| Regulator | ISO / IEC |
|---|---|
| Jurisdiction | Global |
| Status | live |
| Applicability | Platform |
ISO/IEC 27001:2022 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The 2022 edition contains 93 Annex A controls across four categories: organisational controls (37), people controls (8), physical controls (14), and technological controls (34). Certification demonstrates a structured information security programme to regulators, customers, and counterparties.

ISO 27001 compliance is voluntary but expected by APRA CPS 234 (Information Security), RBNZ DTA Technology Risk and Cyber Resilience standards, and most enterprise customers during security due diligence. The platform targets ISO 27001 certification covering the cloud-hosted banking platform. Physical controls (14 controls) covering office and data centre physical security are out of scope for the cloud-native platform and are addressed by AWS (SOC 2 / ISO 27001 certified data centres).

The ISMS certification programme requires institutional ownership: the CISO owns the ISMS policy, conducts the annual management review, manages the risk treatment register, and co-ordinates the certification audit with the Certification Body (CB). Platform controls satisfy the technological and some organisational Annex A controls but cannot substitute for the institutional ISMS programme.
Compliance register

This register maps every material Annex A control and ISMS clause to the platform control or institutional process that satisfies it. Technological controls are mapped individually; organisational, people, and physical controls are grouped. This is the static traceability layer for the Totara compliance report.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — ISMS programme, HR, physical security, management review. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
ISMS clauses (4–10)

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Cl. 4–6 | ISMS scope, context, leadership, information security policy, and objectives | 🏛 Institutional | DT-001 | CISO owns the ISMS policy and scope document; platform provides the technical control implementation | — |
| Cl. 8 — Risk treatment | Risk treatment plan documented; controls selected from Annex A with Statement of Applicability (SoA) | 🏛 Institutional | DT-001 | CISO owns the SoA and risk register; platform controls appear in the SoA as technical control implementations | — |
| Cl. 9 — Management review | Annual ISMS management review; review metrics, audit findings, and improvement actions | 🏛 Institutional | DT-001 | MOD-076 (ALERT, LOG) — observability data provides the security metrics input to management review | — |
Annex A — Technological controls (selected)

| Annex A | Control | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| A.5.15 — Access control | Implement access control policy; enforce least privilege; no shared accounts | 🤖 Automated | DT-001 | MOD-044 (GATE) — least-privilege enforced at API gateway, no client-side security reliance; role separation enforced — no single user holds conflicting roles | 🔨 |
| A.5.23 — Cloud services | Information security for use of cloud services; access management and exit strategy | 🤖 Automated | DT-001 | MOD-103 (GATE) — cross-domain direct DB connections structurally prevented; MOD-104 (GATE) — KMS CMKs provisioned per data classification level; encryption at rest enforced | 🔨 |
| A.8.2 — Privileged access | Restrict and manage privileged access rights; no standing production access | 🤖 Automated | DT-001 | MOD-046 (GATE) — no standing production access: every session approved, time-limited, and logged | 🔨 |
| A.8.3 — Information access restriction | Access to systems and applications restricted per access control policy | 🤖 Automated | DT-001 | MOD-052 (GATE) — minimum necessary data access enforced at API; no role can access data outside their scope | 🔨 |
| A.8.5 — Secure authentication | Secure authentication technologies and procedures for all users | 🤖 Automated | DT-001 | MOD-068 (GATE) — MFA and device trust checks are prerequisite for session establishment; no session issued without passing cybersecurity controls | 🔨 |
| A.8.9 — Configuration management | Configurations documented, implemented, monitored, and reviewed | 🤖 Automated | DT-001 | MOD-103 (GATE) — database roles and schema provisioned at bootstrap by IaC; MOD-104 (GATE) — all AWS resources tagged at IaC synthesis time; untagged resources blocked from deployment | 🔨 |
| A.8.10 — Information deletion | Personal data deleted in accordance with retention schedules; deletion auditable | 🤖 Automated | DT-001 | MOD-103 — column-level permissions configured at bootstrap; data deletion processes enforced through the database access control layer | 🔨 |
| A.8.12 — Data leakage prevention | Technical measures to detect and prevent unauthorised disclosure of sensitive information | 🤖 Automated | DT-001 | MOD-044 (GATE) — no data returned outside caller's permitted scope; role-based API scope enforced | 🔨 |
| A.8.16 — Monitoring activities | Monitor systems for anomalous behaviour; generate, store, and analyse event logs | 📊 Evidenced | DT-001 | MOD-044 (LOG) — all authenticated API calls logged with user ID, role, endpoint, and timestamp; MOD-046 (LOG) — all production access sessions auditable | 🔨 |
| A.8.17 — Clock synchronisation | Clocks synchronised to authorised time source | 🤖 Automated | DT-001 | MOD-104 — AWS infrastructure uses authoritative NTP; CloudTrail timestamps are authoritative | 🔨 |
| A.8.20 — Network security | Networks secured, managed, and controlled to protect information | 🤖 Automated | DT-001 | MOD-075 (GATE) — all service-to-service traffic passes through TLS-terminated endpoints with mutual authentication; no plaintext internal API calls permitted | 🔨 |
| A.8.21 — Security of network services | Identify and implement security mechanisms for all network services | 🤖 Automated | DT-001 | MOD-075 (GATE) — rate limiting and request signing enforce only registered, authenticated services can call platform APIs; unauthenticated requests rejected at gateway | 🔨 |
| A.8.24 — Use of cryptography | Implement cryptographic controls policy; key management lifecycle | 🤖 Automated | DT-001 | MOD-045 (AUTO) — secrets cannot be extracted by developers; key rotation automated, no reliance on manual rotation schedule | 🔨 |
| A.8.28 — Secure coding | Apply secure coding principles in software development | 🏛 Institutional | DT-001 | Secure SDLC and code review process are institutional programme obligations; OWASP ASVS L2 controls provide the technical baseline — see OWASP ASVS | — |
| A.8.29 — Security testing | Conduct security testing in development and acceptance; penetration testing programme | 🏛 Institutional | DT-001 | Annual penetration testing is an institutional programme; MOD-076 (LOG) — error handling and logging provide test evidence | — |
| A.8.34 — SIEM / log protection | Protect audit logs; generate audit events; log security events | 📊 Evidenced | DT-001 | MOD-044 (LOG) — security events logged; MOD-046 (LOG) — production access sessions logged; MOD-076 (LOG) — platform-level system events captured; MOD-104 (LOG) — CloudTrail enabled from bootstrap | 🔨 |
Annex A — Organisational controls (grouped)

