
ISO 27001

Statement

ClaimGuard is not yet ISO 27001 certified. ISO 27001 is on the roadmap as a follow-on certification after SOC 2, with a target window in 2027. The two frameworks share most of their underlying controls, so the same evidence will support both, but ISO 27001 adds mandatory management-system requirements (clauses 4 through 10: context, leadership, planning, support, operation, performance evaluation, and improvement) that together make up the Information Security Management System (ISMS) lifecycle, commonly summarized as Plan → Do → Check → Act. We will formalize that lifecycle as part of the engagement.

This page is a placeholder so that an auditor, prospect, or partner can see that ISO 27001 is being tracked as a known follow-up rather than a forgotten requirement.

Implementation

What's already aligned with ISO 27001 Annex A controls

A non-exhaustive snapshot of where current evidence on this portal maps to ISO 27001:2022 Annex A control families (each entry gives the Annex A area, then the ClaimGuard evidence that supports it today):

  • A.5 Organizational (policies, segregation of duties, supplier relationships): Change management, Vendor management, Subprocessors
  • A.6 People (background checks, awareness, terms of employment): Not yet documented; planned.
  • A.7 Physical (perimeter, equipment): Data-center controls are inherited; ClaimGuard is cloud-only and relies on GCP's data-center attestation for them. The endpoint-side controls in this family (assets used off-premises, storage media, secure disposal or re-use of equipment) still apply to company laptops, so this family needs a per-control justification in the SoA rather than a blanket "N/A".
  • A.8 Technological (access control, cryptography, secure development, vulnerability management, logging): Authentication, Authorization, Cryptography, Secure SDLC, SAST, SCA, Audit logging (cloud), Application audit logging, Privileged access

What's missing specifically for ISO 27001

Most ISO 27001 evidence overlaps SOC 2; the framework-specific additions are:

  • A documented ISMS with a defined scope, explicit Plan / Do / Check / Act phases, named owners per phase, and a review cadence.
  • A formal Statement of Applicability (SoA, clause 6.1.3) mapping each Annex A control to "in scope" / "out of scope" with a written justification for every inclusion and exclusion, traceable to the risk assessment.
  • An internal-audit cycle (clause 9.2) distinct from the certification audit, with at least one complete internal audit pass before certification fieldwork, carried out by someone who did not design or operate the controls being audited.
  • Management review minutes (clause 9.3): the certification body looks for a documented executive review of the ISMS at a defined cadence, covering internal-audit results, nonconformities and corrective actions, and the status of risk treatment.

None of these exist yet. They are scoped to be created during the ISO engagement, not before.

Relationship to SOC 2

We are deliberately sequencing:

  1. SOC 2 Type I first (target H2 2026) — evidence and control framing.
  2. SOC 2 Type II second — operational period evidence.
  3. ISO 27001 after Type II — adds the ISMS lifecycle on top of the same control evidence.

This sequencing is the cheaper path: the SOC 2 engagement produces most of the technical-control evidence ISO 27001 requires, so the ISO engagement adds the management-system layer (ISMS scope, SoA, internal audit, management review) rather than duplicating the technical controls.

Status

planned — target window: 2027.

No current certification. No certification body engaged. No internal audit run yet.

Roadmap

  • Begin scoping during or immediately after SOC 2 Type II.
  • Engage an ISO 27001 consultant to draft the SoA and ISMS scope.
  • Run an internal audit before booking certification fieldwork, using an auditor independent of whoever drafted the ISMS and SoA, and close or document corrective actions for any findings.
  • Engage a certification body for the certification audit.
  • Once certified, annual surveillance audits begin, with a full recertification audit at the end of the three-year certification cycle.