Not certified — here is exactly what we do have.
We treat ISO/IEC 27001:2022 as a management system, not a logo. We are not currently certified and make no claim to be. This maps our real posture across the clauses and Annex A themes, using an honest five-state legend.
Not currently certified. A gap assessment against the standard is part of our active readiness work — not a completed or audited programme. Physical controls are inherited from our hosting provider; the remaining gaps are tracked on the Security Roadmap. Readiness artefacts (scope, Statement of Applicability, risk register) are shared under NDA as they mature.
Readiness by area
Legend: Implemented in place · Partial partial · Planned planned · Inherited inherited from our host.
| Area | State | Note |
|---|---|---|
| Context, leadership & scope (cl. 4–5) | Partial | Scope and roles are documented informally as a small team; a formal ISMS scope statement is in progress. |
| Risk assessment & treatment (cl. 6, 8) | Partial | A working risk register exists (public risk IDs on the roadmap); formal methodology and a Statement of Applicability are being written. |
| Support — competence, awareness, documented info (cl. 7) | Planned | Policies are being consolidated ahead of certification. |
| Operation (cl. 8) | Partial | Change control runs through Git/PR review and CI; secure-SDLC controls are maturing. |
| Performance evaluation & improvement (cl. 9–10) | Planned | Internal audit and management review cadence not yet established. |
| A.5 Organisational controls | Partial | Access, supplier, and incident-response controls exist; several policies are not yet formalised. |
| A.6 People controls | Partial | Confidentiality obligations in place; formal screening/onboarding controls are lightweight at current size. |
| A.7 Physical controls | Inherited | Inherited from Hetzner's ISO 27001-certified Finnish datacentre. |
| A.8 Technological controls | Partial | Encryption in transit, file encryption at rest, logging, and access control are implemented; MFA, key rotation, internal TLS, and column encryption are on the roadmap. |
Path to certification
Our sequence is: formalise the ISMS scope and Statement of Applicability, close the technological gaps on the roadmap (MFA, key rotation, internal TLS, column encryption, tamper-evident logging), run an internal audit, then engage an accredited certification body. This is trigger-gated to production launch and customer demand rather than a fixed date. See the CAIQ self-assessment for control-level detail.