$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Not currently certified. A gap assessment against the standard is part of our active readiness work — not a completed or audited programme. Physical controls are inherited from our hosting provider; the remaining gaps are tracked on the Security Roadmap. Readiness artefacts (scope, Statement of Applicability, risk register) are shared under NDA as they mature.

Readiness by area

Legend: Implemented in place · Partial partial · Planned planned · Inherited inherited from our host.

AreaStateNote
Context, leadership & scope (cl. 4–5)PartialScope and roles are documented informally as a small team; a formal ISMS scope statement is in progress.
Risk assessment & treatment (cl. 6, 8)PartialA working risk register exists (public risk IDs on the roadmap); formal methodology and a Statement of Applicability are being written.
Support — competence, awareness, documented info (cl. 7)PlannedPolicies are being consolidated ahead of certification.
Operation (cl. 8)PartialChange control runs through Git/PR review and CI; secure-SDLC controls are maturing.
Performance evaluation & improvement (cl. 9–10)PlannedInternal audit and management review cadence not yet established.
A.5 Organisational controlsPartialAccess, supplier, and incident-response controls exist; several policies are not yet formalised.
A.6 People controlsPartialConfidentiality obligations in place; formal screening/onboarding controls are lightweight at current size.
A.7 Physical controlsInheritedInherited from Hetzner's ISO 27001-certified Finnish datacentre.
A.8 Technological controlsPartialEncryption in transit, file encryption at rest, logging, and access control are implemented; MFA, key rotation, internal TLS, and column encryption are on the roadmap.

Path to certification

Our sequence is: formalise the ISMS scope and Statement of Applicability, close the technological gaps on the roadmap (MFA, key rotation, internal TLS, column encryption, tamper-evident logging), run an internal audit, then engage an accredited certification body. This is trigger-gated to production launch and customer demand rather than a fixed date. See the CAIQ self-assessment for control-level detail.

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]