Register Owner: CISO
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review
Frameworks: ISO/IEC 27001:2022 cl. 4–7, 9.1; supports ISO/IEC 42001:2023 and SOC 2
Effective Date: June 13, 2026
Reviewed: At each ISMS Management Review
Frameworks: ISO/IEC 27001:2022 cl. 4–7, 9.1; supports ISO/IEC 42001:2023 and SOC 2
1. ISMS scope (cl. 4.3)
The ISMS applies to the people, processes, and technology used to design, build, operate, and support the Neuroscale (Arbi) production services and the corporate systems that support them, as described in the SOC 2 System Description.- Organizational scope: NEUROSCALE LLC; remote-first workforce; registered office at 46175 Westlake Dr Ste 300, Sterling, VA 20165.
- Information systems in scope: production cloud infrastructure (AWS US, Vultr US), the Neuroscale-managed Vault cluster, the Arbi application and its data stores, and the corporate SaaS supporting the service (Microsoft 365, Rippling, Better Stack, Vanta, Linear, GitHub, Cloudflare, Tailscale, Dashlane).
- Interfaces and dependencies: subservice organizations carved out under the System Description (AWS, Vultr, and the model/infra sub-processors on the Subprocessor List).
- Exclusions: data-center physical/environmental controls (operated by AWS/Vultr) are carved out; justifications for any Annex A exclusions are in the Statement of Applicability.
2. Information-security objectives (cl. 6.2)
Measurable objectives, reviewed at each ISMS Management Review. Targets are set for the current cycle and tracked to completion.| # | Objective | Measure | Target | Owner |
|---|---|---|---|---|
| O-1 | Achieve and maintain SOC 2 Type II | Report issued, no qualified opinion | Initial Type II report by Q4 2026 | CISO |
| O-2 | Stand up the ISO 27001:2022 + ISO 42001 ISMS/AIMS | SoA complete; internal audit run; cert audit scheduled | Stage 1 readiness by H1 2027 | CISO |
| O-3 | Remediate audit/test findings within SLA | % corrective actions closed on time | ≥ 95% | CISO |
| O-4 | Workforce security-awareness + policy acknowledgement | % current staff complete in Vanta | 100% within 30 days of hire / annually | CHRO |
| O-5 | Vulnerability remediation within SLA | % Critical/High remediated within SLA | ≥ 95% | CISO |
| O-6 | Access reviews completed on cadence | Quarterly reviews completed and signed | 4/4 per year | CISO |
| O-7 | No Sev-1 security incidents with customer-data impact | Count | 0 | CISO |
3. Master list of ISMS documents (cl. 7.5)
The controlled ISMS document set. Each is controlled, version-tracked, and approved before use.| Ref | Document | Location |
|---|---|---|
| Scope | ISMS scope | this register §1 |
| Policy | Information Security Policy (ISMS policy) | /policies/information-security |
| Roles | Roles & Responsibilities | /policies/roles-responsibilities |
| Risk | Risk Management Policy + Annual Risk Assessment | /policies/risk-management, /procedures/annual-risk-assessment |
| SoA (27001) | Statement of Applicability | /registers/iso27001-statement-of-applicability |
| SoA (42001) | AIMS Statement of Applicability | /registers/iso42001-aims-statement-of-applicability |
| Objectives | Information-security objectives | this register §2 |
| Doc control | Control of documented information | this register §4 |
| Comms | Communication (internal/external) | /policies/information-security, /procedures/customer-communications |
| Internal audit | Internal Audit Procedure | /procedures/internal-audit |
| Mgmt review | ISMS Management Review Procedure | /procedures/isms-management-review |
| Improvement | Corrective Action & Continual Improvement | /procedures/corrective-action |
| Legal | Legal, Regulatory & Contractual Requirements Register | /registers/legal-regulatory-register |
| Controls | Controls Inventory | /registers/controls-inventory |
/policies/ and /procedures/ library; the Controls Inventory maps controls to their implementing documents.
4. Control of documented information (cl. 7.5.3)
- Authoring & format: ISMS documents are authored as controlled documents, each with a title, owner, effective date, and version history.
- Review & approval: changes are made through a controlled revision process and reviewed by the document owner before release; material changes require the named policy owner’s approval. Approval is recorded in the version-history table.
- Versioning & availability: every document carries a version history; approved documents are published to the workforce through the controlled documentation library. Acknowledgement is tracked in Vanta.
- Evidence vs. documentation split: governance documentation is maintained as the controlled document set (Policies, Procedures, Registers, and Program documents); operational evidence artifacts (signed PDFs, vendor reports, certificates) live in the SharePoint evidence library, per the Information Security Policy. Register rows that span both name each location.
- Retention & disposal: controlled per the Records Retention Schedule; superseded versions are retained in the document version history.
- External documents: externally-originated documents needed by the ISMS (vendor SOC 2 reports, the pen-test report, standards) are stored in the evidence library and referenced from the Vendor Inventory / Controls Inventory.
Cross-references
- Information Security Policy
- Statement of Applicability (27001) / AIMS SoA (42001)
- Internal Audit / Corrective Action / ISMS Management Review
- Legal & Regulatory Register
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial ISMS management-system register (scope, objectives, master list, doc control). | Cameron Wolfe | Ishan Jadhwani |