ISMS Scope (ISO 27001:2022 clause 4.3)
Document ID: isms-scope
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual
Scope statement
The SigmaShake Information Security Management System covers the design, development, operation, and delivery of the SigmaShake governance-as-code platform, including all supporting infrastructure, data processing, and customer-facing services operated by SigmaShake.
In-scope systems
| System | Description | Hosting |
|---|---|---|
| sigmashake-gov | Governance engine CLI and daemon | Customer device + Cloudflare Workers |
| sigmashake-hub | Rules hub and public registry | Cloudflare Workers + R2 |
| sigmashake-web | Marketing website | Cloudflare Workers |
| sigmashake-mcp | MCP server for AI-agent integration | Cloudflare Workers |
| sigmashake-docs | Product documentation | Cloudflare Pages |
| sigmashake-compliance | SOC 2 + ISO 27001 evidence automation | Cloudflare Workers + D1 + R2 |
| sigmashake-sso | Internal OIDC/SAML identity provider | Cloudflare Workers |
| sigmashake-support | Staff support portal | Cloudflare Workers |
| sigmashake-emailer | Transactional email | Cloudflare Workers |
| sigmashake-fleet | MDM control plane | Cloudflare Workers for Platforms |
| sigmashake-siem | SIEM ingestion testbench | Cloudflare Workers |
Out-of-scope systems
- Customer-managed infrastructure (customers' own repositories, CI/CD pipelines)
- Third-party SaaS used only through its browser UI or in a read-only capacity (Slack; the GitHub.com web UI, as distinct from the SigmaShake repositories hosted on GitHub, which remain in scope under the physical boundary below)
Physical boundary
SigmaShake operates exclusively on cloud infrastructure (Cloudflare, GitHub). There are no on-premises data centres, office servers, or physical production systems. Physical security controls are inherited from the cloud vendors (see A.7 Physical controls in the Statement of Applicability).
Organisational boundary
SigmaShake is a solo-founder, sole-operator entity. All information security decisions, controls, and evidence collection fall within the direct responsibility of the founder/CEO.
Exclusions
A.5.3 Segregation of duties is not applicable (solo founder). Compensating controls are documented in the Statement of Applicability: Ed25519-signed audit trail, automated evidence collection, branch protection, and peer review via GitHub pull requests.
This document is managed in the sigmashake-compliance isms_documents store, and its content hash is recorded at ISMS registration so that any later modification of the document can be detected.
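The two compensating controls named above (an Ed25519-signed audit trail and a document hash recorded at registration) are illustrated below with an added example that is not SigmaShake's own code. It uses only the Go standard library; the AuditEntry layout, the function names, and the sample document text are assumptions made for the example. Each entry records the SHA-256 of a document, chains to the SHA-256 of the previous entry, and is signed with the founder's Ed25519 key, so an auditor holding only the public key can detect an altered hash, a missing entry, or a document that no longer matches its registered hash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuditEntry is one record in a hash-chained, Ed25519-signed audit trail.
// The field layout is an assumption made for this example, not SigmaShake's schema.
type AuditEntry struct {
	Seq      uint64   // position in the chain, starting at 0
	PrevHash [32]byte // SHA-256 of the previous entry (all zero for the first entry)
	DocID    string   // e.g. "isms-scope"
	DocHash  [32]byte // SHA-256 of the registered document content
	Sig      []byte   // Ed25519 signature over the fields above
}

// payload serialises the signed fields deterministically (length-prefixed DocID
// so that no two field combinations produce the same bytes).
func (e *AuditEntry) payload() []byte {
	var buf bytes.Buffer
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], e.Seq)
	buf.Write(seq[:])
	buf.Write(e.PrevHash[:])
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(e.DocID)))
	buf.Write(n[:])
	buf.WriteString(e.DocID)
	buf.Write(e.DocHash[:])
	return buf.Bytes()
}

// hash covers payload and signature, so the next entry chains over both.
func (e *AuditEntry) hash() [32]byte {
	return sha256.Sum256(append(e.payload(), e.Sig...))
}

// Trail holds the signing key and the entries appended so far.
type Trail struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Entries []AuditEntry
}

// NewTrail generates a fresh Ed25519 key pair for the trail.
func NewTrail() (*Trail, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Trail{Pub: pub, priv: priv}, nil
}

// Register appends a signed entry recording the hash of a document version.
func (t *Trail) Register(docID string, content []byte) AuditEntry {
	e := AuditEntry{Seq: uint64(len(t.Entries)), DocID: docID, DocHash: sha256.Sum256(content)}
	if n := len(t.Entries); n > 0 {
		e.PrevHash = t.Entries[n-1].hash()
	}
	e.Sig = ed25519.Sign(t.priv, e.payload())
	t.Entries = append(t.Entries, e)
	return e
}

// VerifyTrail checks every signature and every chain link. It needs only the
// public key, so an auditor can run it without access to the signing key.
func VerifyTrail(pub ed25519.PublicKey, entries []AuditEntry) error {
	var prev [32]byte
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence gap (got seq %d)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain break", i)
		}
		if !ed25519.Verify(pub, e.payload(), e.Sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.hash()
	}
	return nil
}

// VerifyDocument checks content against the most recent registration of docID.
func VerifyDocument(entries []AuditEntry, docID string, content []byte) error {
	want := sha256.Sum256(content)
	for i := len(entries) - 1; i >= 0; i-- {
		if entries[i].DocID == docID {
			if entries[i].DocHash != want {
				return errors.New("document content does not match registered hash")
			}
			return nil
		}
	}
	return errors.New("document not registered")
}

func main() {
	t, err := NewTrail()
	if err != nil {
		panic(err)
	}
	doc := []byte("ISMS Scope v1.0 (constructed sample content)")
	t.Register("isms-scope", doc)
	fmt.Println("trail valid:", VerifyTrail(t.Pub, t.Entries) == nil)
	fmt.Println("edited copy rejected:", VerifyDocument(t.Entries, "isms-scope", append(doc, '!')) != nil)
}
```

One caveat a solo operator should keep in mind: a chain like this detects alteration and deletion in the middle, but not silent truncation of the newest entries, since whoever holds the signing key can simply re-sign a shorter chain. The tail hash (or the document hash recorded at ISMS registration) therefore has to be anchored somewhere the founder cannot rewrite alone, such as a protected branch with signed commits or an external timestamp, for the control to compensate for the missing segregation of duties.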