Marc Castlunger (ISO) | Part of Incident Response Plan | CC7.3 |
| 5.26 | Response to incidents | ✅ Implemented | Jan Marc Castlunger (ISO) | Escalation matrix documented | CC7.4 |
| 5.27 | Learning from incidents | 🔄 In Progress | Jan Marc Castlunger (ISO) | Post-incident review process documented; formalisation in progress | CC7.5 |
| 5.29 | Information security during disruption | ✅ Implemented | Jan Marc Castlunger (ISO) | Business Continuity Plan | A1.2 |
| 5.33 | Protection of records | ✅ Implemented | Sebastian Windeck (DPO) | Retention policy per GDPR; immutable Azure logs | CC1.4 |
| 5.34 | Privacy & PII protection | ✅ Implemented | Sebastian Windeck (DPO) | GDPR compliance programme active; DPO appointed | P1.1 |
| 5.36 | Compliance with policies & standards | ✅ Implemented | Jan Marc Castlunger (ISO) | Internal Audit Procedure | CC4.1 |
## People Controls (6.x)
| Ref | Control | Status | Owner | Notes | SOC 2 Ref |
|---|---|---|---|---|---|
| 6.1 | Screening / background checks | 🔄 In Progress | Jan Marc Castlunger (ISO) | HR Security Procedure — formalising Q2 2026 | CC1.4 |
| 6.3 | Security awareness & training | ✅ Implemented | Jan Marc Castlunger (ISO) | Annual training — all staff; completion tracked | CC1.4 |
| 6.4 | Disciplinary process | ✅ Implemented | Jan Marc Castlunger (ISO) | Defined in employment contracts and HR procedure | CC1.4 |
| 6.5 | Responsibilities after termination | ✅ Implemented | Jan Marc Castlunger (ISO) | Offboarding checklist: all access revoked within 24h | CC6.3 |
| 6.8 | Information security event reporting | ✅ Implemented | Jan Marc Castlunger (ISO) | Reporting via security@quick-id.com; part of IRP | CC7.3 |
## Physical Controls (7.x)
| Ref | Control | Status | Owner | Notes | SOC 2 Ref |
|---|---|---|---|---|---|
| 7.1 | Physical security perimeters | — N/A | — | No on-premise infrastructure — cloud-only operation | CC6.4 |
| 7.2 | Physical entry controls | — N/A | — | Home office / co-working; no dedicated facility | CC6.4 |
| 7.8 | Equipment siting & protection | ✅ Implemented | Jan Marc Castlunger (ISO) | BYOD policy; full-disk encryption mandatory; screen lock enforced | CC6.4 |
| 7.9 | Security of assets off-premises | ✅ Implemented | Jan Marc Castlunger (ISO) | BYOD with encryption + OS update requirements; remote work policy | CC6.4 |
## Technological Controls (8.x)
| Ref | Control | Status | Owner | Notes | SOC 2 Ref |
|---|---|---|---|---|---|
| 8.2 | Privileged access rights | ✅ Implemented | Jan Marc Castlunger (ISO) | Least-privilege RBAC; admin limited to CEO + CTO; Azure PIM planned Q3 2026 | CC6.1 |
| 8.3 | Information access restriction | ✅ Implemented | Jan Marc Castlunger (ISO) | Need-to-know basis; GitHub branch protection rules | CC6.1 |
| 8.5 | Secure authentication | ✅ Implemented | Jan Marc Castlunger (ISO) | MFA mandatory on all systems; passwordless where supported | CC6.1 |
| 8.6 | Capacity management | ✅ Implemented | Jan Marc Castlunger (ISO) | Azure auto-scaling; monthly usage review | A1.1 |
| 8.7 | Protection against malware | ✅ Implemented | Sebastian Windeck (CTO) | GitHub Advanced Security; Azure Defender for Endpoint | CC6.8 |
| 8.8 | Management of technical vulnerabilities | ✅ Implemented | Sebastian Windeck (CTO) | Automated scanning; monthly patching cycle | CC7.1 |
| 8.9 | Configuration management | ✅ Implemented | Sebastian Windeck (CTO) | Terraform IaC for all Azure AKS infrastructure; multi-region deployments managed via code | CC8.1 |
| 8.10 | Information deletion | ✅ Implemented | Jan Marc Castlunger (ISO) | ID images not persisted; GDPR deletion procedures documented | P4.3 |
| 8.12 | Data leakage prevention | 🔄 In Progress | Sebastian Windeck (CTO) | Azure DLP policies active; expansion planned Q2 2026 | C1.2 |
| 8.15 | Logging | 🔄 In Progress | Jan Marc Castlunger (ISO) | AKS + Caddy ingress rolling logs (30-day retention); Azure File Blob for log archives; extension to 90+ days planned Q2 2026 | CC7.2 |
| 8.16 | Monitoring activities | ✅ Implemented | Jan Marc Castlunger (ISO) | Azure Security Center; automated anomaly detection | CC7.2 |
| 8.20 | Network security | ✅ Implemented | Jan Marc Castlunger (ISO) | Azure VNet, NSGs, private endpoints; no public admin access | CC6.6 |
| 8.24 | Use of cryptography | ✅ Implemented | Jan Marc Castlunger (ISO) | Cryptography Policy | CC6.1 |
| 8.25 | Secure development lifecycle | ✅ Implemented | Sebastian Windeck (CTO) | Code review required; SAST on all PRs; dependency scanning | CC8.1 |
| 8.29 | Security testing | 🔄 In Progress | Sebastian Windeck (CTO) | Regression testing in CI/CD; external pentest planned Q2 2026 | CC8.1 |
| 8.32 | Change management | ✅ Implemented | Sebastian Windeck (CTO) | Change Management Policy | CC8.1 |
| 8.33 | Test information | ✅ Implemented | Sebastian Windeck (CTO) | No real personal data used in test/staging environments | CC8.1 |
| 8.34 | Protection during audit | ✅ Implemented | Jan Marc Castlunger (ISO) | Read-only audit access; full audit trail maintained | CC4.1 |
## Summary
| Status | Count |
|---|---|
| ✅ Implemented | 32 |
| 🔄 In Progress | 6 |
| 📋 Planned | 0 |
| — N/A | 2 |
| Total | 40 |
## Review Log
| Date | Reviewer | Changes |
|---|---|---|
| March 2026 | Jan Marc Castlunger (ISO) | Initial SoA with SOC 2 cross-references added |
| March 2026 | Sebastian Windeck (CTO) | Corrected 8.15 Logging (30-day actual), 8.2 PIM (planned), 8.29 pentest (planned); updated owners; counts: 32 Implemented, 6 In Progress |