| Control group | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| A.5.1–5.14 — Policies and procedures | Information security policies, roles, responsibilities, segregation of duties, contact with authorities, threat intelligence | 🏛 Institutional | DT-001 | CISO owns these controls; MOD-044 (AUTO) — role separation enforced at platform layer | — |
| A.5.24–5.28 — Incident management | Information security incident response; reporting, assessment, response, and lessons learned | 🏛 Institutional | DT-001 | MOD-076 (ALERT) — anomalies surfaced automatically; incident response process is institutional | — |
| A.5.29–5.30 — BCM integration | Business continuity and ICT readiness | 🏛 Institutional | DT-001, OPS-001 | MOD-103 and MOD-104 provide infrastructure resilience; BCM programme is institutional | — |
| A.5.31–5.34 — Legal and compliance | Identification of legislative requirements, IP, privacy, cryptography | 🏛 Institutional | DT-001 | Legal compliance programme is institutional; MOD-045 addresses key management | — |
| A.5.35–5.37 — Audit and review | Independent review of ISMS; management of technical vulnerabilities; configuration audit | 🏛 Institutional | DT-001 | MOD-046 (LOG) — audit logs available; ISMS audit is an institutional programme obligation | — |
Annex A — People controls (grouped)

| Control group | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| A.6.1–6.8 — People security | Pre-employment screening, terms and conditions, information security awareness, training, disciplinary process, remote working | 🏛 Institutional | DT-001 | People controls are owned by the CPO and CISO; platform provides the access control layer via MOD-044 and MOD-046 | — |
Annex A — Physical controls (grouped)

| Control group | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| A.7.1–7.14 — Physical security | Physical entry controls, office security, clear desk, equipment maintenance, secure disposal | N/A | DT-001 | Cloud-native platform hosted on AWS (ISO 27001 certified); physical data centre security is AWS scope; office physical security is an institutional obligation | — |
| Obligation | Owner | Platform evidence input |
|---|---|---|
| ISMS programme ownership, risk register, and Statement of Applicability | CISO | Platform controls feature as technical controls in the SoA |
| Annual ISMS management review | CISO / Board | MOD-076 provides security metrics and event data |
| Certification audit (initial and surveillance) | CISO | All platform control evidence is audit-available |
| Annual penetration testing programme | CISO | MOD-076 and MOD-044 provide logging during tests |
| HR screening and security awareness training | CPO / CISO | MOD-046 logs production access; access is gated on cleared staff only |
| Physical office security (clean desk, visitor management) | COO | AWS data centre physical controls are AWS responsibility |
Coverage summary

| Area | Total controls | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| ISMS clauses (4–10) | 3 | 0 | 0 | 3 | 0 |
| Technological controls (Annex A) | 16 | 12 | 2 | 2 | 0 |
| Organisational controls (Annex A) | 5 groups | 0 | 0 | 5 | 0 |
| People controls (Annex A) | 1 group | 0 | 0 | 1 | 0 |
| Physical controls (Annex A) | 1 group | 0 | 0 | 0 | 1 |
| Total | 26 | 12 (46%) | 2 (8%) | 11 (42%) | 1 (4%) |
All attributed modules are currently build_status: Not started. The ISMS certification programme requires institutional programme investment alongside the platform controls.

| Policy | Title |
|---|---|
| DT-001 | Information Security Policy |
See D05 Data & Technology for the full risk domain.
Official documentation
Policies referencing this standard
- DT-001 — Information Security Policy
Compiled 2026-05-22 from source/entities/regulations/industry-iso-27001.yaml