Information Security Policy (A.5.1)
Document ID: information-security-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Policy statement
SigmaShake is committed to protecting the confidentiality, integrity, and availability of information assets entrusted to us by customers, employees, and partners. This policy establishes the framework for managing information security risks and achieving ISO 27001:2022 compliance.
Objectives
- Protect customer data — Customer governance configurations and usage data are stored with encryption at rest and in transit. Access is restricted to authenticated, authorised parties only.
- Maintain evidence integrity — All compliance evidence is Ed25519-signed and Merkle-chained. Tampering is cryptographically detectable.
- Manage third-party risk — All vendors with access to customer or production data are subject to annual due-diligence review.
- Achieve continuous coverage — Automated collectors run on defined cadences (daily / weekly / monthly / quarterly) and gaps are surfaced automatically.
- Support legal compliance — Controls address GDPR data-subject rights, CCPA, and applicable privacy regulations for the markets SigmaShake operates in.
Principles
- Least privilege — Every system account and API token is scoped to the minimum required permissions.
- Defence in depth — Controls are layered: network (Cloudflare WAF + zero-trust), application (SSO + MFA), data (encryption + signing), and governance (ssg hook eval).
- Continuous improvement — Monthly self-evaluation and quarterly access reviews feed a living risk register.
- Transparency — Signed evidence is publicly verifiable via /.well-known/compliance-pubkey.
Scope
This policy applies to all information systems listed in the ISMS Scope document and to all personnel (currently: founder/CEO) who interact with those systems.
Responsibilities
| Role | Responsibility |
|---|---|
| Founder / CEO | All ISMS decisions, control implementation, audit responses |
| Automated collectors | Evidence generation (daily–quarterly cadences) |
| Cloudflare / GitHub / AWS | Physical and infrastructure controls (inherited) |
Enforcement
Violations of this policy must be recorded as incidents in the incident register and evaluated for corrective action. The governance hook (ssg hook eval) enforces coding-level controls automatically on every file write.
Policy hierarchy
This document is the apex policy. Topic-specific policies derive from it:
- Access Control Policy (A.5.15)
- Data Classification Policy (A.5.12)
- Cryptographic Controls Policy (A.8.24)
- Secure Development Policy (A.8.25)
- Supplier Security Policy (A.5.19)
- Incident Management Procedure (A.5.24)
- Business Continuity Plan (A.5.29)
Reviewed and approved by the founder/CEO. Next review due 12 months from effective date.